Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Custom Security Role

Created: 14 Feb 2013 • Updated: 25 Feb 2013 | 11 comments
Sean Templeton's picture

I need to create a Security Role that allows select users to run Jobs/Tasks only. I've been successful in allowing the privileges and permissions to run the Jobs/Tasks but I'm having difficulty in the console view itself.

The Menu only shows Manage --> Jobs and Tasks, which is great, but the Console still shows Computers, Policies and Software. Clicking any of these shows the contents and allows the user to view and possibly modify the contents.

Is there a way to "hide" the Computers, Policies and Software from the Console view and only show the Jobs / Tasks?

Thanks.

Comments 11 CommentsJump to latest comment

mclemson's picture

Select the role you created, click Security Role Manager Console, change View to Console Menu, then click the Edit pencil and uncheck any items you don't want them to see in the menu.  This will prevent them from seeing the items in the menu, but they may still be able to access the policies, tasks, or computers (such as by searching).  If you don't want them to have access to resources or items, make sure to also select View: Resources or View: Policies and perform the same steps (unchecking anything you don't want them to have access to).  It's better to make just one change, save the role, and test before performing the next restrictive change.

Does this answer your question?

Mike Clemson, Senior Systems Engineer, ASC
Intuitive Technology Group -- Symantec Platinum Partner
intuitivetech.com

Sean Templeton's picture

Thanks Mike.

I've done all those things and it works for hiding from the menu, but they can still see the Computers, Jobs and Tasks and Policies blades in the Console.

What I did for this scenario was created a new View that only included the Jobs and Tasks and then added the new View to the Manage Menu. Then I modified the permissions on the Manage Menu to only show that View. That essentially hid the blades and now only Jobs and Tasks is available for that role.

Sean

michael cole's picture

Hi Sean, from reading your question I believe there are two more steps to take. Bear with me, this is normally a convoluted setup.

1. Create an Altiris Organisational Group structure to fence off the particular PC's you wish the role to have access to.

and

2. When creating the view in your menu, ensure you start with a blank role, add in the menu structure to a view stemming from the exact point in jobs/tasks you want. It sounds like you have cloned from something that already had a view of those tools, else they would not be there. The alternative is you break inheritance on a larger role and that brings you into a world of pain if you want something tightly locked down.

I've doing some docs on this, I'll paste what I have.

The Altiris OU

  1. Console>Manage>Organisational Views and Groups. To avoid making changes to existing OV’s and keep the security more straightforward, create your structure from the root.
  2. Right click on Organisational Views and select ‘New Organisational view’
  3. Edit the name of the View you just created on the right hand pane.
  4. On the left tree view right click your new Organisational View and select ‘New Organisational Group’. You now have a green wire globe under a blue globe. You may customize this to fit needs.
  5. Select the Organisational Group you are working with and in the right context pane assign resources by clicking ‘Add’ computers then selecting the computers you want to be managed only. When finished press OK and ensure they display under your OG.

The menu view (this example we make their view under the Home menu but can be applied to any menu including makign a new top level)

  1. Create the area/folder under Jobs and Tasks you want to role to see from the menu
  2. Open Settings>Console>Menu
  3. Expand the Home menu, select it and create a New menu. Give it a name ‘Team 1’, show a view and browse to the Folder in Jobs and Tasks.
  4. Show View, select browse on the view root node, point to your folder level created in 1

Michael Cole

Principal Business Critical Engineer

Business Critical Services

michael cole's picture

If you can clarify if you are cloning from Supervisors or something similar you may need additional steps to allow reading of various other things. Appreciate this is quite complicated and custom but let me know if the process gets you on the right track. I've not finished validating my docs on this yet but I am in the process of writing a process that allows a role to have only specific PC's to process, only speicifc tasks to run on those PC's and only a small folder on the console to do it with. The problm is that this doc is now into 6 pages and i'm waning!

Michael Cole

Principal Business Critical Engineer

Business Critical Services

Sean Templeton's picture

Thanks Michael for the great information. I'm not trying to target specific computers or Jobs but more so hide the Policies and Software "blades" in the console. After more research, I don't believe this is possible. Your explanation gave me a few more ideas to try. Good luck on that documentation; this stuff can be a real bear.

Thanks,

Sean

michael cole's picture

OK, how about just removing the menu visibility rather than the items themselves?

ie go to menus as above and break the ability to see them.

Michael Cole

Principal Business Critical Engineer

Business Critical Services

chrismcevoy72's picture

I too have a similar request to hide the Policies and Software "blades" from the bottom left of the console pages (e.g. Jobs / Tasks, or Computers) for specific users.  Maybe the problem lies by us linking the menu items in the custom menu to the Single Page View URL (which obviously shows these blades).

Is there a way to disable the "blades" completely?

HXG's picture

I am interested As well. I dabbled With this almost a year ago.

michael cole's picture

I know how to remove that entirely but not piecemeal.

I've also managed to break it sufficiently to show nothing when they are clicked.

However the security options won't affect the rendering of the actual buttons hence i abandoned the idea of using them and moved the locked down area to another menu that didnt display the activity centre...ie the standard tree on the left.

The way to do that is to not use your "root" from within the 'manage' top level menu, but rather push it to something like "home" or even give it its own custom menu.

If you want people to have access to right click computers then you will have to put them into an Altiris OG and show that in the custom menu. Once you break down the permissions to see too few things the activity centre becomes a waste of empty space and just looks terrible, you are as well creating it 7.0 style.

So really the below screenshot might be not what you want but it might do what you want.

Does this help or answer the question?

Michael Cole

Principal Business Critical Engineer

Business Critical Services

Sean Templeton's picture

Michael

Your view above is basically what I ended up with for one of my Secureity Roles where only Jobs and Tasks need to be available and it seems to work fine. I'm now trying to create a role that only allows the Computers and Jobs and Tasks blades so I want to get rid of or break entirely the Software and Policies tab. Thanks for all your great input.

JeanWilson's picture

Could you provide me a more detailed instruction?  I am creating a role that will only have access to Computers and Jobs/Tasks blade.