Notification Server comes with the following built-in reports that provide certain security-related information:
“Privileges granted to roles” tells you what privileges have been granted to a role. It does not tell you who the members of those roles are; to find that out yourself you would need to use a script that calls a Windows API, etc.
“User permission assignments on management items” and “User permission assignments on resources” provide information on the areas they look at, but they do not provide you with the permission assignments of users. How can this be done?
Attached to this article is a report that displays the permissions that have been assigned to a User/Role. Note that this report does not include the console items that these permissions are assigned to for that user. This is possible to do, but may cause performance issues when the report is run.
Run the security_sp.sql file so that two stored procedures are created (sp_ByteFlipBinaryFromString and sp_SecurityTrusteeNames).
Import the NS Security Report Folder.xml file into the Altiris Console. This creates a folder called NS Security that contains two reports: Permissions Assigned to User/Role and Privileges Assigned to User/Role. You can delete the second report, as it just provides the same information that the “Privileges granted to roles” built-in report does.
To remove the reports, delete the imported report folder.
Then run the two drop statements in the Remove_Security_SPs.sql file to delete the two stored procedures.
When you choose to run the reports, the UserRole parameter executes the sp_SecurityTrusteeNames stored procedure.
The sp_SecurityTrusteeNames stored procedure creates a table called temp_trustee and populates it after executing the sp_ByteFlipBinaryFromString stored procedure.
Once you have answered the parameter prompt, the report displays its output after the Refresh button is pressed. This action also drops the temp_trustee table.
Note: If you do not click the Refresh button, the temp_trustee table will remain in the database and will prevent you from running either report again, until you manually run this statement: