How to create a custom security role for assets

book

Article ID: 181908

calendar_today

Updated On:

Products

CMDB Solution

Issue/Introduction

 

Resolution

A custom security role for assets can be created by the Altiris Administrator if they want to have certain users have less or more rights to assets such as computers, purchase orders, locations, etc. (i.e., any resource types from Asset Management Solution, CMDB Solution, Barcode Solution and Data Connector Solution which are all part of the Asset Management Suite), than the out of box security roles provide. To help the Altiris Administrator get started with this, this article provides general information and best practices for how to create and troubleshoot custom security roles for assets. For additional assistance in creating and troubleshooting custom security roles, please refer to the Symantec ITMS Administration Guide (below), or contact Symantec Consulting Services at http://www.symantec.com/it-consulting-services.

Symantec IT Management Suite 7.5 powered by Altiris technology Administration Guide
http://www.symantec.com/business/support/index?page=content&id=DOC5330 

Out of Box Security Roles for Assets

When possible, it is always recommended to use an out of box asset security role instead of trying to create a custom security role. This is because trying to create a custom security role to do exactly what is desired with assets can be very difficult, which is further discussed in the next two sections. There are three* out of box security roles that work with assets, which are:

  1. The Asset Managers security role, which is installed by Asset Management Solution. This security role has rights for managing contract types, software licensing and procurement (such as purchase orders). It also has basic rights for managing configuration items (such as computers).
  2. The CMDB Managers security role, which is installed by CMDB Solution. This security role has rights for managing configuration items (such as computers). It also has basic rights for managing contract types, software licensing and procurement (such as purchase orders).
  3. The Symantec Administrator security role, which is installed by the core Symantec Management Platform. This security role has the same asset rights as both the Asset Managers and CMDB Managers security roles combined, along with additional administrative rights such as the ability to delete assets. (This is actually the only out of box security role that has rights to delete assets.)


* There are also one to two Barcode Solution security roles (depending on the version of Barcode Solution), the Barcode Manager and the Barcode User, but as these are intended for the configuring and scanning of assets with a handheld device, these are not otherwise discussed in this article.

Sometimes non-asset security roles are mistaken to have asset rights, but of which they do not, or if so, very little. For example:

  • The Symantec Software Librarian security role, which is installed by Software Management Solution. This security role has rights for managing software packages, but does not have rights for managing Asset Management Solution or CMDB Solution assets. 
  • The Symantec Level 1 Workers and Symantec Level 2 Workers security roles, which are installed by the core Symantec Management Platform. These security roles have basic rights for managing software patches and packages, but do not have rights for managing Asset Management Solution or CMDB Solution assets other than Read rights (such as for viewing asset reports).


