Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Enhancement: limit/throttle NS 7.x task executions as in DS 6.x per role

Created: 25 Feb 2013
michael cole's picture
1 Agree
0 Disagree
+1 1 Vote
Login to vote

Hello,

In DS 6.x there was a setting as below:

 

DS 6.x console>Tools>security>select a user/group>restriction tab

-          Set the maximum number of computers that can be selected for a single schedule of a job

-          Allow the job to be run immediately

This was implemented in order to restrict the amount of concurrent tasks that could be executed on PC's, especially to counter the ease of drag and drop error. The "run immediately" checkbox also forced a "job summary" in case of inaccurate drag and drop so the EU could double check their operation.

In NS7.0, 7.1+ there is no equivalent security restriction.

The only workaround to this would be via Workflow, of which a full implementation to replace console access is a vastly longer process than a security implementation that works.

The suggestion is that this limit of how many times the task/job can run at the same time be added into future versions of Notification Server security.

Scenario: Companies are now using security in NS to farm out common tasks to less skilled teams with security restrictions in place. It is typical for teams to perhaps restrict what computers can be subjected to tasks and what tasks can be run. However there is no limit to how many computers can be processed simultaneously in order to "throttle" human error, reduce exposure and risk etc. Thus a subsidiary team that is allowed to run scripts on all machines can still send the same script out to all computers at once. This is not a "who" or "what" scope and role choice...it is a "how much" choice.

I have found no workaround to this. 

With this limitation in place you could force sub teams to be only able to create tasks targeted to one machine at a time and build in less risk to such operations.

As a further suggestion, and building on the DS 6 idea it would also be advantageous to add the following restrictions

- Only be able to schedule a task/policy/operation x minutes in time in the future - the purpose to allow a manual throttling of human intentions to circumvent the multiple options by repeating the task.

- Only be able to configure x tasks/policies/operations per hour where x is the maximum number of scheduled tasks awaiting remediation

- Or a combination choice; force x minutes between task creation where x is the shortest number of minutes a user can have between two tasks they have created

- Configure automation policies and alerts for the above where an administrator is appraised of job/task creation per role on creation.

I believe that the addition of these settings would reduce risk at a corporate level, give Administrators more encouragement to implement security and sub farm minor activities to less skilled teams which in turn would broaden Altiris' adoption and use and speed up the dependency on Altiris as a mainstream corporate system.

If anyone wishes to advise/expand on these ideas, including offering workarounds i'd appreciate it as this is a suggestion from a customer.