Creating a Custom SMP Role for Password Disclosure - v. 7.0 SP1 and above
Content
Steps to create a Customer SMP Security Role which has access to disclose passwords on defined resources for LSS v. 7.0 SP1 and above
Steps
- Create role in the SMP console and give privileges.
- Right Click: Show Managed password
- Right Click Menu - Local Security: Show Managed User Passwords
- Associate Role to the Organizational Views or Groups which have the computer resources to which this Role should have access to view passwords. At a minimum this role will need read permission to the Organizational Views and Groups.
- Add read permissions on the "All resources/Security Principle/Local Users OG or add the specific Account to the OG the role already has permissions to.
- Add Read/write Resource data access to these data classes:
- GlobalWindowsUser (under Inventory, User Data)
- User Account Password Disclosure
- Read Resource Data access to these data classes:
- User Account Password
- User Account Password Change
- User Account Password Change Request
- Based on what is required for this Role, ie. if they don't need to be able to change the password then the "Change" data classes won't be needed.