
Understanding Roles and Permissions

Created: 08 Oct 2012 • Updated: 15 Oct 2012 | 3 comments
This issue has been solved. See solution.

ok so now that my dev environment has been up for a good time, tons of documentation for us to move over to our test server...

this now has to be pristine and installed and configured and validated step by step with no room for errors as then when we go to our production server it is all documented 100% without a doubt...

ok so all looks good but for the security/permissions... this is where I just can't wrap my head around it. Since myself and a few others are in the Symantec Administrators group, this has been a walk in the park!

now we need to segregate us (administrators) out and lock ourselves out somewhat... there is the app id account that will get us in to do what we need to and is auditable so off to the steps/questions...

I followed the instructions in the KBs to import an AD group.
This created a new role and populated users
Now questions on that.

1. if I rename the group will it still modify the group accordingly to the AD group when the import runs next? (supposed new/removed employees)
 

If you clone say Symantec Administrators then add those administrators in, name to App Admins for Role Name... 

2. how would you tie that AD group to this role?

in NS6 it was easy.. clone role, modify, add AD group and done.... now it seems that it isn't that easy and I'm not getting what I need.

I will give the exact example of what I'm trying to do.

App ID account is in Symantec Administrators group and has FULL RIGHTS

App Admins group needs Administrator functions minus a few where auditing is not possible and an example is Purging Maintenance.
I imported an AD group and it created a new role but that role had 0 access. so I have been trying to give ALL rights but this is not an easy task as I am still missing stuff here and there.... so I figured you should be able to Clone Symantec Admins Give it a Name and modify... done...

so lend me a thought please!!!!!
 

PeeGee

Notice that you can make groups to be members of other groups.

So what we usually do is to create a "semi admin" security role with everything setup as we require. Then you run the AD import of the security groups you want to create Security Roles off. After the import simply go into the newly created Security Groups and click on the "Member Of" tab... add the "semi admin" security role. 

SOLUTION
TeleFragger

hmmm so theoretically.. I can create an App Admins group.. cloned off of the Symantec Administrators group... let AD Import populate a new group... make the new group a member of the App Admins group. from there restrict the App Admins group from first time setup, purging maintenance, etc....

is that the route to go? pretty sure that is what you're saying... [:-P>

Thanks!

Did we help you? Please Mark As Solution those posts which resolve your problem,

PeeGee

Yes, this is what I'm saying.

Just make sure to remove any permissions which you don't want for your App Admins groups after you have cloned the default admins group. Keep in mind that permissions are always ADDITIVE. So once you have a permission anywhere in the "stream" you'll have it, no matter if it's missing from any other group you are a member of.
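
The additive behaviour described in the last reply can be checked on paper before the production build. The following is an added example, not part of the thread and not a Symantec API: it models roles and "Member Of" links as plain dictionaries and reports every membership chain through which an account still receives a permission that was removed from App Admins. The users, the `AD-Imported-Group` role name and the `Manage Policies` permission are constructed for illustration.

```python
from collections import deque

# Constructed sample data (assumption): role -> permissions granted directly on it.
ROLE_PERMS = {
    "Symantec Administrators": {"Purging Maintenance", "First Time Setup", "Manage Policies"},
    "App Admins": {"Manage Policies"},   # clone with the unauditable rights removed
    "AD-Imported-Group": set(),          # imported roles start with no access
}
# Constructed sample data: member (user or role) -> roles on its "Member Of" tab.
MEMBER_OF = {
    "AD-Imported-Group": {"App Admins"},
    "appid": {"Symantec Administrators"},
    "alice": {"AD-Imported-Group"},
    "bob": {"AD-Imported-Group", "Symantec Administrators"},  # leftover admin membership
}

def grant_paths(principal, permission):
    """Return every membership chain through which principal receives permission."""
    paths, queue = [], deque([(principal,)])
    while queue:
        chain = queue.popleft()
        if permission in ROLE_PERMS.get(chain[-1], set()):
            paths.append(chain)
        for parent in sorted(MEMBER_OF.get(chain[-1], ())):
            if parent not in chain:      # guard against membership cycles
                queue.append(chain + (parent,))
    return paths

def effective_permissions(principal):
    """Union of permissions over all roles reachable from principal (additive model)."""
    seen, stack, perms = set(), [principal], set()
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        perms |= ROLE_PERMS.get(node, set())
        stack.extend(MEMBER_OF.get(node, ()))
    return perms

def audit(restricted, allowed_holders):
    """Map each unexpected holder of a restricted permission to its grant paths."""
    findings = {}
    for user in sorted(set(MEMBER_OF) - set(ROLE_PERMS)):
        for perm in sorted(restricted):
            paths = grant_paths(user, perm)
            if paths and user not in allowed_holders:
                findings[(user, perm)] = paths
    return findings
```

On the sample data, `audit({"Purging Maintenance", "First Time Setup"}, {"appid"})` flags only `bob`, whose direct Symantec Administrators membership re-grants both rights even though App Admins no longer carries them.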