The resource security model has changed significantly for Notification Server 7.0. Resources, which includes all computers, users, and everything else that is defined in the CMDB or resource model, now obtain all of their permission grants from the organizational views and groups to which they belong. This replaces the Notification Server 6.0 implementation, which required securing both standard collections and resource folders.
There are a few exceptions, such as packages, which are resources but are also items that appear in the Symantec Management Console folder structure. The security options for these items are disabled in the folder structure. Security for these is set in the same way as other resources.
An organizational view is a hierarchical grouping of resources (as organizational groups) that reflects a real-world structure, or "view", of your organization. For example, you may create organizational views to group your resources by geographical location, or by department, or by network structure. As in the real world, a resource may (but is not required to) appear once only in an organizational view.
The Symantec Management Console has a default Default organizational view that contains all known resources. As new resources are discovered in scheduled updates and added to the CMDB, they are automatically placed in the Default organizational view. The Default view organizes resources by type, with each type of resource (computer, user, package, etc.) being placed in the corresponding organizational group. You can manually copy the newly-discovered resources into the appropriate organizational views.
The assignment of resources into organizational groups is automatic and you cannot change it. Note that there may be a delay between the resource being discovered and being shown in the appropriate organizational group. Each newly discovered resource is placed in the top level organizational group, and remains there until being moved into the appropriate organizational group when the Organizational View refresh schedule runs.
You can remove resources from any organizational view except the Default view. When a resource is deleted from the CMDB, it is automatically removed from all organizational views using the delta update schedule.
You set up security by assigning the appropriate permissions for each security role on each organizational view, and on the organizational groups within each view. A permission that is assigned to an organizational group applies to all resources in that group and, by default, applies to all of its child groups. You cannot assign permissions directly to a particular resource.
Permission grants on a resource are accumulated across organizational views. The permissions that a security role has on a particular resource is the union of all the permissions that the resource has been assigned through the organizational groups to which it belongs. If a security role has permission to perform an action on a resource in one organizational view, the role can perform that action regardless of whether the permission is applied to other organizational views that contain the same resource. For example, if a security role has read access to a resource in one organizational view, write access to the same resource in another organizational view, but no access to the resource in a third organizational view, the role has both read and write access to the resource.
Implementing resource security in this way gives each security role its own unique view, or "scope", of the available resources. The security role determines which resources its members can access, and what actions they can perform on those resources. Filters, targets, and report results are dynamic and automatically scoped according to the role of the user who owns them. Therefore, filters, targets, and report results always contain only the resources to which that user has the necessary access permissions.
When a target is evaluated, only resources to which the user has read access are available. Consequently, the only security permission that a user requires to apply a task or policy to a resource is the read permission on the resource.
Imported Document ID: HOWTO62740
Subscribing will provide email updates when this Article is updated. Login is required.