Best Practices When Creating and Using Custom Security Roles for Assets

  • As mentioned, it is recommended to use an out of box asset security role instead of trying to create a custom security role. It can be very difficult to correctly configure a custom security role to work with assets. This is because asset rights are extremely granular and many security areas must be configured, all of which the Altiris Administrator must be aware of and understand when configuring the custom security role. For example, the Altiris Administrator may need to configure rights for resource types, data classes, reports, web parts, console menus, right click menus and folders (visible and hidden). In addition to this, when new Altiris products are installed, the custom security role may need to be further configured to then accommodate the rights that the new products included. Even after all apparent areas are configured; it's still possible that certain asset areas in the Symantec Management Platform Console may fail to work successfully with the custom security role due to something being missed or being not able to be configured.
  • A custom security role can be created from scratch (very complicated) or be cloned from of an out of box security role (less complicated), preferably from either the Asset Managers or CMDB Managers security roles. WARNING: Do no change the rights for an out of box security role. Doing so may result in the permanent loss of functionality to the security role and any of its inherited rights. It may be difficult or impossible to restore this. Instead, clone an out of box security role that is close to what is needed and then increase or decrease its rights as appropriate. In addition to this, repairing the product, uninstalling and reinstalling it, using AeXConfigure against its .config files or upgrading it may also reset a modified out of box security role back to its default rights, thereby losing everything that was changed with it. A custom security role would not be affected, however, by any of these processes.
  • An alternative to making a custom security role is to simply add a user account to both the Asset Managers and CMDB Managers security roles. These two security roles provide nearly everything an asset user would need to manage assets. 
  • Cloning the Symantec Administrator security role and modifying it is also a good suggestion. It can be time consuming, however, removing the many rights that the Altiris Administrator doesn't want its users to have. 
  • Security roles can have other security roles as members. This may result in users having unexpected rights, however, as the highest level security role grants its full rights to the "parent" security role.
  • When a security role is cloned, whether it is out of box or custom, any members (users and other security roles) in the original security role are automatically added as members to the cloned security role. 
  • When using the Security Role Manager to add rights to a custom security role, often the custom security role does not have even basic rights to a function. For example, if the Symantec Level 2 Workers security role was cloned and then edited in the Security Role Manager, under Settings > Notification > Resource and Data Class Settings > Resource Types, there are no rights to display any asset resource types such as for computers. These must be added from a security role that already includes these, such as from the Symantec Administrators security role. Refer to the next section for more information about how to do this.
  • While there is a right click Export menu function for security roles, this does not fully or correctly export the security role. This function is not intended to do this, but is a left-over of the right click menu default functionality found elsewhere in the Symantec Management Platform Console. Furthermore, there is no import function. Because of both of these, there is no method to export a security role from one Symantec Management Platform server and take it to another. A workaround is to restore/attach the Symantec_CMDB database from one Symantec Management Platform server to be used by another; however, this also uses all of the same data and so cannot really be used to copy over the security role. At the most, the Altiris Administrator could then analyze and record what was configured in the custom security role this way, and then revert back to the original database and attempt to recreate it there with this information.


Walkthrough for How to Create a Custom Security Role for Assets by Cloning the Out of Box Symantec Level 2 Workers Security Role

The following instructions describe how to clone and modify the out of box Symantec Level 2 Workers security role so that its users can edit computers as an example on the basics of how to create a custom security role for assets. These instructions are not all-inclusive and only provide the bare minimum of what is needed to edit computers and only in certain areas of the Symantec Management Platform Console. The Altiris Administrator would further need to determine what other rights to set, which can be very hard to ascertain without a lot of testing and experimenting. Please Note: Symantec Technical Support is unable to provide the customer with a list of what rights are required to perform specific tasks and is unable to walk them through how to make a custom security role perform specific tasks. If the customer requires extensive help in creating or troubleshooting their custom security role, instead please contact Symantec Consulting Services at http://www.symantec.com/it-consulting-services.
 
Part 1: Clone and configure the Symantec Level 2 Workers out of box security role as a custom security role and add a test user to it.

  1. While logged onto a computer with a Symantec Administrator user account, open a Symantec Management Platform Console.
  2. In the Symantec Management Platform Console, click on the Settings button and then select Security > Account Management.
  3. In the left window pane, in the Account Management folder, click on Roles.
  4. In the Roles window pane, right click on the Symantec Level 2 Workers security role and then select Clone from the right click menu.
  5. In the Clone Role window, click in the edit box and type a name for the custom security role, such as "Asset Workers".
  6. Click on the OK button.
  7. The custom security role should automatically be selected in the Roles window pane; if not, click on it to select it. In the right window pane, click on the Members tab.
  8. Click on the Add Member "+" button and then select Add Account from the pop-up menu.
  9. In the Select Account(s) window, click on a test user account to use for testing the custom security role with, of which this will be the only security role that they will be in other than also in Everyone. WARNING: Do not select the user account to test that is the Application ID, which is the primary Symantec Administrator account for the Notification Server. Doing so will result in severe rights issues and may result in having to reinstall the Notification Server.
  10. Click on the OK button.
  11. Click on the "Save changes" button.
  12. In the left window pane, in the Account Management folder, click on Accounts.
  13. In the Accounts window pane, click on the test user account selected in step 9.
  14. In the right window pane, ensure that the test user account is enabled and configured for use. If not, make any changes as appropriate so that it can be used.
  15. Click on the Member Of tab.
  16. In the Accounts window pane, remove all security roles other than the custom security role and the Everyone security role:

