Client Management Suite

Hi All,

We are running CMS 7.1 SP1 and We are trying to create a detection check for a managed software delivery for a perticular software but getting error message as below.

Symantec Management Server Error

Internal server error

Description: The server encountered a problem while performing the requested action.

 

The Symantec Management Server log and the Windows Event log may contain useful information. The Symantec Management Server log can be accessed on the server by running "Start" menu > "All Programs" > "Altiris" > "Diagnostics" > "Altiris Log Viewer".

I did checked the Altiris Log Viewer and got the below information:

Log File Name: C:\ProgramData\Symantec\SMP\Logs\a.log
Priority: 1
Help and Support:
Date: 4/20/2012 2:05:41 AM
Tick Count: -2113875697
Host Name: XYZ
Process: w3wp (3236)
Thread ID: 8
Module: w3wp.exe
Source: Altiris.TaskManagement.ClientTask.*
Description: BaseXmlHttpCallback Exception: Altiris.NS.Exceptions.AeXUnauthorizedAccessException: The current user does not have required permission 'read' to load item '37b0ac4c-bdc1-4fb8-ba4b-eaa1bff30ecb'.
   at Altiris.NS.ItemManagement.Item.RaiseItemLoadFlagsSecurityException(String message)
   at Altiris.NS.ItemManagement.Item.CheckCanGetItem(IItem item, IEnumerable`1 accessPermissions, ItemLoadFlags itemLoadFlags)
   at Altiris.NS.ItemManagement.Item.GetItemInternal(Guid itemGuid, IEnumerable`1 accessPermissions, ItemLoadFlags itemLoadFlags)
   at Altiris.NS.ItemManagement.Item.GetItem[T](Guid itemGuid, IEnumerable`1 accessPermissions, ItemLoadFlags itemLoadFlags)
   at Altiris.NS.ItemManagement.Item.GetItem[T](Guid itemGuid)
   at Altiris.NS.ItemManagement.Item.GetItem(Guid itemGuid)
   at Altiris.TaskManagement.ClientTask.BaseWeb.RegisterTaskServer.WriteResponse(XmlTextWriter wr)
   at Altiris.TaskManagement.Common.XmlHttp.BaseXmlXmlHttpCallback.WriteResponseRaw(XmlTextWriter xwr)
   at Altiris.TaskManagement.Common.XmlHttp.BaseXmlHttpCallback.ProcessRequest(HttpContext context)

Log File Name: C:\ProgramData\Symantec\SMP\Logs\a.log
Priority: 1
Help and Support:
Date: 4/20/2012 2:06:01 AM
Tick Count: -2113855745
Host Name: XYZ
Process: w3wp (3236)
Thread ID: 74
Module: w3wp.exe
Source: ResourceItem::SaveResourceDataSet
Description: An unexpected exception has occured (GUID: d9a0694a-2322-4eef-b46f-e322aaae012f, DataClassTable: Inv_Inventory_Rule, Exception: Altiris.NS.Exceptions.AeXSecurityException: The caller ('cb\XYZ') does not have one or more of the specified permissions on the specified items.
   at Altiris.NS.Security.SecurityMonitor.Demand(ItemPermissionEntryCollection entries)
   at Altiris.NS.Security.ItemPermission.Demand()
   at Altiris.Resource.ResourceDataTable.Save()
   at Altiris.Resource.ResourceData.Save_Impl(Boolean dataClassDataChanged, Boolean associationDataChanged, ResourceAssociationDataCollection resourceAssociationsToLoad))

Is there any admin  rights issue? Please help me get the proper resolution for the same.

Thanks in Advance!

Sounds like a rights issue.  What roles is this user a part of?  Do you receive the error if you run this as a Symantec Administrator?

Appears to possibly be an issue with one or more of your task servers according to these:

https://www-secure.symantec.com/connect/forums/task-server-fails-register

https://www-secure.symantec.com/connect/forums/task-details-restricted-users-machines-they-manage

Thanks a lot mclemson & Zac,   the user is a part of following groups

Everyone

NT Authority\Authenticated Users

Patch Management  Administrators

Hi mclemson,

Can you please let me know for this activity do the user needs to a part of Symantec Administrator group.

Thanks in advance

Yeah, none of those groups likely have the permissions to deploy software.  I'd try adding in Software Librarian.  I *think* that might giver you what you need.

It would be easiest, but not necessarily best, to add them to this role.  It would definitely work!  However, if time allows and you can troubleshoot issues, it is best to create a custom role that only provides the minimum permissions needed.

You could clone Software Librarian and then check all the Software Management privileges, then check the Managed Software Delivery and Quick Delivery Task checkboxes under Right Click Menu - Actions.

You should also check 'Create software deliveries' within Software Management Framework Privileges.

Doesn't the detection check run as the application identity contained in Altiris?  It sounds like it could be an issue with that account not having admin rights on the target computers.  If it uses the logged on users credentials then I would think you would have to modify the rights on the target computer, not in the Altiris Roles.

I don't have the rights to add or remove any role for any account. Can I get clear idea what i need to do to get the rights to create detection rule.

Thanks

As mclemson said, the quick answer is to just add whoever needs to make detection rules to the Symantec Administrators group.  However, that is FAR from Best Practice.

The best answer is to dive into the confusing quagmire that is Altiris role and scope security.  I found there to be an extremely steep learning curve.  Depending on how much time you have to devote to this task, it could take you days or weeks of testing to get roles exactly right.  But once you come out the other side, its worth it.

Hi mclemson,

I am not getting an option to clone Software Librarian. May be I am missing that . Can you please provide me the path from where I can get the Software Library and cloing option.

Thanks,

If you don't have the rights to add or modify roles you won't be able to create a clone either.  Is your account currently in the Symantec Administrators group within Altiris?

Thanks dgott20,

currently my account is not in the group of Symantec Administrators, I have the following roles on NS

Everyone

NT Authority\Authenticated Users

Patch Management  Administrators

Please do let me know whether a admin role is mandatory to do the detection rule activity in Software Package creation. Is athere any support document which clearly describes the functionality of all roles.

Thanks,

Pravash

Hello friends,

Can anyone help me to have the resolution for the above quoted issue?

Try adding Software Librarian.

You need an account with the 'Symantec Administrator' role to modify security.  Are you the primary manager of Altiris at your organization?  If so, you may want to log in as the Application Identity (service account) and add your user account to the Symantec Administrators role.  This would let whatever account is currently just a member of Patch Administrators create, modify, and save detection rules.