Symantec Endpoint Management (EPM) Partners Community

IT Analytics provides a flexible security structure, modeled off the role and scope security of the Symantec Management Platform. Additionally, because IT Analytics uses standard technologies within Microsoft SQL Server (namely SQL Server Analysis Services and SQL Server Reporting Services) there is a deeper level of granularity with which security can be set.

In this article, we will walk through the typical procedures for setting security to IT Analytics within the Symantec Management Console as a best practice, and then dig deeper into more advanced security settings for scoping cube data and reports.

Applying Basic Security to IT Analytics within the Symantec Management Console

At a high level, there are three main steps to setting basic security settings for IT Analytics:

• Step 1 - Add users to the default IT Analytics Users role
• Step 2 - Synchronize IT Analytics with SQL Server Analysis Services
• Step 3 - Grant Access to SQL Server Reporting Services

Step 1 - Adding Users to the IT Analytics Users Role

In most instances, you will want to manage a standard security configuration for IT Analytics. In this configuration, all users of IT Analytics are granted the same rights to view cubes and report information. In this instance, a recommended best practice is to use a Domain Security Group. This group will contain all of the users and groups of users that require access to view cubes and reports in IT Analytics. To aid in this configuration, we will use the out-of-the-box security role called IT Analytics Users.  

Users typically leverage the Symantec Management Console to access IT Analytics cubes and reports. To access the console, users at minimum must be granted membership to the IT Analytics Users role and Symantec Guests role. For the standard security configuration, users in the IT Analytics Users group already have access to the Symantec Guests Security role in Symantec Management Platform.

For the purposes of this exercise, we will already assume the proper user accounts have been created in the Symantec Management Console.

To add users to the IT Analytics Users role:

1. In the Symantec Management Console, on the Settings menu, click Security > Account Management.
2. In the left pane, click Roles.
3. From the list of roles, select IT Analytics Users.
4. On the Members tab, click Add Member.
5. Select Add Account or Add Role.    

6. Select the accounts and roles, and then click OK. 
7. Click Save changes.
8. All users assigned to the IT Analytics Users role now have access to the IT Analytics features in the Symantec Management Console, but do not yet have access to SQL Server Analysis or Reporting Services (covered below). 

Step 2 - Synchronize IT Analytics with SQL Server Analysis Services

To view IT Analytics cubes, the IT Analytics Users security role must be synched with SQL Server Analysis Services. By default, the IT Analytics Users role is already created on SQL Server Analysis Services, however it is not automatically populated with any membership information added through the Symantec Management Console. Synchronizing the IT Analytics Users role with SQL Server Analysis Services either manually or on a given schedule, ensures that any recent changes made from the console propagate down to SQL Server Analysis Services.

Additionally, any resource scoping that is defined in the organizational groups or views through Symantec Management Platform's role and scoped security are automatically applied to the cubes. Only items in that cube which are within the same organizational group or view they have been granted access to see. It is within this section that you also have control over which cubes can be accessed by certain security roles.

To Synchronize IT Analytics with SQL Server Analysis Services:

1. In the Symantec Management Console, on the Settings menu, click Notification Server > IT Analytics Settings.
2. In the left pane, expand the Settings folder.
3. Click Cubes.
4. In the right pane, click the Security tab.
5. Under Automatically Scoped Roles, check the Enable Schedule box to synchronize the IT Analytics founded security with the Symantec Management Platform's role and scoped security. Once the schedule box is enabled, you can either select a specific time to set a schedule and/or click Run Now to synchronize immediately.

6. Under Security Roles, is the list of roles within the Symantec Management Platform. Click the Manage Cube Permissions link next to the desired role to manage cube access for that specific role. By default, the IT Analytics Users role will have full access to all cubes. An empty box indicates that members of this role do not have access to that cube. An empty box also indicates that any cubes, dashboard, or the reports that include this cube have reduced data sets or return no results. The Synchronize check box indicates if the role should be included in the Automatic Scoped Roles synchronization process. 

7. Click Save to close and apply changes to the Manage Cube Permissions box, and then click Save Changes to apply changes to the synchronization schedule.

Step 3 - Granting Access to SQL Server Reporting Services

To access SQL Server Reporting Services reports and dashboards, end users must be added to the Browser Role on the actual Reporting Server configured through the IT Analytics Connection Settings page. This process can be facilitated by adding Users and Groups to the Role Member list within the Symantec Management Console.

To grant access to a SQL Reporting Services:

1. In the Symantec Management Console, on the Settings menu, click Notification Server > IT Analytics Settings.
2. In the left pane, expand the Settings folder.
3. Click Reports.
4. In the right pane, click the Security tab. 

5. In the Role Members dialog box, add members to the role.
6. Click Save Changes.

Granting Access to Save and Load Views and Create New Reports (Optional)

You can grant the privileges that allow other users outside of the IT Analytics Users role to author and save table or chart views. You can let others load and read those same views and create new reports.

To grant access to save and load views and create new reports:

1. In the Symantec Management Console, on the Settings menu, click Security > Roles.
2. In the left pane, select the role that you want to grant access to. In our example below, we chose Symantec Level 1 Workers.
3. In the right pane, click the Privileges tab.
4. Scroll down to the IT Analytics privileges section, and expand it if necessary.

5. Select the privileges that you want to grant the role.
6. Click Apply. You can configure additional, scope-based security for each individual dashboard, report, or cube.

Creating a New Security Role for IT Analytics (Optional)

You can create a new security role apart from the default IT Analytics Users role, and modify it accordingly to only give permission to certain cubes. This can be done for users that will have access to IT Analytics through the Symantec Management Console, and ones that will not.

