The ability to provide access to the Real-Time tab of Resource Manager will enable administrators to provide this valuable tool to IT specialists or Helpdesk workers. Furthermore the ability to configure access to certain functions within the console will allow administrators to grant or restrict what users can do with Real-Time System Manager. This includes WMI functionality as well as powerful AMT functionality.
Your environment will likely have a unique set of requirements on who can access what in Real-Time System Manager. It can be as simple as two levels of workers, from an administrator to an IT Specialist, to a complex system of access rights in a multi-tiered environment tightly controlled. No matter the environment, this article provides the details to customize access to the Real-Time tab, including WMI and AMT access rights.
RTSM contains limited functionality to configure access via WMI. AMT, on the other hand, can be configured at a function-granular level. Whether you're simply trying to give users full access to RTSM, or to provide access to only certain functions, this document assists to achieve this.
NS Role Security
The first item that must be enabled is creating a role or modifying an existing role to have rights to Real-Time System Manager at the general level. Without assignment to such a role, a user cannot gain access to RTSM.
Briefly I'll explain how NS Role and Scope security work together in Notification Server. Roles give feature access rights. For example in Software Delivery Solution there's a role object labeled ‘Item Tasks - Software Delivery Wizard'. The two options allow use of the Simple or Advanced Software Delivery Wizard. Without this right, the user cannot launch the Software Delivery Wizard, regardless if they have scope rights to the Wizard and Status node in the console.
Scope security is much like the Windows File-System security model. In the Altiris Console the left-hand tree can be accessed like the file system, applying security to folders or to nodes, as opposed to folders and files. Inherence allows security to be inherited from the containing folder, on up the chain until the root node is reached.
The following steps show how to create a user with RTSM permissions.
In the Altiris Console, browse to View > Configuration > Server Settings > Notification Server Settings > Security Roles.
Select an existing Role or Right-click on the Security Roles folder and choose to create a new Role.
Altiris System Privileges - Use Real-Time System Management - This is the ability to use the product at the most basic and general level.
Altiris Console Privileges - View Resources Tab - For this example I'm providing the user the ability to see collections so he or she can launch Resource Manager and use the Real-Time tab.
Altiris Console Privileges - View Tasks Tab - Access to the ‘Manage' node allowing launch of Resource Manager requires this privilege.
Item Tasks - Real-Time System Manager - Manage - This is access to the main tree for RTSM. Most functions are covered by this option.
Item Tasks - Real-Time System Manager - Password Reset - Because of the nature of this function, it has been separated out as a single security role object in Notification Server but belongs to the Real-Time tree.
Item Tasks - Real-Time System Manager - Port Check - The Port Check feature is normally accessed as a separate contextual item in the right-click menu, or launch from an icon under the Real-Time tab.
Item Tasks - Real-Time System Manager - Trace Route - This is treated in the same way as Port Check.
Item Tasks - Real-Time System Manager - Hardware Management - This is one of the objects in the tree that provides basic hardware function, which is greatly extended if the system is Intel vPro capable and Provisioned.
Click the Membership tab.
Use the blue + icon to add users and/or groups to the Role. These can be digest users or local computer groups, or Domain users or groups.
Click Apply to save the Role.
Note: The users will not have access yet to the Altiris Console as the scope-level security has not been set for the new Role. Complete the below NS Scope Security section to give access to the Altiris Console
NS Scope Security
For Altiris Console access, scope security must be configured before a Role can access or login to the console. The security window is the same for any node, be it a folder or otherwise. The two screenshots below show the security window and the permission selection screens:
Note: Depending on the object type, the available permissions may differ
To allow access to the ‘Manage' Real-Time Console Infrastructure Task, follow these steps:
In the Altiris Console, browse under View > Tasks > Incident Resolution > Tools.
Right-click on the node ‘Manage' and choose Properties.
Click on the Security tab.
Click the ‘Add' button.
Check the option for ‘Full Control' and click ‘Select'.
Note: Full Control does not give the user the ability to delete or otherwise manipulate the Manage node. This node can only be accessed for the function alone.
Click ‘Apply' to save the security changes made.
To access Collections so the users of the role can view collections so they can use the RTSM right-click contextual menu options for a listed resource, follow these steps:
In the Altiris Console, browse to View > Resources > Collections.
Depending on what collections you want to give the user access to, browse to a containing folder or an individual collection.
Right-click on the folder or collection and choose Properties.
Click on the Security tab.
Click the ‘Add' button.
Check the following options:
Altiris System Permissions - Read
Altiris Resource Management Permissions - Read Resource Data
Altiris Resource Management Permissions - Read Resource Association
Click Select, and then click Apply on the permissions window.
Now we have allowed the user access to certain parts of the Altiris Console so they can execute Real-Time System Manager on managed systems. To restrict access to certain parts of the RTSM console, see the previous Role section for what options are available to you.
RTSM takes advantage of powerful functionality available in Intel vPro, AMT technology. Once a user has access to RTSM, their user account, if permitted, is used to connect to the remote system by WMI. An AMT connection can either use Kerberos integration or an inputted digest user when prompted. The credentials must be specified in the destination system's AMT Profile, otherwise authentication will fail.
To configure who has rights to AMT, follow these steps:
In the Altiris Console, browse to View > Solutions > Out of Band Management > Configuration > Provisioning > Configuration Service Settings > Provision Profiles.
Double-click on an existing profile, or create a new one.
Click on the ACL tab.
Click Add to add either a digest user or to use Domain users and groups with Kerberos integration.
Once a user is inputted, the ‘Realms' section allows or disallows access to different AMT functions. The boxes that are of importance to RTSM are:
Circuit Breaker - Now known as System Defense, or Network Filtering
Hardware Asset - For power management capabilities
Redirection - To allow IDE Redirection
Remote Control - Allows Serial Over LAN (SOL) remote connection
Event Manager - Allows viewing of AMT logs
General Info - Allows viewing of AMT data on the system
The ‘Access Permission' dropdown should be used to select either Network Access or Any. The Local Access option gives that user rights to log into the Intel ME locally when the system boots and isn't needed for RTSM function, however if you wish to allow the user to have access to both, choose ‘Any'.
Click OK to save the changes.
To apply the updated or new profile to an AMT system Provisioning must occurred. If the system was already provisioned with this same profile previously, a reprovision will update the profile.
This will not limit access to see the functions available in the Real-Time tab for AMT, but will throw a not authorized message if an applicable function is attempted with a user who does not have the rights to execute it.
The Real-Time tab, a one-to-one solution for system access, data gathering, or troubleshooting, provides a powerful tool to IT administrators and IT professionals alike. Providing this ability to users you do not want to have full access to Altiris is essential for any secure environment. With the additional ability to configure granular AMT rights for vPro capable and configured systems, an administrator has the ability to get very specific on what users or groups of what rights.