Symantec Management Platform (Notification Server)

  • 1.  Moving user to new role in Altiris Account Management

    Posted Jul 24, 2015 12:32 PM

    We are using ITMS 7.5 SP1 HF5 and I have to move a user out of Symantec Supervisors to Symantec Level 1 Workers; he should not have been in Symantec Supervisors to begin with. The issue is that even though I have moved that user to Level 1 Workers, that user can still see almost everything they had access to in the Symantec Supervisors role.


    Does Altiris cache logon information and, if so, where does it do that? I have also removed the user's access to Altiris and re-added them with no luck. We use Windows Credentials as their means to access Altiris, so my delete and re-add was the same user account re-added.



  • 2.  RE: Moving user to new role in Altiris Account Management

    Broadcom Employee
    Posted Jul 24, 2015 01:32 PM

    Probably a stupid question, but is your "Level 1 Workers" role added into another role as well, inheriting additional permissions and privileges from it? Check the "Member Of" tab of the "Level 1 Workers" role.

    I know that by default all default roles are included in the "Everyone" role.

    Otherwise, does only this moved account have this problem, while other accounts in the "Level 1 Workers" role don't?

    If other accounts also have the same behavior, then check the "Audit" tab for the "Level 1 Workers" role to make sure that no one has changed something there within the security role manager.

    [Screenshot attached: Level1Worker.jpg]

    There is a custom reports suite which contains "Security Permissions Comparison" and "Security Privilege Comparison" reports where you can compare Security roles.

    https://www-secure.symantec.com/connect/articles/sse-reports-itms-7x




  • 3.  RE: Moving user to new role in Altiris Account Management

    Posted Jul 27, 2015 11:56 AM

    The user was moved to the new role, Level 1 Workers, and no longer belongs to Symantec Administrators, and no permissions have changed on Level 1 Workers. From what I understand, if the user changed/added something while in Symantec Supervisors and was then moved to Level 1 Workers, his logon is cached and he can see some or all of the permissions of the role he came from.



  • 4.  RE: Moving user to new role in Altiris Account Management

    Posted Jul 29, 2015 05:07 PM

    I have done a lot of work with security in the Altiris console, and trust me when I say that it can be a pain. As far as you are concerned, though, you say that you switched him from Supervisors to Level 1 Workers. Just to make sure we are on the same page, I will make the assumption that these are the out-of-the-box roles and not custom ones. With that being said, you actually can see a lot of the same things in Supervisors as you can in Level 1... or so it appears.

    Out of the box roles do not have any permissions removed for things such as the ability to read Console menu items. Even in the Enhanced console views, you will be able to see most of everything. Once you start going through some of the menus, you will be hit with "Access Denied".

    So, in essence, the Level 1 role may be able to "see" more than you want them to, but they cannot "do" much. If the "see" part is concerning you, I would recommend cloning the Level 1 role and removing some of the permissions to read objects such as console menus and the like.

    Also, make sure you look at what Igor has said. I have tripped myself up on this before when people are nested in groups which are nested in roles, etc.

    Last, changes to a person's role are almost instant. Once you move them from Supervisor to Level 1 and click Save, they are Level 1 as soon as they refresh their IE window. Even if they just right-click something, if permissions changed on what is available through the right-click, it will be apparent immediately. There is a way to clear out someone's cache via SQL directly, but I don't think that is necessary in this instance.



  • 5.  RE: Moving user to new role in Altiris Account Management

    Posted Jul 30, 2015 07:00 AM

    Donald, thank you for the reply. I used the built-in roles as an example, and I do understand that with built-in roles you can see a lot of the same things, and that the role you are in is what gives you the right to that object in Altiris.

    I have been working with Symantec on this but decided to post to this forum to see if anyone has had a similar experience, and whether the person's role could be removed/wiped out so as to remove their previous cached logons. The reason for this is that I have created a new role from scratch (it is not a clone of any other role, built-in or not) and want to move several logons over to the new role and do not want them to see anything from their previous role. You mention that there is a way to achieve this through SQL; can you share that information?



  • 6.  RE: Moving user to new role in Altiris Account Management

    Posted Jul 30, 2015 11:15 AM

    I don't recommend doing this except for extreme cases, though. I have had to do this when someone could not access the console, period, because there were other issues with a page and they could not select anything else. This will reset them back to as if it was the first time they are accessing the console, according to the database.

    First, you need to get the Trustee (SID):

    -- Lists every security trustee with its SID; note the Trustee value for the account in question.
    select Name,
           Trustee
    from SecurityTrustee
    order by Name

    Once we have the Trustee (SID), we can use it to delete all references to it in the UserSettings table. But, we must make a backup first:

    -- Backup first: copy the whole table into a local temporary table.
    -- Note that a #temp table only lives for the current session.
    select *
    into #TempUserSettings
    from UserSettings

    Now, we can delete. Replace the <Trustee> below with the Trustee we retrieved in the first query.

    -- Remove every cached setting row for that trustee.
    -- The SID is a string value, so keep the quotes around it.
    delete
    from UserSettings
    where Sid = '<Trustee>'

    This will reset the specific Trustee back to the first time they accessed the SMP. In other words, the first page that will come up will be 'My Portal'.

    Just a word of warning though, it is never recommended to delete anything from the db unless you are absolutely sure you know what you are doing.
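The three steps above, combined into one guarded T-SQL script as an added example (not code from the thread or from Symantec): it resolves the SID by account name, refuses to run on an ambiguous or missing name, keeps a permanent copy of the deleted rows instead of a session-scoped #temp table, and rolls back if the delete touches an unexpected number of rows. The column names (SecurityTrustee.Name/Trustee, UserSettings.Sid) are those used in the post; the account name and the dbo.UserSettings_Backup table name are assumptions.

```sql
-- Added example: guarded reset of a trustee's cached console settings.
-- Assumed: SecurityTrustee(Name, Trustee) and UserSettings(Sid), as in the post.
SET NOCOUNT ON;
DECLARE @TrusteeName sysname = N'DOMAIN\jdoe';   -- constructed placeholder account
DECLARE @Sid nvarchar(256);
DECLARE @Matches int;

-- 1. Resolve the SID by name rather than pasting it by hand, and insist on exactly one match.
SELECT @Matches = COUNT(*) FROM SecurityTrustee WHERE Name = @TrusteeName;
IF @Matches <> 1
BEGIN
    RAISERROR(N'Expected exactly one SecurityTrustee named %s, found %d; nothing deleted.',
              16, 1, @TrusteeName, @Matches);
    RETURN;
END;
SELECT @Sid = Trustee FROM SecurityTrustee WHERE Name = @TrusteeName;

-- 2. Back up only the rows about to be removed into a permanent table (survives the session).
IF OBJECT_ID(N'dbo.UserSettings_Backup', N'U') IS NULL
    SELECT TOP (0) * INTO dbo.UserSettings_Backup FROM UserSettings;
INSERT INTO dbo.UserSettings_Backup
SELECT * FROM UserSettings WHERE Sid = @Sid;

-- 3. Delete inside a transaction; commit only if the row count matches what was backed up.
DECLARE @Expected int = (SELECT COUNT(*) FROM UserSettings WHERE Sid = @Sid);
BEGIN TRANSACTION;
DELETE FROM UserSettings WHERE Sid = @Sid;
IF @@ROWCOUNT <> @Expected
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR(N'Row count mismatch for %s; delete rolled back.', 16, 1, @TrusteeName);
    RETURN;
END;
COMMIT TRANSACTION;
PRINT N'Reset ' + CAST(@Expected AS nvarchar(10)) + N' UserSettings rows for ' + @TrusteeName;
```

Run it against a copy of the database first; restoring a trustee's rows afterwards is a plain INSERT ... SELECT from dbo.UserSettings_Backup filtered on the same Sid.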