Video Screencast Help
Symantec Secure Login will be live on Connect starting February 25. Get the details here.

Secured Filters - Secured Collections

Created: 12 Jun 2013 • Updated: 27 Jun 2013 | 1 comment
FaaVog's picture
1 Agree
0 Disagree
+1 1 Vote
Login to vote

Please bring Secured Collection functionality back to Altiris 7.x.  We need to be able to set up server collections/filters that can be modified by the SysAdmins, but that are limited in scope by a parent filter. Our SysAdmins support multiple customers/multiple locations so using Organizational Groups security is not feasible for this purpose.

A bit of background:

  • We are an outsourcing organization supporting servers for multiple customers.  The customer's servers may reside at any of several datacenters as well as at remote customer locations.
  • In our environment, customers/servers cannot be grouped by subnet or location and domain configuration (if any) is customer-determined & controlled.
  • Since we have multiple customers with unique change control and patch scheduling requirements, we're rarely able to employ fully automated patching policies.
  • Each customer has its own SW Update Agent Configuration Policy. If their requirements preclude fully automated patching, their Policy is set to run as far in the future as Altiris will it never actually runs.
  • For these customers, the patching process for each patching collection is triggered by a Job scheduled by SysAdmins based on customer requirements.
  • Each customer has its own set of collections. Customer collections are based on a custom dataclass value (customer code) gathered from the client's registry by a scripted process.  The registry entry is set up during build.

Current NS6 setup:

  • Customer master collections: Filtered by customer code & OS type (Windows/UNIX)....also used by Inventory, Task Management, & Reporting.
  • Customer global patching collections: Limited in scope to the customer master collection with “Customer Exclusions” collection excluded,
  • Customer Exclusion collections.  Explicit. SysAdmins can modify the exclusions, based on customer requirements.
  • If required, window/wave patching collections: Limited in scope to the customer global patching collection, servers are explicitly included, SysAdmins can modify the inclusions, based on customer requirements.

Comments 1 CommentJump to latest comment

FaaVog's picture

I am very disappointed that the ability to secure the scope of computer filters to a parent filter was not brought back in the 7.5 release. This has made it difficult for us to implement Altiris 7.x.....we're still at 6.0 as a result.  Using Organizational Groups will not provide the functionality we're looking for since it only works at the computer and user level. 

We use a job to manually initiate the patching cycle on groups of computers.  These groups may represent patch waves or customer-defined groups (prod, dev, ???).  We also set up various scripted jobs for admin use, such as to configure or update a customer-specific app on a group of servers. 

Admins need the ability to create/modify the job targets, but we want to limit the scope of computers that are available for inclusion......this is not a security measure, it's a safety net.

Our admins support multiple customers, so we can't limit computer visibility by customer.....unless we set up separate accounts for each customer group for each admin.  This would result in hundreds of new accounts to manage.

We could make this work if we could tie a filter to an Organizational Group in the same fashion as a Secured Collection, but I don't see a way to do that.

Login to vote