How can I grant limited access to an item in the Altiris Console using security roles?
In this exercise, you will create a new security role (View Reports), assign it privileges, add it to a report, and run the report from an account that only gets Altiris permissions from the “View Reports” security role. After doing this exercise, you should be able to create security roles and apply them to items such as reports and collections in the Altiris Console.
Creating a new security role and assigning privileges for it
In the Altiris Console, create a new security role. In this exercise, we will create a new “Report Viewer” role and assign privileges to it.
- Click the Configuration tab > Server Settings > Notification Server Settings.
- Right-click the Security Roles folder and click New > Security Role.
- When the New Role dialog appears, enter a name for the new role. In this exercise, enter “Report Viewer” and click OK.
- Wait a few moments for the new security role to be created and the Altiris Console to be refreshed. When the Altiris Console is refreshed, the Report Viewer security role will be listed under the Security Roles folder.
- Double-click the new security role; in this exercise, double-click Report Viewer. The General tab will be displayed.
- Enter a good description for the security role.
- Click the Privileges tab. The Report Viewer privileges page appears in the right pane. All the check boxes should be blank.
- Scroll down to the Altiris Console Privileges section. In this exercise, mark only the View Reports tab check box.
Tip: Use the options next to Show to make sure that the item or items you want are selected (checked), and only those items are selected. You can click the All option to display all the options, selected and unselected, the Check option to display only the selected (checked) options, or the Unchecked option to display only the unchecked options.
- Click the Membership tab. Click the Add New Members button (blue plus sign) and add the users or groups you want to include in the security group. For this exercise, choose a user that does not have other rights in the Altiris Console. I created a new user “rviewer” without Administrator rights for this exercise and used it to verify that it gets the needed privileges to view the selected report.
Note: A user or group can be in multiple security roles. Altiris will determine the rights and permissions for each user based on the combined rights of all the security roles. For this exercise, if a user is a member of the Altiris Administrators role, but not the Report Viewer security role, the user would still be able to view the report because of the privileges from the Altiris Administrators security role. If the user is only a member of the Report Viewer security role, the user will only be able to view reports that have the Report Viewer security role applied to them.
- Click the Apply button and wait for the “Changes have been saved successfully” message to appear.
Adding a security role to a report
Select a report to add the security role to. In this exercise, we will add the new “Report Viewer” security role to the Clients with no configuration requests in last N days report.
- Click the Reports tab > Notification Server Infrastructure > Agent > Configuration Request.
- Right-click the report (in this exercise, the Clients with no configuration requests in last N days report) and click Properties. A new window titled Properties appears with the General tab showing.
- Click the Security tab.
- Click the Add button.
- When the Role Selection dialog appears, click the role you want to have permissions to the report and click Select.
- When the Permission Selection dialog appears, select the permissions you want to grant to the security role for this specific report. In this exercise, we want to grant the Report Viewer security role only the Read permission under Altiris System Permissions and the Run Reports and Save Reports permissions under Altiris Report Permissions.
Important: Make sure you grant at least the Altiris System Permissions’ Read permission to the security role. Otherwise, members of the security role who don’t get the report’s Read permission from another security role won’t see the report in the Reports tab treeview pane.
- Click the Apply button and wait for the “The operation completed successfully” message to appear.
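The Note on combined rights and the Important note on Read can be checked together before handing out a role. The following is an added example, not Altiris code or an Altiris API: a simplified model in which every role, account and the second report are constructed, and which reports where each permission on an item comes from.

```python
# Added illustration: simplified model of the role behaviour in the notes above.
# All roles, accounts and the second report are constructed; this is not an Altiris API.
READ, RUN, SAVE = "Read", "Run Reports", "Save Reports"
REPORT = "Clients with no configuration requests in last N days"
OTHER = "Constructed report B"  # hypothetical second item

# role name -> member accounts (constructed)
ROLE_MEMBERS = {
    "Altiris Administrators": {"admin1"},
    "Report Viewer": {"rviewer", "helpdesk1"},
    "Legacy Reports": {"helpdesk1"},  # hypothetical extra role
}

# item -> role -> permissions granted to that role on the item (constructed)
ITEM_ACL = {
    REPORT: {"Altiris Administrators": {READ, RUN, SAVE},
             "Report Viewer": {READ, RUN, SAVE}},
    OTHER: {"Report Viewer": {RUN, SAVE},   # Read was not granted
            "Legacy Reports": {READ}},
}


def effective(user, item):
    """Union of item permissions over every role the user belongs to.

    Returns {permission: set of roles that grant it}.
    """
    sources = {}
    for role, members in ROLE_MEMBERS.items():
        if user not in members:
            continue
        for perm in ITEM_ACL.get(item, {}).get(role, set()):
            sources.setdefault(perm, set()).add(role)
    return sources


def audit(user, item, intended_role):
    """Return (sorted effective permissions, findings) for one account and item."""
    sources = effective(user, item)
    findings = []
    if sources and READ not in sources:
        findings.append("no Read: item will not appear in the Reports treeview")
    for perm in sorted(sources):
        extra = sorted(sources[perm] - {intended_role})
        if extra:
            findings.append(f"{perm} granted via {extra}")
    return sorted(sources), findings
```

An empty findings list for the test account means its access to the report comes only from the intended role, which is the condition the exercise relies on when it asks for a user with no other rights.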
Running a report from an account that only gets permissions from the “View Reports” security role
- Log in to your network using an account that only gets Altiris permissions from the View Reports security role you just created.
- Open the Altiris Console. In Internet Explorer, enter http://notification_Server/Altiris/NS/Console.aspx
Important: If you get the error 'The context help ActiveX object failed to load' when trying to open the Altiris Console, see article 21719. You need to install the Notification Server ActiveX controls on the computer. To install them, run AltirisNSCABinstaller.exe from the Program Files\Altiris\Notification Server\Nscap\Bin\Win32\x86\NS Cab Installer Package folder (enter \\notification_server_name\nscap\ Nscap\Bin\Win32\x86\NS Cab Installer Package) using an account that has permissions to install software on the computer.
- When the Altiris Console appears, only the Reports tab should be displayed. In the left pane, click Notification Server Infrastructure > Agent > Configuration Request > Clients with no configuration in the last N days.
- In the right pane, click Run this report.
- When Clients with no configuration in last N days appears in the right pane, enter values and click Refresh. The report is generated and the information is displayed in the right pane.