    1. Click on a security role to remove.
    2. Click on the Remove "X" button.
    3. In the confirmation window, click on the OK button.
    4. Repeat steps 16a through 16d until all security roles are removed except the custom security role and the Everyone security role.
       
  17. Click on the "Save changes" button.
  18. In the left window pane, in the Account Management folder, click on Roles.
  19. In the Roles window pane, click on the customer security role.
  20. Leave the Symantec Management Platform Console running at Account Management; additional configurations will be made to the custom security role in the next part.

  
Part 2: Add minimum rights to the custom security role enabling it to create and edit computers.

Note: This part refers to configuring a security role's "rights", which refers collectively to "privileges" (from the Account Management > Roles window) and/or to "permissions" (from every where else in Security Role Manager).

  1. On a different computer, log onto it with the test user account selected in Part 1, step 9 and open a Symantec Management Platform Console.
  2. In the Symantec Management Platform Console, click on the Manage button and then select Assets. An Access Denied error occurs. Notice that this test user account in the custom security role currently has virtually no access rights to any Asset Management Solution or CMDB Solution data (except for some asset reports). For another example, click on the Home button. The expected Service and Asset Management menu choice is missing.
  3. Leaving this test user account logged in on this computer and in a Symantec Management Platform Console, return back to the computer that is logged onto with a Symantec Administrator user account, which is still running its Symantec Management Platform Console at Security > Account Management.
  4. In Account Management, in the right window pane, click on the Show Security Role Manager Console button.
  5. Click on the View drop-down list and select Console Menu > Home.
  6. Click on to expand the Console Menu folder. Notice that this test user account in the custom security role does not see Service and Asset Management under Home, which confirms what was seen in step 2. Any area of the Symantec Management Console that the custom security role has no access to must be explicitly granted by a higher level security role.
  7. Add desired rights by granting them from a higher level security role by clicking on the Role drop-down list and selecting Symantec Administrators, then repeat the following sub-steps as necessary for each area to grant rights to:

    1. Click on the View drop-down list and select the area to grant rights to, for example, Console Menu.
    2. Navigate to where the rights will be granted to, for example, click on to expand the Console menu folder and then click on Home.
    3. Click on Service and Asset Management.
    4. In the right window pane, click on the Advanced button.
    5. In the "Permissions for" window, in the Account/Role section, notice that the custom security role is not part of the security roles that have rights to the selected area. Click on the Add "+" button.
    6. In the Add Trustees window, click on the custom security role.
    7. Click on the OK button.
    8. In the Account/Role section, click on the custom security role.
    9. In the "Permission for" section, add the desired rights to the area, such as Full Control. Note: If permissions are removed for an area for a security role, the area being edited will disappear from the left window pane in Security Role Manager. A higher level security role that includes this still will need to be used to re-grant the area permissions if these are needed back.
       
    10. Click on the "Save changes" button.
    11. Close the "Permissions for" window.
       
  8.   Repeat steps 7a through 7k for any area to add rights to. For example, for computers:

    1. Click on the View drop-down list and select Settings.
    2. Click on to expand the folders Settings > Notification Server > Resource and Data Class Settings > Resource Types > Asset Types > IT.
    3. Click on Computer.
    4. Repeat steps 7d through 7k.
    5. Click on the view drop-down list and select Views.
    6. Click on to expand the folders Views > Asset Management Views.
    7. Click on CI Management.
    8. Repeat steps 7d through 7k.
    9. At this point, the test user account, if they refresh their browser (F5), which is actually needed to be performed if any live changes to their security role is performed while they are in a Symantec Management Platform Console, will see that they can now go to Home > Service and Asset Management > Manage Configuration Items, and see that they can then create and edit computers. However, they still do not have permissions to any of the computer data classes or associations; the Edit window is blank without any of these available. These desired data classes and associations must all be granted permission one at a time. For example:

