Symantec Management Platform Security Privileges

Article:DOC1740  |  Created: 2009-01-22  |  Updated: 2009-01-22  |  Article URL http://www.symantec.com/docs/DOC1740
Article Type
Documentation

Description



System privileges

Privilege Description
Change Security Lets you change the security configuration on the Symantec Management Platform.
You can create security roles, assign privileges and users to security roles, and assign permissions to management items for each role.
Import XML Lets you create an item or resource in the Symantec Management Platform by importing information that is stored in a specially structured XML file. Creating an item this way bypasses all security checks.
For example, a user can create a report by importing its XML even when the user does not have the Create Reports privilege or the Create Children permission to the folder in which the report is stored.
This privilege is very security sensitive. By default, it is granted only to the Symantec Administrators role and should not be granted to non-administrators.
Manage Hierarchy Replication Lets you create and run hierarchy replication rules. The hierarchy replication rules specify what is being replicated to the parent Notification Server and to any child Notification Servers.
View Security Lets you view the security configuration on the Symantec Management Platform. This information includes details of the security roles, and the users, privileges, and permissions that are assigned to each role.
Edit SQL Directly Lets you create or modify SQL queries in reports and filters. If a user is proficient in SQL and familiar with the CMDB, this lets them write very specific, efficient reports. However, it can also be used to avoid security checks. For example, a user can write a query that accesses resources that are outside their scope (i.e. the resources are not contained in the organizational groups that the user has permission to view).
Warning: Poorly written SQL queries can return incorrect results or be inefficient, consuming excessive memory and CPU time on the CMDB computer. Also, a malicious SQL query can delete, modify, or add data anywhere in the CMDB. Therefore, this privilege is very security sensitive and is only granted to the Symantec Administrators role by default.
If you let security role members edit SQL directly, you should use the report-specific application to force reports to use an account with restricted CMDB access.
Manage Hierarchy Topology Lets you add your Notification Server to a hierarchy, or remove it from a hierarchy. You can add your Notification Server (the one that you are logged into, which may be a remote logon) to a hierarchy as a child of an existing remote Notification Server, or as its parent.
You require this privilege on both Notification Servers to create or change a hierarchical relationship between them.
Take Ownership Lets you take ownership of a security entity. This grants the new owner full permissions on the entity. For example, you would need to take ownership if all permissions on the entity were accidentally removed.
 

Agentless Inventory Privileges

Privilege Description
Read SNMP Table Lets you access the SNMP Table Mappings page for initial viewing.
Import SNMP Table XML Lets you import SNMP Table mapping definitions as .XML.
Manage SNMP Tables Lets you create, delete and edit existing SNMP user tables.
Note: pre-defined tables cannot be edited.
Test SNMP Table Mappings Lets you use the test SNMP functionality on the SNMP Table Mappings page.
 

Application Metering Privileges

Privilege Description 
Create Application Monitor Policies Still to be written.

 

Console Privileges

Privilege Description
Create Portal Pages Lets you create new portal pages. A portal page is a Symantec Management Console page that you can customize to suit your requirements. You can use a portal page to consolidate key information into a single, easy-to-view page. A portal page can display the status of the Symantec Management Platform and managed computers, or any other information that you want to make available. For example, you can include external web pages, intranet pages, RSS feeds, or your own applications.
You need to have the Create Children permission on the folder in which you want to create the new portal page.
Create Web Parts Lets you create new Web parts. Web parts are mini web pages that you can use as the building blocks for portal pages. A Web part can display a report or the contents of a web page.
You need to have the Create Children permission on the folder in which you want to create the new Web part.
Create Views Lets you create new views. A view is a two-pane layout with a navigation tree in the left pane and content in the right pane. The navigation tree contains links to Symantec Management Console items and lets you group items from different parts of the console into a suitable structure. An item may appear multiple times in a view, and in any number of different views. A view can include folders, item links, and Web links.
Edit Console Menu Lets you customize the Symantec Management Console menus. The menu options that are supplied with the Symantec Management Platform are read-only and cannot be modified. You can add new submenus, and can modify them as necessary. You can move or delete any menu item, except those that have been designated as read-only.

Event Console Privileges

Privilege Description 
Alert Actions Lets you interact with alerts in the Event Console grid, including the acknowledging, resolving, changing severity of, and filtering of alerts. This privilege also allows you to launch the Resource Manager for the source resource of an alert.
Enable Forward Rules Lets you enable and disable event console forwarding rules.
Modify Event Console Settings Lets you change Event console settings, including Auto Resolving normal severity alerts, how long resolved alerts are displayed in the Event console, and alert purging settings.
Modify Forward Rules Lets you create, view, and edit event console forwarding rules.
Enable Filter Rules Lets you enable and disable event console filtering rules.
Enable Task Rules Lets you enable and disable event console task rules.
Modify Filter Rules Lets you create, view, and edit event console filtering rules.
Modify Task Rules Lets you create, view, and edit event console task rules.

Software Management Framework Privileges

Privilege Description
Create and Import Software Resources Lets you create or import software resources.
A software resource is the meta data that describes a specific instance of a software product. A software resource provides a common way to describe the software so that all software-related actions can identify it accurately.
Typically, you should give software resource privileges to the users who deliver and manage software. The Symantec Software Packagers role has this privilege by default.
Create Software Library Lets you create the Software Library.
The Software Library is the physical directory location of the package files that are associated with the software in the Software Catalog. Because the Software Library is a repository of the definitive, authorized versions of the packages, you should restrict access to the library to maintain its integrity.

 

Connection Profile Privileges

Privilege Description 
Create Connection Profile Lets you create new connection profiles.

