IT Management Suite

 View Only
  • 1.  Upgrade from 8.5 RU2 to 8.5 RU3: issue detected

    Posted Sep 29, 2022 05:47 AM
    Edited by Pablo Llorente Sep 29, 2022 05:49 AM
    Hello,

    This morning we have realized that, during the upgrade 8.6 version from RU2 to RU3, two accounts belonging to the same role, were granted with ALL rights over all filters in the system, instead of having only rights over the filters that they should have according with their role. One of the users affected with this issue has caused a lot of problems in our system removing computers out of his scope and adding his machines (this is only an example).

    Checking the Role, everything was correct, and checking the accounts also, nothing strange. But accessing to the console with the account mentioned, we could see all filters. Also checking the properties/security of any filter, we could see how those accounts had all permissions over the filter, and those were "heritaged".

    I think that it should be checked deeply. We have removed the accounts and created them again and the problem has been solved.

    If you need any log, I will provide it. The upgrade was done last 15/09.

    Best regards.






  • 2.  RE: Upgrade from 8.5 RU2 to 8.5 RU3: issue detected

    Posted Sep 29, 2022 05:49 AM
    Sorry, I mean 8.6 RU2 to 8.6 RU3.


  • 3.  RE: Upgrade from 8.5 RU2 to 8.5 RU3: issue detected

    Broadcom Employee
    Posted Sep 30, 2022 04:06 AM

    Good morning Pablo Llorente!

    Could you please provide information:

    1. How this security role was created? Cloned from default "Symantec Administrators" role or from any other default role?
    2. What restrictions has this affected security role? Otherwise this role can see all default Org Views/Org groups and resources 

    For example, how looks accessible Org groups, resources for this Role


    3.
    Pablo Llorente: We have removed the accounts and created them again and the problem has been solved.
    IgorP: Looks like I'm too late.. Would be useful to check where Accounts were "Member of" other Security roles 

    For example, check "Member Of" and "Members" tab for affected Security role


    Also check "Member Of" for affected "Account"

    This case isn't same as described here https://community.broadcom.com/symantecenterprise/discussion/filters-new-computers-and-installed-agent#bm9ff586e8-25b8-410f-b707-8d0b2e745364 ?

    Many Thanks!
    IP.



    ------------------------------
    [JobTitle]
    [CompanyName]
    [State]
    ------------------------------



  • 4.  RE: Upgrade from 8.5 RU2 to 8.5 RU3: issue detected

    Posted Sep 30, 2022 04:37 AM
    Hello Igor,

    We have around 32 similar roles in our sistem. One Role per country. All
    roles are identical, and this one was the latest created.

    All roles have the same privileges, but in terms of "Filters", "Reports"
    and "Jobs and tasks" any role has access only to their country folder. and
    additionally any ole has access to their own AD OU.

    [image: image.png]

    [image: image.png]

    [image: image.png]

    [image: image.png]

    [image: image.png]

    The users were members of their country's role: "AA_EMEA_GNE_LEVEL 1" and
    EVERYONE, not more groups. It was deeply checked.

    The case is totally different to the one that you are referring to. In this
    case, two users, randomly, were granted just after the upgrade for having
    access to all filters. In fact, two filters were modified by them when they
    shoundt even see it.

    After remove and create the users again, the situation back to normal, and
    they can see only the filters under their country folder.

    One significant aspect is that I checked when the country role had been
    modified and who did it, and it was done by the System Service account (the
    altiris one) and just the date when the upgrade was done.

    The filter called: EMEA - Bitlocker_Automatic_Activation



    is under the folder:

    [image: image.png]

    [image: image.png]

    and as you can see, it was modified by someone that does not have access
    over such a filter:

    [image: image.png]
    [image: image.png]

    The two accounts (one of them has been deleted because the user left the
    company):

    [image: image.png]

    and this user Today, after recreate the accounts is seeing what he has to
    see, not more:

    [image: image.png]

    As you can see, Today for this user would be impossible to modify the
    commented filter.

    Hope it clarifies.


    Best Regards / Saludos
    ___________________________

    PABLO LLORENTE ABAD
    EMEA Workplace Services , Workplace Specialist

    Calle Albasanz 14, 4th floor
    Madrid , Spain
    Mobile +34 672746460
    *pablo.llorente@holcim.com <pablo.llorente@holcim.com>**
    <http: *">www.holcim.com/="">*
    *www.holcim.com <http: *">www.holcim.com/="">*

    Follow us on Facebook <https: ">www.facebook.com/lafargeholcimitemea/=""> |
    Twitter <https: twitter.com/lhitemea=""> | LinkedIn
    <https: ">www.linkedin.com/company/lafargeholcimitemea/="">

    *To visit our Workplace Connect site click here
    <https: connect.lafargeholcim.com/emea-digital-center/functions/it-security/emea-workplace-services="">*

    This email is confidential and intended only for the use of the above named
    addressee. If you have received this email in error, please delete it
    immediately and notify us by email or telephone.




  • 5.  RE: Upgrade from 8.5 RU2 to 8.5 RU3: issue detected

    Posted Oct 03, 2022 03:12 AM
      |   view attached
    Hello Igor,

    The ROLE was cloned from others similar roles for other countries. The Role #0 was clone from WORKERS_LEVEL 1 Role, but we added some additional rights. All Roles (around 40) are identical but with different scope.

