Client Management Suite

  • 1.  Protecting specific machines from having tasks run against them

    Posted Jun 15, 2012 04:52 AM

    Hi,

    I am trying to implement security so a selected group of machines cannot have images or tasks run by standard users.

    We currently have help desk users that can image and run applications on all machines, but I want to be able to block them from running tasks just against certain machines.

    We are using CMS 7.1 SP2

    Any ideas how best to achieve this?

    Thanks



  • 2.  RE: Protecting specific machines from having tasks run against them
    Best Answer

    Posted Jun 15, 2012 12:54 PM

    If you want user accounts that are part of a security role to have the ability to run tasks on some systems but not others, you will need to create a custom organizational view with organizational groups within.  Then you'll assign permissions to some, but not all, groups for that role.

    Overview:

    1. Create a security role that has user accounts added to it, hopefully from Active Directory synchronization so that your life is easier.  For our discussion we'll call this group 'Help Desk'.
    2. Create a new organizational view.  For example, 'Functional'
    3. Create as many organizational groups as needed within the Functional view, e.g. US Servers, EMEA Servers, US Desktops, EMEA Desktops
    4. Within account management, go into Roles and select the Help Desk role
    5. Click 'Show Security Role Manager Console'
    6. Change the View drop-down to 'Resources', then click the Edit pencil
    7. Uncheck access to all computer resources.  Typically, this means unchecking 'Organizational Views,' then expanding the Default view and checking everything EXCEPT Asset > Network Resource > Computer.
    8. The Help Desk role now has access to no computer resources.  Expand the Functional view you created and check the box for what they should have access to -- for example, in this case we'll say that the Help Desk role should only have access to US Desktops, so check 'US Desktops' but leave EMEA Desktops and both server groups unchecked.
    9. Choose 'Save Changes' and test.

    Of course, I recommend working with a test user and a test role before implementing this in production for your Help Desk role so that you do not interrupt their work.  It should be planned like any other production change.

    So you've removed access to all computers within the Default view, then given back access to only certain computers in your Functional view.  If you had only given access in the Functional view but not removed it in Default, they would still have access to all computers.

    Does this help point you in the right direction?



  • 3.  RE: Protecting specific machines from having tasks run against them

    Posted Jun 18, 2012 03:46 AM

    Hi,

    Thanks for this. I did have a try at this using organisation views but only got it partly working. Your explanation helps make it clearer so I will go ahead and test it, but it makes sense now.

    Thanks