"The Users are unable to execute the Patch Analysis job against a Target. When they try to do execute the Job against some Targets & click ok they receive Access Denied PatchJob.Modify on Patching Job. "
-> they are just running the job, or they are trying to change the targets of the job and then run it ? can you clarify specifically what actions are being performed by the user ?
"The permissions that we had has not changed. Since they are trying to execute a job I dont think it required Job Modify permissions."
-> was this role previously able to perform the same actions w/ this job and have it work ?
what ip is 10.200.9.130 ? why do you think this has anything to do w/ the permission denied message ?
I think any action performed on the Console should be logged on the Config server. Since the Job was not executed & its failing even before the execution of the Job.
I dont see any other entries related on logs when the action was performed. I am trying to trace out what IP is that?
When they are able to perform the execute against Action this is the entry we generally notice
15 Nov 2016 09:58:32,790] [Client-Connections-Thread-2] [INFO] [email@example.com:ITSRC:10.200.6.2] [Client] Executing <Execute Against> Action against group targets: for job: /Security_Operations/Patches/ITSRC_Patch_Analysis_Windows.
This issue is intermittent too. Now when he tried we got this entry but earlier it was those messages we saw earlier.
IP belongs to the enduser from where he is trying to perform the Task. So the console is installed on that machine.
Ok, so are they doing ‘executeAgainst’ when they get the permission error or something else ?
All they did was just execute against
ok, so what permissions are granted to the role and what permissions is that role granted on the job ? i don't think executeAgainst should require modify permissions on the job.
it might be this:
QM001879336 Patch Analysis jobs with SMTP notifcations run using "Execute Against" needlessly require PatchingJob.Modify
The defect will occur when a Patch Analysis job satisfies all the following conditions:
1) A role without PatchingJob.Modify Authorization is used to execute a Patch Analysis job
2) The job has an SMTP (email) notification set
3) The job is executed using "Execute Against" as opposed to adding the Targts to the job and running.
Defect QM001879336 has been fixed for BSA 8.7.
As a workaround in BSA 8.5.x and 8.6.x, the issue can be avoided by avoiding just one of the above conditions i.e.
1) Add the PatchingJob.Modify Authorization to the role running the job
2) Remove the SMTP (email) notification from the job completely.
3) Run the job by adding the targets to the job and not using "Execute Against"