Organizational Groups (locations) have been added to the Symantec Management Platform (Manage > Organizational Views and Groups). Permissions have been set, but users are still able to edit assets that they should not have access to. For example:
Read access has been restricted to the Organizational Views "Default" and "Assets by Location". Users under Assets by Location can then no longer edit assets in Default.
However, a user in a location under the now-restricted Assets by Location view can still add security permissions, such as Read, to items. These users can also edit any asset in the "User Created Resources" Organizational Group.
This is working as designed. Security role permissions are additive. Granting a role the privilege to create Organizational Groups gives its members full permissions on any Organizational Group they create and on anything they place in it. Granting the location Organizational Views Read access without restricting the remaining specific permissions leaves the users under those views able to modify permissions themselves and to keep edit rights.
If the purpose of restricting Organizational Groups is to limit users to editing only the assets in their own location, it is recommended to use the following practices instead of setting edit or view permissions directly for the users in an Organizational Group. Note: It is recommended that these settings be controlled by a Symantec Administrator and not be granted to all users.
Part 1: Restrict security roles from using the Create Organizational Groups privilege. To ensure that restricted users do not gain unexpected permissions, prevent them from being able to create Organizational Groups. The following steps describe how to do this.
1. While logged into the Symantec Management Platform console as a Symantec Administrator, click on the Settings button > Security > Account Management.
2. Click on Roles.
3. Click on the role to edit.
4. Click on the Privileges tab.
5. Under the Management Privileges section, uncheck "Create Organizational Groups" (if it is turned on). Note: The "Create Filters" privilege can also be turned off here, but leaving it enabled does not give the restricted security roles access to assets they should not have access to.
6. Click on the "Save changes" button.
7. Repeat steps 3 through 6 for any other security roles to restrict.
Part 2: Define locations so that they include only specific users. Configure each location to include only the users who belong to it. This further restricts which assets those users can reach.
Edit each location and assign subnets to it. This defines which computers, and therefore which users, belong to the location.
1. While logged into the Symantec Management Platform console as a Symantec Administrator, click on the Manage button > Assets.
2. Expand Organizational Types > Location.
3. Right-click on the location to edit and choose Edit. Note: If no locations are available, either create new ones or import them using the Microsoft Active Directory Import found in Settings > All Settings > Notification Server > Microsoft Active Directory Import.
4. Add subnet(s) to the Location to Subnet field. Note: Information on how to automatically populate location subnets can be found in the following related articles:
5. Repeat steps 3 and 4 for any other locations to edit.
Alternatively, the core Automation Policy "Assign computers discovered in the last day to Organizational Group" can be used instead of assigning subnets to locations. This requires more setup work, however.
1. While logged into the Symantec Management Platform console as a Symantec Administrator, click on the Manage button > Automation Policies.
2. Click on "Assign computers discovered in the last day to Organizational Group". Note: A new Automation Policy can be created that uses this functionality to further customize the process, but for most purposes the out-of-box Automation Policy works fine.
3. Configure the options as desired.
4. Set the Data Source to use SQL. The administrator must supply the SQL that determines which computers are added to the Organizational Group.
5. Click on the "Save changes" button.
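The following T-SQL is an added example, not code from this article or from Symantec's own policy, of the kind of query an administrator could supply as the SQL data source in step 4 for a copy of the automation policy scoped to one location. It assumes the standard CMDB view vComputer and the tables Inv_AeX_AC_TCPIP and RM_ResourceComputer with the column names shown (verify these against your own database before use), and the two subnets are constructed sample values standing in for one location. The query returns the Guid and Name of each computer created in the CMDB within the last day whose reported IP address falls inside one of those subnets, matching on the location's own mask so that a client reporting a narrower mask is still placed correctly.

```sql
-- Added example: SQL data source for a per-location copy of the
-- "Assign computers discovered in the last day to Organizational Group" policy.
-- ASSUMPTION: vComputer (Guid, Name), Inv_AeX_AC_TCPIP (_ResourceGuid, [IP Address])
-- and RM_ResourceComputer (Guid, CreatedDate) are the standard CMDB objects;
-- check the names against your schema. Subnets below are constructed sample values.
DECLARE @LocationSubnets TABLE (Network VARCHAR(15), Mask VARCHAR(15));
INSERT INTO @LocationSubnets (Network, Mask) VALUES ('10.20.0.0', '255.255.0.0');
INSERT INTO @LocationSubnets (Network, Mask) VALUES ('192.168.50.0', '255.255.255.0');

;WITH Ip AS (
    -- Split each client's IPv4 address into integer octets.
    -- PARSENAME treats the dotted string like a four-part object name.
    SELECT t._ResourceGuid AS Guid,
           CAST(PARSENAME(t.[IP Address], 4) AS INT) AS o1,
           CAST(PARSENAME(t.[IP Address], 3) AS INT) AS o2,
           CAST(PARSENAME(t.[IP Address], 2) AS INT) AS o3,
           CAST(PARSENAME(t.[IP Address], 1) AS INT) AS o4
    FROM Inv_AeX_AC_TCPIP t
    WHERE t.[IP Address] LIKE '%.%.%.%'   -- skip empty and IPv6 entries
      AND t.[IP Address] NOT LIKE '%:%'
),
Loc AS (
    -- Split the location's network and mask into octets the same way.
    SELECT CAST(PARSENAME(Network, 4) AS INT) AS n1,
           CAST(PARSENAME(Network, 3) AS INT) AS n2,
           CAST(PARSENAME(Network, 2) AS INT) AS n3,
           CAST(PARSENAME(Network, 1) AS INT) AS n4,
           CAST(PARSENAME(Mask, 4) AS INT)    AS m1,
           CAST(PARSENAME(Mask, 3) AS INT)    AS m2,
           CAST(PARSENAME(Mask, 2) AS INT)    AS m3,
           CAST(PARSENAME(Mask, 1) AS INT)    AS m4
    FROM @LocationSubnets
)
SELECT DISTINCT c.Guid, c.Name
FROM vComputer c
JOIN RM_ResourceComputer r ON r.Guid = c.Guid
JOIN Ip  i ON i.Guid = c.Guid
-- Apply the LOCATION's mask to both sides so the client's own reported
-- subnet mask (which may be narrower) does not affect the match.
JOIN Loc l ON (i.o1 & l.m1) = (l.n1 & l.m1)
          AND (i.o2 & l.m2) = (l.n2 & l.m2)
          AND (i.o3 & l.m3) = (l.n3 & l.m3)
          AND (i.o4 & l.m4) = (l.n4 & l.m4)
WHERE r.CreatedDate >= DATEADD(day, -1, GETDATE());   -- "discovered in the last day"
```

Because the policy's assignment step targets a single Organizational Group, one copy of the policy, each with its own subnet list, is needed per location. Test the query in SQL Server Management Studio against the Symantec_CMDB database first and confirm it returns only the expected computers before saving the policy.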
Part 3: Configure the CMDB task "Update Organizational Hierarchy". When new locations, cost centers, or departments are added into the database, the items do not automatically appear in the Organizational Views and Groups list until the organizational hierarchy gets updated. This CMDB task performs this. Additional information about using Update Organizational Hierarchy can be found in the CMDB 7.1 SP2 User Guide, page 17:
1. While logged into the Symantec Management Platform console as a Symantec Administrator, click on the Manage button > Jobs and Tasks.
2. Expand System Jobs and Tasks > CMDB > Update Organizational Hierarchy.
3. Click on the Update Organizational Hierarchies link.
4. Select the Organizational Hierarchies to use and then click on the ">" button. For example, "Users by Location".
5. Click on the OK button.
6. By default, the task is set to run daily at 2:00 AM. To run it at another time, edit the topmost task to change its schedule. Note: A new task can be created to run immediately and update the hierarchy right away, instead of waiting for the next scheduled update.
7. Click on the task's "Save changes" button. Note: This button is disabled if no changes were made to the task.
Part 4: Create any special filters for the restricted Organizational Groups to use
Special filters may need to be created to accommodate the restricted Organizational Groups. This is performed under Manage > Filters. Note: Filters automatically show only the limited list of assets to users in the restricted Organizational Groups.
Part 5: How to use tasks, reports, etc. as the now restricted users
While logged into the Symantec Management Platform console as a user under one of the restricted Organizational Groups, open a task, policy, report, or similar item that should show a restricted list of assets.
How the item is scoped depends on its type. For example, a task can be set to exclude computers not in a group, with that group set to the restricted Organizational Group; or, if special filters were set up in Part 4, those can be used instead. For many reports, change the "Showing" selection to the Organizational Group or to a special filter.