United Kingdom Endpoint Management User Group


How to find out a Security Role's assigned permissions and privileges

Dec 13, 2013 11:15 AM

As the 7.1.2 MP1.1 v7RU Console does not contain any reports that display this information, the following two queries will help you achieve this goal:

-- display all privileges associated with one (or more) security roles.

declare @my_role varchar(max)
-- set @my_role='%Security Role%'
set @my_role='symantec admin%'

    select vsr.name [Role],
        v5.name [Solution], spdg.NameRef [Privilege Type], sp.Name [Privilege]
        -- , st.Trustee
    from SecurityRole vsr
        left join SecurityPrivilegeTrustee spt on spt.TrusteeGuid = vsr.TrusteeGuid
        left join securityprivilege sp on sp.guid = spt.PrivilegeGuid
        left join securityprivilegedisplaygroup  spdg on spdg.guid = sp.DisplayGroupGuid
        left join vitem v5 on v5.guid = spdg.Solution
        -- left join SecurityTrustee st on st.guid = vsr.TrusteeGuid
    where vsr.name like @my_role
    order by [Role], [Solution], [Privilege Type], [Privilege]

-- for a given security role
-- display all the non-inherited security permissions.

declare @my_role varchar(max)
-- set @my_role = '%Security_Role%'
set @my_role = 'symantec admin%'

    declare @c1 table (
        zRole varchar(max),
        zGroup varchar(max),
        zPerm varchar(max),
        zInherited int,
        zguid uniqueidentifier,
        zItemName varchar (max),
        zClassName varchar (max),
        zParentGuid uniqueidentifier
        )

    -- get all the "easy" stuff about each item.
    insert into @c1
    select sr.Name, spdg.NameRef , sp.name,
        sa.Inherited,  sa.Entityguid,
        v1.name, c.Type, vif.ParentFolderGuid
    from
        SecurityRole sr
        left join SecurityTrusteePermission stp on stp.TrusteeGuid = sr.TrusteeGuid    
        left join SecurityPermission sp on sp.guid = stp.PermissionGuid
        left join SecurityPermissionDisplayGroup spdg on spdg.guid = sp.DisplayGroupGuid
        join SecurityACENonResource sa ON sa.TrusteePermissionId = stp.[Id]
        left join vitem v1 on v1.guid=sa.Entityguid
        left join class c on c.guid = v1.ClassGuid
        left join vItemFolder vif on vif.ItemGuid = sa.Entityguid
    where sr.name like @my_role
        and sa.Inherited = 0

    -- select * from @c1 c1

    -- now include the path to the item, this is faster after limiting to just non-inherited permissions
    select
        c1.zRole [Role],
        (SELECT v2.name + '; '
        FROM FolderBaseFolder fbf
            left join vitem v2 on v2.guid=fbf.ParentFolderGuid
        WHERE fbf.FolderGuid = c1.zParentGuid
            and fbf.ParentFolderGuid <> '00000000-0000-0000-0000-000000000000'
        ORDER BY fbf.depth desc
        FOR XML PATH('')
        ) AS [Path],
        c1.zItemName [Item],
        -- c1.zClassName [ItemClass], c1.zguid [ItemGuid],
        c1.zGroup [Permission Type], c1.zPerm [Permission]
    from @c1 c1
    group by c1.zRole, c1.zGroup, c1.zPerm, c1.zItemName, c1.zguid, c1.zParentGuid, c1.zClassName
    order by c1.zRole, [path], c1.zItemName, c1.zGroup, c1.zPerm

script_end:
    delete @c1


Comments

Mar 10, 2014 04:20 PM

Yes, that query displays a role's members.

Mar 07, 2014 11:53 AM

SK: I'd like to include another report in this set of reports: a report showing the members of a security role. I think that with this last report you have the full "view" of a security role.

In this thread (https://www-secure.symantec.com/connect/forums/altiris-security-roles-audit-report#comment-9727841) there is the following query that may be of help:

select vi.name as [Group], v2.Name as Member
from [ResourceAssociation] ra
join vitem vi on vi.guid = ra.ParentResourceGuid
join vitem v2 on v2.guid = ra.ChildResourceGuid
where ra.ResourceAssociationTypeGuid = '63468F04-6751-448D-891C-B59906360A27'
order by [group]

Thanks again for providing these reports:

Falquian
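Bringing the thread's three reports together for a least-privilege review, here is an added example (not from the original post, the commenters, or Symantec) that compares the privilege set of one role against a second role and lists the members of both, so a reviewer can see which extra privileges a role carries and who is affected. It assumes the same tables, views and column names used in the queries above and the role-membership association GUID quoted in the thread; the second role name pattern is a placeholder to replace with a real baseline role.

```sql
-- Added example: privilege diff between two roles, plus their members.
-- Assumes the schema used by the thread's queries (SecurityRole,
-- SecurityPrivilegeTrustee, SecurityPrivilege, SecurityPrivilegeDisplayGroup,
-- ResourceAssociation, vitem) and the membership association GUID from the thread.
declare @role_a varchar(max)
declare @role_b varchar(max)
set @role_a = 'symantec admin%'      -- role under review
set @role_b = 'baseline role name%'  -- placeholder: the role to compare against

-- Collect the privilege set of every role matching either pattern once,
-- so both halves of the comparison use the same join logic.
declare @priv table (
    RoleName  varchar(max),
    Solution  varchar(max),
    PrivType  varchar(max),
    Privilege varchar(max)
)

insert into @priv
select vsr.name, v5.name, spdg.NameRef, sp.Name
from SecurityRole vsr
    join SecurityPrivilegeTrustee spt on spt.TrusteeGuid = vsr.TrusteeGuid
    join SecurityPrivilege sp on sp.guid = spt.PrivilegeGuid
    left join SecurityPrivilegeDisplayGroup spdg on spdg.guid = sp.DisplayGroupGuid
    left join vitem v5 on v5.guid = spdg.Solution
where vsr.name like @role_a
   or vsr.name like @role_b

-- 1. Privileges held by the reviewed role that the baseline role lacks.
--    Each row is a privilege a reviewer should be able to justify.
select Solution, PrivType, Privilege
from @priv
where RoleName like @role_a
except
select Solution, PrivType, Privilege
from @priv
where RoleName like @role_b
order by Solution, PrivType, Privilege

-- 2. Members of both roles (same association query as in the thread),
--    so the people affected by any change are visible alongside the diff.
select vi.name as [Role], v2.name as [Member]
from ResourceAssociation ra
    join vitem vi on vi.guid = ra.ParentResourceGuid
    join vitem v2 on v2.guid = ra.ChildResourceGuid
where ra.ResourceAssociationTypeGuid = '63468F04-6751-448D-891C-B59906360A27'
  and (vi.name like @role_a or vi.name like @role_b)
order by [Role], [Member]
```

Swapping the two halves of the EXCEPT shows the reverse direction (privileges the baseline has that the reviewed role lacks); running the non-inherited permission report above for both roles gives the item-level side of the same comparison.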

Jan 31, 2014 06:05 AM

Yes, the ASDK allows you to configure privileges for a role, because they are both related entities.

Permissions, on the other hand, are related to items (objects).

I agree that it would be nice to have a security permissions method; however, it will most likely be very complex.

The easiest way to set up multiple roles with the same permissions is to create and configure one role, and then clone and rename it.

Obviously it will be possible to assign permissions directly via SQL manipulation; however, the queries will most likely be quite complex.

Jan 30, 2014 06:39 PM

Very useful.


Do you know a way to add or modify role permissions on resources (organisational views, items, ...) by script?

I have to add permissions to 100 roles on distinct organisational views, filters, etc.

I have thought of editing directly in the DB, but I would miss many things and break some relations.

The SDK seems limited to privileges, create role ... permissions???


Thank you

Jan 29, 2014 05:58 AM

Thanks for providing all these reports, SK

They are really helpful.

Jan 29, 2014 03:37 AM

You're most welcome.

Jan 29, 2014 01:58 AM

This is helpful. :)

Thanks.
