Symantec Management Platform (Notification Server)

  • 1.  SMP 7.1 Permissions to allow a user role to EDIT, but not create or delete a computer resource?

    Posted Aug 01, 2013 07:48 AM

    Dear All,

    I am configuring a security role to be able to edit a computer and I had lots of trouble setting this up. The usual process is to give the user the permissions on the Computers OU in the Default OH and then allow the user write access to the resource type, data classes and resource associations. I found this excellent comment that also says that you have to add the "Create Instance" permission as well:

      https://www-secure.symantec.com/connect/forums/asset-management-permissions#comment-5438421

    Sadly, my role MUST only be able to edit a computer asset and NOT delete or create. Delete is easy - don't give them the perms, but stop a create?

    How do I do this in SMP 7.1 SP2 MR1.1?

    Kindest regards,

    QuietLeni



  • 2.  RE: SMP 7.1 Permissions to allow a user role to EDIT, but not create or delete a computer resource?

    Posted Dec 09, 2013 08:23 AM

    Although it appears that the "Create Resource Instance" permission is required in order to edit a resource type, in my opinion it should not be needed, as you are not creating a resource when you go to edit an existing one.

    Please open a support case so that development can review this situation in the hope of adding it to the roadmap.



  • 3.  RE: SMP 7.1 Permissions to allow a user role to EDIT, but not create or delete a computer resource?

    Posted Dec 09, 2013 10:06 AM

    Hi QuietLeni

    To stop the user from creating a new Computer:

    1) Open Security Role Manager

    2) Select settings -> Notification Server -> Resource and DataClass Settings -> Resource Types -> Asset Types -> IT -> Computer and uncheck the 'Create Resource Instance' permission.

    P.S. Without the 'Create Resource Instance' permission you can easily edit the Computers.

    Good Luck,

    Anton N.

     



  • 4.  RE: SMP 7.1 Permissions to allow a user role to EDIT, but not create or delete a computer resource?

    Posted Dec 09, 2013 11:06 AM

    I tested this today (7.1.2 mp1.1 v7ru) before my post, and confirmed that if that permission is not applied then the edit page doesn't load because there is no edit access to the computer resource. If you know how to accomplish this then please share.


  • 5.  RE: SMP 7.1 Permissions to allow a user role to EDIT, but not create or delete a computer resource?

    Posted Dec 09, 2013 12:03 PM

    SK and Anton,

    What SK describes in his comment is exactly what I found. You cannot edit a computer without the "Create Resource Instance" permission. I agree that this permission should NOT be needed, but it is, to allow the Edit Computer page to load.

    Sadly, I cannot raise this as a support call, as it is now 4 months after being in that project and it is now closed to me.



  • 6.  RE: SMP 7.1 Permissions to allow a user role to EDIT, but not create or delete a computer resource?

    Posted Dec 10, 2013 04:01 AM

    Hello again,

    Yes, sorry for my previous comment, I didn't have the Console at that moment.

    I can suggest a workaround to disable the creation of resources using the right-click menu item permission.

    - Open Security Role Manager

    - Remove the "read" permission from the "Settings -> Notification Server -> Right-Click Menu -> Create New Resource" item.

    In this case the user is unable to create any resources at all.

    Thanks,

    Anton N.