I think I may have found it. Do you have to right mouse click on the different Property Classes and run Update Permissions?
1 of 1 people found this helpful
'DISA Windows Security Properties' - you can find this in the Property Dictionary (probably custom section). It probably has some instances. Your Role needs to have rights to at least the default instance.. preferably to all that you'll need access to.
something like that, or maybe it's the Instance you need to modify
Thanks Lazar. The only reference I can find to it is a Server Property called "DISA Windows Security Properties." My assumption is I have to update the permissions on each of the Property Classes. There is no instance under Server.
But I would like to verify that before I mess with the Built-In Property Classes.
yes. I don't have this in front of me, so don't remember if it's property or sub-classes. But I do know, you need to adjust permissions on those objects and add your new role.
1 of 1 people found this helpful
you would need to update the acls on any PSIs that are referenced by a property in the Server class. there could be multiple. you may want to run something like this script:https://communities.bmc.com/communities/docs/DOC-21728 to recurse through all of the custom classes and instances and update the permissions so the new role can read them.
How did you end up resolving this ? We have hit this same issue.
Tanveer, my customer is off this week so we have not implemented anything yet. I will follow Bill's suggestion next week.
No worries. It's fixed. This is how...
- Login with BlAdmins role to console.
- Go to Infrastructure Management--Property Dictionary View---Custom Property Class.
- 3.Right Click on "DISA Windows DC and Member server security settings" and click on Update Permission---Click the Green + button on Access Control List and ----select your using role ---and move PropertyClass.* permission----click on ok..
- Select Instances---Open Member server settings--on permission Tab---add the PropertyInstance.Read permission for your using role.
- Now try to add the server.
Also if you get the error for Exchange server permission issue. Follow the same for "DISA Windows Exchange" class and check the result.
Hope this helps
or use my script...which recursively applies the permissions...
Unfortunately Tanveer, that did not work for me. It seems to be an issue just with the Server Property Class.
As a quick way to update permissions on all Built-In Property Classes, we were able to select Built-In Property Classes on the left, and select all the Property Classes on the Right. We could then right mouse click on all the selected Property Classes and select Update Permissions. We were able to successfully append the permissions.
We can look at the Properties of all the Property Classes and they show the correct Authorizations. They all look like this:
However, when I try to view the Server Property Class permissions I receive the following error message:
"Cannot change property 'DISA Windows Security Properties' in class 'Class://SystemObject/Server' to required as it has no default value, and not all instances specify overriden values."
Any ideas what I need to do here? This is what is preventing us from adding servers using this Role.
I attached a screenshot of the error I'm seeing.
I've also just noticed that when I'm logged in with my PROD-Administrators Role, and I look at the Extended Properties on the servers we added with the BLAdmins Role and I see the following:
DISA Properties No access to this value
DISA Windows Exchange Poperties No access to this value
DISA Windows Security Properties No access to this value
There are custom property classes and/or instances that you don’t have access to. access to the SERVER class is fine.