      1. Click on the View drop-down list and select Settings.
      2. Click on to expand the folders Settings > Notification Server > Resource and Data Class Settings > Resource Associations.
      3. Click on Asset's Status.
      4. Repeat steps 7d through 7k.
      5. Click on to expand the folder CMDB Association Types. Note: If this references any assets other than computers, these resource types and all of their data classes and associations must also be granted permission.
      6. Click on Associated Assets.
      7. Repeat steps 7d through 7k.
      8. Click on to expand the folders Settings > Notification Server > Resource and Data Class Settings > Data Classes > CMDB Data Classes.
      9. Click on Barcode.
      10. Repeat steps 7d through 7k.
      11. Now, repeat 7d through 7k steps for any remaining data classes and associations to add permissions for. The remaining out of box data classes and associations are: Comment, Computer Type, Cost Center Ownership, System Number, Location, Manufacturer, Model, Asset Owners, Provided Services and Serial Number. Also, add permissions as necessary for any custom data classes or associations that may be present. Note: As with step 8iv, if any of the associations reference areas that do no have permissions, these too must be granted.
         
  9. When finished adding all necessary permissions, close the Security Role Manager window.
  10. Later, when trying out the test user account in the custom security role, if Access Denied or similar permission errors occur, the Symantec Administrator will need to evaluate what area the test user was in, and then try to determine where to add permissions for that by following the above steps.


Other Customization Settings

This article intentionally does not cover in detail other security setting types that can be customized. In brief, these include:
 

  • In Account Management > Roles. Many privileges can be found here, most of which are for right click functionality.
  • In Security Role Manager, in the right window pane, these permissions are the same as those that are set in the Advanced window.
  • In the Advanced window,  there are two powerful permission settings here that should never be tampered with unless the repercussions are fully understood by the Altiris Administrator:

    • "Inherit the permission entries from parent object that apply to child objects" - Disabling this is referred to as "breaking inheritance" for the security roles that have inheritance to parent objects. Doing this can result in severe rights issues, may be impossible to reverse and may result in having to reinstall the Notification Server. The intended purpose of this function is to cause a security role to not inherit rights from parent objects, so that it can be more easily configured. Inheritance is what causes some rights to be disabled, as they cannot be changed due to their inheritance from the parent security role that they were based on. For example, the Computer resource type inherits rights from the Asset resource type, which in turn inherits rights from Resource resource type.
    • "Replace permissions on all child objects" - The intended purpose of this function is to easily replace all permissions on child objects with what the user changed. This too can result in severe rights issues, may be impossible to reverse and may result in having to reinstall the Notification Server 


Summary

As can be seen by the minimal-yet-still-extensive above walkthrough, it can be very complicated and even daunting to create, even from a clone, a custom security role for assets. When possible, it is always recommended to use an out of box asset security role instead of trying to create a custom security role.

Related Articles

Unable to view, edit or save assets when the user is in a custom security role for assets
http://www.symantec.com/business/support/index?page=content&id=TECH218224

After upgrading the Symantec Management Platform 7.1 to 7.5, associations in resources are then missing
http://www.symantec.com/business/support/index?page=content&id=TECH213873

Error "User does not have permissions to create a resource of the given type ." occurs when trying to save an Asset Management or CMDB Solution asset type after upgrading to from Symantec Management Platform 7.1 to Symantec Management Platform 7.5
http://www.symantec.com/business/support/index?page=content&id=TECH215867

CMDB Managers role no longer is able to use Set Asset Status right click function
http://www.symantec.com/business/support/index?page=content&id=TECH218151