Quick query to list inherited right (undue) after SP2 upgrades
Update! Added the Dataclass and Filters top level items as they also needed fixing. Also I added a reference to my original SP1 to SP2 upgrade post, with steps for fixing the issue .
I attended an upgrade for a customer installing MP1.1 on 4 servers in hierarchy (1 parent, 3 children). We had some minor problems when we got started but nothing major:
- 2 servers (including the parent) did not have the MP1.1 upgrade option because SMP 7.1 SP2 was not appearing as installed in SIM. We just ran the upgrade as a new installation.
- The parent configuration went much to fast to be healthy. In effect it did not install most of the products, so we ran the "aexconfig /configureall" manually and this fixed the environment
- One role had been granted undesired rights (inherited from the hidden parent folder) on main console locations: "Reports", "Console menu", "Settings" and "Resource".
To solve the latest issue we crafted a report based on the following diagram to list the items that roles had access to when they should not:
From this we crafted the following query:
/* Resource Management guid = 'fec994ae-1787-44c2-b5ec-e94d210838c9' Reports guid = '4d4d03c6-cb51-4502-886f-13f756198b1b' Settings guid = '5d9e00c1-146f-478b-a94d-ccbbe89e0347' Tasks = '297171fd-395f-41d8-a482-ea4271bc9572' Console menu = 'a2145b77-3df4-4b99-b36d-817d82b920a2' Filters = 'a725fb57-09e1-4e9f-bb13-b4600094cf61' All dataclass = 'fdbbeaae-56ed-4c15-8325-79f1fe1a27f3 */ select i.name as 'Security Role', i2.name as 'Object', stp.permissionguid from SecurityACEData ace join SecurityTrusteePermission stp on ace.TrusteePermissionId = stp.id join SecurityTrustee t on stp.trusteeguid = t.guid join Item i on t.Guid = i.Guid join Item i2 on ace.entityguid = i2.guid where Inherited = 1 and EntityGuid in ( 'fec994ae-1787-44c2-b5ec-e94d210838c9', '4d4d03c6-cb51-4502-886f-13f756198b1b', '5d9e00c1-146f-478b-a94d-ccbbe89e0347', '297171fd-395f-41d8-a482-ea4271bc9572', 'a2145b77-3df4-4b99-b36d-817d82b920a2', 'a725fb57-09e1-4e9f-bb13-b4600094cf61', 'fdbbeaae-56ed-4c15-8325-79f1fe1a27f3' ) /* and i.name not in ( 'Symantec Level 1 Workers', 'Symantec Level 2 Workers', 'Symantec Administrators', 'Symantec Supervisors', 'Symantec Guests', 'Patch Management Administrators', 'Patch Management Rollout' )*/ order by i.name
Interestingly enough beware of the result as the effective permissions for specific group can be inherited from other groups as we have role hierarchy that can be implemented (inheriting from the other roles a role is in).