Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

SEP 12.1 - Limited Administrators Can Access New Groups

Created: 23 Jan 2013 | 7 comments

Hello,

I manage a global deployment of SEP 12.1.  I've got a single Symantec domain and then 4 main groups under that domain.  The 4 main groups correspond to geographical areas like North America, Europe, Asia Pacific, etc.  Under each of the main groups I have many sub-groups which correspond to the cities I support.

My problem is that I create a limited administrator for a city (group), and adjust access to prevent that administrator from accessing any other groups.  That works fine until I create a new city group.  The console for some reason grants previous administrators access to new groups automatically.  This results in me having to go through and edit 80 or more limited administrator accounts every time I add a new city group.

I'm not sure who at Symantec thought this was a good idea, but it isn't.  If I grant specific granular access to a limited administrator then I don't ever want their access to increase unless I specifically increase it.  They should NEVER get access to my new groups unless I specifically grant them access to my new groups.

I've read other forum posts saying this is resolved in 12.1, but it isn't.  What can be done to correct this insecure behavior in the Symantec Console?

Thanks,

Tom

Comments 7 CommentsJump to latest comment

.Brian's picture

What version of 12.1 are you running? Latest is 12.1 RU2

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Rafeeq's picture

for time being check this step 

When you want to inherit the permissions click with the secondary mouse key just on the My Company and deny access for all.
This will be inherited for all subgroups and then you can simply allow full or read access only for certain groups.... Try it :-)

https://www-secure.symantec.com/connect/ideas/sep-...

AravindKM's picture

Try by granting deny access to all limited admins on the secondary groups...

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

SebastianZ's picture

For the existing limited administrators did you selected as well Full Access to "My Company" group?

...if yes this will force the full access rights to the administrators for all the new subgroups created under it. This will apply same for the groups and subgroups...on a example:

Limited admin has following rights:

- My company - no access

- - Europe (subgroup to My company) - full access

- - - London (subgroup to Europe) - full access

.. you create a new subgroup in Europe called Bristol, the limited admin will get automatic full access to it cause he has full access to Europe.

Mithun Sanghavi's picture

Hello,

What version of SEP 12.1 are you running?

Could you check by installing the Latest version of SEP 12.1 RU2 if that resolves the issue.

Check this Article:

A Limited Administrator doesn't consistently see all groups listed in the Clients tab where their group rights are "No Access" in Symantec Endpoint Protection Manager 12.1

http://www.symantec.com/docs/TECH162661

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

TallTomD's picture

I'm running 12.1.671.4971. I was looking into RU2 last week to begin planning the upgrade.

When creating a new Limited Admin I right click the top level group My Company and select no access to this and all sub-groups. I grant Full Access to a 2nd tier Regional group of unclaimed computers. I then navigate down past the Regional groups, and into the City group. I right click the city group and select full access to this and all sub groups. I close out the newly created Limited Admin account and all is fine.

The problem arises when I create a new 3rd tier City group in the same 2nd tier Regional group where the Limited Admin has rights. The old existing Limited Admin accounts are given access to the newly created City group, which requires that I perform cleanup on the permissions of the Administrators.

I'll read through the attached articles and see if there is a better approach to creating the Limited Admins or the new city groups.

Thanks,
Tom

SebastianZ's picture

Do each group of your limited admins require the full rights to the 2nd tier Regional group or only to the 3rd tier City Group?

As mentioned above if you create a new 3d tier city group in a 2nd tier regional group - all admins having full rights to that 2nd tier group will gain automatically access to the new 3rd tier group as well bby inheritance of the full right access from 2nd tier above.