KNOWN ISSUE: Unable to create Security role to push the Symantec Management Agent: Getting 'Access Denied' in the Symantec Management Agent Install page
Last Updated March 15, 2013
Customer is trying to create a Security Role that can push out the Symantec Management Agent. In testing it has been found that the only group that has rights to access the push page is the Symantec Administrators role. Not other role has the rights to do so and we are unable to create a role that can push the agent via the push page.
So far when he uses any custom or default security role, when they try to access the Symantec Management Agent Install page, they get the following:
You currently do not have sufficient network access rights to the Notification Server console.
Reason: You do not have required permission or privilege to load the item, please contact the system administrator. "
You currently do not have sufficient network access rights to the Notification Server console. Reason: You do not have required permission or privilege to load the item, please contact the system administrator. "
There is an item that is hidden so we can't access it to provide the proper rights.
This issue has been reported to Symantec Development team. A fix should be available in a future release.
There is a fix available that should make the necessary changes on the permissions. See attached "Fix_eTrack2733060_7_1_SP2_Hidden_Full_Control_Folder_permission.zip"
This is just config change. If this is present on ITMS 7.1 SP2 MP1, then this will fix the problem (if there is no other). If you run a repair on your SMP after applying this fix, you will need to rerun this fix again. Rollups will not overwrite fix.
How to Install Fix:
1. Download and extract the zip file "Fix_eTrack2733060_7_1_SP2_Hidden_Full_Control_Folder_permission.zip"
2. Run 'Install.cmd' as Administrator (right-click>Run as Administrator) on your SMP Server
3. It will open a command prompt window and will execute the necessary changes (reconfiguring the folder permission and update the item XML)
Next import the policies into a visible folder so that we can modify the permissions.
Go to Settings> Agents/Plug-ins> Symantec Management Agent.
Right click on the 'Settings' folder and select Import. Import the files that were exported in the previous step one at a time.
Open security and add the desired role to the needed folder.
Go to Settings> Security> Permissions.
Select ‘Symantec Level 2 Workers’ or the desired role in the Role: drop down.
Select ‘Settings’ from the View: drop down
Expand the tree Settings> Agents/Plug-ins> Symantec Management Agent.
Select the ‘Settings’ folder
Click the ‘Advanced’ button
Within this section add the ‘Symantec Level 2 Workers’ or desired role, using the plus button unless it already exists with a status of Not Inheritted.
Give the role full control
Check the box ‘Replace permissions on all child objects’
Save changes and close the window
Save changes and close the window
Verify that the role can now access the page, you may need to close the console and open it again.
If the role is able to access the page we need to move the items back to their default folder, using the following commands in SQL Management Studio. NOTE: Importing the items back into the correct folder overwrites the security essentially breaking it again.That is why this was chosen as the method to move them back.
o spItemMoveToFolder @ItemGuid = '124d0571-4725-466c-8f43-998160d3cff2', @FolderGuid = '7C28DA7A-B9A9-4A52-A639-D57F8A287A7D'
o spItemMoveToFolder @ItemGuid = 'B1238E4D-F821-4A77-94B5-7A3B4B312E9F', @FolderGuid = '7C28DA7A-B9A9-4A52-A639-D57F8A287A7D'
o spItemMoveToFolder @ItemGuid = 'F1A08C61-4F14-4C0F-9E57-EB79D43F1334', @FolderGuid = '7C28DA7A-B9A9-4A52-A639-D57F8A287A7D'