Management Privileges

Privilege Description
Create Agent Settings Lets you create a new targeted agent settings policy, or clone an existing policy. The targeted agent settings are the general parameters that control the Altiris Agent, including how the agent communicates with Notification Server.
Create Filters Lets you create new resource filters. A resource filter, usually known as a filter, is a dynamic definition of a set of resources. Filters are used with organizational groups to identify the resources (a resource target) that a task or policy applies to.
Create Organizational Groups Lets you create new organizational views and groups. An organizational view is a hierarchical grouping of resources (as organizational groups) that reflects a real-world structure, or "view", of your organization.
Create Resource Targets Lets you create new resource targets. A resource target, usually known as a target, is a framework that lets you apply tasks and policies to a dynamic collection of resources. A target consists of at least one organizational view or group, and a number of filters. The filters refine the available resources to identify those that you want.
Create Automation Policies Lets you create new automation policies. An automation policy is dynamic and specifies automated actions to perform on client computers or the Notification Server computer. It targets the appropriate computers when the policy is activated and performs whatever action is required based on the current state of each target computer.
Create Maintenance Windows Lets you create a new maintenance window policy, or clone an existing policy. A maintenance window is a scheduled time and duration when maintenance operations may be performed on a managed computer. A maintenance window policy defines one or more maintenance windows.
Create Reports Lets you create a new report, or clone an existing report.
Create Jobs or Tasks Lets you create a new job or task, or clone an existing job or task.

Monitor Solution Privileges 

Privilege Description 
Read Access to Monitor Solution UI Allows you to view Monitor Solution items in the Symantec Management Console. For example, this privilege lets you view rules within the Rule Library.
Write access to Monitor Solution UI Allows you to modify Monitor Solution items in the Symantec Management Console. For example, this privilege lets you edit rules within the Rule Library.
Launch Performance Viewer Lets you launch the real-time performance viewer to view performance data of a monitored computer.

Real-Time Console Infrastructure Privileges

Privilege Description 
Allow data modification Still to be written.
Power management Still to be written.
Control unmanaged resources Still to be written.
Use Real-Time Console Infrastructure Still to be written.

Right-Click Menu Privileges

Privilege Description  Applies to Item Types Additional Requirements
Add to organizational group Lets you add a resource to an organizational group. All resources Write permission on the organizational group.
Edit Item Link Lets you modify an item link. Item links only Write permission on the item link.
Edit View Lets you edit a view. Views only Write permission on the view.
Schedule Lets you schedule a policy. Policies only Write permission on the policy.
Start Task Lets you start a task immediately. Tasks only Run Task permission on the task.
Edit Rule Lets you edit an inventory rule. Inventory rules only Write permission on the inventory rule.
Stop Task Lets you stop a task immediately. Tasks only Run Task permission on the task.
Edit Web Link Lets you modify a Web link. Web links only Write permission on the Web link.
Schedule Task Lets you schedule a task. You can set the task to run once at a particular time, or to repeat at regular intervals. Tasks only Run Task permission on the task.
Delete Lets you delete an item. All item types Delete permission on the item.
 

Right-click Menu - User Defined Privileges

Privilege Description  Applies to Item Types Additional Requirements
New Right-Click Action Lets you create a new user-defined action. The action may be a command that is executed on the managed computer or on the Notification Server computer. The action may be a URL that opens a Web page or another page in the console. The new action is added to the right-click (context) menu for the appropriate resource types.    
Ping Computer Lets you perform a TCP/IP ping on a computer. Computer resources only Read permission on organizational group that contains the computer.

Right-click Menu - Hierarchy Privileges

Privilege Description  Applies to Item Types Additional Requirements
Disable Replication Lets you prevent an item from participating in hierarchy replication.
All configuration and management items, and security roles and privileges are replicated by default. This option is available only when custom hierarchy replication rules are used.
All item types Manage Hierarchy Replication privilege, Write permission on the item.
Replicate Now Lets you replicate selected data directly from a Notification Server to all its child Notification Servers without including it in a replication rule. This operation is a once-off replication that takes place immediately. All item types Manage Hierarchy Replication privilege, Write permission on the item.
Enable Replication Lets you allow an item to participate in hierarchy replication.
All configuration and management items, and security roles and privileges are replicated by default. This option is available only when custom hierarchy replication rules are used.
All item types Manage Hierarchy Replication privilege, Write permission on the item.

Right-click Menu - Actions Privileges

Privilege Description  Applies to Item Types Additional Requirements
Assign Type Assigns a type to an unassigned software resource in the Software Catalog. An unassigned software resource is one that is not categorized as a software release, an update, or a service pack. Before anyone can act upon a software Software resources only  
Detailed Export Exports a software resource and any of its associated resource information to a detailed .XML file. Software resources only  
Edit Command Line Opens the selected command line for editing within the software resource editing page. Software resources only  
Edit Software Resource Opens the selected software resource for editing. Software resources only  
Merge Company Resource Merges the selected company resource with another company resource. This privilege is useful if you have two entries for the same company that might be spelled slightly differently, such as “Symantec” and “Symantec Corporation”.    
Create Installed Software Filter Creates filters to find managed computers by the software that is installed on them. Software resources only  
Edit Package Opens the selected package for editing within the software resource editing page. Software resources only  
Import Package Changes a package’s source to the Software Library from a different source such as a directory on the server or a UNC path. Software resources only  
Resolve Duplicate Software Resources When two software resources represent the same software but have different identifiers, this dialog box lets the user associate both identifiers with one software resource. Software resources only  

Right-click Menu - Set Asset Status Privileges

Privilege Description  Applies to Item Types Additional Requirements
Active Sets the status of the selected resource as active. Resources only Write permission on organizational group that contains the resource.
Retired Sets the status of the selected resource as retired. Resources only Write permission on organizational group that contains the resource.

Legacy ID



45213

