
Reports, Custom Security Roles and Organizational Views.

Created: 25 Mar 2011 | 1 comment
Alfonso Naranjo

Hi to everyone.

I will try to summarize as much as I can what my problem is. I have created a customized Security Role which I want to be a base for future roles. I have configured this role's console with only a Manage and Reports menu on the Symantec Management Console. I want this role only to have access to a certain Organizational View based on what I obtained when discovering my Active Directory. I mean, the users belonging to this Role will be able to manage assets, tasks and jobs, reports, and so on only on the Organizational Unit inherited from the AD discovery.

The point is that I do not want these users to be able to see the other OUs from the console. To do that, what I did was give Read permission to a specific OU. Everything works fine doing that: the user is able to manage all the resources on this OU, except in case I want to view reports from a resource within this view; I am able to open the report but no info is shown. I will provide an example: the report which you obtain when clicking on the resource and selecting Actions - Installed Software Report. I am able to open the report but no info is shown. Checking the Altiris Log Viewer, I see the following error:

Source: Altiris.NS.UI.CoreWebService

Description: Error getting node url: Altiris.NS.Exceptions.AeXUnauthorizedAccessException: The current user does not have required permission 'read' to load item 'Organizational Views (42441bee-bc0f-469c-8a66-06288cb1b8af)'.
   at Altiris.NS.ItemManagement.Item.RaiseItemLoadFlagsSecurityException(String message)
   at Altiris.NS.ItemManagement.Item.CheckCanGetItem(IItem item, IEnumerable`1 accessPermissions, ItemLoadFlags itemLoadFlags)
   at Altiris.NS.ItemManagement.Item.GetItemInternal(Guid itemGuid, IEnumerable`1 accessPermissions, ItemLoadFlags itemLoadFlags)
   at Altiris.NS.ItemManagement.Item.GetItem[T](Guid itemGuid, IEnumerable`1 accessPermissions, ItemLoadFlags itemLoadFlags)
   at Altiris.NS.Tree.ItemTreeBuilder.GetNodeUrl(Guid nodeGuid)
   at Altiris.NS.UI.AeXConsole.GetNodeUrl(String strNode, Hashtable args)
   at Altiris.NS.UI.CoreWebService.GetNodeUrl(Guid treeGuid, String nodeXPath, String url)
 
Obviously, if I provide the Read permission to this group at the "Organizational Views" level, the user can view and run any report, but can also do it at ANY level / Organizational View / OU / whatever. As is noted in the KB http://www.symantec.com/business/support/index?page=content&id=HOWTO45253 (on the bottom line), "the only security permission that a user requires to apply a task or policy to a resource is the read permission on the resource." So if I create a role for, e.g., the France Local IT group, this group is able to run a task on a resource in Italy, and this is not what I want to do... By the way, the strangest thing of all of this is that if I use the resource manager for this resource, Summaries - Software Summary, I can see this info...
Could anyone give me a clue for this error? Thanks to all for reading my :D.

Comments

spastor

Hello,

To achieve this kind of management, in my opinion it is better to use organizational views. This way you don't have to deal with securing objects individually. You can create as many views as you need, and this is what they were designed for, enabling different levels of management rights.

Try to add your OU to a custom Org. view and start from there.

Hope this helps.

Santi