Symantec Level 2 Workers security role "read" permission change on fresh install of ITMS 8.6 RU3 / 8.7

Article ID: 261743

Products

IT Management Suite

Issue/Introduction

On a fresh install of ITMS 8.6 RU3 (not upgraded from the previous version), members of the default "Symantec Level 2 Workers" role can view the filter results report under Manage > Computers for Basic and Query Builder filters. However, members of the same role on previous versions, or on 8.6 RU3 upgraded from previous versions, get a spinning window when attempting to view the same filter reports.

The NS logs show something like the following:

Failed to load item: 493435f7-3b17-4c4c-b07f-c23e7ab7781f, Default

The current user 'testuser1' does not have required permission 'read' to load item: 493435f7-3b17-4c4c-b07f-c23e7ab7781f
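
To see which users and item GUIDs are affected, the denial messages can be grouped per item and permission. The script below is an added example, not Broadcom's code: it assumes only the message wording quoted above (no particular log file layout), and every sample line after the first two is constructed.

```python
import re
from collections import defaultdict

# Message text as quoted in this article; timestamps, wrappers and file
# layout of the real NS logs are deliberately not assumed.
DENIED = re.compile(
    r"The current user '(?P<user>[^']+)' does not have required permission "
    r"'(?P<perm>[^']+)' to load item: (?P<item>[0-9a-fA-F-]{36})"
)

# Constructed sample: first two lines are from the article, the rest are made up.
SAMPLE_LOG = """\
Failed to load item: 493435f7-3b17-4c4c-b07f-c23e7ab7781f, Default
The current user 'testuser1' does not have required permission 'read' to load item: 493435f7-3b17-4c4c-b07f-c23e7ab7781f
The current user 'testuser1' does not have required permission 'read' to load item: 493435f7-3b17-4c4c-b07f-c23e7ab7781f
The current user 'TESTUSER2' does not have required permission 'read' to load item: 493435F7-3B17-4C4C-B07F-C23E7AB7781F
The current user 'testuser2' does not have required permission 'write' to load item: 00000000-0000-0000-0000-000000000001
Some unrelated informational line
"""

def summarize_denials(lines):
    """Return {(item_guid, permission): {user: hit_count}} for denied loads."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = DENIED.search(line)
        if not m:
            continue
        # Account names and GUIDs are case-insensitive; normalise them so
        # one user or item is not counted as several.
        key = (m["item"].lower(), m["perm"].lower())
        summary[key][m["user"].lower()] += 1
    return {k: dict(v) for k, v in summary.items()}

def report(summary):
    """One line per item/permission, items with the most affected users first."""
    rows = sorted(summary.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [
        f"{item} missing '{perm}': "
        + ", ".join(f"{u} x{n}" for u, n in sorted(users.items()))
        for (item, perm), users in rows
    ]

if __name__ == "__main__":
    for row in report(summarize_denials(SAMPLE_LOG.splitlines())):
        print(row)
```

Running the same summary on an upgraded server and on a clean install shows which item GUIDs the role can read on one and not on the other.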

 

Steps to duplicate issue:

1. In the ITMS 8.6 RU1 release, create a new account.
2. Clone the "Symantec Administrators" role and add the newly created account.
   Log in to the SMP Console and check that the cloned admin role has access to the Item Tracking functionality.
3. Perform the upgrade to 8.6 RU3.
4. Check that the admin role cloned in 8.6 RU1 before the upgrade now doesn't have access to the Item Tracking functionality.

 

Environment

ITMS 8.6

Cause

Known issue. Changes were made to the security checks to improve the handling of View/Change privileges.

 

The QA team has verified this for a clean-installed SMP 8.6 RU3, and I see that the "Level 2 Worker" role still has "Read" and "Write" permissions inherited for the root "Data Classes" folder (although it should not have).

They've compared all available config files between the 8.6 RU2 release and the 8.6 RU3 release and found only 2 different config files where the "Symantec Level2 Workers" role is mentioned for granting permissions:

1. In SMF 8.6 RU3, "SoftwareManagement_ResourceDataClasses.config" contains grant permissions for the Level1 and Level2 workers roles.
2. In "Task Management", there is a "TaskManagement_TaskTypeFolders.config" which differs between the 8.6 RU2 and 8.6 RU3 releases.

Resolution

Some fixes were added in ITMS 8.6 RU3 to handle some issues with "Non-admin" security roles.

The "Symantec Level 2 Workers" role now has read and write access to more Data Classes on a clean-installed SMP 8.6 RU3 release. This is expected as a result of security fixes in 8.6 RU3.

Note:
The "Symantec Level 2 Workers" role doesn't have read/write permissions to more Data Classes if ITMS 8.x is upgraded to 8.6 RU3 or 8.7, so this new behavior applies only to a clean-installed SMP 8.6 RU3 or SMP 8.7.