Restricting roles from running tasks on servers

Created: 13 Jan 2014 | 13 comments
GarethNZ

Hi, we are in the process of installing the SMA on servers, but we don't want any roles (except Symantec Admins) to be able to run any tasks on the servers, e.g. restart. I found an instruction video for doing this (https://www-secure.symantec.com/connect/videos/creating-role-based-security-within-symantec-management-platform). I've completed the steps in the video but all it has done is removed the custom Organization View\Group; I can still see the server in filters, and still run tasks on it. I assume this is because I still have the default Org View available; this custom view I'm putting the servers in is the only custom view, everything else just sits in the Default Org View. What is my best approach here? We're running SMP 7.1 SP2. Thanks.


SK

As you probably want some roles to run tasks on workstations, you cannot simply remove the relevant task privilege/permission from the roles.

What you will need to do is create an OG for clients and an OG for servers, add the respective OG to the required roles and then remove the default OG(s) or even the default OV from those roles.

Connect Etiquette: "Mark as Solution" those posts which resolve your problem, and give a thumbs up to useful comments, articles and downloads.

GarethNZ

Ok, thanks. If I do that, I will then need to add all new clients to the OG for clients; is there an automated way to do that? Otherwise our team that images new PCs won't be able to do anything with those PCs until a Symantec Admin (e.g. me) moves them into the OG for clients (right?). Cheers.

SK

Yes, you can use either the "Assign computers discovered in the last day to Organizational Group" automation policy, the "Assign to Organizational Group" automation policy task, a CMDB rule task, or the "Assign To Organizational Group" NS task.

You may have to schedule the "Update Organizational Hierarchy" CMDB task too.

GarethNZ

Thanks. I've turned on "Assign computers discovered in the last day to Organization Group" and set it to move to my custom PC OG, schedule = shared, quarter-hour.
I PXE booted a new PC into automation and can see it as a new computer using the Symantec Administrator Role, but I can't see it using the role I've removed Default OG access from. After 1/2 hour I still can't see it; the organization summary for the new computer shows it is still only in the default group. Am I thinking about it wrong? Should it run every 1/4 hour and move any "new" (discovered in the last day) computers to my custom OG?

Goal: Our "Symantec level 1\2 workers" can PXE boot a new PC, it boots into automation, shows in SMC and they can run the image job on them, then extra tasks as required once complete. I want them to have access to all desktops but no servers. (I'm happy to manually add servers to the custom OG)
Our "Symantec Administrators" are the only users that have access to the servers.

SK

Has the resource been moved to its new OG yet?

If not, please run the last task I mentioned.

As a side note, if you set up initial deployment, new machines will be automatically imaged when they PXE boot.

GarethNZ

No, it didn't move. I've found the task and can see it has run, but there is no option to run it manually; it is read only and "new schedule" is greyed out. I've checked the parameters of the AP again: org group = custom = my custom group, action = custom = must only contain, resources = custom = no resources selected. I can click on "no resources selected" and it gives me a list of computer resources, which seems pointless if this AP should run on any new PCs discovered. Have I got it set up right? Thanks.

SK

Strange, as I can schedule the default task.

Have you tried creating a new task of that type?

GarethNZ

I had logged a call with Symantec support. I ended up creating a new task to move computers named "minint%" to my custom OG; it runs every 15 minutes and it is working.

I've added all existing PCs to my PCs custom OG, all new PCs will be added there by the automation policy, and when I manually deploy the SMA to servers I will manually add them to the servers OG. Just a few tweaks to do on the role permissions and I think I'll be done finally; that was not easy for a simple delegation setup. Thanks.

SK

Thank you for the update. I am pleased to hear that creating a new task resolved this issue for you.

GarethNZ

An update on this. I have been working with Symantec support for a few months on this, but keep getting to a point where they won't support custom roles.

We want the SMA on all our PCs and Servers.
In SMP
We want only Symantec Administrators to have access to both PCs and Servers.
We want a role that gives access only to PCs.
We want a role that gives access only to Servers.
We want an asset manager role that can run reports on PCs and Servers but no other tasks, eg Power Control.

We currently have servers in 1 OG, and PCs in a separate OG.
I'm having issues removing access to servers from existing roles. I haven't yet tried a new role like in the video in my first post because I don't know enough to give the roles the required permissions for stuff like Patch Management and creating new Software Resources.
I cloned Symantec Level 2 Workers to XX Symantec Level 2; a test member could see the Servers OG even though it didn't show in Security Role Manager. I had to remove XX Symantec Level 2 as a member of other roles like Software Librarian and Patch Management Admin; then the member can not see the servers (good) but also can't do patch management tasks or create new software resources.

Am I overcomplicating this? If I start from a new role, how do I know what permissions to give the users? I just want an almost admin-level role, but with access only to the PCs and no access to the servers.
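The symptom in the post above (a cloned role seeing the Servers OG even though that OG is not shown on the role itself, and losing patch and software privileges once it is removed from the parent roles) is the standard effect of role membership: a role's effective scope is the union of what it is granted directly and what every role it is a member of is granted. The toy model below is an added example, not SMP code or any Symantec API; the role, OG and privilege names are constructed to mirror the thread, and the "grant directly" step is the generic RBAC remedy of putting the needed privilege on the scoped role itself rather than inheriting it through membership in a broadly-scoped role.

```python
"""Toy model of role membership and Organizational Group (OG) scoping.

Added example for illustration only; it is not Symantec Management Platform
code. Role names, OG names and privilege names below are constructed to
mirror the thread's setup.
"""
import copy
from dataclasses import dataclass, field


@dataclass
class Role:
    ogs: set = field(default_factory=set)         # OGs granted directly to the role
    privileges: set = field(default_factory=set)  # task privileges granted directly
    member_of: set = field(default_factory=set)   # roles this role is a member of


def effective_scope(roles, role_name):
    """Return (ogs, privileges) over the transitive closure of role membership.

    A role sees every OG and holds every privilege granted to any role it is a
    member of, directly or indirectly. This is why a scoped clone can still
    reach an OG that does not appear on the clone itself.
    """
    seen, stack = set(), [role_name]
    ogs, privs = set(), set()
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        role = roles[name]
        ogs |= role.ogs
        privs |= role.privileges
        stack.extend(role.member_of)
    return ogs, privs


def can_run(roles, role_name, privilege, resource_og):
    """True if the role holds the privilege and can reach the resource's OG."""
    ogs, privs = effective_scope(roles, role_name)
    return privilege in privs and resource_og in ogs


def roles_reaching(roles, og):
    """Audit helper: every role whose effective scope includes the given OG."""
    return sorted(name for name in roles if og in effective_scope(roles, name)[0])


def detach_from_parents(roles, role_name):
    """Remove the role from all parent roles (returns a modified copy)."""
    fixed = copy.deepcopy(roles)
    fixed[role_name].member_of = set()
    return fixed


def grant_directly(roles, role_name, privileges):
    """Grant privileges on the role itself instead of inheriting them (copy)."""
    fixed = copy.deepcopy(roles)
    fixed[role_name].privileges |= set(privileges)
    return fixed


# Constructed data mirroring the thread: two OGs, a broad admin role, two
# broadly-scoped functional roles, and a cloned level-2 role that is a member
# of both functional roles.
ROLES = {
    "Symantec Administrators": Role(
        ogs={"PCs OG", "Servers OG"},
        privileges={"Run Task", "Power Control", "Run Report",
                    "Patch Management", "Create Software Resource"}),
    "Software Librarian": Role(
        ogs={"PCs OG", "Servers OG"}, privileges={"Create Software Resource"}),
    "Patch Management Admin": Role(
        ogs={"PCs OG", "Servers OG"}, privileges={"Patch Management"}),
    "XX Symantec Level 2": Role(
        ogs={"PCs OG"}, privileges={"Run Task", "Power Control"},
        member_of={"Software Librarian", "Patch Management Admin"}),
    "Asset Manager": Role(
        ogs={"PCs OG", "Servers OG"}, privileges={"Run Report"}),
}


def remediate(roles, role_name, needed_privileges):
    """Detach the role from its parents, then grant what it actually needs."""
    return grant_directly(detach_from_parents(roles, role_name),
                          role_name, needed_privileges)


if __name__ == "__main__":
    lvl2 = "XX Symantec Level 2"
    print("Roles reaching Servers OG:", roles_reaching(ROLES, "Servers OG"))
    print("Level 2 can Power Control a server:",
          can_run(ROLES, lvl2, "Power Control", "Servers OG"))
    fixed = remediate(ROLES, lvl2, {"Patch Management", "Create Software Resource"})
    print("After remediation, reaching Servers OG:", roles_reaching(fixed, "Servers OG"))
    print("Level 2 can patch a PC:", can_run(fixed, lvl2, "Patch Management", "PCs OG"))
```

Running the block shows the leak first (the level-2 clone reaches the Servers OG purely through membership) and then the remediated state, where the clone keeps its patch and software privileges on PCs but no longer reaches servers. The `roles_reaching` audit is the check worth repeating after every role change, since the membership graph, not the role's own page, decides what it can touch.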

SK

Symantec support will not support custom roles?

When I was in support, I was always helping my customers create their roles when they needed it.

GarethNZ

Any tips?

Seems like it is best to start from a new role rather than cloning roles (to avoid inherited permissions causing problems). I have tried that a few times but then have to fiddle with permissions\privileges so users can do their jobs; I then end up logging a job with support, and it's just ongoing, so I have to keep putting users back into the Symantec Admin role so they can do what they need to do, and then I'm back to square one.

datadrudge

I tried to do exactly what you are going for in 7.1 and gave up after hours and hours of effort and multiple calls to support. I wish this was recognized and addressed as a common need. The security roles and permission requirements are fairly standard across organizations; most want to keep server and PC management separate. I wish security roles and privileges were a LOT easier to manage in SMP/Altiris.