To create a new role for IT Analytics for users accessing the Symantec Management Console:

1. In the Symantec Management Console, on the Settings menu, click Security > Roles.
2. In the left pane, right-click the IT Analytics Users role and select Clone.

3. Enter a name for the new role and click OK.

4. In the Symantec Management Console, on the Settings menu, click Notification Server > IT Analytics Settings.
5. In the left pane, expand the Settings folder.
6. Click Cubes.
7. In the right pane, click the Security tab.
8. Under Automatically Scoped Roles, you should see the new role name you just created. Check the box next to that role to ensure it will synchronize with SQL Server Analysis Services to create the role there.
9. Click the Manage Cube Permissions link next to the new role to manage cube access for that specific role.
10. Click Save to close and apply changes to the Manage Cube Permissions box, and then click Run Now to synchronize immediately.
11. Click Save Changes to save the synchronization schedule.

To create a new role for IT Analytics for users that will not be accessing the Symantec Management Console:

1. In the Symantec Management Console, on the Settings menu, click Notification Server > IT Analytics Settings.
2. In the left pane, expand the Settings folder.
3. Click Cubes.
4. In the right pane, click the Security tab.
5. Under Manually Managed Security Roles, click New (or Create Manually Managed Role if you have already synchronized scoped roles).     

6. Enter a name for the new role.

7. Add members to the role.
8. Grant read access to the required cubes.
9. Click Save Changes.
10. Note that this example will create the role within SQL Server Analysis Services only. It does not grant any privileges to view reports and cubes within the Symantec Management Console. 

Advanced Security Settings for IT Analytics (Optional)

IT Analytics offers several options for setting additional security within SQL Server Analysis and Reporting Services in a more granular fashion, even down to specific cube dimensions and values. Note that these settings are not required for IT Analytics security access to function properly, but are intended as an extension to allow administrators greater control over what data in IT Analytics is presented to users. 

Granting access to cubes using SQL Server Management Studio (Optional)

As an alternative to granting access to cubes for the IT Analytics Users role using the Symantec Management Console, you can also use SQL Server Management Studio.

To grant access to a cube using SQL Server Management Studio:

1. Open SQL Management Studio.
2. Connect to Analysis Services using an account that has administrative rights.
3. Within the IT Analytics database, expand the Roles folder.
4. Right-click the IT Analytics Users role and click Properties. 

5. Ensure the Read Definition database permission is checked for this role.
6. On the Membership page, click Add to specify users and groups for this role.
7. Click Location and ensure the location of the domain is where you installed IT Analytics.
8. Click OK. 

9. Enter the name of the user and click Check Names, then select the user to add to the role.
10. On the Cubes page, set the Access drop-down list to Read for each cube that you want this role to have access to. If you install additional cubes in the future, you need to explicitly grant the read privilege for each cube after you install it. 

11. Click OK. Members of this role now have the appropriate rights to view the cubes that this role permits. You might need to configure Notification Server security to see the IT Analytics tab and installed cubes or reports. 

Filtering role-based cubes (Optional - Advanced)

SQL Server Analysis Services has a wide range of advanced security opportunities. You can explore these opportunities through the SQL Server Management Studio. One such feature is the ability to filter the data that a role has access to by restricting access to specific members of a dimension.

For example, you can restrict access for the IT Analytics Users role to return the cube data only for computers with a Win32 system type. Here we will assume you at least have granted access to the Computer cube for the IT Analytics Users role.

 To filter a role-based cube:

1. In SQL Server Management Studio, in the IT Analytics analysis services database, navigate to the Properties for the IT Analytics Users role.
2. In the Edit Role dialog box, navigate to the Dimension Data page.
3. In the Dimension drop-down list, click the Computer dimension. 

4. Select the Deselect all members radio symbol.
5. In the Attribute Hierarchy drop-down list, click Computer - System Type. 

6. Select the dimension members that you want the role to have access to. In our example, there is a Win32 member. Actual names are specific to each instance of Notification Server.      

7. Navigate to the Advanced tab of the Dimension Data page.
8. Click Enable Visual Totals. This step prevents the role from seeing the aggregate totals that are independent of the configured filtering and restricts aggregations. 

9. Click OK to save the role configuration. Users in the configured role now see the results only for the computers that have a Win32 system type across all cubes. This filtering is enforced across all means of accessing the cubes including dashboards, cubes, reports, and third-party applications. 

Granting access to reports using the Report Manager Web site (Optional)

Similar to granting security access within SQL Server Analysis Services for cubes, you can grant reports access to users that do not already have browser privileges directly on the report server instance that hosts the IT Analytics reports.

To grant access to a report using the Report Manager Web site:

1. As a user with system administrator privileges for the reporting services instance, access the Report Manager Web site. The URL for the report manager is similar to http://servername/Reports/ (or http://localhost/Reports/ if you are on the server itself). If you did not install SQL Server Reporting Services as the default instance, the URL might be http://servername/Reports$InstanceName/.
2. The Home screen should display within Report Manager, and you should see the default folder that includes all the IT Analytics reports.

3. Hover over the IT Analytics folder to see the list of menu items and select Security.

4. Click New Role Assignment.
5. In the Group or user name box, enter IT Analytics Users.
6. Select the Browser role.

7. Click OK. Members of this role now have the appropriate rights to view the reports that this role permits. You might need to configure Notification Server security to see the IT Analytics tab and any installed cubes or reports.
8. Optional - If the IT Analytics or any individual users need access to create reports using Report Builder, you must grant the System User privilege. Members of this role now have the appropriate rights to create reports through Report Builder. To grant System User privilege, complete the following steps:

• Click Site Settings in the top right-hand corner.
• Click the Security tab on the left.
• Click New Role Assignment.
• In the Group or user name box, enter IT Analytics Users.
• Select the System User role.

• Click OK.