Video Screencast Help
Give us your opinion and win with Symantec! Please help us by taking this survey to tell us about your experience with Symantec Connect, so that we can continue to grow and improve.  Take the survey.

ITMS workstation rights viewed via Workflow

Created: 06 Aug 2012 • Updated: 13 Sep 2012 | 5 comments
This issue has been solved. See solution.

Our imaging process places PCs into an ITMS7 OV.  We plan on using those OVs to assoceate rights.  I set up the rights to a test group/user and that user can move thoughtout the limited access and see only the PCs they have rights to (if the reports is configured to use user rights).  I hope to set up a workflow to do some actions like deploying applications.  I don't want to give those rights directly in the ITMS console.

SO... Here is my question.  How to I view/query the PCs the user has rights to in a workflow?  

Here is what I have tried.  I set up a report in the console that the user has access to and that report only shows the PC they have rights to ("Promote scoping information to the data source" checked).  I then configured an integration component to pull the results of that report.  I can log into the WF with my Admin ID, and pass my cradentals to the report integration object and the proper results come back.  When I try with the test user, I get "The user does not have permissions to run this report".... even though in the ITMS console, they do.  Only thing I can think of is that I'm an admin in ITMS, and the site admin is not.  They are more or less a user of ITMS.

Only other option I can think of is to query it directly via SQL, but that one is way over my head in how ITMS builds that query filter.  Other thoughts?

Thanks in advance!

Comments 5 CommentsJump to latest comment

masonje's picture

I wrote a report that I used the checkbox "Promote scoping information to the data source".  Here is the resulting query for the report:

DECLARE @v1_TrusteeScope nvarchar(389)
   SET @v1_TrusteeScope = N'{171E113B-AEF0-4476-84B5-317C16F0B8A7},{23A16BF2-43EB-48EB-BD24-83C09BC23C9A},{2E1F478A-4986-4223-9D1E-B5920A63AB41},{3D6D7273-72A6-426C-A854-E0C1DF0F2267},{582029E2-FC5B-4717-8808-B80D6EF0FD67},{64623399-DB17-4301-9BDB-8EE3817F7274},{9AD33914-2171-43FF-8335-649C8D276750},{B760E9A9-E4DB-404C-A93F-AEA51754AA4F},{D5647C14-B8A0-4ACD-93A9-8B1352896FC6},{F41AA34A-3C8F-4C12-97A2-B56C5B80DBF4}'
   [vri2_Computer].[Guid] AS [_ItemGuid],
   [ajs3_vComputer].[IP Address],
   [ajs3_vComputer].[OS Name]
   [vRM_Computer_Item] AS [vri2_Computer]
      LEFT OUTER JOIN [vComputer] AS [ajs3_vComputer]
         ON ([vri2_Computer].[Guid] = [ajs3_vComputer].[Guid])
      ([vri2_Computer].[Guid] IN (SELECT [ResourceGuid] FROM [ScopeMembership] WHERE [ScopeCollectionGuid] IN (SELECT [ScopeCollectionGuid] FROM dbo.fnGetTrusteeScopeCollections(@v1_TrusteeScope))))
How do I find what @v1_TrusteeScope should be for the user via some SQL or WF accessible way?  If I could figure that part out, I could just pass it as a parm to a direct sql query and I'm golden.  I've been digging into the stored procedures and the ASDK but nothing so far.
Jason Short's picture

All Workflow components that integrate with the SMP require SMP credentials to run them, they will always run under the context / scope of those credentials.  Try these steps:

1) Create a custom report in the SMP

2) Use the "Report Component Generator for NS 7.0" in an integration library in Workflow to generate a component for that report.

3) In the Workflow add a "Create SMP Credentials" component, and dynamically set the credentials to whomever is logged into your process

4) The add the new custom report component downstream for the Create SMP Credentials component

That should allow the report to run under the desired credentials, and therefore return the desired result.

masonje's picture

I did that, but I got the return "The user does not have permissions to run this report".  Even though the user can run that report in the itms console.  Is there some thing I need to add to there role privileges to allow access to the reports via the ASDK?

masonje's picture

OK, here is what else I tried.  For the security role for my test user, I went in and checked EVERYTHING.  All privileges and all data classes/types/etc in the security role manager.  Nothing I did gave access to running this report via the ASDK.  Just as a test, I added "Symantec Administrators" to the membership of the test security role.  POOF, that user could now run queries via the ASDK.

So here is my question, can Symantec Administrators only run ASDK calls?  If so, that’s fine (sucks, but fine).  But then I would fall back on my last question to accomplish my goal.  How do I populate the SQL variable @v1_TrusteeScope for the logged in WF user?  If I could generate the query in its own module, then just pass in the scope as a variable, which would essentially do the same thing as trying to run this scoped report via the ASDK.

masonje's picture

FYI, we got it figured out.  Create a SQL integration component and used this query:

DECLARE @SecurityList varchar(max);
 with guids(securityGuid) as (
 select ra1.ParentResourceGuid from ResourceAssociation ra1
 Inner JOIN vItem vi on vi.Guid = ra1.ChildResourceGuid
 where vi.Name = @UserName
 Union all
 Select ra2.ParentResourceGuid from ResourceAssociation ra2
 Inner join guids g on g.securityGuid = ra2.ChildResourceGuid
 Select @SecurityList = COALESCE(@SecurityList + ',','') + '{'+CAST(securityGuid AS varchar(40))+'}' from guids
 Select @SecurityList as SecurityString
...with a parm of the user id found in the item table (domain\user in most cases).  A string is returned that you can later use in other queries.  So for example if you create a report in the console with the option "Scoped" option checked, then pull out the sql into another SQL integration component.  Check for variables and one of the variables that is picked up is @v1_TrusteeScope.  Pass the retuened string into trusted scope and your set.
Hope this helps someone else too!