Hello Igor,
We have around 32 similar roles in our system. One role per country. All
roles are identical, and this one was the latest created.
All roles have the same privileges, but in terms of "Filters", "Reports"
and "Jobs and tasks", each role has access only to its country folder, and
additionally each role has access to its own AD OU.
The users were members of their country's role, "AA_EMEA_GNE_LEVEL 1", and
EVERYONE, no other groups. This was checked thoroughly.
The case is totally different from the one that you are referring to. In this
case, two users, randomly, were granted access to all filters just after the
upgrade. In fact, two filters were modified by them when they
shouldn't even see them.
After removing and creating the users again, the situation is back to normal, and
they can see only the filters under their country folder.
One significant aspect is that I checked when the country role had been
modified and who did it, and it was done by the System Service account (the
Altiris one), on exactly the date when the upgrade was done.
The filter called: EMEA - Bitlocker_Automatic_Activation
is under the folder:
[image: image.png]
and as you can see, it was modified by someone that does not have access
over such a filter:
[image: image.png]
The two accounts (one of them has been deleted because the user left the
company):
[image: image.png]
and this user today, after recreating the accounts, is seeing what he has to
see, no more:
[image: image.png]
As you can see, today it would be impossible for this user to modify the
filter mentioned.
Hope it clarifies.
Best Regards / Saludos
___________________________
PABLO LLORENTE ABAD
EMEA Workplace Services , Workplace Specialist
Calle Albasanz 14, 4th floor
Madrid , Spain
Mobile +34 672746460
Original Message:
Sent: 9/30/2022 4:06:00 AM
From: Igor Perevozchikov
Subject: RE: Upgrade from 8.5 RU2 to 8.5 RU3: issue detected
Good morning Pablo Llorente!
Could you please provide information:
1. How was this security role created? Cloned from the default "Symantec Administrators" role or from any other default role?
2. What restrictions does this affected security role have? Otherwise this role can see all default Org Views/Org groups and resources.
For example, what do the accessible Org groups and resources look like for this role?
3.
Pablo Llorente: We have removed the accounts and created them again and the problem has been solved.
IgorP: Looks like I'm too late.. Would be useful to check where Accounts were "Member of" other Security roles
For example, check "Member Of" and "Members" tab for affected Security role
Also check "Member Of" for affected "Account"
Isn't this case the same as described here: https://community.broadcom.com/symantecenterprise/discussion/filters-new-computers-and-installed-agent#bm9ff586e8-25b8-410f-b707-8d0b2e745364 ?
Many Thanks!
IP.
Original Message:
Sent: Sep 29, 2022 05:48 AM
From: Pablo Llorente
Subject: Upgrade from 8.5 RU2 to 8.5 RU3: issue detected
Sorry, I mean 8.6 RU2 to 8.6 RU3.
Original Message:
Sent: Sep 29, 2022 05:46 AM
From: Pablo Llorente
Subject: Upgrade from 8.5 RU2 to 8.5 RU3: issue detected
Hello,
This morning we realized that, during the upgrade from RU2 to RU3, two accounts belonging to the same role were granted ALL rights over all filters in the system, instead of having only rights over the filters that they should have according to their role. One of the users affected by this issue has caused a lot of problems in our system, removing computers out of his scope and adding his machines (this is only an example).
Checking the role, everything was correct, and checking the accounts also, nothing strange. But accessing the console with the account mentioned, we could see all filters. Also, checking the properties/security of any filter, we could see how those accounts had all permissions over the filter, and those were "inherited".
I think that it should be checked in depth. We have removed the accounts and created them again and the problem has been solved.
If you need any log, I will provide it. The upgrade was done last 15/09.
Best regards.