Create security role for users to patch, deliver software, initiate tasks etc on only specific computers

Article ID: 179081

Products

Management Platform (Formerly known as Notification Server)

Issue/Introduction

Resolution

This article addresses the scenario where several groups of users are each responsible for a different group of computers but perform the same actions within their own scope of resources.

Since security roles are additive, two roles are needed per user:

  • One role that grants only the actions they should be able to perform (patch, deliver software, etc.)
  • One role that allows them to see a particular group of computers

This keeps the administrative overhead low. Adjust the first role to define what actions users can take in the console, and adjust the second role to define which computers each role can access.

When users are added, they are added to two roles: one for the group of computers they are to manage and the other for the types of actions they can take on those computers.

Computer access is handled in the Organizational Views and Groups area. The most common location for this is the Organizational Groups created by an Active Directory Import.

For the purposes of this document, we will assume we are using Organizational Groups that are based on an imported Active Directory OU structure.

Note: This document assumes that a Trustee import has already been done through the Microsoft Active Directory Import page so that there are users to add to the groups.

To access only a particular OU

  1. In the Symantec Management Console go to Settings > Security > Account Management
  2. Select "Roles"
  3. Click the "Add" button to create a new role
  4. Name it appropriately to represent the group of computers this role will have access to
  5. Select "Show Security Role Manager Console" at the bottom of the page
  6. Change the "View:" dropdown to "Resources"
  7. Click the blue "plus" icon at the top of left pane
  8. In the "Add Permissions" dialog box click the "Folder:" drop down
  9. Expand Resource Management, then Organizational Views, then Active Directory Domains
  10. Click on your top level domain name
  11. This will populate the lower pane where you can select the desired OU.
  12. Select your OU and press the right arrow to move it into the "Selected items:" pane
  13. Press OK
  14. By default, this gives the role Read on only the selected OU
  15. Click radio buttons for "Read Resource Associations" and "Read Resource Data"
  16. If the users of the role should also be able to edit and delete the computers, grant them the additional rights
  17. Save changes

For this example, we will focus on Patch but any desired role could be cloned to achieve the same result.

For the patch rights role, we remove the rights to computers, because the users will get those from the role created in the first step.

  1. Clone the desired role, in this case "Patch Management Administrators" and name it something like "Patch Admins"
  2. Select the newly cloned role and click "Show Security Role Manager Console" at the bottom of the page
  3. Select "Resources" from the "View:" drop down
  4. Select the top level "Resource Management"
  5. Uncheck "Read" and "Write"
  6. Save changes
  7. Select the "Filters" folder located directly under "Resource Management"
  8. In the right-hand pane check "Read" and "Write"
  9. Save changes
  10. Click the blue plus sign to add additional rights
  11. In the "Add Permissions" dialog, expand Resource Management
  12. Click Organizational Views which will populate the lower left pane.
  13. Click on Default and move it over to the "Selected Items:" right-hand pane
  14. Make sure that "Read", "Write", "Read Resource Data", "Read Resource Association", "Write Resource Data" and "Write Resource Association" are selected
  15. Save changes
  16. Expand Resources > Organizational Views > Default > All Resources > Asset > Network Resource and select Computer
  17. With "Computer" selected, click "Advanced" in the lower right-hand corner
  18. Uncheck the box for "Inherit the permissions from the . . ."
  19. Click Save changes
  20. In the new popup, click COPY. VERY IMPORTANT DO NOT CLICK REMOVE
  21. Select the name of the new Role you created, such as "Patch Admins" and click the red X to remove rights to all computers
  22. Save changes
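The following is an added illustration of the additive-role design described at the top of this article and of the inheritance steps (18 through 21) in the procedure above. It is not Symantec Management Platform code and uses none of the product's APIs or database tables: the resource tree, the role names "Patch Admins", "Sales Computers" and "Symantec Administrators", the computer names and the "Patch" permission are all constructed for the example. It models why a user in an action role plus a scope role can act on only their own computers, why the cloned role still sees every computer until its entry on the Computer node is removed, and what is lost if REMOVE is chosen instead of COPY when inheritance is broken.

```python
"""Model of additive security roles with inherited permissions.

Added illustration only: this is not Symantec Management Platform code and
uses none of its APIs or database tables. The resource tree, the role names,
the computer names and the "Patch" permission are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass
class Node:
    """A folder, organizational group or resource class in a resource tree."""
    name: str
    parent: "Node | None" = None
    inherit: bool = True                          # take ACEs from the parent chain
    aces: dict = field(default_factory=dict)      # role name -> set of permissions
    computers: set = field(default_factory=set)   # computers this group contains


def effective_perms(node: Node, role: str) -> set:
    """Permissions one role holds on node: its explicit ACE plus inherited ones."""
    perms = set(node.aces.get(role, ()))
    if node.inherit and node.parent is not None:
        perms |= effective_perms(node.parent, role)
    return perms


def break_inheritance(node: Node, mode: str) -> None:
    """Stop inheriting from the parent. 'copy' first turns every role's inherited
    rights into explicit entries on the node (the COPY choice in the article);
    'remove' discards them, which strips other roles' rights on the node too."""
    if mode == "copy":
        roles = set(node.aces)
        ancestor = node.parent
        while ancestor is not None:
            roles |= set(ancestor.aces)
            ancestor = ancestor.parent
        copied = {}
        for role in roles:
            perms = effective_perms(node, role)   # computed while still inheriting
            if perms:
                copied[role] = perms
        node.aces = copied
    node.inherit = False


def user_perms(roles: list, node: Node) -> set:
    """Roles are additive: a user's rights on node are the union over all roles."""
    return set().union(*(effective_perms(node, r) for r in roles))


def visible_computers(roles: list, groups: list) -> set:
    """Computers the user can see: members of any group the user can Read."""
    seen = set()
    for group in groups:
        if "Read" in user_perms(roles, group):
            seen |= group.computers
    return seen


def can_patch(roles: list, computer: str, groups: list, patch_node: Node) -> bool:
    """Patching needs the action right (action role) and sight of the computer
    (scope role); neither role alone is enough."""
    return ("Patch" in user_perms(roles, patch_node)
            and computer in visible_computers(roles, groups))


def build_scenario():
    """Constructed tree: Default/Computer holds every computer, while the
    imported Sales OU holds only the Sales machine. Returns the nodes used below."""
    root = Node("Resource Management")
    views = Node("Organizational Views", root)
    default = Node("Default", views)
    all_computers = Node("Computer", default, computers={"SALES-PC1", "FIN-PC1"})
    sales_ou = Node("Sales OU", views, computers={"SALES-PC1"})
    patch_node = Node("Patch Management", root)
    root.aces["Symantec Administrators"] = {"Read", "Write"}   # assumed built-in role
    default.aces["Patch Admins"] = {"Read", "Write"}           # state after step 14
    patch_node.aces["Patch Admins"] = {"Patch"}                # the action right
    sales_ou.aces["Sales Computers"] = {"Read"}                # scope role, first procedure
    return root, all_computers, sales_ou, patch_node


def apply_article_fix(all_computers: Node) -> None:
    """Steps 18-21: break inheritance on Computer with COPY, then drop the cloned
    role's entry so it no longer sees every computer."""
    break_inheritance(all_computers, "copy")
    all_computers.aces.pop("Patch Admins", None)


if __name__ == "__main__":
    _, computer_node, sales_ou, patch_node = build_scenario()
    groups = [computer_node, sales_ou]
    user = ["Patch Admins", "Sales Computers"]
    print("before fix:", sorted(visible_computers(user, groups)))   # both computers
    apply_article_fix(computer_node)
    print("after fix: ", sorted(visible_computers(user, groups)))   # SALES-PC1 only
    print("patch SALES-PC1:", can_patch(user, "SALES-PC1", groups, patch_node))
    print("patch FIN-PC1:  ", can_patch(user, "FIN-PC1", groups, patch_node))
```

Running the model shows the two states that matter when testing the real roles: before the Computer node is detached from Default, the cloned role still reads every computer, so the scope role adds nothing; after the COPY-then-remove step, the user sees only the Sales computer and can patch only that one, while the other roles' entries on the Computer node survive. The 'remove' branch of `break_inheritance` reproduces what would happen if REMOVE were clicked in step 20: every role's inherited rights on the node, including the administrators', disappear.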

Add a user to both of the newly created roles and test.

Create additional roles as defined in the first step for as many groups of users as needed.

Note: Tested on ITMS 8.0 and above.