Hi to everyone.
I will try to summarize my problem as much as I can. I have created a customized Security Role which I want to be a base for future roles. I have configured this role's console with only a Manage and Reports menu on the Symantec Management Console. I want this role to have access only to a certain Organizational View based on what I obtained when discovering my Active Directory. I mean, the users belonging to this Role will be able to manage assets, tasks and jobs, reports, and so on only on the Organizational Unit inherited from the AD discovery.
The point is that I do not want these users to be able to see the other OUs from the console. To do that, what I did was give Read permission to a specific OU. Everything works fine doing that, the user is able to manage all the resources on this OU, except when I want to view reports from a resource within this view; I am able to open the report but no info is shown. I will provide an example: the report which you obtain when clicking on the resource and selecting Actions - Installed Software Report. I am able to open the report but no info is shown. Checking the Altiris Log Viewer, I see the following error:
Description: Error getting node url: Altiris.NS.Exceptions.AeXUnauthorizedAccessException: The current user does not have required permission 'read' to load item 'Organizational Views (42441bee-bc0f-469c-8a66-06288cb1b8af)'.
at Altiris.NS.ItemManagement.Item.RaiseItemLoadFlagsSecurityException(String message)
at Altiris.NS.ItemManagement.Item.CheckCanGetItem(IItem item, IEnumerable`1 accessPermissions, ItemLoadFlags itemLoadFlags)
at Altiris.NS.ItemManagement.Item.GetItemInternal(Guid itemGuid, IEnumerable`1 accessPermissions, ItemLoadFlags itemLoadFlags)
at Altiris.NS.ItemManagement.Item.GetItem[T](Guid itemGuid, IEnumerable`1 accessPermissions, ItemLoadFlags itemLoadFlags)
at Altiris.NS.Tree.ItemTreeBuilder.GetNodeUrl(Guid nodeGuid)
at Altiris.NS.UI.AeXConsole.GetNodeUrl(String strNode, Hashtable args)
at Altiris.NS.UI.CoreWebService.GetNodeUrl(Guid treeGuid, String nodeXPath, String url)
Obviously, if I provide the Read permission to this group at the "Organizational Views" level, the user can view and run any report, but can also do it at ANY level / Organizational View / OU / whatever. As it is noted in the KB http://www.symantec.com/business/support/index?page=content&id=HOWTO45253 (on the bottom line), "the only security permission that a user requires to apply a task or policy to a resource is the read permission on the resource." So if I create a role for, i.e., the France Local IT group, this group is able to run a task on a resource in Italy, and this is not what I want to do... By the way, the strangest thing of all of this is that if I use the resource manager for this resource, Summaries - Software Summary, I can see this info...
Could anyone give me a clue for this error? Thanks to all for reading my :D.