Creating a Custom SMP Role for Password Disclosure - v. 7.5 and above (Current)

Purpose:

This article explains how to create a Security Role with the minimum set of permissions needed to view a managed password. (It is based on the permissions documented in Local Security Permissions for Viewing of Local User Passwords.)

Steps:

Allow the Local User resource to be displayed in the Arellia Console

  1. In the Arellia Console, open the Resources tab and click the icon at the top of the left-hand pane
  2. Scroll to "Security Principal" node (expand if necessary) and check the box next to "Local User"

Create the new Password Disclosure security role

  1. Open the Configuration tab and navigate to Settings -> Notification Server -> Account Management -> Roles

  2. Click the icon to add a new Security Role, enter a name for the password disclosure role, and click OK
  3. Open the Privileges tab for the new role
    • Check "Show Managed Password" under the "Right Click Menu"
    • Check "Show Managed User Passwords" under "Right Click Menu - Local Security"

  4. Click on the "Save changes" button to commit the new Security role to the database

Configure the Security Role Manager

  1. Stay on the Role configuration page and click the "Show Security Role Manager Console" button
  2. Change the View to "Resources"
  3. Click the Add icon to display the Add Permissions dialog
  4. Expand the Folder drop down menu so that Notification Server > Resource Management is displayed
  5. Within the drop down expand Resource Management > Organizational Views > Default > All Resources
    1. Select the Security Principal folder, then add Local User to the list of Selected Items by double-clicking it or using the > button

  6. Repeat the process of selecting a parent folder and then adding the required child item for the following items:
    1. Resource Management > Organizational Views > Default > All Resources > User
    2. Resource Management > Organizational Views > Default > All Resources > Asset > Network Resource > Computer
  7. Click OK to finish adding Read access to the Local User, Computer and User resource types
  8. In the Security Role Manager change the View drop down menu option from Resources to Settings
  9. Click the Add icon to display the Add Permissions dialog
  10. Expand the Folder drop down menu so that Notification Server > Settings is displayed
  11. Repeat the process of selecting a parent folder and then adding the required child item for the following items:
    1. Settings > Arellia > Infrastructure > Password Disclosure Settings
    2. Settings > Notification Server > Resource and Data Class Settings > Data Classes > Arellia > Security Management > User Account Password
    3. Settings > Notification Server > Resource and Data Class Settings > Data Classes > Arellia > Security Management > User Account Password Disclosure

  12. Click OK to commit the changes to the database
  13. In the Security Role Manager change the View drop down menu option from Settings to All Items
  14. Navigate to the Resource Management > Organizational Views > Default > All Resources > Security Principal > Local User resource folder
    1. Add the view password permission located under Resource Management Permissions
  15. Navigate to the Settings > Notification Server > Resource and Data Class Settings > Data Classes > Arellia > Security Management folder
    1. Grant Write permissions to the User Account Password Disclosure data class

  16. Save the changes and close the Security Role Manager Console. The new role has now been created.
    Optional: add the new role as a member of the Symantec Guest role to give its members basic Altiris Console access.
  17. Add the desired accounts and/or roles as members of the new disclosure role
    These members can then log on to the Altiris Console and disclose passwords by navigating to the Local User or Computer resource folders and using the right-click context menu


If you want to disclose passwords from the Arellia Console rather than the Altiris Console, you must also grant Read access to the Resource Management root node. Be aware that Read access granted on this root node is inherited by every child node, so it effectively grants Read access to all resource types. That is considerably broader than the minimal role built above; if least privilege is the goal, have the role's members disclose passwords from the Altiris Console instead.

Troubleshooting:

If a window with an orange circle appears after you click "Show Managed Password", first verify that the permissions above (and those in Local Security Permissions for Viewing of Local User Passwords) are correct. Then restart the Altiris and IIS services: Arellia may have cached an earlier security permission, and that cache is cleared when the web services restart. For more on security permission caching, see Arellia Security Permissions Caching.
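The following PowerShell script is an added example, not part of the original article or of the Arellia/Altiris product, that automates the service restart described above and verifies the result. It assumes an elevated session on the Notification Server, that the Altiris services can be found by the display-name pattern 'Altiris*' (the exact service names are an assumption; adjust the pattern to match your installation), and that iisreset.exe is on the path.

```powershell
# Added example (not from the original article): restart the Altiris services and IIS
# so that any cached security permission is re-evaluated on the next request.
# Assumptions: elevated session on the Notification Server; the Altiris services match
# the display-name pattern below (adjust it if your install names them differently).
$ServicePattern = 'Altiris*'

$altirisServices = Get-Service -DisplayName $ServicePattern -ErrorAction SilentlyContinue
if (-not $altirisServices) {
    throw "No services matched display-name pattern '$ServicePattern'. Check the pattern and run elevated."
}

# Remember which services were running so that only those are started again afterwards;
# a service that was deliberately disabled stays down.
$wasRunning = @($altirisServices | Where-Object { $_.Status -eq 'Running' })

if ($wasRunning.Count -gt 0) {
    Write-Host "Stopping: $($wasRunning.DisplayName -join ', ')"
    $wasRunning | Stop-Service -Force   # -Force also stops dependent services
    $wasRunning | ForEach-Object { $_.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2)) }
}

# Restart IIS; this drops the web services' in-process caches.
& iisreset.exe /restart
if ($LASTEXITCODE -ne 0) { throw "iisreset failed with exit code $LASTEXITCODE" }

if ($wasRunning.Count -gt 0) {
    Write-Host "Starting: $($wasRunning.DisplayName -join ', ')"
    $wasRunning | Start-Service
    $wasRunning | ForEach-Object { $_.WaitForStatus('Running', [TimeSpan]::FromMinutes(2)) }
}

# Verify the final state and fail loudly if anything that was running did not come back.
$final = Get-Service -DisplayName $ServicePattern
$final | Format-Table DisplayName, Status -AutoSize
$notRunning = @($final | Where-Object { $_.Status -ne 'Running' -and $wasRunning.Name -contains $_.Name })
if ($notRunning.Count -gt 0) {
    throw "Services still not running: $($notRunning.DisplayName -join ', ')"
}
```

Run this during a maintenance window if possible: iisreset interrupts every Altiris and Arellia Console session on the server, not only the one being troubleshot.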