This article intended to address the scenario where there are multiple groups of users who are responsible for different groups of computers but will be performing the same actions on their scope of resources.

Since Security Roles are additive, two roles are needed per user:

1. One role for only the actions that they should be able to do, patch, deliver software, etc.
2. One role that allows them to see a group of computers.

By doing this the overhead is greatly limited.  Make adjustments to the first role to define what actions they can take in the console and make adjustments to the second role to define what computers each role can access.

Then when users are added they are added to two roles, one for the group of computers they are to manage and the other for the types of actions they can take on those computers.

Computer access is handled in the Organizational Views and Groups area.  The most common location for this is the Organizational Groups created by an Active Directory Import.

For the purposes of this document, assume you are using Organizational Groups that are based on an imported Active Directory OU structure.

Note: This document assumes that a Trustee import has already been done through the Microsoft Active Direcory Import page to have users to add to the groups.

ITMS 8.x

Patch Management 8.x

To access only a particular OU

1. In the Symantec Management Console go to Settings> Security> Account Management
2. Select "Roles"
3. Click the "Add" button to create a new role
4. Name it appropriately to represent the group of computers this role with have access to
5. Select "Show Security Role Manager Console" at the bottom of the page
6. Change the "View:" dropdown to "Resources"
7. Click the blue "plus" icon at the top of left pane
8. In the "Add Permissions" dialog box click the "Folder:" drop down
9. Expand Resource Management, then Organizational Views, then Active Directory Domains
10. Click on your top level domain name
11. This will populate the lower pane where you can select the desired OU.
12. Select your OU and press the right arrow to move it into the "Selected items:" pane
13. Press OK
14. By default, this will give the role read for only the select OU
15. Click radio buttons for "Read Resource Associations" and "Read Resource Data"
16. If the users of the role should also be able to edit and delete the Computers give them the additional rights
17. Save changes

For this example, you will focus on Patch but any desired role could be cloned to achieve the same result.

For patch rights role you are removing rights to computers as they will get them from the role created in the first step

1. Clone the desired role, in this case "Patch Management Administrators" and name it something like "Patch Admins"
2. Select the newly cloned role and click "Show Security Role Manager Console" at the bottom of the page
3. Select "Resources" from the "View:" drop down
4. Select the top level "Resource Management"
5. Uncheck "Read" and "Write"
6. Save changes
7. Select the "Filters" folder located directly under "Resource Management" 
8. In the right-hand pane check "Read" and "Write"
9. Save changes
10. Click the blue plus sign to add additional rights
11. In the "Add Permissions" dialog, Expand Resource Management
12. Click Organizational Views which will populate the lower left pane.
13. Click on Default and move it over to the "Selected Items:" right-hand pane
14. Make sure that "Read", "Write", "Read Resource Data", "Read Resource Association", "Write Resource Data" and "Write Resource Association" are selected
15. Save changes
16. Expand Resources> Organizational Views> Default> All Resources> Asset> Network Resource and select Computer
17. With "Computer" selected, click "Advanced" in the lower right hand
18. Uncheck the box for "Inherit the permissions from the . . ."
19. Click Save changes
20. In the new popup, click COPY. VERY IMPORTANT DO NOT CLICK REMOVE
21. Select the name of the new Role you created, such as "Patch Admins" and click the red X to remove rights to all computers
22. Save changes

Add a user to both of the newly created roles and test

Create additional roles as defined in the first step for as many groups of users as needed.

Note: Tested on ITMS 8.0 and above.