When the user that is in a custom security role for assets tries to view, edit or save (etc.) assets, such as computers, errors occur such as Access Denied or Permission Denied. Some areas may work, however, such as being able to see and edit computers. But when, for example, the asset is attempted to be saved, a permission error then occurs.
Permission errors can occur in any are of the Symantec Management Platform Console when the necessary rights have not been granted to a custom security role. For example:
Going to Home > Service and Asset Management can result in an Access Denied error:
Going to Manage > Assets > Organizational Types > Company can result in an Access Denied error:
Going to Manage > Service and Asset Management > CI Management or Home > Service and Asset Management > Manage Configuration Items can result in an Access Denied error:
Editing a specific resource type without any permissions can result in a Resource Edit Denied error:
Editing a computer without any data class permissions can result in no data classes seen and therefore not editable:
When permissions are removed while a user is working in the Symantec Management Platform Console, more severe errors can occur such as a Symantec Management Server Error:
In rare cases if permissions were corrupted during an upgrade or removed directly from SQL, trying to save an asset can result in errors on the edit window when trying to save the asset. This sort of error should not, however, occur when permissions are removed or not granted, such as through the normal configuration of a custom security role. Breaking inheritance for a permission may result in similar errors, but which generally instead result in one of the above errors or similar errors.
The custom security role does not have sufficient rights to perform the desired action.
Depending on where the permission error(s) occurs at, in general, use Security Role Manager to add additional appropriate permissions to the custom security role.
In the Symantec Management Platform, while logged in as a Symantec Administrator, click on Settings > Security > Account Management.
Click on Roles.
In the Roles list, click on the custom security role to modify.
a. Click on the Privileges tab to modify privileges. These include right click function privileges in reports. b. Click on the Show Security Role Manager Console button to modify permissions. These include virtually everything else, including folder, resource, data class, views, web parts, reports, etc. permissions.
Change the permissions to resolve the error. The difficulty in this is that the Altiris Administrator would need to determine what needs to be set where, which may be very hard to ascertain without a lot of testing and experimenting. Please Note: Symantec Technical Support is unable to provide the customer with a list of what rights are required to perform specific tasks andis unable to walk them through how to make a custom security role perform specific tasks. If the customer requires extensive help in creating or troubleshooting their custom security role, instead please contact Symantec Consulting Services at http://www.symantec.com/it-consulting-services.
When finished, ensure that any changes are saved. If a user is in a Symantec Management Platform Console when their custom security role is changed, the changes generally take effect immediately, but they may need to refresh their browser or close it and restart it, depending on what was changed.
If the user is placed in an out of box security role instead of their custom security role, do the permission errors stop? If the answer is yes, the Altiris Administrator has then verified that the sole issue is with the lack of privileges or permissions in the custom security role, not with the Asset Management or CMDB products. Ensure that it includes the appropriate rights to do what is expected.
When possible, it is always recommended to use an out of box asset security role, such as the Asset Managers or CMDB Managers security roles, instead of trying to create a custom security role. This is because trying to create a custom security role to do exactly what is desired with assets can be very difficult.
Refer to the following article for more information about creating, configuring and troubleshooting custom security roles for assets: