KNOWN ISSUE: Unable to create Security role to push the Symantec Management Agent: Getting 'Access Denied' in the Symantec Management Agent Install page

Article:TECH185996  |  Created: 2012-04-06  |  Updated: 2013-03-15  |  Article URL http://www.symantec.com/docs/TECH185996
Article Type
Technical Solution


Issue



Customer is trying to create a Security Role that can push out the Symantec Management Agent.  In testing it has been found that the only group that has rights to access the push page is the Symantec Administrators role.  No other role has the rights to do so, and we are unable to create a role that can push the agent via the push page.

So far, when the customer uses any custom or default security role and tries to access the Symantec Management Agent Install page, they get the following:

"Access Denied

You currently do not have sufficient network access rights to the Notification Server console.

Reason: You do not have required permission or privilege to load the item, please contact the system administrator. "


Error



"Access Denied

You currently do not have sufficient network access rights to the Notification Server console. Reason: You do not have required permission or privilege to load the item, please contact the system administrator. "


Environment



Symantec Management Platform 7.1 SP2, 7.1 SP2 MP1


Cause



There is an item that is hidden so we can't access it to provide the proper rights.


Solution



This issue has been reported to Symantec Development team. A fix should be available in a future release.

There is a fix available that should make the necessary changes to the permissions. See the attached "Fix_eTrack2733060_7_1_SP2_Hidden_Full_Control_Folder_permission.zip".

Note: This is only a configuration change. If this issue is present on ITMS 7.1 SP2 MP1, this fix will resolve it (provided there is no other problem).
If you run a repair on your SMP after applying this fix, you will need to run the fix again.
Rollups will not overwrite the fix.


How to Install Fix:

1. Download and extract the zip file "Fix_eTrack2733060_7_1_SP2_Hidden_Full_Control_Folder_permission.zip"
2. Run 'Install.cmd' as Administrator (right-click>Run as Administrator) on your SMP Server
3. It will open a command prompt window and execute the necessary changes (reconfiguring the folder permission and updating the item XML)

 

*************************************************************************************

The previous workaround (as reference if the fix above didn't work) was the following:

  1. The first step is to export two items that are needed for that page to load, using the following commands.  The paths may need to be adjusted depending on customer environments.
    • C:\Program Files\Altiris\Notification Server\Bin\Tools>ImportExportUtil.exe /export 124d0571-4725-466c-8f43-998160d3cff2 c:\Temp
    • C:\Program Files\Altiris\Notification Server\Bin\Tools>ImportExportUtil.exe /export B1238E4D-F821-4A77-94B5-7A3B4B312E9F c:\Temp
    • C:\Program Files\Altiris\Notification Server\Bin\Tools>ImportExportUtil.exe /export F1A08C61-4F14-4C0F-9E57-EB79D43F1334 c:\Temp
  2. Next import the policies into a visible folder so that we can modify the permissions.
    • Go to Settings> Agents/Plug-ins> Symantec Management Agent. 
    • Right click on the 'Settings' folder and select Import.  Import the files that were exported in the previous step one at a time.
  3. Open security and add the desired role to the needed folder.
    • Go to Settings> Security> Permissions.
      • Select ‘Symantec Level 2 Workers’ or the desired role in the Role: drop down.
      • Select ‘Settings’ from the View: drop down
      • Expand the tree Settings> Agents/Plug-ins> Symantec Management Agent. 
      • Select the ‘Settings’ folder
      • Click the ‘Advanced’ button
        • Within this section, add the ‘Symantec Level 2 Workers’ or desired role using the plus button, unless it already exists with a status of Not Inherited.
        • Give the role full control
        • Check the box ‘Replace permissions on all child objects’
        • Save changes and close the window
      • Save changes and close the window
  4. Verify that the role can now access the page. You may need to close the console and open it again.

If the role is able to access the page, we need to move the items back to their default folder, using the following commands in SQL Management Studio.
NOTE: Importing the items back into the correct folder overwrites the security, essentially breaking it again.  That is why this was chosen as the method to move them back.

    • EXEC spItemMoveToFolder @ItemGuid = '124d0571-4725-466c-8f43-998160d3cff2', @FolderGuid = '7C28DA7A-B9A9-4A52-A639-D57F8A287A7D'
    • EXEC spItemMoveToFolder @ItemGuid = 'B1238E4D-F821-4A77-94B5-7A3B4B312E9F', @FolderGuid = '7C28DA7A-B9A9-4A52-A639-D57F8A287A7D'
    • EXEC spItemMoveToFolder @ItemGuid = 'F1A08C61-4F14-4C0F-9E57-EB79D43F1334', @FolderGuid = '7C28DA7A-B9A9-4A52-A639-D57F8A287A7D'

       


Supplemental Materials

Source: ETrack
Value: 2733060