    Please find attached my email sent last week but in PDF format in order to avoid the issues on the images enclosed.

    Thanks​

    Attachment(s)

    pdf
    Broadcom_Issues_RU3.pdf   1.45 MB 1 version


  • 6.  RE: Upgrade from 8.5 RU2 to 8.5 RU3: issue detected

    Broadcom Employee
    Posted Oct 03, 2022 12:04 PM

    Hi Pablo Llorente!

    Many thanks for detailed information in attached .pdf file.

    I can't reproduce this problem. All custom roles cloned from "Symantec Level1 Workers" or "Symantec Administrators" role, set same permissions for same Items, resources (like it is shown on pictures from attached .pdf), after upgrade from 8.6 RU2 to 8.6 RU3 release, all custom roles (accounts in) have same permissions and see only allowed Items, Resources, Filters in SMP Console.

    Assume that maybe these affected accounts/other roles were added in not required "Security Role" therefore they saw all other items in console.
    Please check "History" for affected accounts and roles

    Example, when you right click on account or role to see "Resource Change History"



    Best Regards,
    IP.



    ------------------------------
    [JobTitle]
    [CompanyName]
    [State]
    ------------------------------



  • 7.  RE: Upgrade from 8.5 RU2 to 8.5 RU3: issue detected

    Posted Oct 03, 2022 12:23 PM
    Hello Igor,

    As I commented, I removed those accounts and created them again, so no
    history is available. In any case, I dont have the same menu as you, I dont
    have the "CMDB Functions" when I right click over an account.

    [image: image.png]

    Is there any log available that is created during the upgrade that we could
    check?
    BR


    Best Regards / Saludos
    ___________________________

    PABLO LLORENTE ABAD
    EMEA Workplace Services , Workplace Specialist

    Calle Albasanz 14, 4th floor
    Madrid , Spain
    Mobile +34 672746460
    *pablo.llorente@holcim.com <pablo.llorente@holcim.com>**
    <http: *">www.holcim.com/="">*
    *www.holcim.com <http: *">www.holcim.com/="">*

    Follow us on Facebook <https: ">www.facebook.com/lafargeholcimitemea/=""> |
    Twitter <https: twitter.com/lhitemea=""> | LinkedIn
    <https: ">www.linkedin.com/company/lafargeholcimitemea/="">

    *To visit our Workplace Connect site click here
    <https: connect.lafargeholcim.com/emea-digital-center/functions/it-security/emea-workplace-services="">*

    This email is confidential and intended only for the use of the above named
    addressee. If you have received this email in error, please delete it
    immediately and notify us by email or telephone.




  • 8.  RE: Upgrade from 8.5 RU2 to 8.5 RU3: issue detected

    Broadcom Employee
    Posted Oct 04, 2022 03:36 AM

    Hello Pablo!

    PL: As I commented, I removed those accounts and created them again, so no
    history is available. In any case, I dont have the same menu as you, I dont
    have the "CMDB Functions" when I right click over an account.

    IP: Yes, I remember that those accounts were removed to fix main problem with permissions.

    Seems like you are using "Client Management Suite", therefore there is no "CMDB Functions" available via right click menu in Console.
    You can install "Altiris CMDB Solution" product (it doesn't require license nodes to use it)
    As example if there is CMS 8.5 RU4 installed and user wants to install "Altiris CMDB Solution" product.

    So in future if similar case will appear, you can check "Resource Change History" via right click on affected account(s) or Role(s) to identify what is changed, when and who changed.

    PL: Is there any log available that is created during the upgrade that we could check?
    IP:  During upgrade there is such information about separate account or role but if you had "Verbose", "Trace" log level enabled, then you can try to find all related logs for affected account from Altiris Log Viewer on SMP Server.

    For example all logs related to my account
    - "Verbose" and "Trace" log level was enabled so all current NS logs can show me information for required Account changes


    Choose "All" existing log files to check (or for some days ago)


    Specified affected "Account" name to show logs only where this account involved

    Best Regards,
    IP.



    ------------------------------
    [JobTitle]
    [CompanyName]
    [State]
    ------------------------------



  • 9.  RE: Upgrade from 8.5 RU2 to 8.5 RU3: issue detected

    Posted Oct 05, 2022 04:32 AM
    Thanks Igor,

    We will install CMDB and we will enable the verbose mode in logs in order
    to capture everything during the upgrade in the future.

    Thanks for your help, I understand that is a difficult scenario to
    reproduce.

    Thanks for your valuable support.


    Best Regards / Saludos
    ___________________________

    PABLO LLORENTE ABAD
    EMEA Workplace Services , Workplace Specialist

    Calle Albasanz 14, 4th floor
    Madrid , Spain
    Mobile +34 672746460
    *pablo.llorente@holcim.com <pablo.llorente@holcim.com>**
    <http: *">www.holcim.com/="">*
    *www.holcim.com <http: *">www.holcim.com/="">*

    Follow us on Facebook <https: ">www.facebook.com/lafargeholcimitemea/=""> |
    Twitter <https: twitter.com/lhitemea=""> | LinkedIn
    <https: ">www.linkedin.com/company/lafargeholcimitemea/="">

    *To visit our Workplace Connect site click here
    <https: connect.lafargeholcim.com/emea-digital-center/functions/it-security/emea-workplace-services="">*

    This email is confidential and intended only for the use of the above named
    addressee. If you have received this email in error, please delete it
    immediately and notify us by email or telephone.