Adding domain users or groups to Notification Server (NS) Security Roles

Article ID: 152911

Updated On:

Products

IT Management Suite Client Management Suite

Issue/Introduction

When you (the administrator) perform the following actions, you expect to be allowed to add the domain user or group under the Members tab:

  1. In Symantec Management Console, click Settings > Security > Account Management.
  2. Select the Roles node.
  3. Select any Security Role and attempt to add domain users or groups under the Members tab.

After performing these actions, however, you are unable to select any domain users or groups. You are only given the option to select Accounts or Roles.

Another Use Case:

  1. You have a Domain Group called 'Testing\Domain Users'
  2. This domain group has approximately 65 User accounts in it
  3. You want to add the Domain Group into the Security Accounts and be able to give Admin Rights to the Domain Group, letting all those users have the same permissions without having to add each user individually into the SMP Console.

Suggestion:

  1. Go to Settings>Security>Account Management
  2. Under Accounts, add a new account and name it 'Testing\Domain Users' (use any name of your choice)
  3. Select the new 'Testing\Domain Users' account. Under the General tab, click 'Add Credentials'>Windows, enter 'Testing\Domain Users' under 'username', and then add the Full Name 'Domain Users Group'
  4. Under the 'Member Of' tab, add the role 'Symantec Administrators'
  5. Under Roles> Symantec Administrators, you can see that the new 'Testing\Domain Users' is listed

When you log in to the SMP Console using your own user account (which is a member of 'Testing\Domain Users'), you should see only the top menus and be denied access in all of the left-pane tree views.

Environment

ITMS 8.x

Cause

This is expected behavior.

Role memberships are managed as resource associations between Roles and Trustees (Roles and Accounts). Only managed Roles or Accounts can be added as members of a Security Role.

Resolution

To support the Symantec Management Platform scenario where you want to add a user or a domain group to a Security Role, perform the configuration steps below:

   1. Configure an Active Directory import rule to import the domain group.
        a) In the SMP Console, go to Actions>Discover>Import Microsoft Active Directory
        b) Use or create a 'Role and Account' AD Import rule.
        c) Select the Domain Group (in this case, it should be a Security Group in AD) and run the AD Import

      NOTE: This creates a Symantec Management Platform Role/Account for the domain group/user. Members of the domain group are created as either Roles or Accounts.
      
   2. Add the new Role created by step 1 to the appropriate Security Role. For example, if you want to add a domain group named "Testers" to the Symantec Management Platform role, do the following:

       1. Configure a 'Role and Account' AD Import rule to import the "Testers" domain group.

            NOTE: This creates a new Role named "Testers". The new Role contains all of the members of the "Testers" domain group.
      
       2. Add the new "Testers" Role to the Symantec Management Platform Role, for example the Symantec Administrators Role.
           a) In the SMP Console, go to Settings>Security>Account Management.
           b) Under the treeview>Account Management, click on 'Roles'
           c) Find the "Testers" Domain Group Role created from your 'Role and Account' AD Import rule
           d) Under the 'Members' tab you should see all the users and other groups that are associated with that "Testers" Group role
           e) Under 'Members Of' tab, add the Security Role desired.