This is intended to address the scenario where there are multiple groups of users who are responsible for different groups of computers but will be performing the same actions on their scope of resources.
Since security roles are additive, two roles are needed per user:
- One role for only the actions they should be able to perform (patch, deliver software, etc.)
- One role that allows them to see a group of computers
Doing this greatly limits the administrative overhead. Make adjustments to the first role to define what actions they can take in the console, and make adjustments to the second role to define which computers each role can access.
Then, when users are added, they are added to two roles: one for the group of computers they are to manage and the other for the types of actions they can take on those computers.
Computer access is handled in the Organizational Views and Groups area. The most common location for this is the Organizational Groups created by an Active Directory Import.
For the purposes of this document, we will assume we are using Organizational Groups that are based on an imported Active Directory OU structure.
Note: This document assumes that a Trustee import has already been done through the Microsoft Active Directory Import page so that there are users to add to the roles.
To access only a particular OU
- In the Symantec Management Console go to Settings> Security> Account Management
- Select "Roles"
- Click the "Add" button to create a new role
- Name it appropriately to represent the group of computers this role will have access to
- Select "Show Security Role Manager Console" at the bottom of the page
- Change the "View:" dropdown to "Resources"
- Click the blue "plus" icon at the top of the left pane
- In the "Add Permissions" dialog box click the "Folder:" drop down
- Expand Resource Management, then Organizational Views, then Active Directory Domains
- Click on your top level domain name
- This will populate the lower pane where you can select the desired OU.
- Select your OU and press the right arrow to move it into the "Selected items:" pane
- Press OK
- By default, this gives the role read for only the selected OU
- Click the radio buttons for "Read Resource Associations" and "Read Resource Data"
- If the users of the role should also be able to edit and delete the computers, give them the additional rights
- Save changes
For this example, we will focus on Patch, but any desired role could be cloned to achieve the same result.
For the patch rights role we remove rights to computers, since users will get those rights from the role created in the first step.
- Clone the desired role, in this case "Patch Management Administrators", and name it something like "Patch Admins"
- Select the newly cloned role and click "Show Security Role Manager Console" at the bottom of the page
- Select "Resources" from the "View:" drop down
- Select the top level "Resource Management"
- Uncheck "Read" and "Write"
- Save changes
- Select the "Filters" folder located directly under "Resource Management"
- In the right-hand pane check "Read" and "Write"
- Save changes
- Click the blue plus sign to add additional rights
- In the "Add Permissions" dialog, Expand Resource Management
- Click Organizational Views which will populate the lower left pane.
- Click on Default and move it over to the "Selected Items:" right-hand pane
- Make sure that "Read", "Write", "Read Resource Data", "Read Resource Association", "Write Resource Data" and "Write Resource Association" are selected
- Save changes
- Expand Resources> Organizational Views> Default> All Resources> Asset> Network Resource and select Computer
- With "Computer" selected, click "Advanced" in the lower right-hand corner
- Uncheck the box for "Inherit the permissions from the . . ."
- Click Save changes
- In the new popup, click COPY. VERY IMPORTANT: DO NOT CLICK REMOVE
- Select the name of the new role you created, such as "Patch Admins", and click the red X to remove its rights to all computers
- Save changes
Add a user to both of the newly created roles and test.
Create additional roles as defined in the first step for as many groups of users as needed.
Note: Tested on ITMS 8.0 and above.