
How to find out a Security Role's assigned permissions and privileges

Created: 13 Dec 2013 • Updated: 13 Dec 2013 | 7 comments
SK's picture

As the 7.1.2 MP1.1 v7RU Console does not contain any reports that display this information, the following two queries will help you achieve this goal:


-- display all privileges associated with one (or more) security roles.
-- run this as its own batch: both queries on this page declare @my_role.

declare @my_role varchar(max)
-- set @my_role='%Security Role%'   -- match the role name anywhere
set @my_role='symantec admin%'      -- role name prefix to report on

    select vsr.name [Role],
        v5.name [Solution], spdg.NameRef [Privilege Type], sp.Name [Privilege]
        -- , st.Trustee
    from SecurityRole vsr
        -- privileges are granted to the role's trustee record, not to the role item
        left join SecurityPrivilegeTrustee spt on spt.TrusteeGuid = vsr.TrusteeGuid
        left join securityprivilege sp on sp.guid = spt.PrivilegeGuid
        -- the display group supplies the privilege type and the owning solution
        left join securityprivilegedisplaygroup spdg on spdg.guid = sp.DisplayGroupGuid
        left join vitem v5 on v5.guid = spdg.Solution
        -- left join SecurityTrustee st on st.guid = vsr.TrusteeGuid
    where vsr.name like @my_role
    order by [Role], [Solution], [Privilege Type], [Privilege]


-- for a given security role
-- display all the non-inherited security permissions.
-- run this as its own batch (it declares @my_role again).

declare @my_role varchar(max)
-- set @my_role = '%Security_Role%'   -- match the role name anywhere
set @my_role = 'symantec admin%'      -- role name prefix to report on

    -- working table: one row per (role, permission, item) for explicit grants only
    declare @c1 table (
        zRole varchar(max),
        zGroup varchar(max),
        zPerm varchar(max),
        zInherited int,
        zguid uniqueidentifier,
        zItemName varchar (max),
        zClassName varchar (max),
        zParentGuid uniqueidentifier
        )

    -- get all the "easy" stuff about each item.
    insert into @c1
    select sr.Name, spdg.NameRef , sp.name,
        sa.Inherited,  sa.Entityguid,
        v1.name, c.Type, vif.ParentFolderGuid
    from
        SecurityRole sr
        left join SecurityTrusteePermission stp on stp.TrusteeGuid = sr.TrusteeGuid
        left join SecurityPermission sp on sp.guid = stp.PermissionGuid
        left join SecurityPermissionDisplayGroup spdg on spdg.guid = sp.DisplayGroupGuid
        -- inner join: only rows with an actual ACE on an item survive
        join SecurityACENonResource sa ON sa.TrusteePermissionId = stp.[Id]
        left join vitem v1 on v1.guid=sa.Entityguid
        left join class c on c.guid = v1.ClassGuid
        left join vItemFolder vif on vif.ItemGuid = sa.Entityguid
    where sr.name like @my_role
        and sa.Inherited = 0   -- explicit grants only; inherited ACEs are excluded

    -- select * from @c1 c1

    -- now include the path to the item, this is faster after limiting to just non-inherited permissions
    select
        c1.zRole [Role],
        -- walk the folder ancestry (deepest first) and flatten it into one string
        (SELECT v2.name + '; '
        FROM FolderBaseFolder fbf
            left join vitem v2 on v2.guid=fbf.ParentFolderGuid
        WHERE fbf.FolderGuid = c1.zParentGuid
            and fbf.ParentFolderGuid <> '00000000-0000-0000-0000-000000000000'
        ORDER BY fbf.depth desc
        FOR XML PATH('')
        ) AS [Path],
        c1.zItemName [Item],
        -- c1.zClassName [ItemClass], c1.zguid [ItemGuid],
        c1.zGroup [Permission Type], c1.zPerm [Permission]
    from @c1 c1
    group by c1.zRole, c1.zGroup, c1.zPerm, c1.zItemName, c1.zguid, c1.zParentGuid, c1.zClassName
    order by c1.zRole, [path], c1.zItemName, c1.zGroup, c1.zPerm

script_end:
    -- clear the working table before the batch ends
    delete @c1

Comments (7)

LS05's picture

This is helpful. :)

Thanks.

SK's picture

You're most welcome.

Connect Etiquette: "Mark as Solution" those posts which resolve your problem, and give a thumbs up to useful comments, articles and downloads.

Falquian's picture

Thanks for providing all these reports, SK

They are really helpful.

Kind regards:

     Falquian

If this post is useful to you, remember to mark it as a solution ;)

JStrecko's picture

Very useful.

Do you know a way to add or modify role permissions on resources (organisational views, items, ...) by script?

I have to add permissions to 100 roles on distinct organisational views, filters, etc.

I have thought about editing directly in the DB, but I would miss many things and break some relations.

The SDK seems limited to privileges, create role .... permissions???

Thank you

SK's picture

Yes, the ASDK allows you to configure privileges for a role, because they are both related entities.

Permissions, on the other hand, are related to items (objects).

I agree that it would be nice to have a security permissions method; however, it will most likely be very complex.

The easiest way to set up multiple roles with the same permissions is to create and configure one role, and then clone and rename it.

Obviously it will be possible to assign permissions directly via SQL manipulation; however, the queries will most likely be quite complex.

Connect Etiquette: "Mark as Solution" those posts which resolve your problem, and give a thumbs up to useful comments, articles and downloads.

Falquian's picture

SK: I'd like to include another report in this set of reports: a report showing the members of a security role. I think that with this last report you have the full "view" of a security role.

In this thread (https://www-secure.symantec.com/connect/forums/altiris-security-roles-audit-report#comment-9727841) there is the following query that may be of help:

-- list the members of every security role (role in [Group], member in [Member])
select vi.name as [Group], v2.Name as Member
from [ResourceAssociation] ra
join vitem vi on vi.guid = ra.ParentResourceGuid
join vitem v2 on v2.guid = ra.ChildResourceGuid
where ra.ResourceAssociationTypeGuid = '63468F04-6751-448D-891C-B59906360A27'
order by [group]

Thanks again for providing these reports:

Falquian

Kind regards:

     Falquian

If this post is useful to you, remember to mark it as a solution ;)

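The article's privilege query and the role-members query above can be joined into one audit view that answers the question a reviewer actually asks: which account holds which privilege, and through which role. This is an added example, not code from the article or the thread; it assumes SecurityRole.Guid is the role's vItem guid (the ParentResourceGuid side of the membership association) and uses the association type GUID quoted in the thread.

```sql
-- Added example: per-member privilege audit for roles matching @my_role.
-- Assumes SecurityRole.Guid is the role item guid used as ParentResourceGuid
-- in the membership association. Run as its own batch.
declare @my_role varchar(max)
set @my_role = 'symantec admin%'      -- role name prefix to audit

select
    sr.Name        as [Role],
    v2.Name        as [Member],          -- user, group, or nested role
    v5.Name        as [Solution],
    spdg.NameRef   as [Privilege Type],
    sp.Name        as [Privilege]
from SecurityRole sr
    -- membership association: parent = role, child = member
    join ResourceAssociation ra on ra.ParentResourceGuid = sr.Guid
        and ra.ResourceAssociationTypeGuid = '63468F04-6751-448D-891C-B59906360A27'
    join vItem v2 on v2.Guid = ra.ChildResourceGuid
    -- privileges granted to the role's trustee (same joins as the article's first query)
    left join SecurityPrivilegeTrustee spt on spt.TrusteeGuid = sr.TrusteeGuid
    left join SecurityPrivilege sp on sp.Guid = spt.PrivilegeGuid
    left join SecurityPrivilegeDisplayGroup spdg on spdg.Guid = sp.DisplayGroupGuid
    left join vItem v5 on v5.Guid = spdg.Solution
where sr.Name like @my_role
order by [Role], [Member], [Solution], [Privilege Type], [Privilege]
```

Members that are themselves roles appear as a single [Member] row; the query does not recurse into nested role membership, so run it again with the nested role's name to expand them.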
SK's picture

Yes, that query displays a role's members.

Connect Etiquette: "Mark as Solution" those posts which resolve your problem, and give a thumbs up to useful comments, articles and downloads.
