#1, 10-26-2005, 07:16 PM
dtimmons (Status: Junior Altiris Admin; Join Date: 10-24-2005; Location: Yellowknife, NT, Canada; Posts: 6)

Altiris Security (Scope/Role)

Well, to me the security is pretty weird on the NS. Does anyone have any experience creating collections and applying security for groups to them?


What I am trying to do is set up so there are basically two admin groups.
The first for servers and the second for workstations.

Anyone done anything like this before? The only thing I can find is one really short paper on Altiris' site.
#2, 10-28-2005, 10:59 AM
ddavis (Status: Super Altiris Admin; Join Date: 04-05-2005; Location: Raleigh, North Carolina; Posts: 110)

D,

When I was first implementing 6.0, I found very little on best practice or docs on how to implement security. You may want to check out the ManageFusion content which includes a session on console security.

I made some documentation when implementing it & will share some excerpts here. It's a lot of tedious work because you have to adjust permissions the same way in multiple places (all of the functional folders in each solution).

Quote:
Understanding Role and Scope Security
Role vs. Scope – they go together and don’t work without each other. Roles are local security groups in the OS of the Notification Server machine. Local groups cannot be added to local groups. Domain groups can be added to local groups. Security permissions are evaluated in NS by NS making security queries to the OS.

The Role is the privilege to do a function or operation in Notification Server. The Scope is a security permission granted on the folders/objects (computers, packages, etc.) in Notification Server which allows you to use your privileges on those items.

Role without scope (except if you have ‘Take Ownership’) doesn’t get you anything. Scope without role doesn’t let you do anything either. You have to have the privilege (Role) to do something, and then you have to have permissions (Scope) to do that something on the specific object/item.


Role Based Security
Create Windows Domain Security Groups (Role based security)
For each NS Role (including Altiris Admins), create appropriate Windows Domain Security Groups in AD and add the appropriate personnel to those groups. These are domain groups that will be added to the roles (local groups) on the NS. This is where you will manage what "individuals" will be in the role instead of doing it on each NS (if you have a multiple-NS environment).

Create NS Roles
For each group that needs separate access, create a new role and assign the privileges you want them to have in the console (this is the functions they will be able to do on the machines you scope them out for). Also limit what tabs they will see in the console (we only allowed the TASKS, RESOURCES, and SHORTCUTS tabs). To secure reports, we did not allow groups to see the reports tab, and we made shortcuts for the ones we want "published" on the shortcuts tab.

Add the Altiris Admins AD group to the Altiris Admins Role in the NS. Create a new role in the NS for each of the different groups that need access. Check the boxes for the functions you want them to be able to do in the console. Then add the AD group you created for them to the role.

Scope based security
Administrative Containers
Under each functional folder (Computer Collections, Software Delivery Packages -> Windows, Software Delivery Tasks -> Windows, etc.) create new folders for each role.

Set Core Tab Permissions
For the top folder(s) in each tab, grant Altiris Admins FULL and all other roles READ. Select to replace permissions on all child objects (you may have to uncheck the inheritance and copy the existing groups in order to change or delete them). Click Apply.

We didn't use the native Altiris roles except the Altiris Administrators role, so we removed those roles altogether. However, when it's there by default, never remove the /Everyone permissions because you can't recreate it or select it again.

Now, you need to go down to all of the subfolders and adjust the permissions for the groups as needed. Leave the inheritance everywhere but the lowest level folders so all groups can get to their Administrative Group folder.

For instance, leave inheritance on Resource Management > Resources > Software Management > Software Delivery Packages > Windows, but then adjust (you'll have to uncheck inheritance & copy current roles) the role's folders underneath that to add WRITE, DELETE, CLONE, etc. permissions for the given role. Remove the other roles (leave Altiris Admins) so that they can't see what's not theirs.


Creating Default (Secured) Collections
Now you must create a default collection for each group that will define the scope security for that group (what machines the group may act on). This will serve as the group's ‘Secured Collection’ which they will base every other collection they create off of.
Under each of the role's Administrative Groups collection folder, create a new collection with only that role's machines in it (or clone the native Servers and Workstations collections & move them to the appropriate folders).

Grant the "Use as Secured Collection" permission for that role on that collection. You can set that permission at the folder level if you want the role to be able to use any of their own collections as secured collections (kind of like sub-collections). Name that collection with a special character ( _, !, etc.) at the beginning so that it is always at the top of the list and easy to find.


Resource Explorer Permissions
By default, only Altiris Administrators can see all details in the Resource Explorer. You must add the permissions for the other roles if you want them to be able to see the details.

You must add READ permissions for your groups to the Resource Data Classes under the Configuration Tab.
Another hint: If you want your groups to be able to move collections between folders, you have to grant permission to 'Change Permissions' to the role. You can limit them though by not allowing them to 'View Permissions'.
__________________
Thanks,
Darrell
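As an added illustration (not from the post and not Altiris code), a small Python model of the two-part check the excerpt above describes: local role groups filled from AD groups, privileges attached to the role, and folder permissions that inherit until inheritance is unchecked and the ACL copied. All group names, privilege names and the folder layout are constructed for the example.

```python
from dataclasses import dataclass, field
FULL = {"READ", "WRITE", "DELETE", "CLONE", "CHANGE PERMISSIONS"}

@dataclass
class Folder:
    """A console folder; acl maps role name -> permissions granted on this folder."""
    name: str
    parent: "Folder | None" = None
    inherit: bool = True
    acl: dict = field(default_factory=dict)

    def effective_acl(self):
        # Merge the parent's grants only while inheritance is on. Once inheritance
        # is unchecked, the copied acl on the folder itself is all that applies.
        acl = {role: set(perms) for role, perms in self.acl.items()}
        if self.inherit and self.parent is not None:
            for role, perms in self.parent.effective_acl().items():
                acl.setdefault(role, set()).update(perms)
        return acl

# Roles are local groups on the NS filled from AD groups (constructed names).
ROLE_MEMBERS = {
    "Altiris Admins": {"DOM\\NS-Admins"},
    "Server Admins": {"DOM\\Server-Ops"},
    "Workstation Admins": {"DOM\\Desktop-Ops"},
}
# Privileges hang off the role, never off a folder (constructed subset).
ROLE_PRIVILEGES = {
    "Altiris Admins": {"Create Package", "Delete Computers", "Run Report"},
    "Server Admins": {"Create Package"},
    "Workstation Admins": set(),  # has scope (READ) below but no role privilege yet
}

def roles_of(user_groups):
    return {role for role, groups in ROLE_MEMBERS.items() if user_groups & groups}

def allowed(user_groups, privilege, permission, folder):
    """Role AND Scope: privilege via some role plus permission on the folder via some role."""
    roles = roles_of(user_groups)
    has_role = any(privilege in ROLE_PRIVILEGES.get(r, ()) for r in roles)
    acl = folder.effective_acl()
    has_scope = any(permission in acl.get(r, ()) for r in roles)
    return has_role and has_scope

# Layout from the post: the top folder gives Altiris Admins FULL and every other
# role READ; the per-role folder underneath breaks inheritance and drops other roles.
packages = Folder("Software Delivery Packages", acl={
    "Altiris Admins": FULL, "Server Admins": {"READ"}, "Workstation Admins": {"READ"}})
windows = Folder("Windows", parent=packages)  # inheritance left on
srv_folder = Folder("_Server Admins", parent=windows, inherit=False, acl={
    "Altiris Admins": FULL, "Server Admins": {"READ", "WRITE", "DELETE", "CLONE"}})
```

The model shows why "role without scope" (Server Admins writing into the inherited Windows folder) and "scope without role" (Workstation Admins with READ but no privilege) are both denied, while the same user is allowed inside their own broken-inheritance folder.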
#3, 10-28-2005, 12:18 PM
dtimmons (Status: Junior Altiris Admin; Join Date: 10-24-2005; Location: Yellowknife, NT, Canada; Posts: 6)

Thanks, it's a lot more than I had. I think I can understand what I was doing wrong from your explanation.

Thanks again, I'll give it a try.
#4, 03-04-2006, 05:32 AM
kschroeder (Status: Symantec Trusted Advisor; Join Date: 03-08-2005; Location: St. Louis, Missouri, USA; Age: 33; Posts: 420)

Edit: reading back over this, it is rather jumbled...sorry, I was trying to get it all typed in. Hopefully it is helpful!

Just two groups, eh? Must be nice... I have to set up our NS to support about 10 different sites (each with 1 or more AD OUs they have responsibility for), plus all the secured collections, folders, etc. so they can't overstep their bounds. It is a real nightmare.

One thing I can suggest (which was suggested to us during our design engagement with a couple of Altiris consultants) is to create a "master group" of all your admin groups, and assign all the Role rights to that group (like tab views, run report; basically all the stuff you setup on the Security Role Management tool). The membership of this group is a superset of all your Workstation and Server administrators (preferably using pre-existing AD groups so you're not reinventing the wheel).

One important trick is to not allow them to create collections, or secured collections. You have to give them a "template" secured collection (Secured by "All Windows Workstations" or "All Windows Servers" etc.) that they have read and clone rights on (this needs to be set with Inheritance broken so that the clones are modifiable by the admins). They also need Read rights on most of the default system collections (particularly "All Windows Computers with/without/requiring xxxxxx Agent") so they can create their agent deployment collections (and apply policies to collections of machines which have those agents installed).

Then on each tab you want to assign permissions (probably all of them), create a folder for your company under the root folder. Set read rights to your "master group" (I called mine "All OU Admins"), then create a folder for each site under that. Break inheritance on each subfolder and remove the All Admins group, then add the specific Role for the site/group in question (Workstations or Servers in your case).

Last edited by kschroeder; 03-04-2006 at 05:35 AM.
#5, 03-18-2006, 03:19 AM
kschroeder (Status: Symantec Trusted Advisor; Join Date: 03-08-2005; Location: St. Louis, Missouri, USA; Age: 33; Posts: 420)
Also, there is a 2 or 3 page exercise in the back of the NS 6.0 SP3 Reference Guide that walks through the basic (and I emphasize, BASIC) method for configuring Scope and Role for Workstation admins and Server admins; it leaves out a lot of the details though (like how to customize reports so the user has to choose a collection to run the report against).
#6, 05-15-2009, 03:09 AM
jayjay (Status: Junior Altiris Admin; Join Date: 05-15-2009; Location: Switzerland; Posts: 4)
I have a question.

I have a user with the role "worker 2".
The role wasn't changed since the installation.
I want to keep the current role configuration (if possible) and want to give the role "worker 2" the right to delete computers manually in the collection "all computers" (inventory solution > collections > all computers).
How can I do this?
#7, 05-15-2009, 05:16 AM
ddavis (Status: Super Altiris Admin; Join Date: 04-05-2005; Location: Raleigh, North Carolina; Posts: 110)
Deleting machines is actually a role "privilege" rather than a "permission" that you assign on a resource (like on a collection).
Go to the role (where you assign membership), then look at the privileges that role is allowed & add the "Delete Computers" privilege to the role.

The key to this is that you're ok allowing it on "All Computers". That's a good thing because if a role has delete privileges, they can delete computers from anywhere. You can rely on collection permissions to limit what machines they can see, and therefore what they can delete from those collections. However, the delete privilege also applies through reports (machine records can be deleted directly from reports), and reports cannot be secured as easily. So any machine a user with delete privileges can see in a report, they can delete.

As long as you know they can delete any machine record in the console (from the role's secured collections, but also from any report), that should do it.
__________________
Thanks,
Darrell
#8, 05-20-2009, 02:38 AM
jayjay (Status: Junior Altiris Admin; Join Date: 05-15-2009; Location: Switzerland; Posts: 4)
I have no option to add the privilege to delete computers in "view > configuration > server settings > Notification server settings > Security roles". How can I add this option? I have Altiris Notification Server 6.0 SP3 with the Inventory Solution for Windows 6.1 SP2 installed.

Last edited by jayjay; 05-20-2009 at 02:43 AM.
#9, 05-20-2009, 07:37 AM
ddavis (Status: Super Altiris Admin; Join Date: 04-05-2005; Location: Raleigh, North Carolina; Posts: 110)
You need to open/edit the role you want to change, then look under the "Privileges" tab.

There are a few other places that you have to grant them permissions to. Look at Altiris KB article 21270 for the full instructions on granting Computer Delete privileges to a role.
https://kb.altiris.com/article.asp?article=21270&p=1
__________________
Thanks,
Darrell
#10, 05-27-2009, 03:00 AM
jayjay (Status: Junior Altiris Admin; Join Date: 05-15-2009; Location: Switzerland; Posts: 4)
Thank you for the link. It's much more complicated than I thought... But it works now!! Thank you for your help!!