Video Screencast Help

Privilege for Editing Policy Target

Created: 29 Jan 2013 | 4 comments

I have built software deployment policies with targets based on Organizational Views. I am training my helpdesk staff on how to use this method to schedule software installs on computers. I'd like to train them on how to expedite installations this way, meaning that I'd like to eliminate the intrinsic delay between adding a computer to an Organizational View and having that change be recognized by the deployment policy. Currently my techs do not see my targets when they look at my policies. Instead they see "No items found" where I see my target name.

My techs currently have privileges equivalent to Symantec Level 2 Workers, while I am a Symantec Administrator. I assume that they cannot see this information because they don't have privileges to, but I'm not finding any settings under Manage Accounts that obviously pertain to this. Does anybody know what permissions an account needs to edit policy targets?

Thanks.

Comments 4 CommentsJump to latest comment

mclemson's picture

What version are you running?  You may need to edit the role in Security Role Manager and ensure that under Policy Permissions you have 'Apply to Resource Targets' checked.  Read/Write should be enabled by default for the Level 2 Worker Role.

If you add this permission to the policy/policies in question, are they able to modify the resource target?

Mike Clemson, Senior Systems Engineer, ASC
Intuitive Technology Group -- Symantec Platinum Partner
intuitivetech.com

sirNARVY's picture

Thanks for the input Mike. Since your reply we upgraded from 7.1 SP2 to 7.1 SP2 MP1.1, which is part of why it's taken me so long to respond.

I've reviewed Security Role Manager for one of the policies on which I've noticed this issue and I see that Level 2 Workers does indeed inherit 'Apply to Resource Targets', as well as Read and Write system permissions.

When my techs look at this policy they see the number of computers to which it's applied, and if they change the View droplist to Computers they can see all the targeted computers, but when looking at the Targets view they still get 'No items found', even after adding the above permissions explicitly to the policy.

Any other ideas?

Thanks much.

GarethNZ's picture

Hi, did you figure this out? I've got the same issue, but we don't use Organizational Views, I've just changed my users from Symantec Administrartors to Symantec Level 2 Workers, I've changed a few permissions, but can not figure this one out.

If I right click on a single policy and choose Security I can see the role does not have "Apply to resource targets" permissions, but I don't want to add that permission on each policy individually, but can't find where to get it in Security Role Manager so it will be inherrited by all polices.

*Edit, in Security Role Manager I have Role = Symantec Level 2 Workers, I have view = Policies, but didn't see "Apply to resource targets", I changed view to "All Items" and selected Policies and was able to tick "Apply to resource targets", but users with that role still no target under "Applied to" for every policy.
I can see the Computer resources if I change view to Computers, just can't see Targets.

*Edit 2, found this thread, same issue for me, https://www-secure.symantec.com/connect/forums/target-permissions-altiris-71, I dont understand what msapovalov said.

sirNARVY's picture

What I found is that this is a known issue with SMP 7.1 SP2. It was supposedly addressed in security rollup version 4, which we recently applied. After applying that, my techs can now see the target (which is now based on Filters instead of Organizational Views) but they still cannot edit the target.

I need to call technical support again to follow up on that, but haven't been able to due to other project priorities.