Symantec™ Management Platform 7.1 SP2 User Guide

The software described in this book is furnished under a license agreement and may be used
only in accordance with the terms of the agreement.
Legal Notice
Copyright © 2011 Symantec Corporation. All rights reserved.
Symantec, the Symantec Logo, Altiris, and any Altiris or Symantec trademarks used in the
product are trademarks or registered trademarks of Symantec Corporation or its affiliates
in the U.S. and other countries. Other names may be trademarks of their respective owners.
This Symantec product may contain third party software for which Symantec is required
to provide attribution to the third party (“Third Party Programs”). Some of the Third Party
Programs are available under open source or free software licenses. The License Agreement
accompanying the Software does not alter any rights or obligations you may have under
those open source or free software licenses. Please see the Third Party Legal Notice Appendix
to this Documentation or TPIP ReadMe File accompanying this Symantec product for more
information on the Third Party Programs.
See “Symantec™ Management Platform 7.1 SP2 Third-Party Legal Notices” on page 805.
The product described in this document is distributed under licenses restricting its use,
copying, distribution, and decompilation/reverse engineering. No part of this document
may be reproduced in any form by any means without prior written authorization of
Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT,
ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO
BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL
OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING,
PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED
IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software
as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19
"Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in
Commercial Computer Software or Commercial Computer Software Documentation", as
applicable, and any successor regulations. Any use, modification, reproduction release,
performance, display or disclosure of the Licensed Software and Documentation by the U.S.
Government shall be solely in accordance with the terms of this Agreement.
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
http://www.symantec.com
Technical Support
Symantec Technical Support maintains support centers globally. Technical
Support’s primary role is to respond to specific queries about product features
and functionality. The Technical Support group also creates content for our online
Knowledge Base. The Technical Support group works collaboratively with the
other functional areas within Symantec to answer your questions in a timely
fashion. For example, the Technical Support group works with Product Engineering
and Symantec Security Response to provide alerting services and virus definition
updates.
Symantec’s support offerings include the following:
■ A range of support options that give you the flexibility to select the right amount of service for any size organization
■ Telephone and/or Web-based support that provides rapid response and up-to-the-minute information
■ Upgrade assurance that delivers software upgrades
■ Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis
■ Premium service offerings that include Account Management Services
For information about Symantec’s support offerings, you can visit our Web site
at the following URL:
www.symantec.com/business/support/
All support services will be delivered in accordance with your support agreement
and the then-current enterprise technical support policy.
Contacting Technical Support
Customers with a current support agreement may access Technical Support
information at the following URL:
www.symantec.com/business/support/
Before contacting Technical Support, make sure you have satisfied the system
requirements that are listed in your product documentation. Also, you should be
at the computer on which the problem occurred, in case it is necessary to replicate
the problem.
When you contact Technical Support, please have the following information
available:
■ Product release level
■ Hardware information
■ Available memory, disk space, and NIC information
■ Operating system
■ Version and patch level
■ Network topology
■ Router, gateway, and IP address information
■ Problem description:
  ■ Error messages and log files
  ■ Troubleshooting that was performed before contacting Symantec
  ■ Recent software configuration changes and network changes
Licensing and registration
If your Symantec product requires registration or a license key, access our technical
support Web page at the following URL:
www.symantec.com/business/support/
Customer service
Customer service information is available at the following URL:
www.symantec.com/business/support/
Customer Service is available to assist with non-technical questions, such as the
following types of issues:
■ Questions regarding product licensing or serialization
■ Product registration updates, such as address or name changes
■ General product information (features, language availability, local dealers)
■ Latest information about product updates and upgrades
■ Information about upgrade assurance and support contracts
■ Information about the Symantec Buying Programs
■ Advice about Symantec's technical support options
■ Nontechnical presales questions
■ Issues that are related to CD-ROMs or manuals
Support agreement resources
If you want to contact Symantec regarding an existing support agreement, please
contact the support agreement administration team for your region as follows:
Asia-Pacific and Japan: [email protected]
Europe, Middle-East, and Africa: [email protected]
North America and Latin America: [email protected]
Contents

Technical Support

Chapter 1    Introducing the Symantec Management Platform
  About the Symantec Management Platform
  What's new in Symantec Management Platform 7.1 SP2
  Components of the Symantec Management Platform
  How the Symantec Management Platform works
  About adding products to the platform
  Where to get more information

Section 1    Setting up the Symantec Management Platform servers

Chapter 2    Using the Symantec Management Console
  About the Symantec Management Console
  Accessing the Symantec Management Console
  Accessing documentation in the Symantec Management Console
  About the search panel
  Search Results page

Chapter 3    Configuring Notification Server
  About Notification Server
  About configuring Notification Server
  About the Configuration Management Database
  Configuring the Configuration Management Database
  Purging the Configuration Management Database
  Saving resource data history in the CMDB
  Configuring Notification Server settings
  Notification Server processing settings
  Email server and address settings
  Status message logging settings
  Opening the Log Viewer
  Proxy server settings
  Distribution point credential settings
  Configuring Notification Server settings with NS Configurator
  Performing a first-time setup configuration
  Discovering computers
  Installing the Symantec Management Agent
  Agent and task setting options
  Collecting inventory information
  Deploying preboot environments

Chapter 4    Configuring security
  About Symantec Management Platform security
  Setting up Symantec Management Platform security
  About security roles
  Predefined security roles
  Creating and configuring security roles
  Adding members to a security role
  Adding security roles as members of other security roles
  Assigning privileges to a security role
  About security privileges
  Connection Profile privileges
  Management privileges
  System privileges
  Credential privileges
  Workflow Directory privileges
  Symantec Management Console privileges
  Software Management privileges
  Software Management Framework privileges
  Right-click Menu privileges
  Right-click Menu - Connector Samples privileges
  Right-click Menu - Hierarchy privileges
  Right-click Menu - Actions privileges
  Right-click Menu - Set Asset Status privileges
  About Symantec Management Platform user accounts
  Creating and configuring Symantec Management Platform user accounts
  Specifying general Symantec Management Platform user account details
  Configuring credentials for a Symantec Management Platform user account
  Assigning a Symantec Management Platform user account to a security role
  Configuring password complexity and lockout settings
  Unlocking locked out credentials
  About security role permissions
  Resource Management permissions
  System permissions
  Task Server permissions
  Report permissions
  Policy permissions
  Folder permissions
  Filter permissions
  Connection Profile permissions
  Credential Manager permissions
  About the Security Role Manager
  Accessing the Security Role Manager
  Assigning security permissions to folders and items
  Customizing permission inheritance
  Role Selection window
  Taking ownership of a folder or item
  About credential manager
  Creating a credential
  Editing a credential

Chapter 5    Configuring schedules
  About Symantec Management Platform schedules
  About schedule active periods and time zones
  About schedule triggers
  About schedule modifiers
  How Symantec Management Platform uses schedules
  Managing shared schedules
  Configuring a schedule
  Viewing the Notification Server internal schedule calendar

Chapter 6    Configuring site servers
  About site services
  About site maintenance
  Managing sites
  Creating a new site
  Modifying a site
  Managing manually assigned agents
  Managing site servers
  Preparing a Windows 2008 R2/7 computer with IIS 7.0 for use as a site server
  Creating and modifying site servers
  Assigning a site server to a site manually
  Managing subnets
  Creating a new subnet
  About configuring the site service settings
  About package service settings
  About removing automatic site assignments
  Configuring package service settings
  About task service settings
  Configuring task service settings

Chapter 7    Configuring Package Server for Linux
  About package server for Linux
  About integrating Apache Web Server with package server for Linux
  About detecting the Apache Web Server
  Requirements to configure package server and the Apache Web Server
  Requirements to configure HTTPS and HTTP
  Package server configuration example that uses main web directory for package server links
  Package server configuration example using an alias for package server links

Chapter 8    Configuring hierarchy
  About hierarchy
  Hierarchy requirements
  Setting up a Notification Server hierarchy
  About creating and managing hierarchical relationships
  Creating and managing hierarchical relationships
  Setting up a hierarchical relationship between two Notification Server computers
  About hierarchy replication
  Configuring hierarchy replication
  Hierarchy replication settings
  Setting up custom hierarchy replication
  Configuring hierarchy replication rules
  Hierarchy replication rule settings
  Overriding the hierarchy differential replication schedule
  Replicating selected data manually
  About hierarchy automation policies
  Running a hierarchy report
  Updating summary data

Chapter 9    Configuring replication
  About replication
  Replication requirements
  About configuring replication
  Configuring replication rules
  Replication rule settings
  Specifying destination Notification Servers in a replication rule
  Adding or modifying an available Notification Server
  Specifying Notification Server credentials in a replication rule

Chapter 10    Customizing the Symantec Management Console
  About customizing the Symantec Management Console
  Saving console elements as XML files
  Customizing the console menu
  Adding menu items
  Adding submenus
  Managing menu items
  Importing and exporting menu items
  About the context menu
  Adding user-defined actions to the context menu
  Removing user-defined actions from the context menu
  Command Line Right-Click Action Certificate page
  Filtering target resources
  About console views
  Creating and modifying views
  Adding new items directly to a view
  About portal pages
  About the My Portal page
  Accessing the Notification Server Management Home page
  Creating and modifying portal pages
  Creating and modifying Web parts

Section 2    Discovering Symantec Management Platform resources

Chapter 11    Discovering Windows computers
  About resource discovery
  About discovering Windows computers
  About discovering computers with domain resource discovery
  Discovering computers with domain Resource Discovery
  Selecting domains
  Domain discovery credentials

Chapter 12    Importing resources from Active Directory
  About Microsoft Active Directory Import
  About importing resources using Microsoft Active Directory Import
  Creating and modifying resource import rules
  Resource Selection dialog box
  Select Organizational Unit (OU) dialog box
  Select Security Groups or Select Distribution Groups dialog box
  Column Mappings dialog box
  Computer Import Constraints and User Import Constraints dialog boxes
  About importing resource associations
  Scheduling resource import rules
  Configuring the Directory Synchronization schedule
  Running resource import rules manually

Chapter 13    Discovering network devices
  About Network Discovery
  What’s new in Network Discovery
  About Network Discovery configuration
  About discovering network devices
  Configuring discovery settings
  Methods for discovering network devices
  Discovering network devices
  Creating Network Discovery tasks using the wizard
  Manually creating and modifying Network Discovery tasks
  Selecting network ranges to discover
  Creating connection profiles with Network Discovery
  Scheduling Network Discovery tasks
  Network Discovery home page
  About discovery status and results
  Viewing discovered devices in organizational views
  Viewing discovery reports
  About classifying SNMP devices
  Classifying SNMP devices
  Importing MIB files
  MIB browser page
  MIB import task page
  About Connection Profiles
  Updating a connection profile
  Creating or cloning a connection profile
  Changing default SNMP alert severity
  Define group settings page
  Delegating Network Discovery tasks to non-administrators
  Adding non-administrators to security roles for performing Network Discovery tasks
  Enabling non-administrator roles to create or run Network Discovery tasks
  Granting non-administrator roles privileges to create credentials and connection profiles
  Granting non-administrator roles access to the default connection profile
  Enabling roles other than predefined security roles to create and run tasks using the Network Discovery wizard
  Making a connection profile read-only
Section 3
Installing and configuring the Symantec
Management Agent ............................................ 291
Chapter 14
Introducing the Symantec Management Agent .......... 293
About the Symantec Management Agent ........................................
Methods for installing the Symantec Management Agent ..................
Installing the Symantec Management Agent manually ......................
About selecting computers for a Symantec Management Agent manual
installation .........................................................................
Viewing the installation status report ............................................
Methods for upgrading the Symantec Management Agent .................
Methods for uninstalling the Symantec Management Agent ...............
About the Symantec Management Agent upgrade and uninstall
policies ...............................................................................
293
294
296
298
299
300
301
302
13
14
Contents
Configuring the Symantec Management Agent Upgrade and Uninstall
policies .............................................................................. 303
Configuring a Symantec Management Agent package ........................ 306
Chapter 15
Installing the Symantec Management Agent for
Windows ........................................................................ 307
Installing the Symantec Management Agent for Windows with a
manual push ........................................................................
Selecting Windows computers for a Symantec Management Agent
manual installation ...............................................................
Symantec Management Agent for Windows installation
prerequisites .......................................................................
Configuring Windows XP computers for a Symantec Management
Agent installation .................................................................
Symantec Management Agent for Windows installation options .........
Setting Symantec Management Agent for Windows installation
options ...............................................................................
Installing the Symantec Management Agent for Windows with a
manual pull .........................................................................
Scheduling a Symantec Management Agent for Windows
installation .........................................................................
Configuring the Symantec Management Agent for Windows
installation schedule .............................................................
Uninstalling the Symantec Management Agent for Windows
manually ............................................................................
Removing the Symantec Management Agent for Windows
manually ............................................................................
Chapter 16
308
308
310
310
311
313
313
314
315
316
317
Installing the Symantec Management Agent for
UNIX, Linux, and Mac ................................................. 319
Installing the Symantec Management Agent for UNIX, Linux, and
Mac with a manual push ........................................................
About the Symantec Management Agent for UNIX, Linux, and Mac
push installation ..................................................................
Selecting UNIX, Linux, and Mac computers for a Symantec
Management Agent manual installation ...................................
Creating a .csv file for importing UNIX, Linux, and Mac
computers ...........................................................................
Symantec Management Agent for UNIX, Linux, and Mac installation
prerequisites .......................................................................
Specifying the Symantec Management Agent for UNIX, Linux, and
Mac installation settings .......................................................
320
321
323
324
325
327
Contents
Installation Settings dialog box .....................................................
Installation Settings: Connection and Authentication tab ...................
Try connect via SSH using SSH Key authorization settings ..........
Try connect via SSH using password authorization settings .........
Login and password settings ...................................................
Timeout settings ..................................................................
Platform detection ................................................................
Installation Settings: Agent settings tab .........................................
Installation Settings: Install XML tab .............................................
SSH Key Generator dialog box ......................................................
Installing the Symantec Management Agent for UNIX, Linux, and
Mac with a manual pull .........................................................
Chapter 17
328
329
330
330
331
334
335
335
337
337
338
Configuring the Symantec Management Agent .......... 341
About configuring the Symantec Management Agent ........................
Configuring the global agent settings .............................................
Symantec Management Agent Settings – Global: General
tab ...............................................................................
About the Tickle/Power Management settings ...........................
About the Package Multicast settings .......................................
Symantec Management Agent Settings – Global: Authentication
tab ..............................................................................
Symantec Management Agent Settings – Global: Events tab
...................................................................................
Configuring the targeted agent settings ..........................................
Targeted Agent Settings: General tab .......................................
Recommended Symantec Management Agent data update
intervals .......................................................................
Targeted Agent Settings: UNIX/Linux/Mac tab ..........................
Targeted Agent Settings: Downloads tab ..................................
About multicasting packages ..................................................
Targeted Agent Settings: Blockouts tab ....................................
Adding a blockout period to the targeted agent settings ...............
Targeted Agent Settings: User Control tab ................................
Targeted Advanced Settings: Advanced tab ..............................
About maintenance windows for managed computers .......................
Configuring maintenance window policies ......................................
Section 4
Managing Symantec Management
Platform resources ............................................. 365
Chapter 18
Configuring resource security ......................................... 367
About resource security ...............................................................
Configuring resource security .......................................................
About organizational views and groups ..........................................
About the Default organizational view ............................................
Creating organizational views .......................................................
Configuring organizational groups ................................................
Specifying the organizational groups displayed ...............................
Adding resources to an organizational group ...................................
Viewing and managing resources in an organizational group ..............
Setting security on organizational groups .......................................
Setting custom security permissions on organizational groups ...........
Configuring permission inheritance for organizational groups ...........
Chapter 19
Configuring resource filters and targets ...................... 385
About resource filters ..................................................................
Creating or modifying a filter .......................................................
Creating a new filter ...................................................................
Modifying an existing filter ..........................................................
Selecting the filter query type .......................................................
Defining a resource query for a filter ..............................................
Defining an SQL query for a filter ..................................................
Specifying filter inclusions and exclusions ......................................
Updating the membership of a filter ..............................................
Performing actions on filter resources ............................................
Viewing filter dependencies .........................................................
About resource targets ................................................................
Scheduling resource membership updates ......................................
Chapter 20
Configuring packages ....................................................... 401
Changing the configuration settings for a package ............................
Updating the distribution points for a package .................................
Package tab settings ....................................................................
Enabling access to a package at a UNC source location ......................
Managing package programs ........................................................
Programs tab settings .................................................................
Package Servers tab settings .........................................................
Advanced tab settings ................................................................. 409
Chapter 21
Using policies ..................................................................... 411
About Symantec Management Platform policies ...............................
About user-based policies ............................................................
Managing Symantec Management Platform policies .........................
Specifying the targets of a policy or task .........................................
Modifying a resource target ....................................................
Building a resource target ......................................................
Selecting an existing resource target ........................................
Saving a named resource target ..............................................
Specifying filtering rules for resource targets ............................
Selecting named resource targets ..................................................
Specifying a policy schedule .........................................................
Configuring the agent upgrade and uninstall policies ........................
About automation policies ...........................................................
Key components of automation policies ....................................
Managing automation policies ......................................................
Creating or modifying scheduled automation policies ........................
Creating or modifying message-based automation policies .................
Specifying the automation policy data source ............................
Specifying the automation policy action ...................................
Select Task window ...............................................................
Creating and modifying automation policy tasks ..............................
Assign to organizational group task .........................................
Email a report task ...............................................................
Send an email task ................................................................
Run a report task ..................................................................
Chapter 22
Using tasks .......................................................................... 439
About Task Management .............................................................
Task Management components .....................................................
Sequencing tasks ........................................................................
When to use tasks, jobs, and policies ..............................................
About the Jobs and Tasks Portal ....................................................
Accessing the Jobs and Tasks Portal ...............................................
Refreshing a Web part in the Jobs and Tasks Portal ..........................
Creating a task ...........................................................................
Creating a job ............................................................................
Deploying a task server ...............................................................
About deploying task servers ........................................................
About scaling task servers ............................................................
How task server uses the tickle mechanism .....................................
Running a job or task ..................................................................
Stopping a job or task ..................................................................
Adding a schedule to a policy, task, or job .......................................
New schedule dialog box ..............................................................
Creating tasks to input or to output task properties ..........................
Changing Client Task Agent settings ..............................................
Cleaning up task data ..................................................................
Update Summary Data page .........................................................
Update Task Service Assignments page .........................................
Viewing the task status on the Symantec Management Agent .............
Viewing and editing permissions on a task type ...............................
Task advanced options ................................................................
Sample tasks, jobs, and scripts provided by Task Management ............
Task Types ................................................................................
Assign to organizational group task page ..................................
Delete item task page ............................................................
Move item task page .............................................................
Purge report task page ..........................................................
Restart server services task page .............................................
Run hierarchy node replication schedule task page .....................
Run report task page .............................................................
Send basic inventory task page ...............................................
Tickle client task page ...........................................................
Update client configuration task page ......................................
Update filter membership task page .........................................
Write entry to server log task page ..........................................
File resource cleanup task page ...............................................
Call Web service client task page .............................................
Control service state client task page .......................................
Defragment computer client task page .....................................
Get IP configuration client task page ........................................
Power control task page .........................................................
Reset task agent page ............................................................
Run script task page ..............................................................
Call Web service on server task page ........................................
Enable/Disable policy task page ..............................................
Raise message task page ........................................................
Run script on server task page ................................................
Run SQL query on server task page ..........................................
Run Script on task server task page .........................................
Send E-mail server task page ..................................................
UNIX/Linux/Mac service control task page ................................
Tokens page ........................................................................ 481
Client task schedule page ....................................................... 482
Chapter 23
Using Resource Manager ................................................. 485
About resource management ........................................................
Resource Manager tasks ..............................................................
Accessing Resource Manager ........................................................
Viewing inventory data for a data class ..........................................
Viewing event data for a data class ................................................
Item Property Summary Web part .................................................
Adding a resource to an organizational group ..................................
Resource Manager summary pages ...............................................
Filter Summary page ...................................................................
Organizational Summary page ......................................................
Policy Summary page ..................................................................
Processing Summary page ...........................................................
Event History Web part .........................................................
Client Config Events Web part ................................................
Event History per Policy Web part ...........................................
Client Config Information (per status code) Web part ..................
Resource Summary page ..............................................................
General Web part .................................................................
Identification Web part .........................................................
Symantec Management Agent Details Web part .........................
Network Web part ................................................................
Chapter 24
Using Notification Server reports .................................. 499
About Notification Server reports ..................................................
Viewing and managing resource data with Notification Server
reports ...............................................................................
Extracting Notification Server report results ...................................
Viewing Notification Server report results ......................................
Using Notification Server report results .........................................
Saving Notification Server report results as a snapshot .....................
Saving Notification Server report results as a Web part .....................
Creating a static filter from Notification Server report results ............
Saving Notification Server report results as a file .............................
Chapter 25
Creating custom Notification Server reports ............... 509
About custom Notification Server reports ....................................... 510
Components of a custom Notification Server report .................... 510
Creating and modifying custom Notification Server reports .........
Custom Report Edit page ........................................................
Creating a new custom Notification Server report ......................
Modifying an existing custom Notification Server report .............
About defining report queries .......................................................
Defining a resource query for a custom report ...........................
Custom Report Edit page: Data Source tab .................................
Converting a resource query to an SQL query for a custom
report .................................................................................
Building a resource query for a custom report or filter ......................
Adding resource type associations to a resource query for a
custom report ................................................................
Adding joins to a resource query for a custom report ...................
About setting up resource query fields for a custom report or
filter ..................................................................................
Adding fields and data class attributes to a resource query for a
custom report ................................................................
Modifying source fields in a resource query for a custom
report ...........................................................................
Edit Source Fields dialog box ..................................................
About setting up filter expressions to refine the query results ............
Adding a condition to the filter for a custom report ....................
Organizing the filter conditions for a custom report ...................
Switching to Advanced Mode for a custom report .......................
About using parameters in custom report and filter queries ...............
Creating a new parameter for a custom report or filter
query ...........................................................................
Adding an advanced type parameter to a custom report or filter
query ...........................................................................
Adding an existing parameter to a custom report or filter
query ...........................................................................
Modifying parameters for a custom report or filter query ............
Viewing the resolved query of a custom report or filter .....................
Viewing the query results of a custom report ...................................
Defining an SQL query for a custom report ......................................
Writing an SQL query for a custom report or filter ............................
About configuring the scoping fields in a custom report
snapshot .............................................................................
Configuring the scoping fields in a custom report snapshot ................
About defining parameters and value providers for a custom
report .................................................................................
Adding a parameter to a custom report .....................................
Adding an advanced type parameter to a custom report ...............
Creating a new parameter for a custom report ...........................
Modifying custom report parameters .......................................
About the Parameter Editing \ Creation Dialog dialog box ............
About the parameter type for a custom report ...........................
About the parameter value provider type settings for a custom
report ...........................................................................
About custom report views ...........................................................
Creating or modifying a chart view for a custom report ...............
Creating or modifying a grid view for a custom report .................
Setting up drilldown actions for a custom report ..............................
Specifying the drilldown action wireup for a custom report ..........
Adding parameters to a drilldown action for a custom
report ...........................................................................
Specifying the properties of a custom report ...................................
Chapter 26
Viewing resource information ......................................... 577
About resources .........................................................................
Viewing resource data class information .........................................
Viewing resource association type information ................................
Viewing resource type information ................................................
Section 5
Managing the Software Catalog and
Software Library ................................................... 581
Chapter 27
Introducing Software Management Framework ......... 583
About Software Management Framework .......................................
About the Software Catalog ..........................................................
Benefits of the Software Catalog ....................................................
About the Software Library ..........................................................
Benefits of the Software Library ....................................................
About the separation of software-related user roles ..........................
Components of Software Management Framework ...........................
What you can do with Software Management Framework ..................
Chapter 28
Setting up Software Management Framework ............ 595
Implementing Software Management Framework ............................
About the Software Management Framework Agent .........................
About Software Management Framework settings ............................
First time setup options for Software Management Framework ...........
About cleaning up file resources ....................................................
Scheduling a Clean up File Resources task .......................................
Running a Clean up File Resources task ..........................................
About installation error code descriptions .......................................
Adding descriptions to installation error codes ................................
Add or Edit Installation Error Code dialog box .................................
About known-as associations and wildcards ....................................
Defining known-as wildcards ........................................................
Add or Edit Known-As Wildcard dialog box .....................................
Editing or deleting a known-as association ......................................
Add or Edit Software dialog box ....................................................
Web parts for Software Management Framework .............................
Chapter 29
Configuring the Software Library ................................... 611
Setting up the Software Library .................................................... 611
Configuring the Software Library .................................................. 612
About relocating the Software Library ............................................ 614
Chapter 30
Viewing Software ............................................................... 617
About the Software Catalog window ...............................................
Accessing the Software Catalog window .........................................
About the Software view ..............................................................
Software view ............................................................................
Actions you can perform in the Software view and in the Software
Catalog ...............................................................................
Finding software in the Software view and in the Software
Catalog ...............................................................................
Saving a software search .............................................................
About search conditions and search operators of a software
search ................................................................................
Managing a saved software search .................................................
Chapter 31
Populating the Software Catalog ................................... 633
Methods for populating the Software Catalog ..................................
About importing a package to create a software resource ...................
Importing a package to create a software resource ............................
Import Software dialog box ..........................................................
Supported installation file types ....................................................
About Software Discovery ............................................................
Tasks that Software Discovery performs .........................................
Where Software Discovery finds information ..................................
Discovering software on managed computers ..................................
Configuring the Software Discovery policy ......................................
About the software resource types .................................................
Assigning a type to a software resource ..........................................
About duplicate software resources ...............................................
Resolving duplicate software resources ..........................................
Resolve Duplicate Software Resources dialog box .............................
Merge Software Resources wizard .................................................
About installed software filters .....................................................
Creating a filter for installed software ............................................
Create Installed Software Filter dialog box ......................................
About replicating the Software Catalog ...........................................
Software Catalog resources that you can replicate ............................
Chapter 32
Creating software resources ........................................... 659
About software resources .............................................................
About the unique identifier for software resources ...........................
About deliverable software resources .............................................
Adding or editing a software resource ............................................
Deleting a software resource ........................................................
Software resource page ...............................................................
Software resource: Properties tab ..................................................
Software resource: Package tab .....................................................
Software resource: Rules tab .........................................................
Software resource: Associations tab ...............................................
Add or Edit Product dialog box ......................................................
Add or Edit Company dialog box ....................................................
Add or Edit Software Category dialog box ........................................
About associations between software resources ...............................
Adding associations to a software resource .....................................
About file resources ....................................................................
Adding file resources to a software resource ....................................
Select Software dialog box ............................................................
Select resource dialog box ............................................................
Exporting a software resource and its details ...................................
Exporting dialog box ...................................................................
Chapter 33
Populating the Software Library .................................... 681
How the Software Library is populated ...........................................
About software packages .............................................................
Associating a package with a software resource ...............................
Add or Edit Package dialog box .....................................................
About assigning packages to package servers automatically ...............
Package Definition dialog box ....................................................... 690
Adding an existing package to the Software Library .......................... 690
Chapter 34
Creating command lines for software
resources ....................................................................... 693
About software resource command lines .........................................
Creating a command line for a software resource .............................
Add or Edit Command Line dialog box ............................................
About the Command Line Builder ..................................................
MSI Command Line Builder dialog box ...........................................
Command Line Builder dialog box for UNIX, Linux, and Mac
packages .............................................................................
Virtual Package command line builder dialog box .............................
Chapter 35
Creating inventory rules ................................................... 709
About inventory rules .................................................................
About detection and applicability rules ...........................................
Creating or editing inventory rules ................................................
Create Rule and Edit Rule dialog boxes ...........................................
Expression dialog boxes for smart rules ..........................................
Expression dialog boxes for standard rules ......................................
Chapter 36
Importing data from a data provider ............................. 721
About data providers ...................................................................
Importing data from a data provider ..............................................
Methods for importing data from a data provider .............................
About the types of metadata you can import from a data
provider .............................................................................
Adding a data provider ................................................................
About the data provider precedence settings ...................................
Configuring the precedence settings for a data provider ....................
Data Provider Management page ...................................................
Set Data Provider Precedence dialog box .........................................
Importing data from a data provider with a schedule ........................
Importing data from a data provider manually .................................
About gathering available software resources ..................................
Data Provider Summary page .......................................................
Chapter 37
Rolling out solution plug-ins ........................................... 739
About a Managed Rollout policy .................................................... 739
Configuring a Managed Rollout policy ............................................ 741
Policy Settings dialog box ............................................................
About schedule settings of a Managed Rollout policy ........................
About the execution of a Managed Rollout policy ..............................
About the Wake-on-Lan setting .....................................................
Section 6
Managing CMDB data with Data
Connector ................................................................. 751
Chapter 38
Introducing Data Connector ............................................ 753
About Data Connector ................................................................. 753
How Data Connector works .......................................................... 753
What you can do with Data Connector ............................................ 755
Chapter 39. Working with data sources
  Setting up data transfer
  About data sources
  Creating a data source definition
  CSV File Data Source page
  Custom File Export Data Source page
  LDAP Data Source page
  ODBC Data Source page
  OLEDB Data Source page
  XML File Data Source page
  About pre-processing data before data imports
  About virtual data classes
    Creating a virtual data class
    Edit Virtual Data Class page
Chapter 40. Configuring the transfer of data
  About configuring data transfer
  Configuring data transfer
  Running a data transfer rule as a task
  Bulk Resource Export Rule page
  Filter Import Rule page
  Organizational Group Import Rule page
  Report Export Rule page
  Resource Import Export Rule page
    Data class mappings table
    Edit AutoGenerate Column dialog box
    Edit Expression dialog box
    Association and reverse association mappings tables
  Scriptable fields for modifying Resource Import Export and CMDB rules
    Expression syntax
    User-defined values
    Expression operators
    String operators
    Wildcard characters
    Aggregate Types
    Expression functions
  Viewing data transfer summaries
  Checking the health of data transfer rules
  Creating a new resource lookup key
  Configuring data connector verbose log purging options
Chapter 41. Modifying CMDB data
  About modifying CMDB data
  Editing CMDB data
  Running a CMDB rule as a task
  CMDB Rule page
    CMDB Rule Resources dialog box
Appendix A. Symantec™ Management Platform 7.1 SP2 Third-Party Legal Notices
  Third-Party Legal Notices
  Microsoft Silverlight 4 Toolkit
  Microsoft Prism
  Apache HTTP Server
  OpenSSL
  Microsoft Silverlight 3 Tool Kit
  Bouncy Castle
  SQLite
  Net-SNMP
Index
Chapter 1. Introducing the Symantec Management Platform
This chapter includes the following topics:
■ About the Symantec Management Platform
■ What's new in Symantec Management Platform 7.1 SP2
■ Components of the Symantec Management Platform
■ How the Symantec Management Platform works
■ About adding products to the platform
■ Where to get more information
About the Symantec Management Platform
The Symantec Management Platform provides a set of services that IT-related
solutions can leverage. Solutions plug into the platform and take advantage of
the platform services, such as security, reporting, communications, package
deployment, and Configuration Management Database (CMDB) data. Because
solutions share the same platform, they can share platform services as well as
data. Shared data is more useful than data that is only available to a single solution.
For example, one solution collects data about the software that is installed on
company computers and another solution uses the data to manage software
licenses. A third solution can also use this data to help you update software. This
close integration of solutions and the platform makes it easier for you to use the
different solutions because they work in a common environment and are
administered through a common interface.
The platform provides the following services:
■ Role-based security
■ Client communications and management
■ Execution of scheduled or event-triggered tasks and policies
■ Package deployment and installation
■ Reporting
■ Centralized management through a single, common interface
■ Configuration Management Database (CMDB)
■ Software Management Framework
When you install a solution or suite, the platform is also installed if it is not already
installed.
See “Components of the Symantec Management Platform” on page 32.
See “How the Symantec Management Platform works” on page 33.
See “About adding products to the platform” on page 34.
See “What's new in Symantec Management Platform 7.1 SP2” on page 28.
What's new in Symantec Management Platform 7.1 SP2
In the 7.1 SP2 release of Symantec Management Platform, the following new
features are introduced:
Table 1-1 List of new features

Component: General
Description:
■ Symantec Help Center
  The Symantec Management Platform 7.1 SP2 release provides Symantec
  Help Center. This search-based Help system implements many Web 2.0
  features, such as autosuggest and filtering. It also deploys the
  customized search logic that helps you get more relevant answers to
  your questions.
■ Symantec ServiceDesk no longer installed as a part of IT Management
  Suite in Symantec Installation Manager
  To install Symantec ServiceDesk, you must select the product separately
  in the product listing in Symantec Installation Manager.

Component: Core
Description:
■ Support for Microsoft MED-V virtualization
  This enhancement adds the ability for Symantec Management Agents
  on Microsoft MED-V virtual devices to communicate through devices
  in NAT mode. It is now supported in 6.x or later.
■ NSE processing improvements enable faster inventory updates and
  consume less processing power on Notification Server and Microsoft
  SQL systems.
■ Registry keys can be used to change the path to Logs and the Event
  queue.
■ Scalability - One Notification Server now supports up to 300 task servers.
■ Support for SQL 2008 R2 SP1
■ Support for SQL 2005 SP4
■ Support for Windows Internet Explorer 9 in compatibility mode
■ A 5,000-seat environment was tested and documented to provide
  hardware recommendations and to minimize hardware expenses for
  SMB environments.
  For more information, see the IT Management Suite Planning and
  Implementation Guide at http://www.symantec.com/docs/DOC4827

Component: Symantec Installation Manager
Description:
■ Ability to perform offline upgrades
  You can export a server's installation history and import it to an
  Internet-connected computer to create an installation package.
■ Log files for support packages
  Symantec Installation Manager lets you create and view verbose and
  non-verbose log files for inclusion in a support package.
■ Ability to create installation packages on Windows XP/7 computers
  You can now run Symantec Installation Manager on the platforms that
  Notification Server does not support. Examples of these platforms are
  Windows XP/7, but only for the purpose of creating offline installation
  packages.
■ Improvements to SSL configuration
  New options for supplying a certificate during installation. The options
  include Create self-signed, Import, and using a certificate available on
  the computer.
For more information, see the Symantec Management Platform 7.1 SP2
Installation Guide.
http://www.symantec.com/docs/DOC4798

Component: Enhanced Console Views
Description:
■ New Software Management privileges
  Software Management privileges grant specific abilities to the user role.
  They also allow the user to perform specific tasks in the Software view
  and Software Catalog window from the enhanced console views.
■ Improved Licenses tab
  Improvements in the Licenses tab, on the Software Product dialog box,
  let you choose whether to license a software product. These
  improvements also let you create additional licenses for the same
  software product.
■ Improved Delivery tab
  Improvements in the Delivery tab, on the Software Product dialog box,
  let you import software packages, add software packages, and add
  command lines.
■ Additional search options
  Improvements in the Enhanced Views Setting dialog box let you
  configure search settings for the Software view and Computer view
  center panes (list panes).
See Altiris IT Management Suite 7.1 SP2 from Symantec Enhanced
Console Views Getting Started Guide at the following URL:
http://www.symantec.com/docs/doc4858

Component: Symantec Workflow
Description:
■ Symantec Workflow is delivered through Symantec Management
  Platform.
■ The Configuration and Logging Tool in Workflow Designer was renamed
  to Workflow Explorer.
■ Users can now enter platform credentials during installation, but AD
  credentials were removed from the installation.
■ Improvements in Active Directory synchronization let you selectively
  synchronize users with Symantec Workflow.
■ New import profiles and export profiles are available.
■ Symantec Workflow includes a refreshed Sharepoint component library.
■ All integration projects are now multi-generator container projects by
  default.
■ A new application installer is included for partners.

Component: Software Management Framework
Description:
■ Support of virtualization package format XPF
  This enhancement ensures that the software catalog adds support of
  the default package format of Symantec Workspace Virtualization.
  For more information on XPF, see topics on software virtualization in
  the Software Management Solution User Guide at the following URL:
  http://www.symantec.com/docs/DOC4661
■ Changes in Software Management Framework Agent inventory report
  To prevent accidental loss of Software Management Framework
  inventory data, a periodic send of full inventory data is added.
  For more information, see the following knowledge base article at the
  following URL:
  http://www.symantec.com/docs/HOWTO60920.
■ Automatically generate command lines when a package is created
  checkbox in Add or Edit Package dialog box
  This checkbox lets you generate appropriate command lines when a
  new package is added to either a new software resource or an existing
  software resource.
  See “Add or Edit Package dialog box” on page 685.

Component: UNIX, Linux, Mac Agent
Description:
■ NSE events
  You can now select specific resource keys to be ignored when you
  generate NSE events.
  For more information, see the knowledge base article at the following
  URL:
  http://www.symantec.com/docs/HOWTO60919.
■ Support for 64-bit RHEL 6
  A 64-bit bootstrap module is added to the solution package to support
  installation on the RHEL 6 64-bit platforms without a 32-bit
  compatibility layer.
■ Various enhancements for Client Task Agent
■ Changes in agent packaging for Mac platform
  ULM Agent distribution for MacOS now contains signed files (libraries,
  binary executables, and application bundles). Files are signed with the
  official Symantec certificate.
■ Support for Mac OS X 10.7.x and Mac OS X Server 10.7.x

See “About the Symantec Management Platform” on page 27.
Components of the Symantec Management Platform
The Symantec Management Platform includes the following core components:
■ Notification Server and Symantec Management Console
  The Symantec Management Platform service that processes events, facilitates
  communications with managed computers, and coordinates the work of the
  other Symantec Management Platform services. The console is the Notification
  Server computer's Web-based user interface that lets you manage the platform
  and its solutions.
  See “About Notification Server” on page 46.
  See “About configuring Notification Server” on page 46.
  See “About the Symantec Management Console” on page 39.
■ Configuration Management Database (CMDB)
  The database that stores all of the information about managed computers.
  See “About the Configuration Management Database” on page 47.
  See “Configuring the Configuration Management Database” on page 48.
■ Site servers
  The Symantec Management Platform can host several types of middleware
  components, such as package services, task services, and deployment site
  services. The official name for a middleware component is "site service." Any
  component that hosts a site service is known as a site server. Site servers can
  host one or more of these services.
  See “About site services” on page 131.
■ Symantec Management Agent
  The software that is installed on a computer to enable Notification Server to
  monitor and manage it. After the Symantec Management Agent is installed,
  that computer becomes a managed computer.
  See “About the Symantec Management Agent” on page 293.
■ Software Management Framework
  An interface that lets you create and manage the software resources that are
  in the Software Catalog. It also lets you manage the packages that are in the
  Software Library. The Software view provides a central location for initiating
  the software-related tasks that are performed in your organization.
  See “About Software Management Framework” on page 583.
  See “About the Software view” on page 619.
■ Reports
  A way to gather automated information. You can view reports for any managed
  computer from the Symantec Management Console.
  See “Viewing and managing resource data with Notification Server reports”
  on page 500.
See “About the Symantec Management Platform” on page 27.
See “How the Symantec Management Platform works” on page 33.
How the Symantec Management Platform works
Products that are designed to plug into the Symantec Management Platform are
known as solutions. Multiple solutions that are installed as a unit are known as
suites. When you install a solution or suite, the platform is also installed if it is
not already installed.
During the platform installation, each of the platform services is installed. These
services include the Notification Server service. The services are installed on a
single computer that is known as the Notification Server computer. This computer
is the computer you access, through the Symantec Management Console, to
perform your administration and your management work.
See “About configuring Notification Server” on page 46.
The Symantec Management Console is a browser-based console that can be
accessed from the Notification Server computer or remotely. When you access
the console remotely, the computer must be on the network, running Microsoft
Internet Explorer, and have access to the Notification Server computer.
See “About the Symantec Management Console” on page 39.
As part of the platform installation, you set up the Configuration Management
Database (CMDB). The CMDB stores the data that the platform and your solutions
collect. The CMDB is a Microsoft SQL Server database.
See “Configuring the Configuration Management Database” on page 48.
After the platform and solutions are installed, you need to do some configuration.
If any of the solutions manage other computers (most solutions do), you must
install the Symantec Management Agent on the computers to be managed. The
agent facilitates communications between the managed computer and the platform
and solutions. The agent also receives tasks from the platform and solutions,
helps install software, and sends collected data from the managed computer to
the platform. There is an agent for managing UNIX, Linux, and Mac OS computers
and one for managing Windows computers.
See “About the Symantec Management Agent” on page 293.
As solutions and the agent collect data, the data is stored in the CMDB, where it
can be used in numerous ways. The data is used to generate the reports that help
you manage your network. The data can also be used to trigger the actions that
help prevent or address issues automatically.
See “Viewing and managing resource data with Notification Server reports”
on page 500.
The data that is collected and the tasks that are performed depend on the solutions
and suites you install. The platform lets you run a single solution or numerous
solutions. Regardless of the number of solutions installed, they are all managed
through the Symantec Management Console. A single console means there is no
need to learn new interfaces as you add new solutions to your environment.
See “About the Symantec Management Platform” on page 27.
See “Components of the Symantec Management Platform” on page 32.
About adding products to the platform
A wide variety of products can run on the Symantec Management Platform.
Symantec and other companies provide additional products that run on the
platform. For example, Symantec Client Management Suite helps you manage
endpoint computers and Symantec Server Management Suite helps you manage
servers.
You use Symantec Installation Manager to manage the installation of additional
products on the platform. On the Install New Products page of Symantec
Installation Manager, you can view a list of available products. You can then easily
install and evaluate a product. Products generally have a 30-day evaluator’s license.
You can view a list of all of the installed products on the Installed Products page
of Symantec Installation Manager.
When you purchase products, Symantec Installation Manager also manages the
licenses. On the Product Licensing page, you can apply licenses to installed
products and view the status of applied licenses.
For more information, see the Symantec Management Platform Installation Guide.
See “About the Symantec Management Platform” on page 27.
See “Components of the Symantec Management Platform” on page 32.
See “How the Symantec Management Platform works” on page 33.
Where to get more information
Use the following documentation resources to learn about and use this product.
Table 1-2 Documentation resources

Document: Release Notes
Description: Information about new features and important issues.
Location: The Supported Products A-Z page, which is available at the following
URL:
http://www.symantec.com/business/support/index?page=products
Open your product's support page, and then under Common Topics,
click Release Notes.

Document: User Guide
Description: Information about how to use this product, including detailed
technical information and instructions for performing common tasks.
Location:
■ The Documentation Library, which is available in the Symantec
  Management Console on the Help menu.
■ The Supported Products A-Z page, which is available at the
  following URL:
  http://www.symantec.com/business/support/index?page=products
  Open your product's support page, and then under Common Topics,
  click Documentation.

Document: Help
Description: Information about how to use this product, including detailed
technical information and instructions for performing common tasks.
Help is available at the solution level and at the suite level.
This information is available in HTML help format.
Location: The Documentation Library, which is available in the Symantec
Management Console on the Help menu.
Context-sensitive help is available for most screens in the Symantec
Management Console.
You can open context-sensitive help in the following ways:
■ The F1 key when the page is active.
■ The Context command, which is available in the Symantec
  Management Console on the Help menu.

In addition to the product documentation, you can use the following resources to
learn about Symantec products.
Table 1-3 Symantec product information resources

Resource: SymWISE Support Knowledgebase
Description: Articles, incidents, and issues about Symantec products.
Location: http://www.symantec.com/business/theme.jsp?themeid=support-knowledgebase

Resource: Symantec Connect
Description: An online resource that contains forums, articles, blogs,
downloads, events, videos, groups, and ideas for users of Symantec products.
Location: http://www.symantec.com/connect/endpoint-management

Section 1. Setting up the Symantec Management Platform servers
■ Chapter 2. Using the Symantec Management Console
■ Chapter 3. Configuring Notification Server
■ Chapter 4. Configuring security
■ Chapter 5. Configuring schedules
■ Chapter 6. Configuring site servers
■ Chapter 7. Configuring Package Server for Linux
■ Chapter 8. Configuring hierarchy
■ Chapter 9. Configuring replication
■ Chapter 10. Customizing the Symantec Management Console
Chapter 2. Using the Symantec Management Console
This chapter includes the following topics:
■ About the Symantec Management Console
■ Accessing the Symantec Management Console
■ Accessing documentation in the Symantec Management Console
■ About the search panel
■ Search Results page
About the Symantec Management Console
The Symantec Management Console (usually referred to as "the console") is a
Web-based user interface that is the primary tool for interacting with Notification
Server and its components, and for managing resources.
The Symantec Management Console is divided into the following areas:

Header
The top portion of the console that includes the following:
■ Menus, which let you access console pages and dialogs that provide
  the management functionality for Notification Server. Symantec
  solutions that are installed on the system may add new items to
  the menu.
■ Search box, which lets you search the resource data for the
  resources that you want. When you perform a search, a search
  panel appears under where you input the search.
  See “About the search panel” on page 43.
■ A breadcrumb bar that shows the menu path to the currently
  displayed page.

Content area
The portion of the console that is below the header can show one of
the following:
■ View
  A view is composed of a tree view and content pane. The tree view,
  in the left pane, shows a hierarchical arrangement of items that
  you can select and work with. The content pane, on the right,
  displays pages based on tree view selections.
■ Portal page
  A portal page displays a collection of different pieces of information
  that are contained in Web parts. Notification Server includes
  predefined portal pages, and other portal pages might be included
  with solutions. You can also create your own portal pages.
  See “About portal pages” on page 214.
■ Full page
  A full page has a single content pane without the tree view.

Some console pages support personalization, which is the ability for a console
page to preserve the state of its controls on a per-user basis. For example, one day
user A may open a filter page and, to suit their personal preference, re-order the
columns in the grid. Meanwhile, user B opens the same page but leaves the grid
in its default configuration. The following day, when the users open that filter
page, user A sees the page as they configured it on the previous day. User B still
sees the default view as they left it on the previous day.
Personalization is currently applied to the reporting pages and filter pages, and
to the state of the navigation tree in the view pages. In addition, the My Portal
page is personalized for each user.
Accessing the Symantec Management Console
The Symantec Management Console (usually referred to as "the console") can be
accessed from the computer that is running Notification Server or remotely. A
remote connection requires that the remote computer has access to the Notification
Server computer and is running a supported version of Microsoft Windows and
Microsoft Internet Explorer. Because the console is Web-browser-based, you do
not need to install any special software to use the console.
See “About the Symantec Management Console” on page 39.
You must be a member of one or more Notification Server security roles to access
the console.
See “About Symantec Management Platform security” on page 69.
Note: The Symantec Management Platform supports NTLM authentication for
remote connections. This lets you access the Symantec Management Console from
a remote computer without being prompted for a user name and password
(sometimes referred to as "single sign-on" to the console). You must be logged on
to the remote computer with a Symantec Management Platform account, and you
should use the fully qualified domain name (FQDN) for the Notification Server
name.
If you are prompted for a user name and password when you connect to the
Symantec Management Console, you may need to add the Notification Server
name (FQDN) to the Trusted Sites zone on the remote computer. You can do this
through the Control Panel, on the Internet Properties dialog, in the Security tab.
The console supports 32-bit Microsoft Internet Explorer 7.0. All the Active-X
controls that are used are 32-bit, so 64-bit browsers are not supported. If you open
the console with an unsupported browser, a message is displayed in the top line.
The message warns you that the browser is not supported and that some features
may not be available. You use unsupported browsers at your own risk.
Some Active-X controls must be installed to enable the console to function
correctly. You need to have an administrator account on the console computer or
have the appropriate Active-X controls installed by your IT support.
Note: If you experience problems such as console pages showing error messages,
data being lost, or UI controls behaving in unexpected ways, check that the name
of the Notification Server is correctly specified. The Notification Server name
may contain only alphanumeric characters. Special characters, including the
underscore character, are not allowed.
For more information, refer to the Symantec Management Platform Installation
Guide.
To access the Symantec Management Console locally
◆ On the local computer, on the Start menu, click All Programs > Symantec >
  Symantec Management Console 7.1.
To access the Symantec Management Console remotely
1. On a remote computer, open Internet Explorer, and go to the following URL:
   http://Notification Server name/altiris/console
   The Notification Server name should be the fully qualified domain name. You
   can use https if necessary. If the Notification Server is not on port 80, you
   need to include the appropriate port number after the Notification Server
   name.
2. If you are logged on to the remote computer with an account that is not a
   Symantec Management Platform account, you are prompted for your user
   name and password.
   If you are logged on to the remote computer with a Symantec Management
   Platform account, the single sign-on feature handles this automatically. If
   the prompt appears, you may need to add the Notification Server name (FQDN)
   to the Trusted Sites zone on the remote computer.
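A pre-flight check for the remote console URL described in the steps above, added here as an example; it is not part of the guide or of Symantec's software. The function name, the finding labels and the example.com host names are constructed for illustration, and applying the guide's alphanumeric-only rule to the leftmost label of the FQDN is an assumption.

```python
import ipaddress
import re
from urllib.parse import urlsplit

CONSOLE_PATH = "/altiris/console"         # console path given in the guide
ALNUM_ONLY = re.compile(r"[A-Za-z0-9]+")  # guide: server name is alphanumeric only


def _is_ip_literal(host):
    """True when the host part is an IPv4 or IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_console_url(url):
    """Return (url_in_the_guide_form, findings) for a console URL.

    Raises ValueError when the input is not an http(s) URL with a host
    and a valid port. Finding labels are hypothetical names for this example.
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        raise ValueError("console URL must start with http:// or https://")
    host = parts.hostname  # urlsplit lower-cases the host name
    if not host:
        raise ValueError("console URL has no server name")
    port = parts.port  # raises ValueError on a non-numeric or out-of-range port

    findings = []
    if _is_ip_literal(host):
        # The guide asks for the FQDN, which an IP address is not.
        findings.append("not-fqdn")
    else:
        labels = host.rstrip(".").split(".")
        # Assumption: the alphanumeric rule applies to the server's own
        # label (leftmost), so an underscore or hyphen there is flagged.
        if not ALNUM_ONLY.fullmatch(labels[0]):
            findings.append("server-name-not-alphanumeric")
        if len(labels) < 2:
            findings.append("not-fqdn")
    if scheme == "http":
        # Plain http leaves the console session unencrypted on the wire.
        findings.append("http-not-https")
    # IIS paths are case-insensitive; a trailing slash is tolerated.
    if parts.path.rstrip("/").lower() != CONSOLE_PATH:
        findings.append("unexpected-path")

    # The port is shown only when it differs from the scheme default.
    default_port = 80 if scheme == "http" else 443
    shown_host = f"[{host}]" if ":" in host else host
    if port in (None, default_port):
        netloc = shown_host
    else:
        netloc = f"{shown_host}:{port}"
    return f"{scheme}://{netloc}{CONSOLE_PATH}", findings


if __name__ == "__main__":
    # Constructed sample URLs, not taken from any real deployment.
    samples = [
        "https://ns01.example.com/altiris/console",
        "http://ns_01.example.com:8080/altiris/console",
        "https://ns01/altiris/console",
    ]
    for sample in samples:
        print(sample, "->", check_console_url(sample))
```

An empty findings list means the URL uses https, names the server by FQDN, and satisfies the naming rule stated in the note earlier in this section.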
Accessing documentation in the Symantec Management Console
There are two ways you can access documentation within the Symantec
Management Console: context-sensitive help and the documentation library.
Context-sensitive help lets you access information specific to the location (page,
dialog, or tab) you are at within the console. When you access context-sensitive
help, the user’s guide for the product that is associated with the location opens
in a new window with the appropriate topic displayed.
The documentation library is a page within the Symantec Management Console
that lets you access the documentation that is provided with each installed product,
such as user’s guides, administration guides, implementation guides, and release
notes. The documentation can be located on the Notification Server computer,
such as the user’s guides, or on a Web site, such as the release notes. Some
documentation is in Adobe Acrobat format and requires Adobe Acrobat Reader
to view or print.
See “About the Symantec Management Console” on page 39.
To access context-sensitive help documentation
1. In the Symantec Management Console, make sure the location on which you
   want to access help is active.
   To make a location active, click somewhere in the location. For example, click
   in the page or dialog.
2. Do one of the following:
   ■ In the Help menu, click Context.
   ■ Press the F1 key.
To access the documentation library
1. In the Symantec Management Console, in the Help menu, click
   Documentation Library.
2. In the Documentation Library page, click the link that is associated with the
   documentation you want to access.
About the search panel
When you perform a search in the Symantec Management Console, a search panel
appears below where you input the search. The search panel is divided into
different sections for the different types of search results that are returned. Results
are returned only if the user has privileges to view them.
The search panel can contain the following sections:
■ Resources
■ Policies
■ Jobs and Tasks
■ Filters
■ Reports
A section appears in the search panel only if search results were returned for that
type of result. A section is limited to the top five search results. If there are more
than five search results, you can click the link in the header of the section to view
them on the Search Results page. You can also click View all search results at
the bottom of the search panel to view all of the search results on the Search
Results page.
See “Search Results page” on page 44.
Each search result includes the name of the result and a description if it is
available. When you click a search result, its UI page opens.
See “About the Symantec Management Console” on page 39.
Search Results page
This page lets you view search results from a search that is performed in the
Symantec Management Console. When you perform a search, a search panel
appears. The search panel is divided into different sections for the different types
of search results that are returned. If you click a link in the header of a section,
the Search Results page appears and displays all of the search results of that
type. If you click View all search results at the bottom of the search panel, the
Search Results page appears and displays all of the search results.
See “About the search panel” on page 43.
When you click any search result, its UI page opens. If multiple pages of search
results are returned, you can use the controls at the bottom of the Search Results
page to access them.
Chapter 3
Configuring Notification Server
This chapter includes the following topics:
■ About Notification Server
■ About configuring Notification Server
■ About the Configuration Management Database
■ Configuring the Configuration Management Database
■ Purging the Configuration Management Database
■ Saving resource data history in the CMDB
■ Configuring Notification Server settings
■ Configuring Notification Server settings with NS Configurator
■ Performing a first-time setup configuration
■ Discovering computers
■ Installing the Symantec Management Agent
■ Agent and task setting options
■ Collecting inventory information
■ Deploying preboot environments
About Notification Server
Notification Server is the primary server component within the Symantec
Management Platform. Notification Server coordinates the various solutions and
provides the primary user interface, policy-based administration, reporting, and
notification. Notification Server hosts the Web-based management console that
lets you manage the components of your Symantec Management Platform.
See “Components of the Symantec Management Platform” on page 32.
See “About configuring Notification Server” on page 46.
Notification Server is responsible for managing the predefined policies and tasks
that are available in each installed solution. These policies and tasks activate
components of Notification Server that process several functions.
Notification Server functions include the following:
■ Discovering resources on the network
■ Installing and configuring the management agent on the endpoints
■ Collecting client-reported information and storing it in the CMDB
■ Generating detailed Web Reports
■ Sending policy information to the endpoints
■ Distributing software packages
About configuring Notification Server
The default Notification Server configuration settings are suitable for most
purposes and you do not normally need to change them. These default settings
are specified when you install the Symantec Management Platform. However, as
the needs of your organization change, you can make the appropriate configuration
changes.
See “About Notification Server” on page 46.
For more information, see the Symantec Management Platform Installation Guide.
You can perform the following types of configurations:
■ Configure the Configuration Management Database (CMDB) settings.
  See “Configuring the Configuration Management Database” on page 48.
■ Set up database purging.
  See “Purging the Configuration Management Database” on page 49.
■ Configure resource data history retention.
  See “Saving resource data history in the CMDB” on page 50.
■ Configure Notification Server settings. These settings include event
  processing, status message logging, the email message server and default
  addresses, and a proxy server.
  See “Configuring Notification Server settings” on page 51.
■ Configure the Notification Server settings that do not appear in the
  Symantec Management Console.
  See “Configuring Notification Server settings with NS Configurator” on page 56.
■ Specify the software delivery package distribution point credentials.
  See “Distribution point credential settings” on page 56.
About the Configuration Management Database
Database processing is one of the largest consumers of resources on the Symantec
Management Platform. The number of solutions that are installed in your
environment and how they are used influences the database requirements. The
number of managed computers that report to each Notification Server computer
also influences the database requirements.
Each Notification Server computer can be configured to use a local Configuration
Management Database (CMDB) or to use a remote CMDB. A Notification Server
computer with a local database requires more resources than a Notification Server
computer with a remote database configuration.
See “Configuring the Configuration Management Database” on page 48.
You can use the following configurations for the CMDB:
■ Local CMDB configuration
  In a local CMDB server configuration, you install the CMDB on the same
  computer as Notification Server. This configuration is acceptable for the
  environments that have 1,000 to 5,000 endpoints. In these environments there
  is minimal contention of resources between Notification Server services and
  the CMDB services.
■ Remote CMDB configuration
  In a remote CMDB configuration, you install the CMDB on a different computer
  from the Notification Server computer. This configuration is recommended
  for most environments. In this configuration the workload of the CMDB is
  offloaded from the Notification Server computer. The CMDB server and
  Notification Server computer must have a high-speed network connection
  between them. Symantec recommends 1GB Ethernet.
Configuring the Configuration Management Database
Notification Server has a database, called the Configuration Management Database
(CMDB). Both Notification Server and solutions use the CMDB to store
configuration items and resource data.
See “About the Configuration Management Database” on page 47.
See “About configuring Notification Server” on page 46.
You can make any necessary changes to the CMDB configuration settings. When
Notification Server is installed, the CMDB is configured as part of the installation
process. You do not normally need to make any further changes.
However, there may be occasions when you need to change the CMDB configuration
settings. For example, if you upgrade the hardware on which your Microsoft SQL
Server runs, or if you are instructed to do so by Symantec Support.
Table 3-1 Configuration Management Database settings

Setting
    Description

Database Server name
    The name of the SQL server that contains the CMDB.
    Use the format servername\instancename. For example, SydNS\sql_cp1_cs_as.

Database Credentials
    The user name and password that are required to access the CMDB.
    You can use Notification Server application credentials for Windows
    authentication. You may want to use this method to avoid being affected by
    any password change policy that is enforced in your organization.
    The application credentials are specified in the Processing tab of the
    Server Settings page.
    See “Notification Server processing settings” on page 52.
    You also have the option to use SQL authentication. To use SQL
    authentication you can specify the appropriate SQL login user name and
    password.
    Note: If you want to switch database authentication to SQL, you must make
    this change on both tabs (General and Reports). The General tab is the
    default tab that appears when you open the Database Settings page. If you
    make the change only on the General tab, Notification Server is not fully
    functional, and you may experience errors with some operations.

Database Name
    You can select an existing database from the list of those available or
    create a new database.
    If you select an existing database, ensure that it is the same version as
    Notification Server.

Repair Database
    Lets you repair the CMDB. You may need to do this procedure when you
    restore Notification Server from a backup to a new computer.

Command Timeout
    The length of time that Notification Server attempts to process a query,
    such as running a report or updating a filter.
    You may want to change this value for performance reasons, such as a high
    load on the SQL server causing queries to time out.
    We recommend that you set the ASP Script timeout value in Microsoft IIS to
    a value equal to or greater than the command timeout value. Consult your
    database administrator before making any changes.

Public report credentials
    The security context to be used for running report queries on the CMDB.
    These credentials provide less security than the database credentials
    (which are for the database administrator). These credentials are used to
    access the database and run the appropriate SQL query when a user runs a
    report.

To configure the Configuration Management Database
To configure the Configuration Management Database
1  In the Symantec Management Console, in the Settings menu, click
   Notification Server > Database Settings.
2  On the Database Settings page, on the General and Reports tabs, make the
   appropriate configuration changes.
3  Click Apply.
Purging the Configuration Management Database
To manage the size of the Configuration Management Database (CMDB), you can
specify how long certain types of data are stored. You can specify storage length
for data such as reports, managed computers, and event data. For example, if you
experience poor performance when running reports, try purging your events or
configure the event purging options to save less data.
See “About configuring Notification Server” on page 46.
See “Configuring the Configuration Management Database” on page 48.
The data that can be purged from the CMDB includes the following:
■ Report snapshots
  Snapshots older than a specified amount of time can be deleted.
■ Managed computers that have not communicated with Notification Server for
  longer than a specified amount of time
  These can be deleted or set as retired. The CMDB is updated when the CMDB
  purging schedule is run.
■ Resource event data
  Event data older than a specified amount of time can be deleted. You can
  optionally specify a maximum number of rows to retain. If the event data table
  reaches this size, new rows continue to be added until the next scheduled
  update. When the CMDB purging schedule runs, the table is trimmed back to
  its maximum size. The table is trimmed by removing the oldest rows, even if
  the oldest data has not been retained for the specified time.
  You can have the same settings for all data classes, or you can set custom
  settings for some or all data classes. A custom setting for a data class overrides
  the global setting. If no custom setting is made for a data class, the global
  setting is used for that data class. The same CMDB purging schedule is used
  in all cases.
The CMDB purging schedule is a Windows schedule that you set when you install
Notification Server. You cannot change it through the Symantec Management
Console. If you want to make any changes, you can do so through the Windows
Control Panel.
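The resource event data rules described above, modelled as an added example (it is not Symantec code and does not touch the CMDB): it shows how a row cap can shorten the real look-back period of a busy data class below the configured retention time, which matters when event data is needed for an investigation. The data class names, the PurgeSetting structure, the sample rows, and the assumption that the row cap applies per data class are all constructed for illustration.

```python
"""Model of one CMDB purge run for resource event data (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PurgeSetting:
    """Hypothetical container for one purge setting (global or custom)."""
    max_age: timedelta               # event rows older than this are deleted
    max_rows: Optional[int] = None   # optional row cap; None means no cap


@dataclass(frozen=True)
class EventRow:
    data_class: str
    created: datetime


def effective_setting(data_class: str, global_setting: PurgeSetting,
                      custom: Dict[str, PurgeSetting]) -> PurgeSetting:
    """A custom setting for a data class overrides the global setting."""
    return custom.get(data_class, global_setting)


def run_purge(rows: List[EventRow], now: datetime, global_setting: PurgeSetting,
              custom: Dict[str, PurgeSetting]) -> Tuple[List[EventRow], List[EventRow]]:
    """Apply one scheduled purge run.

    Returns (kept, trimmed_early). trimmed_early holds the rows that the row
    cap removed although they were still inside the configured age window.
    Assumption: the row cap is applied separately to each data class.
    """
    by_class: Dict[str, List[EventRow]] = {}
    for row in rows:
        by_class.setdefault(row.data_class, []).append(row)

    kept: List[EventRow] = []
    trimmed_early: List[EventRow] = []
    for data_class, group in by_class.items():
        setting = effective_setting(data_class, global_setting, custom)
        # Age rule: rows older than max_age are deleted.
        survivors = sorted(
            (r for r in group if now - r.created <= setting.max_age),
            key=lambda r: r.created)  # oldest first
        # Row cap: trim back to max_rows by removing the oldest rows, even if
        # they have not been retained for the specified time.
        if setting.max_rows is not None and len(survivors) > setting.max_rows:
            cut = len(survivors) - setting.max_rows
            trimmed_early.extend(survivors[:cut])
            survivors = survivors[cut:]
        kept.extend(survivors)
    return kept, trimmed_early


def actual_retention(kept: List[EventRow], now: datetime) -> Dict[str, timedelta]:
    """Age of the oldest surviving row per data class (the real look-back)."""
    oldest: Dict[str, timedelta] = {}
    for row in kept:
        age = now - row.created
        if age > oldest.get(row.data_class, timedelta(0)):
            oldest[row.data_class] = age
    return oldest


def demo():
    """Constructed data: one busy class (hourly events) and one quiet class."""
    now = datetime(2012, 1, 31)
    rows = [EventRow("ExampleNoisyEvents", now - timedelta(hours=h))
            for h in range(1, 241)]
    rows += [EventRow("ExampleQuietEvents", now - timedelta(days=d))
             for d in range(1, 41)]
    global_setting = PurgeSetting(max_age=timedelta(days=30))
    custom = {"ExampleNoisyEvents": PurgeSetting(timedelta(days=30), max_rows=100)}
    kept, trimmed_early = run_purge(rows, now, global_setting, custom)
    return kept, trimmed_early, actual_retention(kept, now)


if __name__ == "__main__":
    kept, early, retention = demo()
    print("rows kept:", len(kept))
    print("rows trimmed inside the age window:", len(early))
    for name, age in sorted(retention.items()):
        print(name, "oldest surviving event is", age, "old")
```

In the constructed data both classes are configured for 30 days, but the capped class keeps only its newest 100 rows, so its oldest surviving event is 100 hours old.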
To purge the Configuration Management Database
1  In the Symantec Management Console, in the Settings menu, click
   Notification Server > Purging Maintenance.
2  In the left pane, in the Purging Maintenance folder, click Purging
   Maintenance.
3  On the Purging Maintenance page, on the Purging Maintenance tab, specify
   the report purge settings and computer data purge settings that you want.
4  On the Resource Event Data Purge Settings tab, specify the resource event
   data purging settings that you want.
5  To override the purging schedule and purge the CMDB immediately, on the
   Purging Maintenance tab, click Purge Now.
6  Click Save Changes.
Saving resource data history in the CMDB
Notification Server captures resource data in real time as it collects inventory
data. You can choose to create a resource data history for each type of resource
and resource association. For each history, you can specify how long to retain the
history data in the CMDB.
See “About configuring Notification Server” on page 46.
See “Configuring the Configuration Management Database” on page 48.
A resource data history can include data from any of the data classes. A resource
association history can include data from any of the resource association types.
To save resource data history in the CMDB
1  In the Symantec Management Console, in the Settings menu, click
   Notification Server > Purging Maintenance.
2  In the left pane, in the Purging Maintenance folder, click Resource History.
3  On the Resource History page, for each resource data class type and resource
   association type that you want to configure, take the following actions on the
   appropriate tabs:
   ■ Expand the data class or association type.
   ■ Select the data classes or associations for which you want to create
     resource data history.
   ■ For each data class or association, specify the period for which you want
     to keep the resource data history.
     In the corresponding drop-down list, select the time period (Days, Weeks,
     or Months). Then enter the appropriate number of days, weeks, or months.
   Any resource data older than the time that is specified for its type is deleted
   from the CMDB on the purging schedule.
4  Click Save Changes.
Configuring Notification Server settings
Notification Server settings that you can configure include event processing,
status message logging, and the email message server and default addresses.
See “About configuring Notification Server” on page 46.
You can also configure other Notification Server settings with NS Configurator.
See “Configuring Notification Server settings with NS Configurator” on page 56.
To configure Notification Server settings
1  In the Symantec Management Console, in the Settings menu, click All
   Settings.
2  In the left pane, in the Settings folder, click Notification Server > Notification
   Server Settings.
3  On the Server Settings page, make the appropriate changes in the following
   tabs:
   Processing
       You can enable or disable Notification Server Event (NSE)
       processing, specify the application identity of Notification Server,
       and restart Notification Server services manually.
       See “Notification Server processing settings” on page 52.
   Email
       You can specify the mail server that Notification Server uses and
       set the default To and From email addresses.
       See “Email server and address settings” on page 54.
   Logging
       You can specify the types of status messages, such as Notification
       Server errors, warnings and information messages, that you want
       logged by Notification Server.
       See “Status message logging settings” on page 54.
   Proxy
       If you don’t want to allow Notification Server users direct access
       to the network, you can configure a proxy server.
       See “Proxy server settings” on page 55.
   Distribution Point Credential
       You can specify the credentials that Notification Server uses to
       access your package distribution points.
       See “Distribution point credential settings” on page 56.
4  To confirm your changes, click OK.
Notification Server processing settings
You can enable or disable Notification Server Event (NSE) processing, and specify
the application identity of Notification Server. An NSE is an XML file that is passed
between Notification Server and the Symantec Management Agent (including
solution plug-ins).
See “Configuring Notification Server settings” on page 51.
Notification Server Events contain information such as the following:
■ Communication with the Symantec Management Agent
■ Events processing
■ Basic inventory or full inventory
■ Success or failure of package download
NSE processing is enabled by default when you install Notification Server, but
there may be occasions when you need to disable or reenable it. For example,
when you install a solution, all event processing is automatically paused. After
installation completes, event processing should restart automatically. If that does
not happen, a warning message appears in the Symantec Management Console,
and you are prompted to reenable NSE processing manually. Any NSEs that are
received while NSE processing is disabled are stored on the Notification Server
computer, so they are not lost.
To reenable NSE processing, click on the warning message and then, in the dialog
box that appears, click Resume.
The application identity of Notification Server is the account under which
Notification Server runs. You specify the appropriate user name and password
when you install Notification Server, and you only need to update it when
necessary. For example, if your organization has a password change policy, the
CMDB access credentials may be forced to change, and the application identity
then no longer has permission to log on to the SQL server.
Warning: You cannot use special characters in the application identity user name
or password. You may use only alphanumeric characters.
The user ID that you define requires the following permissions:
■ Local administrator permissions on Notification Server and any remote
  Windows 2000/XP/2003/Vista computers to which you want to install the
  Symantec Management Agent.
■ Permission to act as part of the operating system and log on as a batch job and
  a service.
■ Permission to log on to the SQL server.
  If the user ID does not have this permission, you can specify a different user
  name and password to log on to the CMDB.
■ Permission to connect to any SQL server to which Notification Server may
  attach.
  For example, an SMS database for Web Administrator for SMS or Lease
  database for Contract Management Solution.
Notification Server services are restarted automatically when the application
identity is changed. However, the Restart Services option lets you manually restart
the services when necessary. For example, if you make a change to the database,
you need to restart the services to make the changes take effect.
If the application identity password fails, Notification Server is unable to access
the CMDB. You cannot reset the application identity through the Symantec
Management Console, as the console uses the same password to access Notification
Server. You need to use the ASConfig utility to access the Web services directly
and reset the application identity password using the appropriate command line.
Email server and address settings
You can define a mail server and the To and From email addresses for Notification
Server email messages. Notification Server uses SMTP to send email messages.
The email address can be any valid SMTP address that your SMTP server
recognizes.
See “Configuring Notification Server settings” on page 51.
You can enable Symantec solutions to send you the email messages that are based
on the data that Notification Server receives. The email address that you specify
can receive notices of reports successfully run, automation actions executed, and
system scalability checks. These emails help you monitor and manage your
Notification Server activities.
The email settings are configured when you install Notification Server, and you
do not normally need to change them. However, if the SMTP server changes, or
if you want someone else to receive the email messages, you need to make the
appropriate changes.
The Send Test Email option lets you test the email server and address settings
by sending a message using the current settings. You need to confirm the changes
by clicking OK before you send the test email.
Status message logging settings
You can specify the types of status messages, such as Notification Server errors,
warnings, and information messages, that you want logged by Notification Server.
Log messages that Notification Server generates are written to log files in the
installation path\Altiris\Notification Server\Logs directory (by default).
Note: When you upgrade Notification Server from 6.x to 7.x, the migration wizard
writes any messages to the 6.x log file location rather than the 7.0 log file location.
The 6.x log file location is C:\WINDOWS\system32\Altiris Logs. You need to look
in this log file to see any migration errors. The Log Viewer displays only the logs
that are filed at the default 7.0 location. The migration log entries are not included.
See “Configuring Notification Server settings” on page 51.
You can log any of the following message types:
■ Errors
■ Warnings
■ Information
■ Trace
You can also choose to archive log files that are older than a particular time. If
you set this option, the relevant log files are archived daily at 05:00 a.m.
See “Opening the Log Viewer” on page 55.
Opening the Log Viewer
You can view all status messages in the Log Viewer. Being able to view messages
can be helpful in troubleshooting and monitoring your Notification Server.
See “Status message logging settings” on page 54.
To open the Log Viewer
◆ In the Start menu, click All Programs > Symantec > Diagnostics > Altiris
  Log Viewer.
Proxy server settings
If you don’t want Notification Server users to have direct access to the network,
you can configure a proxy server. For example, if you have Notification Server
and your managed computers inside your organization's firewall, a proxy server
provides security. You can set up a proxy server to provide a safe way through
the firewall without exposing Notification Server. This setup helps Notification
Server safely obtain patches or download solutions from external Web sites.
See “Configuring Notification Server settings” on page 51.
Using a proxy server may improve Notification Server performance by using less
bandwidth and filtering requests when requesting files from the Internet. One
example is PMImport data.
The Test Settings option validates the proxy server settings by attempting to
connect to an external Web site.
If error messages appear when you test the settings, ensure that your
authentication credentials are correct. Ensure that your proxy server is running
and that no general network errors exist.
Distribution point credential settings
You can specify the distribution point credentials (DPC) that Notification Server
uses to access software delivery packages. These packages are located on a network
share that is accessed through a UNC path. Notification Server publishes these
packages to a virtual HTTP directory that uses the DPC to connect to the UNC
share.
See “Configuring Notification Server settings” on page 51.
You must specify the distribution point credentials before you create a software
package that is accessed from an existing UNC path. The credentials must have
permission to validate user accounts and have read permission on all the files on
the remote distribution points.
Notification Server can use either of the following credentials:
Agent Connectivity Credential
    All Symantec Management Agents use the Agent Connectivity Credential
    (ACC) to connect to a secured resource. The ACC is set in the Global
    Agent Settings policy.
    See “Symantec Management Agent Settings – Global: Authentication tab”
    on page 346.
User-specified credentials
    If the packages are stored in a location that is not accessible with the
    Agent Connectivity Credential, you can make them accessible. To make
    packages accessible, specify the user name and password of an account
    that does have the appropriate access.
    You cannot use special characters in the user name or password. You may
    use only alphanumeric characters.
Configuring Notification Server settings with NS Configurator
The NS Configurator is a configuration tool that lets you change most core
Notification Server configuration settings. These settings include many that are
not accessible from the Symantec Management Console. You should only use NS
Configurator to change these settings if you know the effect that each setting has
on the system.
See “About configuring Notification Server” on page 46.
When a user starts NS Configurator, a security check is performed to determine
if the user has permission to view or modify Notification Server settings. If a user
does not have permission, a warning message appears and the tool closes.
To configure Notification Server settings with NS Configurator
1  To start NS Configurator, run the NSConfigurator.exe file.
   This file is at Program Files\Altiris\Notification Server\Bin\Tools. When you
   run this tool, it opens the CoreSettings.config file that is at Program
   Files\Altiris\Notification Server\Config.
2  Do one of the following to find the setting you want to change:
   ■ In the navigation tree in the left pane, locate the setting.
   ■ In the search field in the upper right-hand corner, enter your search text
     and click Search. In the list of search results, click the Show link for that
     setting.
3  In the right pane, change the setting and click Save.
   If you enter an invalid value for a setting, an error message appears. You can
   only save your changes if you enter a valid value.
4  To restore the default value, click Restore Default.
   The Restore Default option appears only if the setting had a default value.
Performing a first-time setup configuration
When you install Symantec Management Platform, you configure Notification
Server as part of the installation process. No further configuration is needed
before you can start using Notification Server.
In the unlikely event that you install Symantec Management Platform without
accompanying versions of certain products, you see a number of links to
configuration pages. In this scenario, you must configure the platform manually.
See “About configuring Notification Server” on page 46.
However, when you install Symantec Management Platform 7.1 and accompanying
versions of certain products, you see enhanced console views. In this scenario,
your first-time setup configuration provides a Welcome to the Symantec
Management Console portal page to simplify the initial configuration process.
Some of the solutions that are included in your suite may require configuration
before you can use them. The Welcome to the Symantec Management Console
portal page is a single point of entry for performing key configuration actions for
solutions in the suites that you have installed. These actions represent the essential
settings that you need to configure to start using the solutions.
You see the Welcome to the Symantec Management Console page if you install
any of the following products:
■ Deployment Solution
■ IT Management Suite
■ Server Management Suite
■ Client Management Suite
In the left pane of the Welcome to the Symantec Management Console page, the
key configuration actions are listed. In the right pane, a color key lists each task
next to an associated color. As you perform each action, a vertical bar on the right
changes color to show progress through the setup process, from discovery to
deployment.
See Table 3-2 on page 58.
After you perform the first-time setup configuration, you may need to perform
additional configuration tasks. The need to perform additional steps depends on
the solutions and suites that you have installed initially or that you install after
the first-time setup. Additional, advanced settings are available from the Settings
menu and may be available from other areas of individual solutions.
For more information about the configuration options for the individual solutions
and products, see the documentation for those products.
Table 3-2 Process for performing a first-time setup configuration

Step    Task
    Description

Step 1  Discover computers.
    Ping all connected computers.
    See “Discovering computers” on page 59.

Step 2  Installing the Symantec Management Agent.
    After you roll out the agent to computers, those computers become
    managed computers. Notification Server can send information and data
    to managed computers. It also receives information from managed
    computers.
    If you have installed the products that make enhanced console views
    visible in Symantec Management Console, rolling out the agent includes
    an auto-tuning step. This step lets you automatically optimize the
    Symantec Management Agent settings based on the number of computers
    that are in your environment.
    See “Installing the Symantec Management Agent” on page 61.

Step 3  Collect inventory.
    In this step, Notification Server collects the information that the newly
    deployed agents gather from managed computers.
    See “Collecting inventory information” on page 66.

Step 4  Deploy preboot environments.
    Finally, you can deploy preboot environments.
    See “Deploying preboot environments” on page 68.

Discovering computers
Discovering computers means identifying the computers that are in your
environment. Before you can manage computers, you must first identify the
available computers and select those that you want to manage using the Symantec
Management Agent.
To discover computers, you first select the type of computers on which you want
to install the Symantec Management Agent. You discover Windows computers
with Active Directory Import. You discover UNIX, Linux, and Mac computers with
a ping sweep for an IP range that you select.
Discovering computers is a step in the process for performing a first-time setup
configuration.
See “Performing a first-time setup configuration” on page 57.
To discover computers
1  If you do not already see the Welcome to the Symantec Management Console
   page, in Symantec Management Console click Home > Notification Server
   Management > First Time Setup.
2  On the Welcome to the Symantec Management Console page, click Discover
   Computers.
3  In the Discover Computers dialog box, complete the discovery steps.
   Step 1 Windows
       Lets you import Windows computers by either domain or workgroup.
       Note: If you prefer to discover computers using a network scan,
       select nothing on this page, but click Next.
       To import Windows computers by domain:
       1  Check the box to import Windows computers.
       2  Click a radio button to choose whether to import from
          Microsoft Active Directory or through domain
          membership/WINS.
       3  Click the down-arrow next to Domain or Workgroup to
          select a domain or a workgroup. Or, you can enter a domain
          name or a workgroup name manually.
       4  Enter the domain credentials.
       5  Set the option next to Schedule recurring import to On
          or Off.
          If you expect to add new computers to your network, leave
          this setting on. Leaving this setting on means that as you
          add computers to your network, they are discovered
          automatically.
       6  Click Schedule.
          Select a preset shared schedule for the recurring import.
          This list is populated from the Shared Schedules page. You
          modify, create, and use shared schedules at Settings >
          Notification Server > Shared Schedules.
       7  Click Next.
   Step 2 Network
       Lets you discover computers using a network scan (ping sweep).
       Note: If you prefer to import Windows computers by domain or
       workgroup, select nothing on this page, but click Back.
       To discover computers using a network scan:
       1  Check the box to discover networked computers and devices.
       2  Enter a ping sweep range.
          Consider whether you need to scan all IP addresses. For a
          first-time setup, you may need to include all subnets to
          ensure that you identify every device. However, you can
          limit the scope as needed. For example, you can run multiple
          scans on specific subnets if that simplifies the discovery
          task.
       3  If you want to communicate with network devices and
          classify them more accurately, click turn on additional
          ranges.
          Note: If you cannot connect remotely, your network or
          computers may have firewalls turned on. You may need to
          turn these off to perform discovery.
       4  If you want to proceed immediately to the second first-time
          setup configuration step, check Run the Roll Out Symantec
          Agent wizard.
4  After you have made all your selections in the Discover Computers dialog
   box, click Discover.
See “Installing the Symantec Management Agent” on page 61.
Installing the Symantec Management Agent
The process of installing the agent includes the following procedures, which must
be completed in order:
■ Rolling out the agent to the network computers that you want to manage.
  You select the computers on which you want to install the agent. You can select
  all computers automatically or select from a list of discovered computers.
  See “To roll out the agent” on page 62.
■ Rolling out the agent plug-ins.
  Certain plug-ins are turned on by default. You can select additional plug-ins
  to install. Plug-ins are installed to the list of computers to which you installed
  the agent. Note that if you choose to deselect all plug-ins and select plug-ins
  manually, the default plug-ins are also deselected.
  See “To roll out the agent plug-ins” on page 63.
■ Optimizing the agent for the number of computers in your environment.
  Optimizing the agent is an auto-tuning feature.
  If you have installed a suite, you have a setup option for auto-tuning your
  network. You can auto-tune the settings for the agents that you installed.
  In the agent rollout wizard, you see a slider that lets you select from 0 to
  15,000+ computers. Based on the number of computers you select, the wizard
  auto-tunes your system to optimize performance.
  See “To optimize the agent” on page 64.
Rolling out the Symantec Management Agent is a step in the process for
performing a first-time setup configuration.
See “Performing a first-time setup configuration” on page 57.
To roll out the agent
1  If you do not already see the Welcome to the Symantec Management Console
   page, in Symantec Management Console click Home > Notification Server
   Management > First Time Setup.
2  On the Welcome to the Symantec Management Console page, click Rollout
   Agent.
3  In the rollout wizard, click Step 1 Computers.
4  In the Roll Out Symantec Agent dialog box, select an installation option.

   Automatically install to all discovered computers
      Lets you install the agent to all discovered computers.

   Only on selected discovered computers
      Lets you type the name of or search for specific computers on
      which to install the agent.
      This installation option also lets you select a recurring
      installation schedule from a drop-down list. This list is populated
      from the Shared Schedules page. You modify, create, and use
      shared schedules at Settings > Notification Server > Shared
      Schedules.
      This option presents a typical pick list. The left-hand column is
      where you search and your discovered computers are listed. This
      column is referred to in this topic as the discovery column. The
      right-hand column is where you build your list of computers on
      which to install the agent. This column is referred to as the
      selected column.
      In the discovery column, type all or part of a computer name.
      You can also use search criteria such as XP, Win, or other letters
      that a group of your preferred computer names contains. The
      discovery column lists the discovered computers that match your
      search criteria.
      Use the arrow keys to move computers from the discovery column
      to the selected column. As you move computers into the selected
      column, you see the number of selected computers change in the
      bottom right of the column.
      This installation option also lets you add search criteria for
      selected discovered computers. You can refine the results in the
      selected column by searching for computers by name or IP
      address.

5  Click Next.
   The agent plug-in rollout opens.
To roll out the agent plug-ins
1  If you do not already see the Welcome to the Symantec Management Console
   page, in the Symantec Management Console click Home > Notification Server
   Management > First Time Setup.
2  On the Welcome to the Symantec Management Console page, click Rollout
   Agent.
3  In the rollout wizard, click Step 2 Plug-ins.
4  In the Rollout Agent dialog box, select the plug-ins that you want to install.
   Click a plug-in to see its description. Review the plug-ins that you want to
   install.
   Select plug-ins for all of the solutions that you have installed. You should
   also select plug-ins based on the management functions that you want to
   perform. For example, if you want to collect inventory, you must ensure that
   the Inventory plug-ins that are relevant for your environment are turned on.

   Turn on all
      Lets you turn on all plug-ins that are listed. When you turn on
      all plug-ins, you see green shading along the left side of the list.
      When you turn off all plug-ins, you see red shading.

   On/Off bar
      Lets you turn selected plug-ins on or off. Red or green shading
      indicates which plug-ins are off (red) and which plug-ins are on
      (green).

5  Click Next.
To optimize the agent
1  If you do not already see the Welcome to the Symantec Management Console
   page, in the Symantec Management Console click Home > Notification Server
   Management > First Time Setup.
2  On the Welcome to the Symantec Management Console page, click Rollout
   Agent.
3  In the rollout wizard, click Step 3 Optimize.
4  In the Rollout Agent dialog box, select the rollout environment:

   Production Environment
      Lets you install the agent to your production environment. Select
      the number of computers in your production environment.
      The number of computers in your production environment
      determines the optimal intervals for downloading agent settings
      and checking for new tasks. When you select the number of
      computers that operate in your environment, the intervals adjust
      automatically. This automatic adjustment tunes your network
      for optimal performance.
      Using the slider, select the number of computers that are in your
      production environment.
      See “Agent and task setting options” on page 65.
      To see details of the agent settings and the task settings, click
      Show Details, and then click OK.

   Testing Environment (1 - 50 computers)
      Lets you test the rollout on a subset of installed computers.

5  When you are satisfied with the settings, click Rollout Agent.
Agent and task setting options
In the agent rollout wizard, you see a slider that lets you select from 0 to 15,000+
computers. Based on the number of computers you select, the wizard auto-tunes
your system to optimize performance.
Click Show details to view the optimized settings. The Optimized Settings dialog
box shows how often a new configuration is downloaded for agent settings. It also
lists the maximum time between tickle attempts for task settings.
The details in the wizard apply to the discovered computers on which you chose
to install the agent. If you need to set or modify agent setting options or task
setting options for other computers, you can do so. To modify agent settings, in
Symantec Management Console navigate to Settings > Agents/Plug-ins > Targeted
Agent Settings - Download new configuration every ___. To optimize task settings,
click Settings > Notification Server > Site Server Settings, and then in the left
pane click Site Management > Settings > Task Service > Task Service Settings.
In the right pane, set Minimum time between tickle attempts.
See “Installing the Symantec Management Agent” on page 61.
Table 3-3  Options for optimal agent and task settings

Number of computers in    Optimized agent settings    Optimized task settings
production environment
0 - 100                   5 minutes                   1 minute
100 - 5000                one hour                    5 minutes
5000 - 10000              two hours                   5 minutes
10000 - 15000             three hours                 5 minutes
15000 +                   four hours                  5 minutes

Collecting inventory information
Collecting initial inventory information is key to managing your network. All
solutions use inventory, and the information that inventory collects populates
the computer views, software views, and other pages and fields in the console.
Knowing what is installed on your network is critical to gathering the right data
so that you can make essential management decisions.
Your network is unique. Therefore, you must determine which information you
want to collect, which resources you want to collect information about, and how
often to collect the information.
In the Collect Inventory policy window you can turn off the policy or turn on the
policy. You also select a default schedule or a custom schedule on which to ensure
that the policy is current. Before collecting inventory information, consider which
information you need to keep track of and how often you want to update that
information. You should also consider whether any circumstance exists under
which you would want to turn off the inventory policy. The default is to leave the
policy on.
You can collect the following types of inventory information:
Hardware and operating system
   Lets you collect inventory of CPUs, hard drives, memory,
   firmware, users, and groups.
Software
   Lets you collect inventory about Windows programs and
   UNIX/Linux/Mac software packages.
File properties
   Lets you collect information about manufacturers, versions,
   size, and internal name.
Server applications
   If you have Inventory Pack for Servers installed, lets you
   collect information about server applications.
Collecting inventory information is a step in the process for performing a first-time
setup configuration.
See “Performing a first-time setup configuration” on page 57.
To collect inventory information
1  In the Symantec Management Console, click Home > Notification Server
   Management > First Time Setup.
2  On the Welcome to the Symantec Management Console page, click Collect
   Inventory.
   The Collect Full Inventory policy shows the default settings and also shows
   policy compliance.
3  In the Collect Full Inventory policy window next to Policy Rules/Actions,
   leave the policy turned on.
   If you have a particular need to stop running the policy for a time, click Off
   to turn off the policy.
4  Select a schedule for keeping the policy current. You can select a default
   schedule or create a custom schedule.
   This list of schedules is populated from the Shared Schedules page. You
   modify, create, and use shared schedules at Settings > Notification Server >
   Shared Schedules.
5  In the Collect Full Inventory policy window, review the inventory details
   and select the types of inventory to gather. Make changes as necessary.
   To see details about the types of inventory you selected, in the Policy
   Rules/Actions area of the window click Advanced. You can select additional
   items about which you want to collect inventory data. If you make changes,
   click OK.
6  In the Collect Full Inventory policy window in the Applies To/Compliance
   area, review the details.
   This area shows details about the inventory that is collected on targeted
   computers. You can verify compliance to the inventory policy, modify which
   computers collect inventory, and make other changes as needed.
7  Click Save changes.
8  After the window refreshes, click x in the upper right to close the policy
   window.
Deploying preboot environments
You choose which PXE preboot environments you want to build and turn on the
PXE server rollout policy. The preboot configurations that you build during
first-time setup are available to use later for deployment tasks.
Deploying preboot environments is a step in the process for performing a first-time
setup configuration.
See “Performing a first-time setup configuration” on page 57.
To deploy preboot environments
1  In the Symantec Management Console, click Home > Notification Server
   Management > First Time Setup.
2  On the Welcome to the Symantec Management Console page, click Setup
   Deployment.
3  In the Setup Deployment window, select which PXE Preboot Automation
   environments you want to build.

   Step 1 PXE Image
      Lets you choose one or more of the following operating systems:
      ■ WinPE x86
      ■ WinPE x64
      ■ Linux
      The PXE Preboot Automation environments table lists the
      available operating systems with their architecture and OEM
      extensions.
      After you choose the operating system or operating systems,
      click Next.
      If you need to create other preboot environments at a later time,
      you can do so. In Symantec Management Console, navigate to
      Settings > Deployment > Create Preboot Configurations.

   Step 2 PXE Servers
      Lets you choose whether to roll out PXE servers to your site
      servers. If you plan to perform deployment tasks, you want to
      roll out PXE servers to site servers.

4  Click Setup Deployment.
Chapter 4
Configuring security
This chapter includes the following topics:
■ About Symantec Management Platform security
■ Setting up Symantec Management Platform security
■ About security roles
■ Predefined security roles
■ Creating and configuring security roles
■ About security privileges
■ About Symantec Management Platform user accounts
■ Creating and configuring Symantec Management Platform user accounts
■ Configuring password complexity and lockout settings
■ Unlocking locked out credentials
■ About security role permissions
■ About the Security Role Manager
■ About credential manager
■ Creating a credential
■ Editing a credential
About Symantec Management Platform security
The Symantec Management Platform uses role-based security, which means that
user access is based on the user's security role. A security role is a set of privileges
and permissions that is granted to all members of that role. Using role-based
security lets you create and maintain a small number of security roles. You can
then assign each Symantec Management Platform user account to the appropriate
role, rather than assign specific privileges and permissions to each individual
user. However, you can also assign specific permissions to individual user accounts.
See “About security roles” on page 74.
See “Setting up Symantec Management Platform security” on page 71.
User accounts, which are sometimes referred to as users, are not the same as user
resources in Symantec Management Platform. A user resource is an entity that
is used to associate managed devices with the owner of the device. The existing
user resources and the user accounts that can log on to the Symantec Management
Console or run a workflow are separate entities.
A security role controls user access to the Symantec Management Platform using
the following:
■ Privileges
  A privilege applies system-wide. Privileges are assigned only to roles and
  cannot be assigned directly to individual user accounts. A privilege assigned
  to a role lets a user account that is a member of that role perform a particular
  action on the Symantec Management Platform or in the Symantec Management
  Console. In some cases, the user's role requires the corresponding permissions.
  See “About security privileges” on page 82.
■ Permissions on folders and items
  Permissions specify the access that a security role or user account has to a
  Symantec Management Console folder or item. A permission on a security role
  applies to all members of that role. A permission on a folder applies to all of
  the items that are contained directly in that folder.
  See “About security role permissions” on page 107.
■ Permissions on organizational views and groups
  An organizational view is a hierarchical grouping of resources (as
  organizational groups) that reflects a real-world structure or view of your
  organization. You can set up resource security by assigning the appropriate
  permissions for each security role on each organizational view. You also assign
  the appropriate permissions on the organizational groups within each view.
  A permission that is assigned to an organizational group applies to all resources
  in that group. By default, the permission applies to all of its child groups. You
  cannot assign permissions directly to a particular resource.
  See “About resource security” on page 367.
Privileges, permissions on folders and items, and permissions on organizational
views and groups work together. You need to assign the appropriate combination
to each security role to grant user accounts the access that they need to perform
their activities.
Setting up Symantec Management Platform security
To give user accounts access to the Symantec Management Platform, installed
solutions, and the data that is contained in the CMDB, you need to set up your
security roles. You assign the appropriate privileges and permissions to each role.
You need to create your Symantec Management Platform user accounts and then
add each user account to the appropriate role (or roles). You configure and maintain
Symantec Management Platform security through the Symantec Management
Console.
See “About Symantec Management Platform security” on page 69.
Table 4-1  Process for setting up Symantec Management Platform security

Step 1
   Action: Create and configure the security roles that you require.
   Description: Security roles control access to the Symantec Management
   Platform, installed solution functionality, and all the data that
   is contained in the CMDB.
   You can create new security roles in the following ways:
   ■ Create completely new security roles.
   ■ Clone existing security roles.
   ■ Import domain groups and users from Active Directory.
   See “Creating and configuring security roles” on page 76.

Step 2
   Action: Assign the appropriate privileges to your security roles.
   Description: A privilege allows a role member to perform a particular action
   on the Symantec Management Platform, or on items in the
   Symantec Management Console. To perform an action on an
   item, the role must have the necessary permission on the item.
   See “Assigning privileges to a security role” on page 81.

Step 3
   Action: Create and configure the user accounts that you require.
   Description: Each Symantec Management Platform user account contains the
   credentials that the user needs to access the Symantec
   Management Console or to run a workflow. The credentials may
   be internal Symantec Management Platform user names and
   passwords or Windows accounts.
   Internal credentials are currently used for workflow integration
   only. Windows credentials are required to access the Symantec
   Management Console.
   You can create new user accounts in the following ways:
   ■ Create completely new user accounts.
   ■ Clone existing user accounts.
   ■ Import domain groups and users from Active Directory.
   See “Creating and configuring Symantec Management Platform
   user accounts” on page 282.

Step 4
   Action: Add user accounts to the appropriate security roles.
   Description: A user gains access to the Symantec Management Platform,
   installed solutions, and the data that is contained in the CMDB
   through their security role membership.
   You can assign a user to any number of security roles. A user
   who is a member of multiple security roles has the union of all
   the privileges and permissions that those roles grant.
   See “Adding members to a security role” on page 79.

Step 5
   Action: For each security role, assign permissions on the folders and
   items that are contained in the Symantec Management Console.
   Description: Permissions specify the access that each security role has to a
   Symantec Management Console folder or to a particular item. A
   permission on an item applies only to the item. A permission on
   a folder applies to all of the items that are contained directly in
   that folder. By default, the contents of a folder inherit all the
   permissions on the folder.
   See “Assigning security permissions to folders and items”
   on page 114.

Step 6
   Action: (Optional) For each security role, modify the permission inheritance
   on the Symantec Management Console folder structure.
   Description: Modifying permission inheritance lets you customize permissions
   on the Symantec Management Console folder structure. This
   means that you can grant a particular permission on a parent
   folder but remove that permission from some or all of the folder
   contents.
   Remember that you configure permissions on folders and the
   items within those folders. If you configure a folder and grant
   Write permissions for a particular role, that role has the Write
   permission to the folder and all its contents. If the folder contains
   100 items, and you do not want those items to inherit the Write
   permission from the parent folder, you can break permission
   inheritance. In that case, users who are members of the role to
   which you granted the Write permission have the Write
   permission on the folder only. However, they do not have the
   Write permission on the items that the folder contains.
   The permission inheritance on a folder or item applies to all
   security roles. You cannot customize permission inheritance per
   role.
   See “Customizing permission inheritance” on page 115.

Step 7
   Action: (Optional) Configure resource security.
   Description: By default, all the predefined security roles have the Read
   permission on resources.
   Security-related resources are specially controlled in Symantec
   Management Platform: Only users who are members of the
   Symantec Administrators role have full access to security
   resources by default. Users who are members of the Symantec
   Supervisors role have Read permissions on security resources
   by default. No other predefined security role has permissions on
   any security resources.
   See “Predefined security roles” on page 75.
   If you want to restrict or otherwise control access to resources,
   you can configure resource security. You configure resource
   security by creating one or more organizational views that model
   your resource structure. You control access to the resources by
   assigning permissions to each security role on the appropriate
   organizational views and groups.
   See “About resource security” on page 367.
About security roles
A security role is a set of privileges and permissions that is granted to all members
of the role. Using role-based security lets you create and maintain a small number
of security roles and assign each user account to the appropriate role. You do not
need to assign privileges and permissions to each individual user account (although
you can if you want). You can assign a user account to multiple security roles: a
member of multiple security roles has the union of all the privileges and
permissions that those roles grant.
See “About Symantec Management Platform security” on page 69.
See “Setting up Symantec Management Platform security” on page 71.
See “Creating and configuring security roles” on page 76.
Security roles may be nested: a role may be a member of one or more other roles,
and its membership may include both roles and user accounts. The only restriction
is that you cannot create a circular role membership where a role is a member of
itself.
Privileges, permissions on folders and items, and permissions on organizational
views and groups work together. You need to assign the appropriate combination
to each security role to grant user accounts the access that they need to perform
their activities. Privileges can only be assigned to security roles, but permissions
may be assigned to security roles and user accounts.
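The nesting and union rules described above, worked through as an added example (not part of the original guide, and not the platform's own code or API): a small model that computes effective privileges across nested roles, rejects circular membership, and lists which accounts hold a given privilege through nesting. All role, account and privilege names are constructed.

```python
"""Model of nested security roles: effective privileges are the union over
every role an account reaches through membership, and circular membership
is rejected. Role, account and privilege names are constructed examples."""
from collections import defaultdict, deque


class RoleGraph:
    def __init__(self):
        self.roles = set()
        self.member_of = defaultdict(set)  # role or account -> roles it is a direct member of
        self.granted = defaultdict(set)    # role -> privileges assigned directly to that role

    def add_role(self, role, privileges=()):
        # Privileges attach to roles only, never to individual accounts.
        self.roles.add(role)
        self.granted[role].update(privileges)

    def reachable_roles(self, member):
        """Map each role reachable from `member` to the role that led to it (None = direct)."""
        via = {}
        queue = deque((role, None) for role in sorted(self.member_of.get(member, ())))
        while queue:
            role, came_from = queue.popleft()
            if role in via:
                continue
            via[role] = came_from
            queue.extend((parent, role) for parent in sorted(self.member_of.get(role, ())))
        return via

    def add_member(self, role, member):
        """Make `member` (an account or another role) a member of `role`."""
        if role not in self.roles:
            raise KeyError(f"unknown role: {role}")
        # A cycle forms if `role` is already, directly or transitively, a member of `member`.
        if member == role or member in self.reachable_roles(role):
            raise ValueError(f"circular membership: {member} -> {role}")
        self.member_of[member].add(role)

    def effective_privileges(self, member):
        """Union of the privileges of every role the member belongs to, at any depth."""
        privileges = set()
        for role in self.reachable_roles(member):
            privileges |= self.granted[role]
        return privileges

    def grant_chain(self, member, privilege):
        """Shortest membership chain through which `member` holds `privilege`, or None."""
        via = self.reachable_roles(member)
        for role in via:  # insertion order is breadth-first, so the first hit is the shortest
            if privilege in self.granted[role]:
                chain = [role]
                while via[chain[-1]] is not None:
                    chain.append(via[chain[-1]])
                return [member] + chain[::-1]
        return None

    def accounts_holding(self, privilege):
        """Every account (non-role member) that ends up with `privilege`."""
        accounts = [m for m in list(self.member_of) if m not in self.roles]
        return sorted(a for a in accounts if privilege in self.effective_privileges(a))


def build_sample():
    """Constructed role layout: a low-tier role nested under higher-privilege roles."""
    graph = RoleGraph()
    graph.add_role("Platform Admins", {"change-security", "manage-agents"})
    graph.add_role("Patch Operators", {"run-patch-tasks"})
    graph.add_role("Helpdesk", {"view-reports"})
    graph.add_member("Platform Admins", "alice")
    graph.add_member("Patch Operators", "bob")
    graph.add_member("Helpdesk", "bob")
    graph.add_member("Helpdesk", "carol")
    # Role nesting: every Helpdesk member now also inherits from the roles above it.
    graph.add_member("Patch Operators", "Helpdesk")
    graph.add_member("Platform Admins", "Patch Operators")
    return graph


if __name__ == "__main__":
    g = build_sample()
    for account in g.accounts_holding("change-security"):
        print(account, "<-", " > ".join(g.grant_chain(account, "change-security")))
    try:
        g.add_member("Helpdesk", "Platform Admins")
    except ValueError as exc:
        print("rejected:", exc)
```

Running the same walk over an export of real role memberships shows which accounts reach a high-privilege role only through nesting, which the Members tab of a single role does not make obvious.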
You should decide what security roles to set up based on logical IT worker or user
groups in your organization. For example, you might want an IT level 1 worker
role, an upper-level management role, and a human resources role. All user
accounts in a security role receive the same privileges and permissions, therefore
they have the same level of access to the Symantec Management Platform.
The Symantec Management Platform and some solutions include predefined
security roles. If the predefined security roles do not meet the needs of your
organization, you can create new ones. You can also edit the predefined security
roles by specifying different privileges and permissions.
See “Predefined security roles” on page 75.
During Symantec Management Platform installation, the administrator installing
the Symantec Management Platform is automatically assigned to the Symantec
Administrators role. The administrator can then create any new security roles
that are required and assign each role the appropriate privileges and permissions.
The administrator can then assign each user to one or more roles.
You should set up security roles before Notification Server is deployed to your
production network.
Predefined security roles
The Symantec Management Platform includes a set of predefined security roles
that you can use. If the predefined security roles do not meet the needs of your
organization, you can create new ones. You can also edit the predefined security
roles by specifying different privileges and permissions.
See “About Symantec Management Platform security” on page 69.
See “Setting up Symantec Management Platform security” on page 71.
See “About security roles” on page 74.
See “Creating and configuring security roles” on page 76.
Table 4-2  Predefined Symantec Management Platform security roles

Security role / Description

Everyone
   A top-level role that contains all roles and user accounts.
   This role replaces the Windows built-in groups Everyone
   and Authenticated Users.
   The membership of this role is calculated automatically and
   cannot be modified manually. By default, this role has no
   privileges assigned.

Symantec Administrators
   Has all security privileges and permissions assigned, so it
   has complete access to all aspects of the Symantec
   Management Platform and any installed solutions. You can
   modify the membership of this security role, but you cannot
   change its privileges and permissions.

Symantec Supervisors
   Has the complete Management and most of the Right-click
   Menu privileges. Has limited System privileges assigned.
   Has the Read permission on resources, including security
   resources.

Symantec Level 2 Workers
   Has the complete Management privileges and most of the
   Right-click Menu privileges assigned.
   Has the Read permission on resources, excluding security
   resources.

Symantec Level 1 Workers
   Has no privileges assigned.
   Has the Read permission on resources, excluding security
   resources.

Symantec Software Librarian
   Has the Software Management Framework privileges and
   the Right-click Menu Actions privileges assigned. The
   privileges are limited to those needed to create and manage
   software packages.

Symantec Guests
   Has no privileges assigned.

Creating and configuring security roles
You can configure your security roles to meet the requirements of your
organization. You can also modify the privileges and permissions of most of the
predefined security roles that are supplied with the Symantec Management
Platform. The exception is the Symantec Administrators role, which has full access
to all the Symantec Management Platform functionality and data and cannot be
modified.
See “About Symantec Management Platform security” on page 69.
You can create and configure any new security roles that you require. If the
predefined security roles do not meet the needs of your organization, you can
create entirely new roles or clone the existing roles to create new roles. You can
then modify the privileges and permissions as appropriate. You can also import
domain groups and users through Active Directory.
See “About security roles” on page 74.
Create and configure a security role in one of the following ways:
■ Create a completely new security role or clone an existing security role.
  See “To create a completely new security role or clone an existing security
  role” on page 77.
■ Import domain groups and users through Active Directory.
  See “To import domain groups and users from Active Directory” on page 78.
When you import domain groups from Active Directory, a security role is created
in the Symantec Management Platform server for the domain group that you want
to import. Members of this domain group, including users and subgroups, are also
imported. Users are created as accounts, and subgroups are created as roles. The
membership relationship is retained during the import.
Creating and configuring security roles is a step in the process of setting up
Symantec Management Platform security.
See “Setting up Symantec Management Platform security” on page 71.
To create a completely new security role or clone an existing security role
1  In the Symantec Management Console, on the Settings menu, click Security
   > Account Management.
2  In the left pane, click Account Management > Roles.
3  On the Roles page, in the left pane, take one of the following actions:

   To create a new role
      Click Add.
      In the New Role dialog box, type the new security role
      name, and then click OK.
      The new role appears in the list of roles and the default
      settings are shown in the right pane.

   To clone an existing role
      Select the security role that you want to clone.
      Right-click the role, and click Clone.

4  In the right pane, configure the appropriate settings in the following tabs:

   Members
      The roles and user accounts that are assigned to the role. A
      role membership may include any number of user accounts
      and roles. The members of a role have all of the privileges
      and permissions that the role grants.
      See “Adding members to a security role” on page 79.

   Member Of
      The security roles to which the role belongs. The role has the
      union of the permissions and privileges of these roles,
      combined with any additional permissions and privileges
      that are assigned directly to the role.
      See “Adding security roles as members of other security
      roles” on page 80.

   Privileges
      The privileges that the role grants its members. A privilege
      lets a user account perform a particular action on the
      Symantec Management Platform, or on items in the Symantec
      Management Console. In some cases, the user account must
      also have a corresponding permission on the item.
      See “Assigning privileges to a security role” on page 81.

5  (Optional) If you want to access the Security Role Manager to view or set
   permissions for the security role, click Show Security Role Manager Console.
6  Click Save changes.
To import domain groups and users from Active Directory
1. In Symantec Management Console, on the Actions menu, click Discover > Import Microsoft Active Directory.
2. On the Microsoft Active Directory Import page, in the description that is labeled Import Role and Account resources from <data source>, from (none). Perform this import on the specified schedule, click the user group (none).
3. (Optional) Create your own Role and Account import rules.
4. In the Select Security Groups dialog box, search for the domain groups that you want to add; for example, Administrators and Users.
5. Click Add and then OK to add the selected groups.
6. Run the rule as a full import to import the selected domain group.
7. (Optional) You can also schedule a full import to run at appropriate intervals. You can use this schedule to synchronize your security role membership with the domain group membership. This means that if you remove a domain user from the domain group, the corresponding Security Account is removed from the corresponding security role. Likewise, if you add a domain user to the domain group, the corresponding Security Account is created and added to the corresponding security role. Note that if a domain user is removed from a domain group, the corresponding security account is not deleted. Only the membership to the security role is removed.
8. In Symantec Management Console on the Settings menu, under Security > Account Management > Roles, in the right pane, configure the appropriate settings under the following tabs:
   Members
   The roles and user accounts that are assigned to the role. A role membership may include any number of user accounts and roles. The members of a role have all of the privileges and permissions that the role grants.
   See “Adding members to a security role” on page 79.
   Note that you should not manually modify members of the roles that you imported from Active Directory. This constraint exists because any subsequent rule executions overwrite the membership configuration.
   Roles that you import from Active Directory are designed to maintain the same membership as the corresponding domain groups.
   Member Of
   The security roles to which the role belongs. The role has the union of the permissions and privileges of these roles, combined with any additional permissions and privileges that are assigned directly to the role.
   See “Adding security roles as members of other security roles” on page 80.
   Privileges
   The privileges that the role grants its members. A privilege lets a user account perform a particular action on Symantec Management Platform or on items in Symantec Management Console. In some cases, the user account must also have a corresponding permission on the item.
   See “Assigning privileges to a security role” on page 81.
9. (Optional) If you want to access the Security Role Manager to view or set permissions for the security role, click Show Security Role Manager Console.
10. Click Save changes.
Adding members to a security role
You need to assign the appropriate members (user accounts and other security
roles) to each of your security roles. You need to be a member of the Symantec
Administrators role or a member of a role that has the Change Security privilege
to add members. You can assign a user account to any number of security roles.
The members of a role have all of the privileges and permissions that are granted
to the role.
You can add a role to multiple security roles, but you cannot create a circular
membership where a particular role becomes a member of itself. A member of
multiple security roles has the union of all the privileges and permissions that
those roles grant.
Adding members to a security role is part of configuring security roles. This task
is a step in the process of setting up Symantec Management Platform security.
See “Creating and configuring security roles” on page 76.
See “Setting up Symantec Management Platform security” on page 71.
To add members to a security role
1. In the Symantec Management Console, on the Settings menu, click Security > Account Management.
2. In the left pane, click Account Management > Roles.
3. On the Roles page, in the left pane, click the security role that you want to configure.
4. In the right pane, on the Members tab, click Add Member and then take one of the following actions:
   To add a user account to the role
   Click Add Account.
   To add another security role to the role
   Click Add Role.
5. In the Select Account(s) or Select Role(s) dialog box, select the user accounts or security roles that you want to add, and then click OK.
6. On the Members tab, verify that the list of members is correct. You can remove any that you do not want.
7. Click Save changes.
Adding security roles as members of other security roles
You can add a role as a member of other security roles. You need to be a member
of the Symantec Administrators role or a member of a role that has the Change
Security privilege to assign role membership. You can add a role to multiple
security roles, but you cannot create a circular membership where a particular
role becomes a member of itself. A role is granted the union of all the privileges
and permissions that the roles to which it belongs provide.
Adding a role as a member of another role is the same as the other role adding
the role to its membership. This method lets you add a particular role to a number
of roles in a single procedure. The alternative would be to configure all of the
other roles and specifically add the role to the membership of each.
Adding security roles as members of other security roles is part of configuring
security roles. This task is a step in the process of setting up Symantec
Management Platform security.
See “Creating and configuring security roles” on page 76.
See “Setting up Symantec Management Platform security” on page 71.
To add a security role as a member of other security roles
1. In the Symantec Management Console, on the Settings menu, click Security > Account Management.
2. In the left pane, click Account Management > Roles.
3. On the Roles page, in the left pane, click the security role that you want to configure.
4. In the right pane, on the Member Of tab, configure the appropriate settings.
5. Click Add Role.
6. In the Select Role(s) dialog box, select the security roles to which you want to add the role, and then click OK.
7. On the Member Of tab, verify that the list of security roles is correct. You can remove any that you do not want.
8. Click Save changes.
Assigning privileges to a security role
You need to specify the privileges that each security role grants to its members.
A privilege allows a user to perform a particular action on the Symantec
Management Platform, or on items in the Symantec Management Console. To
perform an action on an item, the user's role must have the necessary permission
on the item. For example, if you give a role the Start Task and Stop Task privileges,
you still need to assign the Run Task permission to the role for the appropriate
tasks. The role cannot access any tasks that do not have the Run Task permission
assigned for that role.
See “Assigning security permissions to folders and items” on page 114.
Assigning privileges to a security role is part of configuring security roles. This
task is a step in the process of setting up Symantec Management Platform security.
See “Creating and configuring security roles” on page 76.
See “Setting up Symantec Management Platform security” on page 71.
To assign privileges to a security role
1. In the Symantec Management Console, on the Settings menu, click Security > Account Management.
2. In the left pane, click Account Management > Roles.
3. On the Roles page, in the left pane, click the security role that you want to configure.
4. In the right pane, on the Privileges tab, select the privileges that you want to assign to the role.
   To select a privilege, check the corresponding check box.
   See “About security privileges” on page 82.
5. Click Save changes.
About security privileges
A privilege allows a user to perform a particular action on the Symantec
Management Platform, or on items in the Symantec Management Console. To
perform an action on an item, the user's role must have the necessary permission
on the item. The privileges that you can assign to a security role are grouped into
categories. However, when you assign privileges to a security role, you need to
select the appropriate privileges individually.
See “Assigning privileges to a security role” on page 81.
Table 4-3
Security privilege categories
Privilege category
Description
Connection Profile Privileges
Lets you create and modify connection profiles.
See “Connection Profile privileges” on page 84.
Management Privileges
Lets you create management items, such as filters, targets, reports, and tasks, on the
Symantec Management Platform.
See “Management privileges” on page 84.
System Privileges
Lets you perform management activities, such as setting up security, managing
hierarchy, and importing XML files, on the Symantec Management Platform.
See “System privileges” on page 86.
Credential Privileges
Lets you use the Credential Manager to create and modify credentials. These
credentials are not the same as the Internal credentials and Windows credentials
that are associated with user accounts.
Note: The Credential Manager is a component of the extended Symantec Management
Platform, so may not be installed in your environment.
See “Credential privileges” on page 88.
Workflow Directory Privileges
Lets you publish workflows from the workflow designer into Notification Server as
a task or item action (an option on the right-click menu).
See “Workflow Directory privileges” on page 89.
Console Privileges
Lets you customize the Symantec Management Console. These privileges include the
ability to edit the menu, and to create portal pages, Web parts, and views.
See “Symantec Management Console privileges” on page 89.
Software Management Privileges
Lets you grant specific abilities to the user role and allow the user to perform specific
tasks in the Software view and Software Catalog window.
See “Software Management privileges” on page 90.
Software Management Framework Privileges
Lets you manage the Software Management Framework. These privileges are the
ability to create the Software Library and to create and import software resources.
See “Software Management Framework privileges” on page 91.
Right-click Menu Privileges
Lets you perform general actions on items in the Symantec Management Console.
When you right-click on an item, the options that are relevant to that item type are
available on the right-click menu. These privileges include the ability to delete an
item, edit views, Web links, and item links, and start, stop, and schedule tasks.
See “Right-click Menu privileges” on page 92.
Right-click Menu - Connector Samples Privileges
Examples of user-creatable right-click actions.
See “Right-click Menu - Connector Samples privileges” on page 94.
Right-click Menu - Hierarchy Privileges
Lets you manage hierarchy replication. These privileges let you include or exclude
specific items from hierarchy replication, and let you replicate items immediately.
See “Right-click Menu - Hierarchy privileges” on page 94.
Right-click Menu - Actions Privileges
Lets you perform the actions that are relevant to the Software Management
Framework. Additional solutions that are installed on the Symantec Management
Platform may add further privileges to this category.
See “Right-click Menu - Hierarchy privileges” on page 94.
Right-click Menu - Set Asset Status Privileges
Lets you change the status of an asset. These privileges let you set the status of a
resource to Active or Retired.
Solutions that are installed on Symantec Management Platform may add more
privileges.
See “Right-click Menu - Set Asset Status privileges” on page 97.
Connection Profile privileges
Connection Profile privileges let you create and modify connection profiles.
Connection profiles store the information that is required to communicate with
computers and other network devices using standard network monitoring
protocols. These protocols include SNMP, WMI, WSMan, and several others.
See “About security privileges” on page 82.
See “Assigning privileges to a security role” on page 81.
Table 4-4
Connection Profile privileges
Privilege
Description
Create Connection Profile
Lets you create and modify connection profiles.
See “About Connection Profiles” on page 267.
Management privileges
Management privileges let you create management items, such as filters, targets,
reports, and tasks, on the Symantec Management Platform.
See “About security privileges” on page 82.
See “Assigning privileges to a security role” on page 81.
Table 4-5
Management privileges
Privilege
Description
Create Agent Settings
Lets you create a new targeted agent settings policy, or clone an existing policy. The
targeted agent settings are the general parameters that control the Symantec
Management Agent, including how the agent communicates with Notification Server.
See “Configuring the targeted agent settings” on page 348.
Create Automation Policies
Lets you create new automation policies. An automation policy is dynamic and
specifies automated actions to perform on the Notification Server computer. It targets
the appropriate computers when the policy is activated and performs whatever action
is required based on the current state of each target computer.
See “About automation policies” on page 424.
Create Filters
Lets you create new resource filters. A resource filter, usually known as a filter, is a
dynamic definition of a set of resources. Filters are used with organizational groups
to identify the resources (a resource target) that a task or policy applies to.
See “About resource filters” on page 385.
Create Jobs or Tasks
Lets you create a new job or task, or clone an existing job or task. Jobs can contain
multiple tasks and multiple conditions, which gives you great
flexibility in setting up the job sequence that you need.
See “Creating a task” on page 446.
See “Creating a job” on page 447.
Create Maintenance Windows
Lets you create a new maintenance window policy, or clone an existing policy. A
maintenance window is a scheduled time and duration when maintenance operations
may be performed on a managed computer. A maintenance window policy defines
one or more maintenance windows.
See “About maintenance windows for managed computers” on page 361.
Create New Client Job
Lets you create a new client job. Client jobs are deployed to managed computers by
a task server. The managed computer then runs the job and reports back to
Notification Server.
See “Creating a job” on page 447.
Create New Server Job
Lets you create a new server job. Server jobs run on Notification Server.
See “Creating a job” on page 447.
Create Organizational Groups
Lets you create new organizational views and groups. An organizational view is a
hierarchical grouping of resources (as organizational groups) that reflects a real-world
structure or view of your organization.
See “About organizational views and groups” on page 371.
Create Reports
Lets you create a new report, or clone an existing report.
See “Creating and modifying custom Notification Server reports” on page 512.
Create Resource Targets
Lets you create new resource targets. A resource target, usually known as a target,
is a framework that lets you apply tasks and policies to a dynamic collection of
resources. A target consists of at least one organizational view or group, and a number
of filters. The filters refine the available resources to identify those that you want.
See “About resource targets” on page 397.
Discovery Task Management
Lets you perform Network Discovery tasks.
See “Network Discovery home page” on page 260.
System privileges
System privileges let you perform management activities, such as setting up
security, managing hierarchy, and importing XML files, on the Symantec
Management Platform.
See “About security privileges” on page 82.
See “Assigning privileges to a security role” on page 81.
Table 4-6
System Privileges
Privilege
Description
Change Security
Lets you change the security configuration on the Symantec Management Platform.
You can create security roles, assign privileges and user accounts to security roles,
and assign permissions to management items for each role.
See “Setting up Symantec Management Platform security” on page 71.
Create CMDB Rules
Lets you create CMDB rules in Data Connector.
You use Data Connector to transfer data between the CMDB and a data source, and
manipulate data within the CMDB. Data Connector is part of the extended Symantec
Management Platform.
See “About Data Connector” on page 753.
Edit SQL Directly
Lets you create or modify SQL queries in reports and filters. If a user is proficient in
SQL and familiar with the CMDB, this privilege lets them write very specific, efficient
reports. However, it can also be used to avoid security checks. For example, a user
can write a query that accesses resources that are outside their scope. That is, the
resources are not contained in the organizational groups that the user has permission
to view.
Warning: Poorly written SQL queries can return incorrect results or be inefficient,
consuming excessive memory and CPU time on the CMDB computer. Also, a malicious
SQL query can delete, modify, or add data anywhere in the CMDB. Therefore, this
privilege is very security sensitive and is only granted to the Symantec Administrators
role by default.
If you let security role members edit SQL directly, you should use the report-specific
application credentials to force reports to use an account with restricted CMDB access.
See “Defining an SQL query for a custom report” on page 537.
Import/Export XML
Lets you import items and resources from specially structured XML files, and export
items and resources to XML files.
Take care when you create an item or resource in the Symantec Management Platform
by importing information that is stored in an XML file. Creating an item this way
bypasses all security checks.
For example, a user can create a report by importing its XML even when the user does
not have the necessary privileges and permissions. In this example the user needs
the Create Reports privilege and the Create Children permission to the folder in which
the report is stored.
This privilege is very security sensitive. By default, it is granted only to the Symantec
Administrators role and should not be granted to non-administrators.
See “Saving console elements as XML files” on page 200.
Manage Data Connector
Lets you manage Data Connector. Data Connector is part of the extended Symantec
Management Platform.
You use Data Connector to transfer data between the CMDB and a data source, and
manipulate data within the CMDB.
See “About Data Connector” on page 753.
Manage Hierarchy Replication
Lets you create and run hierarchy replication rules. The hierarchy replication rules
specify what is replicated to the parent Notification Server and to any child
Notification Servers.
See “Configuring hierarchy replication” on page 173.
Manage Hierarchy
Lets you add your Notification Server to a hierarchy, or remove it from a hierarchy.
You can add your Notification Server to a hierarchy as a child of an existing remote
Notification Server, or as its parent. Remember that your Notification Server is the
one that you are logged into, which may be a remote logon.
You require this privilege on both Notification Servers to create or change a
hierarchical relationship between them.
See “About creating and managing hierarchical relationships” on page 167.
Take Ownership
Lets you take ownership of a security entity. This privilege grants the new owner full
permissions on the entity. For example, you would need to take ownership if all
permissions on the entity were accidentally removed.
See “Taking ownership of a folder or item” on page 117.
View Security
Lets you view the security configuration on the Symantec Management Platform.
This information includes details of the security roles, and the user accounts,
privileges, and permissions that are assigned to each role.
See “About security roles” on page 74.
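The role-nesting rules under “Adding security roles as members of other security roles” (union of privileges, no circular membership) and the two privileges that Table 4-6 marks as very security sensitive can be combined into an audit of which accounts effectively hold those privileges. The following Python code is an added example, not Symantec code or a platform API; the RoleModel class, the role layout, the privilege assignments, and the EXAMPLE\ account names are constructed for illustration.

```python
# Added example: models the guide's role rules; not a Symantec API.
SENSITIVE = frozenset({"Edit SQL Directly", "Import/Export XML"})  # per Table 4-6


class CircularMembership(ValueError):
    """A role would become a member of itself, directly or through nesting."""


class RoleModel:
    def __init__(self):
        self.privileges = {}  # role -> privileges assigned directly to it
        self.member_of = {}   # role -> roles it belongs to (Member Of tab)
        self.accounts = {}    # account -> roles it is a member of

    def add_role(self, role, privileges=()):
        self.privileges[role] = set(privileges)
        self.member_of.setdefault(role, set())

    def add_account(self, account, roles=()):
        self.accounts[account] = set(roles)

    def ancestors(self, role):
        """Every role that `role` belongs to, directly or through nesting."""
        seen, stack = set(), list(self.member_of[role])
        while stack:
            parent = stack.pop()
            if parent not in seen:
                seen.add(parent)
                stack.extend(self.member_of[parent])
        return seen

    def add_role_to_role(self, member, parent):
        """Add `member` to `parent`, refusing circular membership."""
        if member == parent or member in self.ancestors(parent):
            raise CircularMembership(f"{member!r} in {parent!r} closes a loop")
        self.member_of[member].add(parent)

    def role_privileges(self, role):
        """Direct privileges plus the union of those of all roles it belongs to."""
        granted = set(self.privileges[role])
        for parent in self.ancestors(role):
            granted |= self.privileges[parent]
        return granted

    def account_privileges(self, account):
        granted = set()
        for role in self.accounts[account]:
            granted |= self.role_privileges(role)
        return granted

    def sensitive_holders(self, sensitive=SENSITIVE):
        """Return {account: {privilege: [roles that supply it]}}."""
        report = {}
        for account, roles in self.accounts.items():
            for role in roles:
                for source in {role} | self.ancestors(role):
                    for priv in self.privileges[source] & sensitive:
                        report.setdefault(account, {}).setdefault(priv, set()).add(source)
        return {acct: {p: sorted(src) for p, src in privs.items()}
                for acct, privs in report.items()}


def build_sample():
    """Constructed layout; only 'Symantec Administrators' is a role named in the guide."""
    model = RoleModel()
    model.add_role("Symantec Administrators",
                   {"Change Security", "Edit SQL Directly", "Import/Export XML"})
    model.add_role("Report Authors", {"Create Reports", "Edit SQL Directly"})
    model.add_role("Helpdesk", {"Start Task", "Stop Task"})
    model.add_role_to_role("Helpdesk", "Report Authors")  # Helpdesk: Member Of Report Authors
    model.add_account("EXAMPLE\\admin", {"Symantec Administrators"})
    model.add_account("EXAMPLE\\jdoe", {"Helpdesk"})
    model.add_account("EXAMPLE\\asmith")
    return model


if __name__ == "__main__":
    model = build_sample()
    for account, privs in sorted(model.sensitive_holders().items()):
        for priv, sources in sorted(privs.items()):
            print(f"{account}: {priv} via {', '.join(sources)}")
```

In the constructed layout, the Helpdesk account never receives Edit SQL Directly on its own role; the report shows it arriving through the nested Report Authors role, which is the case a review of the Privileges tab of a single role would miss.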
Credential privileges
Credential privileges let you create new credentials in Credential Manager.
Credential Manager provides a secure storage location for user names and
passwords. The types of credentials that the Credential Manager stores are defined
by the solutions that are installed on Symantec Management Platform.
See “About security privileges” on page 82.
See “Assigning privileges to a security role” on page 81.
When a credential is created, only the creator is granted access. If other users
need to perform a management operation that requires a credential, you need to
assign this privilege to the appropriate user account or role that contains the user
account.
Table 4-7
Credential privileges
Privilege
Description
Create Credential
Lets you create and modify credentials in Credential Manager.
See “About credential manager” on page 118.
Workflow Directory privileges
Workflow Directory privileges let you publish workflows from the workflow
designer into Notification Server as a task or item action (an option on the
right-click menu).
Workflow Designer is part of Workflow solution. When you install Workflow
solution, it adds a page to the Symantec Management Console that lets you
download and install the Workflow Designer. It is not included in the Symantec
Management Platform by default.
See “About security privileges” on page 82.
See “Assigning privileges to a security role” on page 81.
Table 4-8
Workflow Directory privileges
Privilege
Description
Register/Unregister Workflows
Lets you publish workflows from the workflow designer into Notification Server as
a task or item action (an option on the right-click menu).
For more information, refer to the Workflow solution documentation.
Symantec Management Console privileges
Symantec Management Console privileges let you customize the Symantec
Management Console. These privileges include the ability to edit the menu, and
to create portal pages, Web parts, and views.
See “About security privileges” on page 82.
See “Assigning privileges to a security role” on page 81.
Table 4-9
Symantec Management Console privileges
Privilege
Description
Create Portal Pages
Lets you create new portal pages. A portal page is a Symantec Management Console
page that you can customize to suit your requirements. You can use a portal page to
consolidate key information into a single, easy-to-view page. A portal page can display
the status of the Symantec Management Platform and managed computers, or any
other information that you want to make available. For example, you can include
external Web pages, intranet pages, RSS feeds, or your own applications.
You need to have the Create Children permission on the folder in which you want to
create the new portal page.
See “About portal pages” on page 214.
Create Web Parts
Lets you create new Web parts. Web parts are the mini Web pages that you can use
as the building blocks for portal pages. A Web part can display a report or the contents
of a Web page.
You need to have the Create Children permission on the folder in which you want to
create the new Web part.
See “Creating and modifying Web parts” on page 218.
Create Views
Lets you create new views. A view is a two-pane layout with a navigation tree in the
left pane and content in the right pane. The navigation tree contains links to Symantec
Management Console items and lets you group items from different parts of the
console into a suitable structure. An item may appear multiple times in a view, and
in any number of different views. A view can include folders, item links, and Web
links.
See “About console views” on page 212.
Edit Console Menu
Lets you customize the Symantec Management Console menus. The menu options
that are supplied with the Symantec Management Platform are read-only and cannot
be modified. You can add new submenus, and can modify them as necessary. You can
move or delete any menu item, except those that have been designated as read-only.
See “Customizing the console menu” on page 201.
Software Management privileges
Each Software Management privilege grants specific abilities to the user role and
allows the user to perform specific tasks in the Software view and Software
Catalog window from the enhanced console views. These Software Management
privileges are not by default part of any user role. You must assign the relevant
privilege to a user role.
See “About security privileges” on page 82.
See “Assigning privileges to a security role” on page 81.
See “Actions you can perform in the Software view and in the Software Catalog”
on page 624.
Table 4-10
Software Management privileges
Privilege
Description
Create software products and Define software product inventory filters
This privilege allows the user to use the Newly Discovered Software saved search
in the Software view to find newly discovered software.
This privilege allows the user to use the Newly discovered / undefined software and
Unmanaged software panes in the Software Catalog to manage software.
To have these abilities, you must assign the user role both the Create software
products and Define software products privileges.
Create software products
This privilege allows the user to use the Add Product button to open the Software
Product dialog box.
This privilege also allows the user to input data into the Name, Company, Version,
and Category areas of the Software Product dialog box to create software products.
If you do not assign this privilege to the user role, the user is unable to enter
information into the Name, Company, Version, and Category areas of the Software
Product dialog box.
Define software product inventory filters
This privilege allows the user to use the Identify Inventory tab to define software
product inventory filters.
Configure software usage tracking
This privilege allows the user to use the Add program files hyperlink and Meter /
track usage tab to configure software usage tracking.
Create software licenses
This privilege allows the user to use the Manage Licenses button to create software
licenses.
Software Management Framework privileges
Software Management Framework privileges let you manage the Software
Management Framework. These privileges are the ability to create the Software
Library and to create and import software resources.
See “About security privileges” on page 82.
See “Assigning privileges to a security role” on page 81.
Table 4-11
Software Management Framework privileges
Privilege
Description
Manage Software Resources
Lets you create, import, edit, and delete software resources.
A software resource is the metadata that describes a specific instance of a software
product. A software resource provides a common way to describe the software so
that all software-related actions can identify it accurately.
See “About software resources” on page 660.
Typically, you should give software resource privileges to the user accounts who
deliver and manage software. The Symantec Software Librarian and Asset Manager
security roles have this privilege by default.
Manage Software Library Settings
Lets you create and edit the Software Library Settings.
The Software Library is the physical directory location of the package files that are
associated with the software in the Software Catalog. Because the Software Library
is a repository of the definitive, authorized versions of the packages, you should
restrict library access to maintain its integrity.
The Symantec Software Librarian and Asset Manager security roles have this privilege
by default.
See “Setting up the Software Library” on page 611.
Create software deliveries
Lets you create software deliveries (Quick Delivery or Package Delivery tasks and
Manage Software Delivery policy) for selected software resource from the available
software list.
Lets you use the drag-and-drop feature to initiate software delivery from any software
list.
This privilege also allows the user to use the Delivery tab to create software deliveries.
Right-click Menu privileges
The Right-click Menu privileges (sometimes referred to as item action privileges)
let you perform general actions on items in the Symantec Management Console.
When you right-click on an item, the options that are relevant to that item type
are available on the right-click menu. These privileges include the ability to delete
an item, edit views, Web links, and item links, and start, stop, and schedule tasks.
See “About security privileges” on page 82.
See “Assigning privileges to a security role” on page 81.
Table 4-12
Right-click Menu privileges
Privilege
Description
Applies to Item Types
Additional Requirements
Add to organizational group
Lets you add a resource to an organizational group.
See “Adding resources to an organizational group” on page 375.
Applies to item types: All resources
Additional requirements: Write permission on the organizational group.
Clone
Lets you clone an item.
Applies to item types: All item types
Additional requirements: Clone permission on the item.
Delete
Lets you delete an item.
Applies to item types: All item types
Additional requirements: Delete permission on the item.
Edit Item Link
Lets you modify an item link.
See “About console views” on page 212.
Applies to item types: Item links only.
Additional requirements: Write permission on the item link.
Edit Rule
Lets you edit an inventory rule.
See “Creating or editing inventory rules” on page 712.
Applies to item types: Inventory rules only.
Additional requirements: Write permission on the inventory rule.
Edit View
Lets you edit a view.
See “Creating and modifying views” on page 212.
Applies to item types: Views only.
Additional requirements: Write permission on the view.
Edit Web Link
Lets you modify a Web link.
See “About console views” on page 212.
Applies to item types: Web links only.
Additional requirements: Write permission on the Web link.
Schedule
Lets you schedule a policy.
See “Specifying a policy schedule” on page 420.
Applies to item types: Policies only.
Additional requirements: Write permission on the policy.
Schedule Task
Lets you schedule a task. You can set the task to run once at a particular time, or to
repeat at regular intervals.
See “Adding a schedule to a policy, task, or job” on page 454.
Applies to item types: Tasks only.
Additional requirements: Run Task permission on the task.
Security Role Manager
Lets you open the Security Role Manager.
See “About the Security Role Manager” on page 112.
Applies to item types: All item types
Additional requirements: Write permission on the item.
Start Task
Lets you start a task immediately.
See “Running a job or task” on page 452.
Applies to item types: Tasks only.
Additional requirements: Run Task permission on the task.
Stop Task
Lets you stop a task immediately.
See “Stopping a job or task” on page 453.
Applies to item types: Tasks only.
Additional requirements: Run Task permission on the task.
Right-click Menu - Connector Samples privileges
The Connector Samples privileges are examples of user-creatable right-click
actions.
See “About security privileges” on page 82.
See “Assigning privileges to a security role” on page 81.
Table 4-13 Right-click Menu - Connector Samples privileges

| Privilege | Description | Applies to Item Types | Additional Requirements |
| --- | --- | --- | --- |
| Ping Computer | Lets you perform a TCP/IP ping on a computer. | Computer resources only | Read permission on the organizational group that contains the computer. |
Right-click Menu - Hierarchy privileges
The Hierarchy privileges let you manage hierarchy replication. These privileges
let you include or exclude specific items from hierarchy replication, and let you
replicate items immediately.
See “About security privileges” on page 82.
See “Assigning privileges to a security role” on page 81.
Table 4-14 Right-click Menu - Hierarchy privileges

| Privilege | Description | Applies to Item Types | Additional Requirements |
| --- | --- | --- | --- |
| Disable Replication | Lets you prevent an item from participating in hierarchy replication. All configuration items and management items, and security roles and privileges are replicated by default. This option is available only when custom hierarchy replication rules are used. See “Setting up custom hierarchy replication” on page 176. | All item types | Manage Hierarchy Replication privilege, Write permission on the item. |
| Replicate Now | Lets you replicate selected data directly from a Notification Server to all its child Notification Servers without including it in a replication rule. This operation is a once-off replication that takes place immediately. See “Replicating selected data manually” on page 182. | All item types | Manage Hierarchy Replication privilege, Write permission on the item. |
| Enable Replication | Lets you allow an item to participate in hierarchy replication. All configuration items and management items, and security roles and privileges are replicated by default. This option is available only when custom hierarchy replication rules are used. See “Setting up custom hierarchy replication” on page 176. | All item types | Manage Hierarchy Replication privilege, Write permission on the item. |
Right-click Menu - Actions privileges
The Actions privileges let you perform the actions that are relevant to the Software
Management Framework. Additional solutions that are installed on the Symantec
Management Platform may add further privileges to this category.
See “About security privileges” on page 82.
See “Assigning privileges to a security role” on page 81.
Table 4-15 Right-click Menu - Actions privileges

| Privilege | Description | Applies to Item Types | Additional Requirements |
| --- | --- | --- | --- |
| Assign Type | Assigns a type to an unassigned software resource in the Software Catalog. An unassigned software resource is one that is not categorized as a software release, an update, or a service pack. See “About the software resource types” on page 649. | Software resources only | |
| Create Installed Software Filter | Creates filters to find managed computers by the software that is installed on them. See “About installed software filters” on page 654. | Software resources only | |
| Detailed Export | Exports a software resource and any of its associated resource information to a detailed XML file. See “Exporting a software resource and its details” on page 678. | Software resources only | |
| Edit Command Line | Opens the selected command line for editing within the software resource editing page. See “Creating a command line for a software resource” on page 694. | Software resources only | |
| Edit Package | Opens the selected package for editing within the software resource editing page. See “About software packages” on page 683. | Software resources only | |
| Edit Software Resource | Opens the selected software resource for editing. See “Adding or editing a software resource” on page 662. | Software resources only | |
| Import Package | Changes a package’s source to the Software Library from a different source such as a directory on the server or a UNC path. See “Adding an existing package to the Software Library” on page 690. | Software resources only | |
| Merge Company Resource | Merges the selected company resource with another company resource. This privilege is useful if you have two entries for the same company that might be spelled slightly differently, such as “Symantec” and “Symantec Corporation”. You can select the items to merge and specify the appropriate name to use. | | |
| Resolve Duplicate Software Resources | When two software resources represent the same software but have different identifiers, this dialog box lets the user associate both identifiers with one software resource. See “About duplicate software resources” on page 650. | Software resources only | |
Right-click Menu - Set Asset Status privileges
The Set Asset Status privileges let you set the status of a resource to Active or
Retired.
Solutions that are installed on Symantec Management Platform may add more
privileges to this category. For example, Asset Management solution adds three
or four privileges here.
See “About security privileges” on page 82.
See “Assigning privileges to a security role” on page 81.
Table 4-16 Right-click Menu - Set Asset Status privileges

| Privilege | Description | Applies to Item Types | Additional Requirements |
| --- | --- | --- | --- |
| Active | Sets the status of the selected resource as active. | Resources only | Write permission on the organizational group that contains the resource. |
| Retired | Sets the status of the selected resource as retired. | Resources only | Write permission on the organizational group that contains the resource. |
About Symantec Management Platform user accounts
Symantec Management Platform 7.1 has its own user accounts. Previous versions
of Symantec Management Platform used Windows users and groups for user
security. Windows users are still used, but they are no longer the only security
mechanism.
User accounts, which are sometimes referred to as users, are not the same as user
resources in Symantec Management Platform. A user resource is an entity that
is used to associate managed devices with the owner of the device. The existing
user resources and the user accounts that can log on to the Symantec Management
Console or run a workflow are separate entities.
A Symantec Management Platform user account is linked to the Windows
credentials that the user requires to access the Symantec Management Console.
The user account may also be linked to internal credentials that it can use to
access other Symantec Management Platform services, such as workflows. The
user account can be added to the appropriate security roles: an account has the
union of all the privileges and permissions that are granted by the roles to which
it belongs.
See “Creating and configuring Symantec Management Platform user accounts”
on page 282.
A credential is something that a user account provides to prove its identity. In
Symantec Management Platform, a credential may be a user name and password
or a Windows account. The user account associates one or more credentials with
a particular user and lets the user access the Symantec Management Console or
Symantec Management Platform services.
Symantec Management Platform uses two types of credentials:
■ Internal credential
  Lets a user access the appropriate Symantec Management Platform services using a user name and password that is stored in the CMDB. For security reasons, only the hash value of the password is stored.
  A user account cannot use internal credentials to access the Symantec Management Console. The internal credentials are currently used only for workflow integration.
■ Windows credential
  Lets a user access the Symantec Management Console and Symantec Management Platform services using a Windows user name and password. To use Windows credentials, Notification Server must be in the user's domain, or the user's domain must be trusted by the Notification Server domain.
  You should configure Windows credentials if your organization uses Windows accounts internally. Using Windows credentials lets you enforce password complexity requirements, periodically change passwords, keep password history, and perform other password management tasks in Windows.
Creating and configuring Symantec Management Platform user accounts
You can configure your Symantec Management Platform user accounts to meet
the requirements of your organization. You need to create all of the accounts that
you want and assign them to the appropriate security roles. Each account has the
union of all the privileges and permissions that are granted by the roles to which
it belongs.
See “About Symantec Management Platform user accounts” on page 97.
See “About Symantec Management Platform security” on page 69.
Creating and configuring Symantec Management Platform user accounts is a step
in the process of setting up Symantec Management Platform security.
See “Setting up Symantec Management Platform security” on page 71.
Create and configure a user account in one of the following ways:
■ Create a completely new user account or clone an existing user account.
  See “To create a completely new user account or clone an existing user account” on page 99.
■ Import domain groups and users from Active Directory.
  See “To import domain groups and users from Active Directory” on page 100.
To create a completely new user account or clone an existing user account
1. In the Symantec Management Console, on the Settings menu, click Security > Account Management.
2. In the left pane, click Account Management > Accounts.
3. On the Accounts page, in the left pane, take one of the following actions:
   ■ To create a new account
     Click Add. In the New Account dialog box, type the new Symantec Management Platform account name, and then click OK.
     The new account appears in the list of accounts. By default, the new account status is Inactive.
   ■ To clone an existing account
     Right-click the Symantec Management Platform account that you want to clone and configure. Enter the name of the new copy of this account, and click OK.
4. In the right pane, configure the appropriate settings in the following tabs:
   ■ General
     The general account details. These include the full name and email address of the user for whom the account is created, the account status, and the account credentials.
     See “Specifying general Symantec Management Platform user account details” on page 101.
     See “Configuring credentials for a Symantec Management Platform user account” on page 101.
   ■ Member Of
     The security roles to which the account belongs. The account has the union of all the privileges and permissions that are granted by the roles to which it belongs.
     See “Assigning a Symantec Management Platform user account to a security role” on page 104.
5. Click Save changes.
To import domain groups and users from Active Directory
1. In Symantec Management Console, on the Actions menu, click Discover > Import Microsoft Active Directory.
2. On the Microsoft Active Directory Import page, in the description that is labeled “Import Role and Account resources from <data source>, from (none). Perform this import on the specified schedule”, click the user group (none).
3. (Optional) Create your own Role and Account import rules.
4. In the Select Security Groups dialog box, search for the domain groups from which you want to import user accounts; for example, Administrators and Users.
5. Click Add and then OK to add the selected groups.
6. Run the rule as a full import to import the selected domain groups.
7. (Optional) You can also schedule a full import to run at appropriate intervals.
   You can use this schedule to synchronize your security role membership with the domain group membership. This means that if you remove a domain user from the domain group, the corresponding Security Account is removed from the corresponding security role. Likewise, if you add a domain user to the domain group, the corresponding Security Account is created and added to the corresponding security role. Note that if a domain user is removed from a domain group, the corresponding security account is not deleted. Only the membership to the security role is removed.
Specifying general Symantec Management Platform user account details
You need to specify the full name and email address of the user for whom the
account is created. You can also change the account status from Inactive to Active
when appropriate.
See “About Symantec Management Platform user accounts” on page 97.
See “Creating and configuring Symantec Management Platform user accounts”
on page 282.
See “Setting up Symantec Management Platform security” on page 71.
To specify general Symantec Management Platform user account details
1. In the Symantec Management Console, on the Settings menu, click Security > Account Management.
2. In the left pane, click Account Management > Accounts.
3. On the Accounts page, in the left pane, click the account that you want to configure.
4. In the right pane, on the General tab, specify the account details by editing the appropriate boxes:
   ■ Full Name
     The full name of the user to whom the account belongs.
   ■ Email
     The email address of the account user.
5. (Optional) If you want to activate or deactivate the account, click the status icon in the title bar and then select Active or Inactive.
6. Click Save changes.
Configuring credentials for a Symantec Management Platform user account
You need to configure the appropriate credentials for each Symantec Management
Platform user account. You can add one Symantec Management Platform internal
credential and one Windows credential to a user account. The Windows credential
emulates the behavior of previous versions of Symantec Management Platform.
See “About Symantec Management Platform user accounts” on page 97.
See “Creating and configuring Symantec Management Platform user accounts”
on page 282.
See “Setting up Symantec Management Platform security” on page 71.
An internal credential lets a user access the appropriate Symantec Management
Platform services using a user name and password that is stored in the CMDB.
Currently, internal credentials are used only for workflow integration.
A Windows credential lets a user account access the Symantec Management
Console and Symantec Management Platform services using a Windows user
name and password. To use Windows credentials, Notification Server must be in
the user's domain, or the user's domain must be trusted by the Notification Server
domain.
You should configure Windows credentials if your organization uses Windows
accounts internally. Using Windows credentials lets you enforce password
complexity requirements, periodically change passwords, keep password history,
and perform other password management tasks in Windows.
To configure credentials for a Symantec Management Platform user account
1. In the Symantec Management Console, on the Settings menu, click Security > Account Management.
2. In the left pane, click Account Management > Accounts.
3. On the Accounts page, in the left pane, click the account that you want to configure.
4. In the right pane, on the General tab, under Credentials, click Add Credential and then do one of the following:
   ■ To add a Windows credential to the account
     Click Windows and then, in the Windows Credential dialog box, specify the appropriate Windows user name in Domain/Username format.
     If the Windows account is in the same domain as Notification Server, you can omit the Domain and specify the Username only.
     If you specify a Windows account that is already assigned to a user account, the Windows credential is removed from the existing account. The Windows credential is then added to the new user account.
   ■ To add an internal credential to the account
     Click Internal and then, in the Create Internal Credential dialog box, specify the appropriate password.
     The password must meet the password complexity settings.
     See “Configuring password complexity and lockout settings” on page 104.
     The credential user name is the name of the Symantec Management Platform account and you cannot change it.
5. Click OK.
   The new credential is added to the Credentials list.
6. (Optional) If you want to modify a credential, select it in the Credentials list and then click Edit. In the Edit Windows Credential dialog box or the Edit Internal Credential dialog box, make the appropriate changes and then click OK.
   For security reasons, the Edit Internal Credential dialog box does not display the current password. If you specify a new password, the credential is updated accordingly. If you leave the Password box empty, the original password is preserved.
7. (Optional) If you want to delete a credential, select it in the Credentials list and then click Delete.
8. Click Save changes.
Assigning a Symantec Management Platform user account to a security role
You need to assign each Symantec Management Platform user account to the
appropriate security roles. You need to be a member of the Symantec
Administrators role, or a member of a role that has the Change Security privilege,
to assign role membership. The account has the union of all the privileges and
permissions that are granted by the roles to which it belongs.
See “About Symantec Management Platform user accounts” on page 97.
See “Creating and configuring Symantec Management Platform user accounts”
on page 282.
See “Setting up Symantec Management Platform security” on page 71.
To assign a Symantec Management Platform account to a security role
1. In the Symantec Management Console, on the Settings menu, click Security > Account Management.
2. In the left pane, click Account Management > Accounts.
3. On the Accounts page, in the left pane, click the account that you want to configure.
4. In the right pane, on the Member Of tab, make the appropriate settings.
5. Click Add Role.
6. In the Select Role(s) dialog box, select the security roles to which you want to add the account, and then click OK.
7. On the Member Of tab, verify that the list of security roles is correct. You can remove any that you do not want.
8. Click Save changes.
Configuring password complexity and lockout settings
The Password Settings page lets you configure the password complexity and
lockout settings for internal credentials. These settings apply to internal
credentials only: they do not apply to passwords that are managed externally,
such as a Windows account. These complexity and lockout settings are often
required to comply with an organization’s access control policy.
See “About Symantec Management Platform security” on page 69.
See “Setting up Symantec Management Platform security” on page 71.
See “Unlocking locked out credentials” on page 107.
You need to specify appropriate password complexity requirements to prevent
Symantec Management Platform user accounts from creating weak passwords.
Any changes that you make to the password complexity settings do not affect
existing passwords. The password complexity rules are applied only when
passwords are created or changed.
You cannot specify temporal restrictions such as allowing user accounts to log
on only during certain time periods or on particular days of the week. To configure
this type of restriction, you can use a scheduled task, a workflow, or an automation
policy that disables and enables accounts at the appropriate times.
You cannot configure the maximum password age for internal credentials. The
maximum password age for Windows credentials should be managed using a
Windows policy.
Table 4-17 Settings on the Password Complexity tab

| Setting | Description |
| --- | --- |
| Allow blank password | Specifies whether to allow a credential to have an empty password. If you enable this setting, the minimum password length is disabled. By default, this setting is disabled. |
| Minimum password length | Specifies the minimum number of characters that the password must contain. If you want to set the length to zero (0), you must also enable the allow blank password setting. The default is six (6). |
| Minimum number of non-alphabetic characters | Specifies the minimum number of non-alphabetic characters that the password must contain. Non-alphabetic characters are numbers (such as 1, 2, 3, etc.) and special characters (such as !, ?, &, etc.). The default is one (1). |
| Contain account name | Specifies whether to allow the password to contain the user account name. Note that this is not case sensitive. By default, this setting is disabled. |
You need to specify appropriate password lockout conditions to prevent
unauthorized access to Symantec Management Platform. Any changes that you
make to the password lockout settings are applied to all subsequent failed logon
attempts. The maximum allowable unsuccessful attempts setting is not applied
to the number of previous failed logon attempts.
Table 4-18 Settings on the Password Lockout tab

| Setting | Description |
| --- | --- |
| Enable Credential Lockout | Specifies whether to lock the credentials when the specified maximum number of unsuccessful logon attempts is reached. By default, this setting is enabled. |
| Internal Credential Lockout Threshold | Specifies the maximum number of logon attempts that a user may make with any particular credential. If a user attempts to authenticate with an incorrect password more than this number, the credential is locked for the specified lockout period. Unsuccessful logon attempts are counted from when the credential is created. The failed attempts do not need to happen within a minimum time period. There is no maximum time after which a failed attempt is no longer counted. If you change this setting to reduce the maximum number of unsuccessful attempts allowed, the new value is not applied to any account until the next logon attempt. If the next attempt is successful, the count is reset to zero (all previous failures are erased). However, if the next attempt fails, the count of failed attempts is evaluated. If the maximum number is reached (or possibly already exceeded), the account is locked. |
| Lockout Duration | Specifies the duration that a locked out credential cannot be used. The default period is 1800 minutes (30 hours). All logon attempts that the user makes during this time period fail, even if the correct credentials are supplied. When the lockout period expires, the same credentials are valid again. No automatic password reset is required. You can specify an infinite lockout period by entering a value of -1. In this scenario, a locked credential remains locked until an administrator manually unlocks the credential. See “Unlocking locked out credentials” on page 107. |
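The counting rules in Table 4-18 are easier to reason about as a small model. The following Python sketch is an added example, not Symantec code: it replays logon attempts against a failure counter that has no time window, is reset only by a success, and is compared with whatever threshold is in force at the next attempt. Assumptions: the credential locks when the count reaches the threshold, attempts during a lockout are not counted, the count survives lockout expiry, an administrator unlock clears it, and the threshold values are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

INFINITE = -1  # Lockout Duration value meaning "locked until an administrator unlocks"


@dataclass
class LockoutSettings:
    enabled: bool = True       # Enable Credential Lockout (enabled by default)
    threshold: int = 3         # constructed value; the page states no default
    duration_min: int = 1800   # Lockout Duration default from Table 4-18


@dataclass
class InternalCredential:
    failed: int = 0                  # failures since creation or the last success
    locked_at: Optional[int] = None  # minute at which the current lock began

    def is_locked(self, s: LockoutSettings, now: int) -> bool:
        if self.locked_at is None:
            return False
        return s.duration_min == INFINITE or now < self.locked_at + s.duration_min

    def logon(self, s: LockoutSettings, now: int, password_ok: bool) -> str:
        if self.is_locked(s, now):
            return "locked"          # fails even with the correct password
        self.locked_at = None        # an earlier lockout, if any, has expired
        if password_ok:
            self.failed = 0          # a success erases all previous failures
            return "ok"
        self.failed += 1             # no time window: old failures never age out
        # The threshold in force now is applied, so a lowered threshold can
        # lock a credential whose count already exceeds it.
        if s.enabled and self.failed >= s.threshold:
            self.locked_at = now
        return "denied"

    def admin_unlock(self) -> None:
        self.locked_at = None
        self.failed = 0              # assumption: unlocking also clears the count


def replay(s: LockoutSettings, events, cred: Optional[InternalCredential] = None) -> List[str]:
    """Replay (minute, password_ok) attempts and return each outcome."""
    cred = InternalCredential() if cred is None else cred
    return [cred.logon(s, minute, ok) for minute, ok in events]


def slow_guessing() -> List[str]:
    """Three wrong guesses spread over months still lock the credential."""
    month = 43_200  # minutes in 30 days
    return replay(LockoutSettings(threshold=3),
                  [(0, False), (2 * month, False), (4 * month, False), (4 * month + 1, True)])


def lowered_threshold(next_ok: bool) -> Tuple[bool, str, bool]:
    """Lower the threshold below an existing failure count, then log on once."""
    cred = InternalCredential()
    replay(LockoutSettings(threshold=5), [(0, False), (1, False), (2, False)], cred)
    strict = LockoutSettings(threshold=2)
    locked_before = cred.is_locked(strict, 3)   # the change alone locks nothing
    outcome = cred.logon(strict, 3, next_ok)
    return locked_before, outcome, cred.is_locked(strict, 4)


def infinite_lockout() -> List[str]:
    """With a duration of -1 only an administrator unlock restores access."""
    s = LockoutSettings(threshold=1, duration_min=INFINITE)
    cred = InternalCredential()
    out = replay(s, [(0, False), (10_000_000, True)], cred)
    cred.admin_unlock()
    return out + replay(s, [(10_000_001, True)], cred)


if __name__ == "__main__":
    print(slow_guessing())
    print(lowered_threshold(next_ok=True), lowered_threshold(next_ok=False))
    print(infinite_lockout())
```

Because failures never age out, a legitimate user who mistypes occasionally and a slow password-guessing run look the same to this counter; only a successful logon separates them.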
To configure password complexity and lockout settings
1. In the Symantec Management Console, on the Settings menu, click Security > Account Management.
2. In the left pane, click Account Management > Password Settings.
3. On the Password Settings page, make the necessary configuration changes in the appropriate tabs.
   ■ Password Complexity
     Lets you specify the password complexity rules that you want to apply to Internal credentials.
     See Table 4-17 on page 105.
   ■ Password Lockout
     Lets you specify the conditions that cause Symantec Management Platform to lock Internal credentials.
     See Table 4-18 on page 106.
4. Click Save changes.
Unlocking locked out credentials
The Unlock Credentials page lets you unlock internal credentials that have become
locked out after the maximum number of unsuccessful logon attempts has been
exceeded.
See “About Symantec Management Platform security” on page 69.
See “Setting up Symantec Management Platform security” on page 71.
See “Configuring password complexity and lockout settings” on page 104.
To unlock locked out credentials
1. In the Symantec Management Console, on the Settings menu, click Security > Account Management.
2. In the left pane, click Account Management > Unlock Credentials.
3. On the Unlock Credentials page, in the list of locked credentials, select the credential that you want to unlock.
4. Click Unlock Credentials.
About security role permissions
The permissions on an item in the Symantec Management Console determine the
access that a security role has to that item. Permissions on items are applied to
security roles, not to individual user accounts. For example, the Read permission
on an item lets a user view it, and the Write permission on the item lets the user
modify it.
See “Setting up Symantec Management Platform security” on page 71.
See “Assigning security permissions to folders and items” on page 114.
Permissions are used with privileges to determine what actions a security role
may perform on an item. For example, to delete an item a security role must have
both the Delete privilege and the Delete permission on that particular item. Having
only the Delete privilege, or the Delete permission on the item, is not sufficient.
You can specify the permissions that apply to each folder or item for each security
role. Permissions that are applied directly to a folder or item (non-inherited
permissions) are combined with the permissions that are inherited from the parent
folder. The combined permissions determine the access that the security role has
to that particular folder or item.
By default, child items and folders inherit all permissions on a folder. You can
modify permission inheritance to suit your requirements.
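How these rules combine, as an added Python example rather than Symantec code: an action needs both the privilege and the matching permission on the item, an item's permissions are its direct ones plus those inherited from the parent folder, and an account is checked against the union of its roles. The role, folder and item names are constructed, and taking the union across roles before the check is an assumption based on the guide's "union of all the privileges and permissions" wording; `cross_role_grants` lists actions that only a combination of roles allows, which is what a role-membership review looks for.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Privilege -> permission it also needs on the item (rows taken from Table 4-12).
REQUIRES = {"Clone": "Clone", "Delete": "Delete",
            "Schedule": "Write", "Start Task": "Run Task"}


@dataclass
class Item:
    name: str
    parent: Optional["Item"] = None
    inherit: bool = True   # children inherit the parent folder's permissions by default
    direct: Dict[str, Set[str]] = field(default_factory=dict)  # role -> non-inherited permissions


def role_permissions(role: str, item: Item) -> Set[str]:
    """Permissions set directly on the item combined with the inherited ones."""
    perms = set(item.direct.get(role, set()))
    if item.inherit and item.parent is not None:
        perms |= role_permissions(role, item.parent)
    return perms


def account_can(privilege: str, roles: List[str],
                role_privileges: Dict[str, Set[str]], item: Item) -> bool:
    """Check the union of the account's roles for the privilege and its permission."""
    privileges: Set[str] = set()
    permissions: Set[str] = set()
    for role in roles:
        privileges |= role_privileges.get(role, set())
        permissions |= role_permissions(role, item)
    return privilege in privileges and REQUIRES[privilege] in permissions


def cross_role_grants(roles: List[str], role_privileges: Dict[str, Set[str]],
                      item: Item) -> List[str]:
    """Actions the account gains only by combining roles (no single role grants them)."""
    return [p for p in sorted(REQUIRES)
            if account_can(p, roles, role_privileges, item)
            and not any(account_can(p, [r], role_privileges, item) for r in roles)]


# Constructed sample data: role, folder and item names are hypothetical.
ROLE_PRIVILEGES = {"Helpdesk": {"Delete"}, "Policy Editors": {"Schedule"}}
policies = Item("Policies", direct={"Helpdesk": {"Read"},
                                    "Policy Editors": {"Read", "Write", "Delete"}})
patching = Item("Patch Policies", parent=policies)
reboot = Item("Reboot policy", parent=patching)
baseline = Item("Baseline policy", parent=policies, inherit=False,
                direct={"Policy Editors": {"Read"}})

if __name__ == "__main__":
    both = ["Helpdesk", "Policy Editors"]
    for roles in (["Helpdesk"], ["Policy Editors"], both):
        print(roles, "delete reboot policy:",
              account_can("Delete", roles, ROLE_PRIVILEGES, reboot))
    print("granted only by the combination:",
          cross_role_grants(both, ROLE_PRIVILEGES, reboot))
    print("inheritance off:", account_can("Delete", both, ROLE_PRIVILEGES, baseline))
```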
Table 4-19 lists and describes the categories of security permissions that you can
set for each role.
Table 4-19 Security permission categories

| Permission category | Description |
| --- | --- |
| Resource Management | These permissions apply to resources. See “Resource Management permissions” on page 109. |
| System | These permissions apply to the system, such as reading, writing, and deleting items. See “System permissions” on page 109. |
| Task Server | These permissions apply to Task Server. See “Task Server permissions” on page 110. |
| Report | These permissions apply to reports. See “Report permissions” on page 110. |
| Policy | These permissions apply to policies. See “Policy permissions” on page 111. |
| Folder | These permissions apply to folders. See “Folder permissions” on page 111. |
| Filter | These permissions apply to filters. See “Filter permissions” on page 111. |
| Connection Profile | These permissions let you use connection profiles. See “Connection Profile permissions” on page 111. |
| Credential Manager | These permissions let you use the Credential Manager. See “Credential Manager permissions” on page 112. |
Resource Management permissions
These permissions apply to resources.
See “About security role permissions” on page 107.
Table 4-20 Resource Management permissions

| Permission | Description |
| --- | --- |
| Read Resource Data | Lets you read resource data. |
| Read Resource Association | Lets you read resource association data. |
| Write Resource Data | Lets you write resource data. |
| Write Resource Association | Lets you write resource association data. |
System permissions
These permissions apply to the system, such as reading, writing, and deleting
items.
See “About security role permissions” on page 107.
Table 4-21 System permissions

| Permission | Description |
| --- | --- |
| Full Control | Lets you take full control of an item that another user owns. See “Taking ownership of a folder or item” on page 117. |
| Delete | Lets you delete items. |
| Write | Lets you create or modify items. |
| Clone | Lets you clone an existing item. |
| Read | Lets you open an item and view the item contents. |
| Change Permissions | Lets you change permissions on items. |
| Read Permissions | Lets you read the permissions for an item. |
Task Server permissions
These permissions apply to Task Server.
See “About security role permissions” on page 107.
Table 4-22 Task Server permissions

| Permission | Description |
| --- | --- |
| Create New Task | Lets you create new tasks. |
| Run Script | Lets you run a script. |
| Run Power Control | Lets you run power control tasks. |
| Run Task | Lets you run tasks. |
| Run Control Service State | Lets you run a control service state. |
Report permissions
These permissions apply to reports.
See “About security role permissions” on page 107.
Table 4-23 Report Permissions

| Permission | Description |
| --- | --- |
| Run Reports | Lets you run a report. |
| Save Reports | Lets you save a report. |
Policy permissions
These permissions apply to policies.
See “About security role permissions” on page 107.
Table 4-24 Policy permissions

| Permission | Description |
| --- | --- |
| Apply to Resource Targets | Lets you apply resource targets to policies. |
| Enable Policy | Lets you enable or disable a policy. |
Folder permissions
These permissions apply to folders.
See “About security role permissions” on page 107.
Table 4-25 Folder permissions

| Permission | Description |
| --- | --- |
| Create Children | Lets you add items and subfolders to a folder. |
Filter permissions
These permissions apply to filters.
See “About security role permissions” on page 107.
Table 4-26 Filter permissions

| Permission | Description |
| --- | --- |
| Apply Agent Settings | Lets you change a targeted agent settings policy and apply it to a resource target. |
| Apply Software Delivery Tasks | Lets you apply software delivery tasks. |
Connection Profile permissions
These permissions let you use connection profiles. Connection profiles store the
information that is required to communicate with computers and other network
devices using standard network monitoring protocols. These protocols include
SNMP, WMI, WSMan, and several others.
See “About security role permissions” on page 107.
Connection profiles are associated with devices during network discovery. During
discovery, a connection profile is selected to define the protocols and credentials
to use. When discovery completes, this connection profile is then associated with
each discovered resource. When information is required, the associated connection
profile is used to connect.
Table 4-27 Connection Profile permissions

| Permission | Description |
| --- | --- |
| Use | Lets you use connection profiles. See “About Connection Profiles” on page 267. |
Credential Manager permissions
Credential Manager provides a secure storage location for user names and
passwords. The types of credentials that the Credential Manager stores are defined
by the solutions that are installed on Symantec Management Platform. These
permissions let you use the Credential Manager.
See “About security role permissions” on page 107.
Table 4-28 Credential Manager permissions

| Permission | Description |
| --- | --- |
| Use | Lets you use the Credential Manager. See “About credential manager” on page 118. |
About the Security Role Manager
The Security Role Manager is a special console that lets you view and set
permissions for security roles. The console lets you select a particular security
role and view the permissions that are associated with each item for that security
role. You can view the items by type, or view all the available items, and select the
folder or item on which to set permissions. By default, child items and folders
inherit all permissions on a folder. You can modify permission inheritance to suit
your requirements.
You can also use the Security Role Manager to take ownership of an item. You
may need to take ownership if permissions on an item are removed accidentally
so that the owner no longer has access to it. By taking ownership of an item, you
can reset the appropriate permissions and restore access for the original owner.
See “About security role permissions” on page 107.
See “Accessing the Security Role Manager” on page 113.
See “Assigning security permissions to folders and items” on page 114.
See “Customizing permission inheritance” on page 115.
See “Taking ownership of a folder or item” on page 117.
Accessing the Security Role Manager
You can access the Security Role Manager in the following ways:
Directly from the Symantec Management Console Settings menu.
The Security Role Manager opens with your security role selected, and the All Data Classes view shown.
From the right pane of the Roles page.
The Security Role Manager opens with the appropriate security role selected, and the All Data Classes view shown.
From the Actions menu for a security role.
The Security Role Manager opens with the appropriate security role selected, and the All Data Classes view shown.
From the right-click menu for an item or folder in the left pane.
You would normally use this method to set permissions on a particular item or folder.
The Security Role Manager opens with your security role selected, and the appropriate folder selected.
See “About the Security Role Manager” on page 112.
See “Assigning security permissions to folders and items” on page 114.
See “Customizing permission inheritance” on page 115.
See “Taking ownership of a folder or item” on page 117.
To access the Security Role Manager from the Symantec Management Console menu
◆ In the Symantec Management Console, on the Settings menu, click Security > Permissions.
To access the Security Role Manager for a specific security role
1. In the Symantec Management Console, on the Settings menu, click Security > Account Management.
2. In the left pane, click Account Management > Roles.
3. On the Roles page, in the left pane, click the security role that you want to configure.
4. Do one of the following:
■ In the right pane (the Security Role Name page), click Show Security Role Manager Console.
■ Click Actions > Security Role Manager.
■ Right-click the security role that you want to configure and then click Security Role Manager.
To access the Security Role Manager for a specific folder
1. In the Symantec Management Console, open a view that contains the folder on which you want to set security permissions.
2. In the left pane, right-click the folder and then click Security.
Assigning security permissions to folders and items
You can specify the non-inherited permissions that apply to each folder or item
for each security role. These are combined with the permissions that are inherited
from the parent folder. The combined permissions determine the access that the
security role has to that particular folder or item. By default, any child folders or
items inherit the combined set of permissions.
See “About security role permissions” on page 107.
See “About the Security Role Manager” on page 112.
See “Accessing the Security Role Manager” on page 113.
Assigning security permissions to folders and items is a step in the process of
setting up Symantec Management Platform security.
See “Setting up Symantec Management Platform security” on page 71.
To assign security permissions to folders and items
1. In the Security Role Manager, in the Role drop-down list, select the security role for which you want to set permissions.
2. (Optional) In the View drop-down list, select an item category to view the folder structure that contains the relevant items.
If you want to view the full folder structure, select All Items.
3. In the left pane, select the folder or item for which you want to set permissions.
4. On the right pane, in the Noninherited panel, make the appropriate changes to the permission settings.
5. (Optional) If you want to configure permission inheritance for this folder or item, click Advanced.
See “Customizing permission inheritance” on page 115.
6. Click Save changes.
Customizing permission inheritance
By default, permission inheritance is enabled for all folders and items. Child folders
and items inherit the security permissions for each role that is assigned to a folder.
The inherited permissions cannot be modified on the child folders and items, but
additional non-inherited permissions can be specified. The non-inherited
permissions are applied directly to the folder or item and can be modified at any
time. The permission settings on each folder or item are the combination of both
the inherited and non-inherited settings. The combined set of permissions is then
applied to any child folders or items. Any changes to permission settings for a
folder are immediately applied to all of its child folders or items.
See “About security role permissions” on page 107.
See “About the Security Role Manager” on page 112.
See “Accessing the Security Role Manager” on page 113.
See “Assigning security permissions to folders and items” on page 114.
You can disable permission inheritance for any folder or item. This lets you remove
some of the inherited permissions from the folder or item, but preserve them on
its parent folder. The permission inheritance settings that you apply to a folder
or item apply to every security role. You cannot customize inheritance settings
for particular roles.
Warning: Disabling permissions inheritance on a folder or item can cause
unexpected denials of access for user accounts. If you disable permissions
inheritance, ensure that there are explicitly specified permissions on the folder
or item for user accounts to have the appropriate access.
You can also remove all non-inherited permissions from folders or items, leaving
only the inherited permissions. You may want to remove all non-inherited
permissions to remove custom permissions that have been added to child folders
or items. You may also use this feature to restore a standard set of permissions
on all child folders and items.
Customizing permission inheritance is an optional step in the process of setting
up Symantec Management Platform security.
See “Setting up Symantec Management Platform security” on page 71.
To customize permission inheritance for a folder or item
1. In the Security Role Manager, in the left pane, select the folder or item for which you want to configure permission inheritance.
2. In the right pane, click Advanced.
3. In the Permissions for: Item Name window, in the Account/Group/Role list, select the security role or user account for which you want to configure permissions.
If you want to add another security role or user account to the list, click Add. In the Role Selection window, choose the appropriate security role or user account.
See “Role Selection window” on page 117.
4. (Optional) In the Permissions for panel, change the permissions that are assigned to the selected security role for this folder or item.
You can use this feature only for the non-inherited permissions. You cannot edit the inherited permissions.
5. Take any of the following actions:
To inherit permissions from the parent folder
Check Inherit the permission entries from parent object that apply to child objects.
The inherited permission settings on the folder or item are updated to reflect the current permission settings on the parent folder.
To disable permissions inheritance
Uncheck Inherit the permission entries from parent object that apply to child objects.
You have the choice of copying the current inherited permissions from the parent folder, or removing all inherited permissions.
Any subsequent changes to the permission settings on the parent folder do not affect the permission settings on the folder or item.
To remove all non-inherited permissions from child folders and items
Check Replace permissions on all child objects.
The non-inherited permissions settings are cleared on all child folders and items, leaving only the inherited permissions.
6. Click Save changes.
7. (Optional) If you have disabled permission inheritance, in the Inherited Permissions Behavior dialog box, click the appropriate option:
Copy
The current inherited permissions are merged with the non-inherited permission settings on this folder or item.
Remove
The current inherited permissions are cleared, leaving only the non-inherited permissions.
Ensure that you have the appropriate non-inherited permissions on the folder or item before you select this option.
8. Click Cancel to close the Permissions for: Item Name window.
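The following Python model is an added example, not part of the product or of this guide. It computes the combined (inherited plus non-inherited) permissions described above and reports which roles lose access on a child item when inheritance is disabled with the Remove option. The role names Patch Operators and Help Desk, the Read and Write labels, and the folder names are constructed for the illustration.

```python
# Added illustration: a model of the inheritance rules above, not Symantec code.
# Role names, folder names and the Read/Write labels are constructed samples.


class Item:
    """A folder or item in the Security Role Manager tree."""

    def __init__(self, name, parent=None, explicit=None):
        self.name = name
        self.parent = parent
        self.inherit = True  # one inheritance flag per item, shared by every role
        # role -> non-inherited permissions set directly on this item
        self.explicit = {role: set(p) for role, p in (explicit or {}).items()}
        self.children = []
        if parent is not None:
            parent.children.append(self)

    def inherited(self, role):
        """What the parent passes down: its combined set, or nothing if disabled."""
        if self.parent is None or not self.inherit:
            return set()
        return self.parent.effective(role)

    def effective(self, role):
        """Combined set (inherited + non-inherited); children inherit this."""
        return self.inherited(role) | self.explicit.get(role, set())

    def roles_in_scope(self):
        """Every role with an entry on this item or on any ancestor."""
        roles, node = set(), self
        while node is not None:
            roles |= set(node.explicit)
            node = node.parent
        return roles

    def disable_inheritance(self, copy):
        """Copy keeps inherited entries as non-inherited ones; Remove drops them."""
        if copy:
            for role in self.roles_in_scope():
                merged = self.effective(role)
                if merged:
                    self.explicit[role] = merged
        self.inherit = False

    def replace_on_children(self):
        """Clear non-inherited entries on all descendants.

        Assumption: descendants keep their own inheritance flag; the page does
        not say whether this option changes it.
        """
        for child in self.children:
            child.explicit.clear()
            child.replace_on_children()


def snapshot(item):
    """Record the combined permissions of every role before a change."""
    return {role: item.effective(role) for role in item.roles_in_scope()}


def lost_access(item, before):
    """Permissions each role held in the snapshot but no longer holds."""
    lost = {role: perms - item.effective(role) for role, perms in before.items()}
    return {role: perms for role, perms in lost.items() if perms}


def build_tree():
    """Constructed sample tree: Policies > Software > Patch Policy."""
    root = Item("Policies", explicit={"Patch Operators": {"Read"},
                                      "Help Desk": {"Read"}})
    folder = Item("Software", parent=root,
                  explicit={"Patch Operators": {"Write"}})
    policy = Item("Patch Policy", parent=folder)
    return root, folder, policy


if __name__ == "__main__":
    root, folder, policy = build_tree()
    before = snapshot(policy)
    folder.disable_inheritance(copy=False)  # the "Remove" option
    print("lost on", policy.name, "->", lost_access(policy, before))
```

Taking a snapshot before the change and comparing afterwards is the check the Warning above calls for: any role listed by lost_access needs an explicit non-inherited entry before Remove is chosen.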
Role Selection window
The Role Selection window lets you choose a security role to add to the list of
those available in the Permissions for: Item Name window.
See “Customizing permission inheritance” on page 115.
Table 4-29
Options on the Role Selection window
Option
Description
Role list
The list of security roles that are available for selection.
Select
Adds the selected security role to the list of those available
in the Permissions for: Item Name window.
Advanced
Opens the Select Accounts or Groups window, letting you
select the appropriate user accounts.
Taking ownership of a folder or item
You can also use the Security Role Manager to take ownership of an item. This
may be required if permissions on an item are removed accidentally so that the
owner no longer has access to it. By taking ownership, you can reset the
appropriate permissions and restore access for the original owner.
To take ownership of a folder or item, you require the Take Ownership privilege
and the Full Control permission on the folder or item. The Symantec Administrator
role has this privilege, and has this permission on all items and folders.
See “About the Security Role Manager” on page 112.
See “About security role permissions” on page 107.
See “Accessing the Security Role Manager” on page 113.
See “Assigning security permissions to folders and items” on page 114.
See “Customizing permission inheritance” on page 115.
To take ownership of a folder or item
1. In the Security Role Manager, in the left pane, select the folder or item for which you want to take ownership.
2. In the right pane, click Advanced.
3. In the Permissions for: Item Name window, click Take Ownership.
4. Click Save changes.
5. Click Cancel to close the Permissions for: Item Name window.
About credential manager
Credential manager provides a secure storage location for user names and
passwords. Your installed management solutions define the types of credentials
that the credential manager stores.
See “About security role permissions” on page 107.
See “Credential Manager permissions” on page 112.
Access to credentials is controlled with the built-in role-based security of the
Symantec Management Platform. When a credential is created, only the creator
is granted access. If other users need to perform a management operation that
requires a credential, then they must be assigned the rights.
See “Creating a credential” on page 118.
Before you delete a credential, make sure that the credential is not required as
part of an active management task.
See “Editing a credential” on page 119.
Creating a credential
Management solutions typically create credentials when they are needed to
perform a task. To define a credential manually, you need to know the credential
type that is used and the information that is required for that credential type.
See “About credential manager” on page 118.
When a credential is created, only the creator is granted access. Additional users
and groups are assigned access by editing the credential after it is created.
To create a credential
1. In the Symantec Management Console, on the Settings menu, click All Settings.
2. In the left pane, click Monitoring and Alerting > Credential Settings > Credentials Management.
3. In the right pane, click Add Credentials.
4. In the Add Credential dialog box, select a credential type and then provide the required values.
5. Click OK.
Editing a credential
Editing a credential lets you update the password and lets you grant access to
additional users and groups.
See “About credential manager” on page 118.
To edit a credential
1. In the Symantec Management Console, on the Settings menu, click All Settings.
2. In the left pane, click Monitoring and Alerting > Credential Settings > Credentials Management.
3. In the right pane, select a credential and then click Edit.
4. In the Edit Credential dialog box, update the credential, and then click OK to save your changes.
Chapter 5
Configuring schedules
This chapter includes the following topics:
■ About Symantec Management Platform schedules
■ Managing shared schedules
■ Configuring a schedule
■ Viewing the Notification Server internal schedule calendar
About Symantec Management Platform schedules
Symantec Management Platform schedules let you perform both once-off and
repeating operations on the Notification Server computer and the managed
computers at appropriate times, without requiring manual intervention. For
example, resource filters need to be updated frequently, the CMDB needs to be
purged regularly, and packages must be refreshed at appropriate intervals. All of
these tasks should be scheduled to run at whatever times and frequencies best
suit the needs of your organization.
See “Viewing the Notification Server internal schedule calendar” on page 128.
See “How Symantec Management Platform uses schedules” on page 125.
Symantec Management Platform uses two types of schedules:
Shared
These are defined on Notification Server as shared items that are
available for any scheduled operation to use.
See “Managing shared schedules” on page 126.
Custom
These are configured independently within each task, policy, or rule
that is scheduled. They cannot be shared with any other tasks, policies,
or rules.
Table 5-1
Components of a schedule
Component
Description
Active period and time zone
The active period and time zone define the time period within
which a schedule may occur.
See “About schedule active periods and time zones” on page 122.
Triggers
A trigger is an event that causes the schedule to become active.
A trigger may be a specific time and date, or an event such as a
user logging on to a computer. Triggers control when the schedule
occurs and repeats. If a schedule contains multiple triggers, it
runs each time that any one of its triggers occurs.
See “About schedule triggers” on page 122.
Modifiers
Modifiers are the additional conditions that are required for the
schedule to be triggered.
See “About schedule modifiers” on page 124.
About schedule active periods and time zones
A schedule may occur only within its active period.
See “About Symantec Management Platform schedules” on page 121.
All schedules, triggers, and modifiers have the following properties:
Time Zone
The time zone in which the task is scheduled to run. The time
zone may be Local, Server, or UTC.
Start Date
The date and time when the schedule's active period begins. A
schedule cannot be triggered before its start date.
End Date
The date and time when the schedule's active period ends. If the
end date is not specified, the schedule remains active indefinitely.
A schedule cannot be triggered after its end date.
A schedule cannot run outside its active period. This applies even if the schedule
was triggered within its active period, but was prevented from running at that
time by a modifier.
About schedule triggers
A trigger is an event that causes the schedule to become active.
See “About Symantec Management Platform schedules” on page 121.
Table 5-2
Schedule triggers
Trigger
Description
Once
The task occurs at a specified date and time.
Daily
The task recurs on a daily basis. The frequency can be
specified to be a particular number of days. For example, a
task can be scheduled every second day.
Weekly
The task recurs on a weekly basis. The day of the week can
be specified, as can the frequency of the weeks.
Monthly by date
The task recurs on specified dates of the month.
Monthly by day of week
The task recurs on specified days of the week, in specified
weeks.
Yearly by date of month
The task recurs on specified dates of the month, in specified
months.
Yearly by day of week
The task recurs on specified days of the week, in specified
weeks, in specified months.
At system startup
The task recurs at system startup.
At user logon
The task recurs whenever a user logs on.
Schedule triggers may have the following properties:
Table 5-3
Schedule trigger properties
Property
Description
Exact
Determines the behavior when a scheduled task cannot be performed at the exact time at which it is scheduled:
■ True - Perform the scheduled task at the exact time, or not at all.
If the conditions are such that the task cannot be performed at the exact scheduled time, the scheduled task is not performed.
■ False - Perform the scheduled task at the exact time, or as soon as possible afterwards.
If the task cannot be performed at the exact time for any reason, it is performed as soon as possible after the scheduled time. For example, a task is scheduled to run every night at 2:00 A.M., but the computer is always off at that time. The Exact setting lets you run the task whenever the computer is turned on after that time.
This property applies to logon, startup, and other events, as well as specified times.
Duration
The length of time that the schedule is active. The duration
may be up to 24 hours.
Repetition
The interval at which the task should be repeated during
the schedule's active period. The repetition interval may be
up to 24 hours.
About schedule modifiers
A schedule may contain one or more modifiers. Modifiers are the conditions that
must be true to enable any of the triggers to start the schedule. All of the modifiers
apply to all of the triggers.
See “About Symantec Management Platform schedules” on page 121.
Table 5-4
Schedule modifiers
Modifier
Description
Only when a user is logged on
When the trigger occurs on a target computer, the Symantec
Management Agent on that computer checks to ensure that
a user is logged on before it runs the schedule. If no user is
logged on, the schedule is not run on that computer.
Only when no user is logged on
When the trigger occurs, the target computer is checked to
ensure that no user is logged on. If a user is logged on, the
schedule is not run on that computer.
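The following Python model is an added example, not part of the product or of this guide. It combines the active period, the Exact property, and the logon modifiers to decide when one trigger occurrence actually runs, using the 2:00 A.M. case from Table 5-3. It assumes that, with Exact set to False, a run that is blocked by power state or by a modifier is retried at the next recorded state change; the dates and the agent timeline are constructed.

```python
# Added illustration: a model of the schedule rules above, not Symantec code.
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class Schedule:
    start: datetime                      # Start Date of the active period
    end: Optional[datetime]              # End Date; None = active indefinitely
    exact: bool                          # Exact trigger property
    require_user: Optional[bool] = None  # True/False = logon modifiers, None = no modifier


def in_active_period(s, t):
    """A schedule may occur only between its start date and its end date."""
    return t >= s.start and (s.end is None or t <= s.end)


def state_at(timeline, t):
    """Last recorded (powered_on, user_logged_on) state at or before t."""
    state = (False, False)
    for when, powered_on, user in sorted(timeline):
        if when <= t:
            state = (powered_on, user)
    return state


def can_run(s, powered_on, user):
    """The computer must be on and every modifier must hold."""
    if not powered_on:
        return False
    return s.require_user is None or user == s.require_user


def run_time(s, trigger_at, timeline):
    """Return when the task runs for one trigger occurrence, or None if never."""
    later = sorted(when for when, _, _ in timeline if when > trigger_at)
    for t in [trigger_at] + later:
        if not in_active_period(s, t):
            return None   # never outside the active period, even if only delayed
        if can_run(s, *state_at(timeline, t)):
            return t
        if s.exact:
            return None   # Exact = True: at the exact time or not at all
    return None


# Constructed agent timeline: (time, powered_on, user_logged_on)
TIMELINE = [
    (datetime(2012, 3, 5, 18, 0), False, False),   # shut down in the evening
    (datetime(2012, 3, 6, 8, 30), True, False),    # powered on, nobody logged on
    (datetime(2012, 3, 6, 9, 5), True, True),      # a user logs on
]
TRIGGER = datetime(2012, 3, 6, 2, 0)               # nightly 2:00 A.M. trigger
START = datetime(2012, 3, 1)

if __name__ == "__main__":
    for label, sched in [
        ("Exact=False", Schedule(START, None, exact=False)),
        ("Exact=True", Schedule(START, None, exact=True)),
        ("ends 06:00", Schedule(START, datetime(2012, 3, 6, 6, 0), exact=False)),
        ("user required", Schedule(START, None, exact=False, require_user=True)),
    ]:
        print(label, "->", run_time(sched, TRIGGER, TIMELINE))
```

The third case is the one to watch when scheduling a patch rollout: an end date that passes while the computer is off means the delayed run is dropped rather than performed late.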
How Symantec Management Platform uses schedules
Symantec Management Platform uses schedules for tasks and policies.
See “About Symantec Management Platform schedules” on page 121.
Table 5-5 describes how Symantec Management Platform uses schedules.
Table 5-5
Schedule uses
Use
Description
Scheduling server tasks and server policies
Many Symantec Management Platform operations are scheduled to occur at regular
intervals. Some of these operations need to be performed frequently, such as
updating the membership of resource groups and filters. Others may be less frequent,
such as purging old records from the CMDB.
These schedules are usually configured to repeat at regular intervals, and they remain
active for an indefinite period.
Scheduling agent tasks
Schedules may be used when you want to perform operations on managed computers.
For example, rolling out a patch to fix a vulnerability in an application or gathering
inventory for compliance purposes. You would usually want to perform the operation
as soon as possible, and you would want to perform it one time only.
You can schedule agent tasks to run:
■ Immediately
■ Immediately, if a maintenance window is open
■ The next time a user logs on to the computer
■ The next time the computer is started.
On some occasions you may want to schedule the operation to take place at a specific
date and time. For example, 9:00 P.M. next Sunday evening, to ensure that it does
not interfere with the user's ability to work.
On rare occasions you may need to schedule a task to repeat. However, a repeating
operation would usually be considered a task-based policy.
Scheduling agent policies
An agent policy is a statement about how a computer should be managed.
For example, an agent policy may do the following:
■ Disallow software from being run
■ Require software to be installed
■ Require that inventory information about a computer be no older than N days
To function correctly, some agent policies need to be scheduled to run at appropriate
intervals. For example, a software compliance policy needs to periodically check that
the computer is in compliance, and perform the appropriate remediation if it is not.
Likewise, an inventory policy needs to ensure that the inventory data is current.
These schedules are usually recurring schedules with a possible repetition during
the working day. Agent policies are often scheduled to run when the computer starts
up, or when a user logs on. When you set up these schedules, you also need to consider
how they interact with the maintenance windows that are configured on the managed
computers.
See “Configuring the global agent settings” on page 342.
See “Configuring the targeted agent settings” on page 348.
Scheduling agent maintenance windows
A maintenance window schedule is essentially a recurring schedule that has a
duration. You do not need to schedule maintenance windows using computer startup,
user logon, or other events. Maintenance windows have no need for any repetition
during the working day.
See “About maintenance windows for managed computers” on page 361.
Managing shared schedules
Any number of scheduled items (such as policies, tasks, or replication rules) may
use a shared schedule. The alternative to using a shared schedule is to define a
custom schedule within the policy or task.
See “About Symantec Management Platform schedules” on page 121.
Shared schedules cannot override maintenance windows. If you want a scheduled
item to run outside a maintenance window, you need to configure the appropriate
custom schedule.
A set of default shared schedules is supplied with Symantec Management Platform.
You can modify these to suit your requirements, but you cannot delete them. For
example, you can configure the business hours schedule to run at regular intervals
during your normal working hours. You may configure the package refresh
schedule to run at a suitable time outside working hours. You can also create any
new shared schedules that you require and delete them when they are no longer
required.
You can enable or disable each shared schedule as appropriate. All enabled shared
schedules are available to any scheduled item. If you disable a shared schedule,
any scheduled item that uses the schedule is disabled.
See “About maintenance windows for managed computers” on page 361.
See “Viewing the Notification Server internal schedule calendar” on page 128.
To manage shared schedules
1. In the Symantec Management Console, on the Settings menu, click Notification Server > Shared Schedules.
2. In the Shared Schedules page, do any of the following:
To add a new schedule
Click Add Schedule and then, in the Schedule Editor, specify the appropriate details.
See “Configuring a schedule” on page 127.
To edit a schedule
Click the schedule name and then, in the Schedule Editor, specify the appropriate details.
See “Configuring a schedule” on page 127.
To enable a schedule
Check the appropriate check box. If you want to disable the schedule, clear the check box.
To delete a schedule
At the right end of the appropriate row, click Delete.
To see which items currently use a schedule
In the Items Currently Using drop-down list, select the appropriate schedule.
The names of all the items (such as tasks, policies, and replication rules) that use the selected schedule are shown in the lower panel.
Configuring a schedule
The Schedule Editor lets you configure a schedule to suit your requirements.
See “About Symantec Management Platform schedules” on page 121.
See “Managing shared schedules” on page 126.
To configure a schedule
1. In the Schedule Editor window, in the Name box, type the schedule name.
2. Under Schedule Task, select the schedule frequency or trigger.
3. In the Details tab, specify the schedule start time, and the days, weeks, or months on which to run.
4. If you want the schedule to be active for a particular range of dates, in the Advanced tab, specify the appropriate start and end dates.
By default a new schedule is active as soon as it is created (from the current date). The schedule remains active indefinitely (no end date is specified).
5. If you want the schedule to repeat a task at regular intervals each time the schedule runs, in the Advanced tab, check Repeat Task.
Specify the appropriate frequency and duration.
6. If you want this schedule to contain multiple schedules, check Use Multiple Schedules.
7. For each additional schedule that you want to add to this schedule, click New, and then complete steps 2 to 5.
8. If you want to remove a schedule, in the Will Occur drop-down list, select the appropriate schedule and then click Delete.
9. Click OK.
Viewing the Notification Server internal schedule calendar
You can view Notification Server schedule information in the Notification Server
internal schedule calendar. The scheduled items that you can view in the Calendar
include tasks running on Notification Server, policies, and automation policies.
They also include shared schedules, blockout periods, maintenance windows, and
Notification Server internal schedules. Symantec solutions may add additional
scheduled items to the calendar.
See “About Symantec Management Platform schedules” on page 121.
The following types of scheduled items are displayed:
Period items
These define only a start time, and run for an indefinite period.
Examples include maintenance windows, blockout periods, and shared
schedules.
Event items
These have a defined end time. Examples include tasks, jobs, custom
schedules, and policies.
Note that policies are not always run at the times that are shown in
the calendar. Policies are not as deterministic as tasks, so may be
subject to delay. Tasks and jobs are always run at the times that are
shown in the calendar.
The Calendar view lets you see what schedules are configured for particular time
periods, such as specific days, weeks, or months. In both the Week view and the
Month view, you can click a particular day to open the Day view for that day.
Some scheduled items use shared schedules, rather than define their own
schedules. Shared schedule relationships are represented in the left pane of the
Day view. The scheduled items are grouped under the shared schedule to which
they refer.
Each schedule has an associated symbol that links it to the appropriate
configuration page, if one is available. You can click the symbol to drill down to
the configuration page, which opens in a new window. If no configuration page
is available for a schedule, the default calendar symbol is used and no drill-down
functionality exists.
See “Managing shared schedules” on page 126.
See “Configuring a schedule” on page 127.
To view the Notification Server schedule calendar
1. In the Symantec Management Console, in the Settings menu, click All Settings.
2. In the left pane, expand Settings > Notification Server and then click Internal Schedules Calendar.
3. On the Calendar View for Internal NS Schedules page, in the View drop-down list, select the view that you want to use:
Automation Policies
Shows the details of automation policies only.
Tasks/jobs
Shows the details of scheduled tasks and jobs only.
Shared schedules
Shows the details of shared schedules only.
Internal NS schedules
Shows the details of internal Notification Server schedules only.
All server schedules
Shows the details of all schedules.
4. Select the time period that you want to view by clicking the appropriate symbol:
Day
Shows the details of each schedule that runs one or more times per day. The schedules are listed in order of their start times. The left pane lists the schedules, and the right pane shows their occurrences in the calendar. Day view is the default view.
Each occurrence of a period item is displayed as a diamond. Each occurrence of an event item is normally displayed as a bar, but those that occur with very short intervals are displayed as small diamonds. For clarity on screen, events with an interval less than 15 minutes (by default) are omitted.
The background color identifies the business hours that are defined for the organization.
Week
Shows the details of each schedule that runs less than one time per day but at least one time per week.
Month
Shows the details of each schedule that runs less than one time per week.
Period items are omitted and event items are summarized to their start times, end times, and titles.
5. To view earlier or later time periods, click Previous or Next, whichever is appropriate.
Chapter 6
Configuring site servers
This chapter includes the following topics:
■ About site services
■ About site maintenance
■ Managing sites
■ Managing site servers
■ Managing subnets
■ About configuring the site service settings
About site services
The Symantec Management Platform can host several types of middleware
components, such as package servers, task servers, and boot servers. Middleware
components can be installed on computers other than the Notification Server
computer. These services act as the first point of contact for the Symantec
Management Agents, thus reducing the load on Notification Server.
The official name for a middleware component is “site service.” Any computer
that hosts a site service is known as a site server. A site server can have one or
more site services installed on it. For example, if you install the package server
site service (the "package service") onto a computer, that computer becomes a
site server.
Site servers can assist Notification Server. Site servers can extend the architecture,
improve distribution efficiency, and reduce network bandwidth requirements.
Notification Server handles the deployment, configuration, and ongoing
maintenance of site services. Package service, task service, and the boot service
provide the Symantec Management Agents with packages, tasks, and PXE
broadcasts.
Notification Server performs the following functions for site management:
■ Handles the deployment and removal of site services to and from site servers
■ Ensures that the site service is installed only on the computers that satisfy the minimum system requirements
You use site maintenance to create logical groups of endpoints to balance the load
on site servers. For example, you can distribute packages efficiently to your
Symantec Management Agents with multiple package servers. The package servers
handle most of the package distribution functions, which frees up Notification
Server to perform other activities.
See “About site maintenance” on page 132.
About site maintenance
Site maintenance is the management of sites, subnets, and site services in your
organization. You can manage your computers according to site and subnet, which
lets you control groups of computers while you minimize bandwidth consumption.
A site is typically a physical location in your organization (such as a particular
building, or a level of a building). A subnet is a range of logical addresses on your
network.
Under normal operating conditions, each package server or task server services
only the Symantec Management Agents that exist within the assigned sites. If no
sites have been defined, all site servers are available to service all Symantec
Management Agents (although this method is not recommended).
If no sites are defined for a package server or a task server, Notification Server
uses the following rules:
■ Notification Server first tries to find any site servers on the same subnet as
  the requesting computer. If any are found, these site servers are returned to
  the Symantec Management Agent.
■ If no site servers are in the same subnet as the requesting computer, all site
  servers are returned to the Symantec Management Agent.
■ If no site servers are available, the agent is directed to the Notification Server
  computer.
You can assign site servers to sites by using the following methods:
■ Assign the subnet that contains the site server to a site.
  See “Managing subnets” on page 141.
■ Assign the site server to a site.
  See “Assigning a site server to a site manually” on page 140.
■ Use Connector for Active Directory to perform the task.
  Connector for Active Directory overrides any subnets and sites that conflict
  with it. For example, if you manually assign subnets to a site that conflicts
  with what is in Connector for Active Directory, the Active Directory information
  is used.
After the list of available site servers is returned to the Symantec Management
Agent, the agent chooses the most suitable site server.
Site servers and managed computers may have multiple NICs and IP addresses;
therefore, they may belong to more than one site through subnet assignment.
See “About site services” on page 131.
See “Managing sites” on page 133.
See “Managing site servers” on page 137.
See “Managing subnets” on page 141.
Managing sites
You need to set up all the sites that you require in your organization. You can run
a site import rule to automatically collect the site information for your organization
from Active Directory. You can also create sites manually and assign the
appropriate subnets and site servers to them.
To manage sites
1. In the Symantec Management Console, on the Settings menu, click
   Notification Server > Site Server Settings.
2. Configure the sites to suit your requirements.
   You can do any of the following:
   Create a new site
       In the left pane, click New > Site.
       See “Creating a new site” on page 135.
   Modify a site
       In the left pane, select the site that you want to modify, and
       then click Configure.
       See “Modifying a site” on page 135.
   Delete a site
       In the left pane, select the site that you want to delete, and
       then click Del.
       Any subnets that are assigned to the site are not deleted.
       They become unassigned and may be assigned to a different
       site. Any site servers inside the affected subnets are not used
       until they are assigned to a different site.
   Remove a manually assigned site server from a site
       In the left pane, under the site server, select the site that you
       want to remove, and then click Del.
       The site server is not affected, and it continues to serve any
       other sites to which it is assigned. This option applies only
       to the site servers that are manually assigned to sites. A site
       server that belongs to a site through its subnet membership
       cannot be removed from that site.
   Remove a subnet from a site
       In the left pane, under the site, select the subnet that you
       want to delete, and then click Del.
       Deleting a subnet makes the subnet unassigned to any site.
       Any encompassed subnets that are not manually assigned
       to a site also become unassigned. Any site servers on the
       subnet, or the encompassed subnets, no longer serve the site.
       However, they continue to serve any sites to which they are
       manually assigned.
   Manage manually assigned agents
       You can assign agents to a site and remove any that you no
       longer require.
       See “Managing manually assigned agents” on page 136.
Creating a new site
You can create sites manually. When you create a site, you can assign the
appropriate subnets to the site immediately. If you create a new site from the
context of a subnet, then the subnet is assigned to the new site by default. If you
create a site from the context of a site server, then that site server is manually
assigned to the new site by default.
To create a new site
1. In the Symantec Management Console, on the Settings menu, click
   Notification Server > Site Server Settings.
2. In the left pane, click New > Site.
3. In the New Site window, in the Name box, type the new site name.
4. If you want to assign subnets to the site immediately, specify the appropriate
   subnets by doing one or more of the following:
   Click Add.
       Add a new subnet and assign it to the site.
       See “Creating a new subnet” on page 142.
   Click Edit.
       Assign existing subnets to the site.
       In the Select Subnets window, select the appropriate subnets,
       and then click OK.
   Click Delete.
       Remove the selected subnets from the list of those to be
       assigned to the site.
5. Click OK.
Modifying a site
You can modify existing sites as required. You can change the site name, the
subnets that are assigned to it, and the site services that are installed on its site
servers.
To modify a site
1. In the Symantec Management Console, on the Settings menu, click
   Notification Server > Site Server Settings.
2. In the left pane, select the site that you want to modify.
3. Click Configure.
4. If you want to modify the site servers that are manually assigned to the site,
   in the Add/Remove Services window, make the appropriate selections.
   Adding or removing services manually does not affect site servers that are
   assigned to the site by subnet IP address encompassment.
5. If you want to change the site name, in the Edit Site window, in the Name
   box, type the new name.
6. If you want to change the subnets that are assigned to the site, specify the
   appropriate subnets by doing one or more of the following:
   Click Add.
       Add a new subnet and assign it to the site.
       See “Creating a new subnet” on page 142.
   Click Edit.
       Assign existing subnets to the site.
       In the Select Subnets window, select the appropriate subnets,
       and then click OK.
   Click Delete.
       Remove the selected subnets from the list of those to be
       assigned to the site.
7. When the subnet list is complete, click OK.
8. Click OK.
Managing manually assigned agents
A manually assigned agent is a computer that has been manually assigned to a
site rather than assigned through its subnet. You may want to manually assign
particular computers to a site to break away from the subnet assignment. You
can manually assign new agents to a site by assigning the relevant resource targets
to the site. You can remove any agents that you don’t want in the site by assigning
the appropriate resource targets to a different site.
Note: When the manually assigned agent is a Task Server, the change does not
formalize unless you reset the Symantec Management Agent on the computer.
One way to reset the Symantec Management Agent is to click Reset Agent in the
Task Status tab in the Symantec Management Agent. Another way is to run the
Reset Task Agent task on the computer.
See “Reset task agent page” on page 476.
To manage manually assigned agents
1. In the Symantec Management Console, on the Settings menu, click
   Notification Server > Site Server Settings.
2. In the left pane, expand the site or site server that you want to modify, and
   then click Manually Assigned Agents.
3. On the Manually Assigned Agents page, do any of the following:
   Add manually assigned agents to a site
       Click New and then, in the Select a group window,
       select or create the appropriate resource targets.
       See “Selecting named resource targets” on page 419.
   Reassign manually assigned agents to another site
       This option is available only under the Site node, not
       the Site Services node.
       Select the appropriate resource targets, and then click
       Assign to Site.
       In the Select a site window, select the appropriate site,
       and then click OK.
   Remove manually assigned agents from a site
       Select the appropriate resource targets, and then click
       Delete.
Managing site servers
You need to create all the site servers that you require in your organization and
assign them to the appropriate sites. You can also modify existing site servers by
adding or removing site services.
See “About site services” on page 131.
When a site server is selected, the Site Services page shows statistics for each site
service that is installed on it. The collapsed view shows summary details, while
the expanded view opens a pane for each site service that shows full details and
graphical information. Each site service pane also includes a link to the
corresponding global settings configuration page.
See “About package service settings” on page 144.
The title bar for each site service contains a symbol that shows its current status:
Green
    The service is installed and running on the site server.
Yellow
    The service is not currently installed on the site server.
Orange
    The service is in a warning state.
Red
    The service is unusable. A package is invalid.
To manage site servers
1. In the Symantec Management Console, on the Settings menu, click
   Notification Server > Site Server Settings.
2. Configure the site servers to suit your requirements.
   You can do any of the following:
   Create a site server
       In the left pane, click New > Site Server.
       See “Creating and modifying site servers” on page 139.
   Modify a site server
       In the left pane, select the site server that you want to modify,
       and then click Configure.
       See “Creating and modifying site servers” on page 139.
   Manually assign a site server to a site
       Select the appropriate site server, and then click Assign to
       Site.
       See “Assigning a site server to a site manually” on page 140.
   Remove a manually assigned site server from a site
       In the left pane, under the site server, select the site that you
       want to remove, and then click Del.
       The site server is not affected, and it continues to serve any
       other sites to which it is assigned. This option applies only
       to the site servers that are manually assigned to sites. A site
       server that belongs to a site through its subnet membership
       cannot be removed from that site.
Preparing a Windows 2008 R2/7 computer with IIS 7.0 for use as a site server
Site services such as task service and package service require certain conditions
to be met to work correctly on IIS 7.0. You must therefore perform the following
steps before you install a site server on a computer that runs Windows 2008 R2/7.
The steps should be performed on the target computer.
See “Creating and modifying site servers” on page 139.
See “Managing site servers” on page 137.
To prepare a Windows 2008 R2 computer with IIS 7.0 for use as a site server
1. In Windows on the Start menu, click Administrative Tools > Server Manager.
2. On the Server Manager page, in the left pane click Roles.
3. On the Roles page, click Add Roles.
4. In the Add Roles Wizard dialog box, check the Web Server (IIS) checkbox,
   and then click Next.
5. Under Select Role Services make sure that you check IIS 6 Compatibility,
   ASP.NET, ASP and Windows Authentication Role Services.
6. Click Next, and then click Install, and after installation is completed, click
   Close.
7. On the Server Manager page, in the left pane click Features.
   On the Features page, click Add Features.
8. In the Select Features dialog box, check the .Net Framework 3.5 checkbox.
9. Click Next and follow the steps in the wizard to completion.
To prepare a Windows 7 computer with IIS 7.0 for use as a site server
1. In Windows on the Start menu, click Control Panel.
2. In the Control Panel window click Programs > Programs and Features.
   In the left pane, click Turn Windows features on or off.
3. In the Windows Features dialog box, check the Internet Information Services
   and Microsoft .Net Framework 3.5 checkboxes.
Creating and modifying site servers
You can create the site servers that you require by selecting the computers that
you want to use and specifying the site services that you want to install on each.
You can modify existing site servers by adding or removing site services.
Notification Server deploys the appropriate installation packages to the selected
computers, and removes any that are no longer required. The changes are made
when the Symantec Management Agents on the target computers make their next
configuration request, so it may not happen immediately.
See “Preparing a Windows 2008 R2/7 computer with IIS 7.0 for use as a site server”
on page 138.
See “About site services” on page 131.
See “Managing site servers” on page 137.
To create and modify site servers
1. In the Symantec Management Console, on the Settings menu, click
   Notification Server > Site Server Settings.
2. Do one of the following:
   Create a new site server
       1. In the left pane, click New > Site Server.
       2. In the Select Computers window, select the computers
          to which you want to add site services.
          The list in the left panel contains all the computers that
          are available to be used as site servers. When you install
          the Symantec Management Platform, you need to allow
          a few minutes for the system to populate this list.
       3. Click OK to confirm your selection.
   Modify a site server
       1. In the Detailed Information table, ensure that the Site
          Servers view is selected, and then select the appropriate
          site server.
       2. Click the Edit symbol.
3. In the Add/Remove Services window, check the appropriate check boxes to
   select the site services that you want to install on each computer.
   All of the available site services are listed under each computer, allowing you
   to select any combination of services for each computer. The check boxes for
   any service types that are not allowed to be installed on a particular computer
   are grayed out. You can group the list by site servers or by services. Selecting
   a parent node on the list selects all of its children.
   If any check box is already checked, that indicates the corresponding site
   service is already installed. If you want to remove it, uncheck the check box.
4. Click Next.
   The installation and uninstallation actions that you have specified are
   displayed. If necessary, click Back to return to the previous page and change
   your selection.
5. Click OK.
Assigning a site server to a site manually
Site servers automatically serve the site to which their parent subnet is assigned.
Site servers may have multiple NICs/IPs and be in more than one subnet, and can
therefore belong to more than one site. You can also manually assign each site
server to one or more other sites. The Manually Assigned column in the Detailed
Information table indicates whether the site server is manually assigned to the
site.
See “Managing site servers” on page 137.
When you manually assign a site server to a site, only the site server is assigned
to the selected site. The subnet to which the site server belongs is not affected.
To assign a site server to a site manually
1. In the Symantec Management Console, on the Settings menu, click
   Notification Server > Site Server Settings.
2. In the Detailed Information table, ensure that the Site Server view is selected,
   and then select the appropriate site servers.
3. Click Assign to Site.
4. In the Select a Site window, select the site to which you want to assign the
   site server.
5. Click OK.
Managing subnets
You need to create all the subnets in your organization and assign them to the
appropriate sites. You can resynchronize subnets when necessary and delete any
subnets that no longer exist.
Subnets can be determined from basic inventory data, imported from Active
Directory, or added manually. You can run a subnet import rule to automatically
collect the subnet information from Active Directory.
Subnets are always suffixed with the number of bits that are set in the network
mask, for example, 192.168.0.0/24. The subnets are always displayed in a
hierarchical tree. Resource scoping applies, so you can see only the subnets that
contain resources to which you have access.
You need to assign each subnet to the appropriate site. By default, any
encompassed subnets (a subnet whose IP range is wholly contained within another
subnet) are automatically assigned to the same site. However, you can manually
override subnet encompassment by explicitly assigning an encompassed subnet
to a different site. By default, encompassed subnets are displayed under their
parent subnets in the left pane. However, when an encompassed subnet is manually
assigned to a different site from its parent, it is displayed under the site to which
it is assigned.
Any site servers on a subnet are automatically assigned to the same site as the
subnet. This assignment is not broken if you manually assign a site server to a
different site. A site server can be manually assigned to any number of sites, in
addition to the site that it serves through its subnet assignment.
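The subnet encompassment rules above, together with the site server lookup rules listed under “About site maintenance” for the case where no sites are defined, can be modeled as follows. This is an added example, not Symantec code. The sample subnets, the server names, the notification-server placeholder, and the nearest-parent and most-specific-subnet choices are assumptions.

```python
import ipaddress

# Constructed sample data, not taken from the guide. A value of None means
# the subnet has no explicit (manual) site assignment.
SUBNET_SITE = {
    "10.0.0.0/8": "HQ",
    "10.1.0.0/16": None,      # encompassed by 10.0.0.0/8
    "10.1.5.0/24": "Lab",     # encompassed, explicitly assigned elsewhere
    "192.168.0.0/24": None,   # no parent and no assignment
}

NOTIFICATION_SERVER = "notification-server"  # placeholder name (assumption)


def effective_site(subnet, subnet_site):
    """Return the site a subnet belongs to, or None if it is unassigned."""
    if subnet_site.get(subnet):
        return subnet_site[subnet]          # explicit assignment wins
    net = ipaddress.ip_network(subnet)
    parents = []
    for other in subnet_site:
        other_net = ipaddress.ip_network(other)
        if other_net != net and net.subnet_of(other_net):
            parents.append(other_net)
    # Assumption: with several nesting levels, the closest parent that has
    # a site decides. The guide describes a single parent/child level.
    for parent in sorted(parents, key=lambda p: p.prefixlen, reverse=True):
        if subnet_site.get(str(parent)):
            return subnet_site[str(parent)]
    return None


def home_subnet(ip, subnets):
    """Most specific known subnet that contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    matches = [s for s in subnets if addr in ipaddress.ip_network(s)]
    return max(matches,
               key=lambda s: ipaddress.ip_network(s).prefixlen,
               default=None)


def sites_served(server_ips, manual_sites, subnet_site):
    """Sites a site server serves: one per NIC subnet, plus manual ones."""
    sites = set(manual_sites)               # manual assignments are additive
    for ip in server_ips:                   # one entry per NIC address
        subnet = home_subnet(ip, subnet_site)
        site = effective_site(subnet, subnet_site) if subnet else None
        if site:
            sites.add(site)
    return sites


def servers_when_no_sites_defined(agent_ips, servers, subnets):
    """Apply the three lookup rules used when no sites are defined.

    servers maps a site server name to the list of its IP addresses.
    """
    if not servers:
        return [NOTIFICATION_SERVER]        # rule 3: no site servers at all
    agent_subnets = {home_subnet(ip, subnets) for ip in agent_ips} - {None}
    same_subnet = sorted(
        name for name, ips in servers.items()
        if agent_subnets & {home_subnet(ip, subnets) for ip in ips}
    )
    # Rule 1: servers on the agent's subnet; rule 2: otherwise all servers.
    return same_subnet or sorted(servers)
```

A server with one NIC in 10.1.5.0/24 and another in 192.168.0.0/24 serves only Lab through its subnets here, because the second subnet is unassigned.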
To manage subnets
1. In the Symantec Management Console, on the Settings menu, click
   Notification Server > Site Server Settings.
2. Configure the subnets to suit your requirements.
   You can do any of the following:
   Create a new subnet
       In the left pane, click New > Subnet.
       See “Creating a new subnet” on page 142.
   Delete a subnet
       In the left pane, select the subnet that you want to delete,
       and then click Del.
       If you delete a subnet that you created manually, it is deleted
       permanently. However, any subnets that were imported from
       basic inventory or from Active Directory are restored when
       the data is refreshed.
   Assign a subnet to a site
       On the Subnets page, select the appropriate subnet, and then
       click Assign to Site.
       In the Site Selection window, select the site to which you
       want to assign the subnet.
   Resynchronize subnets
       On the Subnets page, click Re-synchronize Subnets.
       Notification Server refers to the CMDB for the current subnet
       information. It reads the subnet assignment that is included
       in the results of the latest Agent Inventory scan. Notification
       Server then updates the list of subnets accordingly.
Creating a new subnet
You can create new subnets manually and assign them to the appropriate sites.
See “Managing subnets” on page 141.
To create a new subnet
1. In the Symantec Management Console, on the Settings menu, click
   Notification Server > Site Server Settings.
2. In the left pane, click New > Subnet.
3. In the New Subnet dialog, specify the appropriate details:
   Subnet
       The subnet network address.
   Subnet mask
       When you press Tab or click in this box after typing the
       subnet network address, a mask is automatically selected
       according to the following rules:
       ■ The system examines the first octet of an IPv4 address
         to determine if it is a class A, B, or C subnet. It then selects
         the appropriate default mask.
       ■ If the network address is more specific (that is, it has more
         non-zero octets) than allowed for that class, then additional
         bytes are set in the default mask.
       ■ If the address is not in a recognized format, or the last
         octet is non-zero, then no default mask is suggested.
       You can edit the default mask manually if necessary.
       However, once you have manually edited the subnet mask,
       updating the network address in the Subnet box no longer
       updates the mask.
   Assign to site
       The site to which you want to assign the new subnet.
       If you don’t want to assign the subnet to a site, select
       Unassigned.
4. Click OK.
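The default mask rules described for the Subnet mask box can be expressed as the following added Python example, which is not Symantec code. The function names are hypothetical. Returning no suggestion for first octets of 224 and above, and treating octets with leading zeros as an unrecognized format, are assumptions, because the guide names only classes A, B, and C.

```python
import ipaddress


def suggest_default_mask(address):
    """Return the suggested dotted mask for a network address, or None.

    Follows the three rules in the guide: classful default from the first
    octet, extra mask bytes when the address is more specific than its
    class, and no suggestion for malformed input or a non-zero last octet.
    """
    parts = address.strip().split(".")
    if len(parts) != 4:
        return None                          # not a dotted quad
    for p in parts:
        if not (p.isascii() and p.isdigit()):
            return None                      # not a recognized format
        if p != "0" and p.startswith("0"):
            return None                      # leading zeros (assumption)
    octets = [int(p) for p in parts]
    if any(o > 255 for o in octets):
        return None
    if octets[3] != 0:
        return None                          # last octet must be zero

    first = octets[0]
    if first < 128:
        class_bytes = 1                      # class A: 255.0.0.0
    elif first < 192:
        class_bytes = 2                      # class B: 255.255.0.0
    elif first < 224:
        class_bytes = 3                      # class C: 255.255.255.0
    else:
        return None                          # class D/E (assumption)

    # Extend the mask so that it covers the last non-zero octet.
    last_nonzero = max((i for i, o in enumerate(octets) if o), default=0)
    mask_bytes = max(class_bytes, last_nonzero + 1)
    return ".".join(["255"] * mask_bytes + ["0"] * (4 - mask_bytes))


def subnet_label(address):
    """Return the subnet with its bit-count suffix, or None.

    The suffix is the number of bits set in the suggested mask, the same
    notation the guide uses for 192.168.0.0/24.
    """
    mask = suggest_default_mask(address)
    if mask is None:
        return None
    return str(ipaddress.ip_network(f"{address.strip()}/{mask}"))
```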
About configuring the site service settings
The site service settings are usually global default settings. Any changes that you
make to the settings for a particular site service type are applied to all site services
of that type. However, some site service types may have settings that can be
configured on individual services, overriding the global defaults. For example,
each package server can be configured as Constrained or Unconstrained, overriding
the default setting.
You can view and modify the global settings for each site service. Each site service,
such as package servers, has a page that lets you edit its global settings.
In the left pane, each installed service is shown underneath each site server. The
corresponding page shows the service summary for the site server. The panel is
expanded by default, rather than collapsed for statistics as on the Site Server
page. The Change Settings link lets you edit the global settings for that service
type.
For many services, the summary information that is shown here may be the same
as the summary information expandable on the Site Server page. However, the
Symantec Management Platform allows a service to provide a different control
in this context, if appropriate. For example, if there is a full page of data available,
it is displayed on the site service page. A condensed data set is displayed on the
Site Server page.
See “About package service settings” on page 144.
See “Configuring package service settings” on page 148.
See “About task service settings” on page 148.
See “Configuring task service settings” on page 149.
See topics about monitor service in the Monitor Solution User Guide.
About package service settings
The Package Service Settings page contains the global package service settings.
These settings are applied to all package services that are installed on site servers
in your Symantec Management Platform environment.
See “Configuring package service settings” on page 148.
See “About configuring the site service settings” on page 143.
Table 6-1 Global package service settings
Setting
    Description
Package File Settings
    You can delete package files if they have been unused for a specified time.
    You can choose to remove automatic site assignments for a package that has
    been unused for a specified time. This feature is activated for a package
    when you enable the Assign packages to package servers automatically with
    manual prestaging option on the Package Servers tab.
    The Remove automatic site assignments if they are unused for setting relates
    to the package delivery system as a whole, not specifically to package servers.
    A software package that is configured for automatic assignment is
    automatically assigned to a site when one of the following occurs:
    ■ An enabled task or policy that delivers the package targets one or more
      computers in the site.
    ■ A Symantec Management Agent in the site requests the package.
    An automatic assignment is flagged as unused if an agent in the site does not
    request the package within the specified time period. Unused automatic site
    assignments are removed automatically on a schedule. The site assignment is
    removed even if an enabled policy or task is still associated with the package.
    The automatic site assignment is then restored the next time an agent
    requests the package.
    See “About removing automatic site assignments” on page 147.
Published Codebase Types
    You can specify the codebase types to publish to the Symantec Management
    Platform.
    You can publish the following types:
    ■ UNC codebase
    ■ IIS hosted codebase
      This codebase can be either HTTP or HTTPS.
Security Settings
    You can allow anonymous access to package codebases. This option enables all
    packages that are downloaded to package servers to have anonymous access
    applied to the directories containing the package files. Anonymous access is
    also enabled for the directory security inside IIS for the hosted package
    server packages.
    If this feature is disabled, the Agent Connectivity Credentials are used when
    you apply security to the package server files. The Agent Connectivity
    Credentials are specified on the Authentication tab on the Global Symantec
    Management Agent Settings page; it is a global setting for all package servers
    and agents. This account usually has a lower level of rights than the
    Application Identity account, and is a dedicated account created for use on
    package servers. Any HTTP virtual directories that are mapped to packages on
    the package server then have Windows authentication enabled.
    See “Symantec Management Agent Settings – Global: Authentication tab” on
    page 346.
    Only authenticated users are allowed to download through UNC when anonymous
    access is enabled. For example, if a package server in a non-trusted domain has
    anonymous access enabled on its files and the Agent Connectivity Credential
    (ACC) account that the Symantec Management Agent uses to connect anonymously
    to the UNC source cannot be authenticated, access is denied and no download
    occurs. However, you can download through HTTP from a package server in a
    non-trusted domain by using anonymous access, because the ACC account does not
    need to be authenticated.
    You can create the ACC on package servers, provided the ACC is not a domain
    account. During this procedure, you have the option to reenable the created
    local account if it has been locked out. You can also create the ACC even if
    the package server is also a domain controller.
    Specifying a local account as the ACC facilitates the download of packages
    between non-trusted domains. A local account ensures there is always a common
    account for all agents and package servers to use, rather than using a domain
    account that all parties may not trust.
    The local ACC account is usually specified as .\<account name> or
    <account name>.
For a site to function, there must be at least one unconstrained package server
that is assigned to it. Unconstrained package servers can download packages from
the Notification Server computer or package servers outside of their site. Constrained
package servers can only operate by downloading packages from other package
servers within their site that have the packages available. You need an
unconstrained package server to collect any required packages from outside the
site. The unconstrained package server then makes the package available to all
the constrained package servers within the site.
Each package server can be configured as constrained or unconstrained, overriding
the default setting.
About removing automatic site assignments
The Package Service Settings page has a Remove automatic site assignments if
they are unused for setting. This feature is activated for a package when you
enable the Assign packages to package servers automatically with manual
prestaging option on the Package Servers tab. An automatic site assignment is
removed if an agent has not requested the package for a time period that exceeds
the Remove automatic site assignments if they are unused for setting.
See “About package service settings” on page 144.
See “About assigning packages to package servers automatically” on page 688.
If you check the option to remove automatic site assignments, site assignments
are removed even if enabled tasks or policies are associated with the package.
When a package is unassigned from a site, it is not reassigned at the next package
refresh interval, even if an enabled task or policy is associated with the package.
A package is reassigned to a site only if a Symantec Management Agent in the
site requests the package.
When a package is unassigned from a site, the package servers that hosted the
package are no longer assigned as hosts. When a package server updates its
configuration, the package is not in the list of packages that the package server
should host. The package server then marks the package for deletion. When the
package is marked for deletion, the countdown for its deletion begins. The package
is deleted when the time that is specified in Delete package files if they are unused
for on the Package Service Settings is reached.
You cannot manually remove a package’s site assignment on the package’s Package
Servers tab. If you manually remove a package’s site assignment on the package’s
Package Servers tab, the site assignment is restored when you save the changes.
You also cannot remove a package’s automatic site assignment by modifying the
policies that caused the assignment. To remove a package’s automatic site
assignment, you must use the Remove automatic site assignments if they are
unused for setting.
When you check Remove automatic site assignments if they are unused for, it
is possible for a package to not get unassigned from a site when the duration that
is specified is exceeded. This situation can occur if you used the Package Servers
by Site option to assign a package to a site and later changed this option to Package
Servers automatically with manual prestaging. Because the initial site assignment
was not automatically assigned, the option that removes automatic site
assignments does not remove it.
Note: You can check whether Notification Server considers a package to be
automatically assigned in the SWDPackageSite table of the CMDB. If the
AutoAssigned column for the package has a value of 1, the package is automatically
assigned.
Configuring package service settings
You need to configure the global package service settings. These settings are
applied to all package services that are installed on site servers in your Symantec
Management Platform.
See “About package service settings” on page 144.
See “About configuring the site service settings” on page 143.
To configure package service settings
1. In the Symantec Management Console, on the Settings menu, click
   Notification Server > Site Server Settings.
2. In the left pane, under the Settings node, expand the Package Service folder
   and then click Package Service Settings.
3. On the Package Service Settings page, configure the appropriate settings:
   To set the global package service settings
       In the Global Package Service Settings pane, make
       the necessary changes.
   To set up unconstrained package servers
       In the Constrained Package Server Selection panel,
       set up each package server by checking or unchecking
       the Constrained check box, as appropriate.
       You can use the Site drop-down list to view the
       summary information about all the package servers in
       a specific site, or all sites.
4. Click Save changes.
About task service settings
The Task Service Settings page contains the task service settings. These settings
are applied to all task services that are installed on site servers in your Symantec
Management Platform.
See “Configuring task service settings” on page 149.
Table 6-2 Task service settings
Setting
    Description
Task update interval
    The intervals when the task services download new
    and updated tasks from Notification Server.
Minimum time between tickle attempts
    The minimum amount of time between tickle
    attempts.
    The tickle server sends a packet to a task server when
    any of its client computers have a task or job to run.
    It also collects status information and sends it to the
    client computer’s Notification Server database
    (CMDB).
Maximum computers to manage per Task Server
    The maximum number of computers that each task
    server should manage.
Allow maximum computers to be exceeded. . .
    Whether a task server can manage more computers
    if no other servers are available.
Send detailed task events
    Whether to send detailed information for each task
    server event, which requires more bandwidth and
    might slow down your network’s performance.
Automatically restart services
    Whether to restart the following services when
    configuration changes are made:
    ■ Symantec Object Host Service
    ■ Client Task Data Loader
    ■ WWW Publishing
    The data loader runs on each task server. It receives
    status information from the task service and caches
    it in memory until it can be sent to the CMDB.
Network ports
    The ports to use for the Client to Task Server tickle
    option and the Server to NS tickle options.
    The ports to use for remote connections to the task
    server, data loader, and tickle server.
Configuring task service settings
You can apply task service settings to the task servers that computers, users, or
resources use. Notification Server applies these settings to the chosen task services
that are installed on the site servers in your environment.
See “About Task Management” on page 440.
See “Sequencing tasks” on page 442.
To configure task service settings
1. In the Symantec Management Console, on the Settings menu, click Notification Server > Site Server Settings.
2. In the left pane, under the Settings node, expand the Task Service > Settings folder and then click Task Service Settings.
3. On the Task Service Settings page, configure the appropriate settings.
   See “About task service settings” on page 148.
4. In the Applied To panel, click Apply to to select the computers, users, or resources to which these task service settings apply.
   See “Specifying the targets of a policy or task” on page 413.
   These settings apply to the task services that these computers, users, or resources use.
5. Click Save changes.
Chapter 7
Configuring Package Server for Linux
This chapter includes the following topics:
■ About package server for Linux
■ About integrating Apache Web Server with package server for Linux
■ About detecting the Apache Web Server
■ Requirements to configure package server and the Apache Web Server
■ Requirements to configure HTTPS and HTTP
■ Package server configuration example that uses main web directory for package server links
■ Package server configuration example using an alias for package server links
About package server for Linux
To designate a Linux computer as a package server, ensure that the computer is
running the following software:
■ Symantec Management Agent 7.1 for UNIX, Linux, and Mac
  This agent was previously known as the Altiris Agent for UNIX and Linux.
  Symantec Management Agent for UNIX, Linux, and Mac runs on a managed
  computer. That agent must match the version of the agent that is installed on
  the Notification Server computer in Symantec Management Platform. If the
  agent on the managed computer is older than the agent on Notification Server,
  upgrade it. After the agent is upgraded, the managed computer can become a
  package server.
■ Apache Web Server version 2.0 or 2.2
  See “About integrating Apache Web Server with package server for Linux”
  on page 152.
The following server platforms are supported:
■ Red Hat Enterprise Linux AS 4
■ Red Hat Enterprise Linux ES 4
■ Red Hat Enterprise Linux Server 5
■ SUSE Linux Enterprise Server 10
■ SUSE Linux Enterprise Server 11
Package server for Linux supports alternate download locations. Paths for alternate
locations are converted automatically from Windows style to UNIX style if you
include the trailing slash. For example, if you have Patch Management Solution
installed, you can change policy and package settings when rolling out patches.
In Symantec Management Console, under Settings > All Settings > Software >
Patch Management, you click a vendor settings page; for example, you would
click Red Hat Settings > Red Hat Patch Remediation Settings. When you click
the Policy and Package Settings tab, you see the Remediation Settings page for
the selected product. This is where you can check Use alternate download location
on Package Server. When you enter the alternate download location, you must
use the full Windows path. In this and similar instances, include a trailing slash
in the Windows-style path to ensure that it is converted correctly to a UNIX-style
path.
■ Correct: C:\path\
  Trailing slash means that the Windows path is converted correctly to /path/.
■ Incorrect: C:\path
  If you omit the trailing slash, the Windows path is converted incorrectly.
About integrating Apache Web Server with package server for Linux
You integrate package server for Linux with the Apache Web Server to expose
packages and Package Snapshots to Symantec Management Agent. Snapshots are
downloaded from Notification Server to Symantec Management Agent on all
supported platforms through HTTP URLs.
See “About package server for Linux” on page 151.
The packages and package snapshots are always downloaded to package server
directories. The only files that are created in the Apache Web Server are directories,
symbolic links, and .htaccess files. Symbolic links are created to the package files
and snapshot files. The .htaccess files lock down package files with passwords.
When a Linux computer becomes a package server, the agent on that computer
attempts to create two main HTTP shares.
These shares are created in the Apache Web Server virtual web space, as follows:
■ /Altiris/PS/Snapshots
■ /Altiris/PS/Packages Note /Altiris/PS
This second directory is created if required.
The Package Manifest file is not used when a package server for Linux downloads
a package for distribution. The exception is if the package is located in the same
directory for the package server for Linux and Software Delivery. All package file
permissions are set to allow Apache Web Server clients access. This access is
typically through 0x744.
Depending on the specific configuration of the Apache Web Server, directories
are created in the root of the web directory. An example is /var/www/html on a
typical Linux Red Hat system. The package server agent reads the Apache Web
Server configuration file to determine this location.
See “About detecting the Apache Web Server” on page 153.
If you choose, you can specify that package server create the directories in an
alternate location. Use an Apache Web Server alias directive to specify a separate
directory.
See “Requirements to configure package server and the Apache Web Server”
on page 155.
See “Requirements to configure HTTPS and HTTP” on page 156.
About detecting the Apache Web Server
You can detect the Apache Web Server automatically or manually.
See “About integrating Apache Web Server with package server for Linux”
on page 152.
See “Requirements to configure package server and the Apache Web Server”
on page 155.
If you choose Automatic Detection, Symantec Management Agent looks for the
Apache HTTPD or HTTPD2 executable in the following directory locations:
■ /bin:/usr/bin:/sbin:/usr/sbin:/usr/lbin:/usr/etc:/etc:/usr/bsd:/usr/local/bin:/usr/contrib/bin/
■ System PATH variable
■ /opt/apache/bin:/usr/apache/bin:/usr/apache2/bin:/usr/local/apache/bin:/usr/local/apache2/bin:/usr/local/bin:/opt/freeware/apache/bin:/opt/freeware/apache2/bin:/opt/freeware/apache/sbin:/opt/hpws/apache/bin:/opt/apache2:/usr/local/apache+php
If both HTTPD and HTTPD2 executables are found, then both Apache 2.0 and
Apache 2.2 are installed.
In addition, if both executable files are found, then the file that matches a running
process is used. The default file is HTTPD2.
If the Apache Web Server cannot be detected automatically, you may need to
detect it manually. The Apache Web Server might not be detected automatically
if the executable file is renamed. If multiple installations have occurred, then the
wrong Apache Web Server could be detected. In any of these situations, you should
specify the Apache Web Server location manually.
To specify the Apache Web Server manually you should edit the [httpd
Integration] section of the client.conf file in the agent. In this section, you should
specify the "apache_exe_location" setting.
When the Apache Web Server executable is located, it is used to determine the
default location of the Apache Web Server configuration file. The configuration
file is required to determine if the Apache Web Server setup is suitable for package
server use. The configuration file also lets the installation program determine
the settings that are applicable to the package server. Applicable settings include
the ports that are used or whether the server is SSL-enabled.
If Symantec Management Agent for UNIX, Linux, and Mac cannot find the Apache
Web Server configuration file, it searches in the following locations:
■
/etc/httpd/conf
■
/etc/httpd/2.0/conf
As an alternative to Automatic Detection you can edit the [Httpd Integration]
section of the Symantec Management Agent for UNIX, Linux, and Mac client.conf
file. When you edit the file, specify the apache_config_location. Any setting that
you change becomes the default.
You can use the Apache Web Server "-f" option during the installation to relocate
the configuration file from its default location. If you relocate the file, you must
specify the location of the apache_config_location. Package server for Linux does
not support mod_perl generated httpd.conf files.
Requirements to configure package server and the Apache Web Server
For the package server for Linux to work with the Apache Web Server, certain
requirements must be met. When these requirements are met, the Symantec
Management Agent for UNIX, Linux, and Mac sends the Apache HTTP Server role.
This role allows the computer to be used as a package server for Linux.
See “About detecting the Apache Web Server” on page 153.
The configuration requirements are as follows:
■ Apache Web Server version 2.0 or 2.2 is installed.
■ The package server for Linux uses only the main Apache Web Server or the
  default Apache Web Server.
  All other virtual host sections in the Apache Web Server configuration are
  ignored, with the following exceptions:
  ■ The global settings and the _default_ virtual host are read for the main
    server settings.
  ■ The first virtual host that defines an SSL server is considered to be the
    main SSL server. Its settings are used for integrating and all other SSL
    virtual hosts are ignored.
■ The Apache Web Server web space location where the package server files and
  directories are to be created must have the following options enabled:
  ■ FollowSymLinks
  ■ AllowOverride
  The Apache Web Server web space location must also be accessible through
  anonymous HTTP. The location is virtual directory /Altiris/PS/.
  See “Requirements to configure HTTPS and HTTP” on page 156.
■ If both HTTP and HTTPS are defined for the Apache Web Server, the HTTPS
  server is used.
■ Non-standard ports are detected and used, but the main Apache Web Server
  must be accessible through the hostname of the computer. The Listen directive
  for the main server must come before all other Port statements and Listen
  directives in the configuration file.
■ The Apache Web Server must be running.
■ No compressing modules are used with the Apache Web Server. This
  requirement exists because Package Delivery does not support those modules.
■ You may need to restart Symantec Management Agent for UNIX, Linux, and
  Mac after you make changes to the httpd.conf file. The changes may not take
  effect until after you restart the agent.
Requirements to configure HTTPS and HTTP
Symantec Management Agent for UNIX, Linux, and Mac uses whichever type of
Apache Web Server is available. It can use either HTTP or HTTPS.
See “Requirements to configure package server and the Apache Web Server”
on page 155.
If the Apache Web Server supports both types of Web server, the package server
for Linux uses HTTPS. Integrating with SSL through HTTPS is the default option
because it is the most secure. If you want to use the HTTP server, you can change
the [httpd Integration] "integrate_with" setting.
We recommend one of the following approaches for installing the Apache Web
Server to support package servers for UNIX and Linux:
■ Install a packaged version of Apache Web Server. On Linux, the distributed
  Apache Web Server is most suitable.
  This installation contains the executable files and the technical support exe
  files in /usr/sbin or /usr/bin.
■ Install the Apache Web Server package in the recommended location.
  An example of a suitable default location is /usr/local or /opt.
■ Leave the Configuration directory in its default location. This requirement
  ensures that Symantec Management Agent for UNIX, Linux, and Mac can easily
  detect the Apache Web Server and the configuration file. If you do not move
  the configuration directory, you do not have to specify extra manual settings.
  The default configuration directory is the location that was compiled into
  your .exe, or /etc/httpd/conf.
If you change the Apache Web Server configuration files while Symantec
Management Agent is running, data is sent to Notification Server after a short
time. After the Apache Web Server role data is sent to Notification Server, the
computer becomes a candidate package server. If you want to speed up this
process, run the aex-sendbasicinventory executable file manually. Run the
executable file from the shell on the client computer that is targeted for the
package server installation. Update Notification Server with the changes.
Two configuration examples are available.
See “Package server configuration example that uses main web directory for
package server links” on page 157.
See “Package server configuration example using an alias for package server
links” on page 159.
Package server configuration example that uses main web directory for package server links
This configuration generally requires the least modification to an
out-of-the-box or default Apache Web Server setup. In this configuration, a
virtual directory that is called /Altiris/PS is created automatically under the
main Apache HTML directory.
See “Requirements to configure HTTPS and HTTP” on page 156.
The example configuration contains the following directories:
■ Snapshots
■ Packages
Symbolic links are created in these directories to each shared package. The
packages themselves are stored under the package server agent VAR directory.
This configuration includes both an HTTP and an HTTPS Apache server. The
package server uses the HTTPS server if it is available. The HTTPS server ensures
a more secure operating environment and allows the use of Package Access
credentials.
Several configuration file checks are performed. The configuration files that are
listed in this section are examples. These examples are from the default installation
of the Apache Web Server as part of a legacy Red Hat Linux Distribution.
Check number 1; Listen statement is as follows:
...
## When we also provide SSL we have to listen to the
## standard HTTP port (see above) and to the HTTPS port
##
<IfDefine HAVE_SSL>
Listen 80
Listen 443
Listen 10.10.10.10:8080
</IfDefine>
...
Ensure that the Listen statement for each of the main servers is the first Listen
statement of its type in the configuration file. The main HTTP and HTTPS servers
should be the first two Listen statements.
You should remove the IP or ensure that it is the same IP to which the hostname
resolves, as reported to Notification Server.
Check number 2; Main directory options is as follows:
...
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
DocumentRoot "/var/www/html"
...
# This should be changed to whatever you set DocumentRoot to.
<Directory "/var/www/html">
# This may also be "None", "All", or any combination of "Indexes",
# "Includes", "FollowSymLinks", "ExecCGI", or "MultiViews".
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# does not give it to you.
Options Indexes FollowSymLinks
# This controls which options the .htaccess files in directories can
# override. Can also be "All", or any combination of "Options", "FileInfo",
# "AuthConfig", and "Limit"
AllowOverride AuthConfig
# Controls who can get stuff from this server.
Order allow,deny
Allow from all
</Directory>
...
Find the <Directory> node for the DocumentRoot directory, and ensure that the
following options are set:
■ FollowSymLinks
■ AllowOverride AuthConfig or AllowOverride All
Check number 3; Check SSL host is as follows:
## SSL Virtual Host Context
<VirtualHost _default_:443>
# General setup for the virtual host
DocumentRoot "/var/www/html"
ErrorLog logs/error_log
TransferLog logs/access_log
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
...
Ensure that the _default_ SSL virtual host has the correct port. The port should
match the first SSL Listen. Ensure that the DocumentRoot of the virtual host is
the same as the DocumentRoot of the main server.
The DocumentRoot of the host can be different from the DocumentRoot of the
main server. The DocumentRoot of the host must have a <Directory> node that
is configured with the same options that are specified in Check number 2.
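The three checks in this example can be run against a configuration file before the computer is used as a package server. The following Python script is an added example, not part of the Symantec guide or product: parse_conf, dir_ok, audit and SAMPLE_CONF are hypothetical names, the sample configuration is constructed from the excerpts above, and the parser assumes one directive per line with no Include files.

```python
import re

# Constructed sample modelled on the Check 1-3 excerpts above (not a real server's file).
SAMPLE_CONF = """
<IfDefine HAVE_SSL>
Listen 80
Listen 443
Listen 10.10.10.10:8080
</IfDefine>
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride AuthConfig
</Directory>
<VirtualHost _default_:443>
    DocumentRoot "/var/www/html"
    SSLEngine on
</VirtualHost>
"""

SECTION = re.compile(r"<(/?)(\w+)\s*([^>]*)>")


def parse_conf(text):
    """Collect the directives that the three checks look at."""
    conf = {"listens": [], "docroot": None, "dirs": {}, "vhosts": []}
    stack = []  # open <Directory>/<VirtualHost> sections, innermost last
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION.match(line)
        if m:
            closing, tag = m.group(1), m.group(2).lower()
            arg = m.group(3).strip().strip('"')
            if tag not in ("directory", "virtualhost"):
                continue  # <IfDefine>/<IfModule> wrappers are treated as transparent
            if closing:
                if stack:
                    stack.pop()
            elif tag == "directory":
                key = arg.rstrip("/") or "/"
                node = conf["dirs"].setdefault(key, {"options": set(), "override": set()})
                stack.append(("dir", node))
            else:
                node = {"port": arg.rpartition(":")[2], "docroot": None, "ssl": False}
                conf["vhosts"].append(node)
                stack.append(("vhost", node))
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        kind, node = stack[-1] if stack else (None, None)
        if name == "listen" and value:
            addr, _, port = value.split()[0].rpartition(":")
            conf["listens"].append((addr, port))
        elif name == "documentroot" and kind != "dir":
            (node if kind == "vhost" else conf)["docroot"] = value
        elif name == "sslengine" and kind == "vhost":
            node["ssl"] = value.lower() == "on"
        elif name == "options" and kind == "dir":
            node["options"].update(o.lstrip("+").lower() for o in value.split())
        elif name == "allowoverride" and kind == "dir":
            node["override"].update(o.lower() for o in value.split())
    return conf


def dir_ok(conf, path):
    """Check 2: FollowSymLinks plus AllowOverride AuthConfig or All on the <Directory> node."""
    node = conf["dirs"].get((path or "").rstrip("/") or "/")
    return (node is not None and "followsymlinks" in node["options"]
            and bool(node["override"] & {"authconfig", "all"}))


def audit(text):
    """Return findings for Checks 1-3; an empty list means all three pass."""
    conf, findings = parse_conf(text), []
    first_two = conf["listens"][:2]  # Check 1: the main HTTP and HTTPS servers
    for addr, port in first_two:
        if addr:
            findings.append(f"check1: Listen {addr}:{port} is in the first two and pins an IP")
    if not dir_ok(conf, conf["docroot"]):
        findings.append("check2: DocumentRoot <Directory> lacks FollowSymLinks/AllowOverride")
    # Check 3 looks only at the first virtual host that enables SSL.
    ssl = next((v for v in conf["vhosts"] if v["ssl"]), None)
    if ssl:
        # Assumption: "the first SSL Listen" is one of the first two Listen ports.
        if ssl["port"] not in [port for _, port in first_two]:
            findings.append(f"check3: SSL host port {ssl['port']} matches no main Listen")
        root = ssl["docroot"] or conf["docroot"]
        if root != conf["docroot"] and not dir_ok(conf, root):
            findings.append(f"check3: SSL DocumentRoot {root} has no suitable <Directory>")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_CONF) or "all three checks pass")
```

A check1 finding still needs a manual decision: the IP may stay if it is the address to which the hostname resolves, as reported to Notification Server.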
Package server configuration example using an alias for package server links
You may want to keep the package server for Linux virtual directory completely
separate from the Apache Web Server directory. To keep them separate, follow
this configuration example. This configuration example keeps all the symbolic
links out of the main Apache Web Server directory. It ensures that the
FollowSymLinks options are not required in the main directory.
See “Requirements to configure HTTPS and HTTP” on page 156.
An alias is used in the Apache Web Server configuration file to separate the
/Altiris/PS virtual directory. The package server for Linux automatically detects
this alias and creates the required subdirectories in the correct location.
The subdirectories are as follows:
■ Packages
■ Snapshots
The actual packages are downloaded to the VAR directory on the agent.
The configuration files that are used in this section are an example. The example
is from the default installation of the Apache Web Server as part of a legacy Red
Hat Linux Distribution.
Check number 1; Listen statement is as follows:
...
## When we also provide SSL we have to listen to the
## standard HTTP port (see above) and to the HTTPS port
##
<IfDefine HAVE_SSL>
Listen 80
Listen 443
Listen 10.10.10.10:8080
</IfDefine>
...
Ensure that the Listen statement for each of the main servers is the first Listen
statement of its type in the configuration file. The main HTTP and HTTPS servers
should be the first two Listen statements.
You should remove the IP or ensure that it is the same IP to which the hostname
resolves, as reported to Notification Server. You can use port numbers other than
80 and 443. The package server for Linux detects the ports. However, it always
uses the port of the first Listen in the Apache Web Server configuration file.
Check number 2; Create Alias and aliases directory options is as follows:
...
# Aliases: Add here as many aliases as you need (no limit). The format is
# Alias fakename realname
#
<IfModule mod_alias.c>
...
Alias /Altiris/PS /var/altiris/www/ps
<Directory /var/altiris/www/ps >
Options FollowSymLinks
AllowOverride All
</Directory>
</IfModule>
# End of aliases.
You should perform these steps in the following order:
■ Create both the Alias statement and the <Directory> node for the destination
  directory of the alias.
■ Ensure that the following options are set on that directory:
  ■ FollowSymLinks
  ■ AllowOverride AuthConfig or AllowOverride All
■ Create the destination directory.
■ Set the correct permissions on the destination directory to ensure that Apache
  Web Server clients can download files from there.
■ To ensure that the directory works, place a text file in it. Then browse to a URL
  such as http://your.server.name/Altiris/PS/testfile.txt. In this example,
  your.server.name and testfile.txt are your own server name and the name of
  the text file that you created.
Check number 3; Check SSL host is as follows:
...
## SSL Virtual Host Context
<VirtualHost _default_:443>
# General setup for the virtual host
DocumentRoot "/var/www/html"
ErrorLog logs/error_log
TransferLog logs/access_log
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
...
Ensure that the _default_ SSL virtual host has the correct port. It should match
the first SSL Listen. Ensure that its DocumentRoot is the same as the
DocumentRoot of the main server.
Chapter 8
Configuring hierarchy
This chapter includes the following topics:
■ About hierarchy
■ Hierarchy requirements
■ Setting up a Notification Server hierarchy
■ About creating and managing hierarchical relationships
■ Creating and managing hierarchical relationships
■ Setting up a hierarchical relationship between two Notification Server computers
■ About hierarchy replication
■ Configuring hierarchy replication
■ Hierarchy replication settings
■ Setting up custom hierarchy replication
■ Configuring hierarchy replication rules
■ Hierarchy replication rule settings
■ Overriding the hierarchy differential replication schedule
■ Replicating selected data manually
■ About hierarchy automation policies
■ Running a hierarchy report
■ Updating summary data
About hierarchy
Hierarchy is a technology designed to reduce the total cost of ownership (TCO) of
managing Symantec software and solutions across multiple Notification Servers.
Hierarchy reduces the TCO by supplementing the Notification Server system with
centralized management capabilities.
See “Hierarchy requirements” on page 165.
See “Setting up a Notification Server hierarchy” on page 166.
Hierarchy defines the information flows across multiple Notification Servers in
an enterprise. If you have multiple Notification Servers, you can use Hierarchy
to define collections of Notification Servers that share common configuration
settings and data. Hierarchy can distribute and synchronize any changes that are
made to the shared configuration settings and data. Hierarchy lets you manage
your Symantec solutions across multiple Notification Servers from a central
location.
Some solutions, such as Inventory Solution, Patch Management Solution, and
Software Management Solution, are set up to participate in hierarchy. For
information on a specific solution, refer to the appropriate solution documentation.
Hierarchy uses replication to copy and synchronize shared objects and data
between Notification Servers within the same hierarchical structure. At scheduled
intervals, each server within a hierarchy synchronizes objects and data with its
immediate parent and immediate children.
See “About replication” on page 187.
A Hierarchy topology defines the relationships between Notification Servers,
which in turn controls how synchronization occurs between adjacent nodes.
A Hierarchy topology complies with the following rules:
■ Each Notification Server can have zero or one parent.
■ Each Notification Server can have zero or more children.
In Hierarchy, objects and data are constrained to replicate in known directions,
so synchronization is both predictable and scalable. As Hierarchy only replicates
each object or piece of data in one direction, conflict management is trivial and
the source is always given priority.
Table 8-1 Objects that can be synchronized between Notification Servers

| Object | Description |
|---|---|
| Configuration and Management Items | Policies, filters, and reports are replicated as read-only items down a hierarchy. |
| Security Settings | Security roles, privileges, and permissions are replicated down a hierarchy. |
| Resources | Resource information, such as computers, users, sites, and their associated data classes are replicated up or down a hierarchy. |
| Packages | Packages that are associated with software resources and the data classes that are associated with the packages are replicated down a hierarchy. |
| Events | Event classes, such as software delivery execution, are replicated up or down a hierarchy. |
Note: Some Symantec solutions create custom replication rules to ensure that
specific items are always synchronized.
Hierarchy requirements
To share or receive common configuration settings and data with multiple
Notification Server computers, you must first add the Notification Server computer
to a hierarchy. Because Notification Server computers can be managed locally,
each Notification Server computer must be added or removed from a hierarchy
individually with the appropriate access credentials. Typically, the Symantec
Administrator managing the topology design accesses the Notification Server
computers in other sites remotely to add them to a hierarchy.
See “About hierarchy” on page 164.
See “Setting up a Notification Server hierarchy” on page 166.
The requirements for configuring hierarchy are as follows:
■ Network traffic must be routable between adjoining Notification Server
  computers within the hierarchy.
■ HTTP/HTTPS traffic must be permitted between adjoining Notification Server
  computers within the hierarchy.
■ Trust relationships must exist between adjoining Notification Server computers
  within the hierarchy, or credentials for the privileged accounts that facilitate
  trust must be known.
■ Each Notification Server computer must be able to resolve the name and the
  network address of any adjoining Notification Server computers within the
  hierarchy.
■ There must be sufficient bandwidth between Notification Server sites to support
  package and data replication.
  Bandwidth and the hardware that is required depend on the size of your
  hierarchy topology and the data replicated.
■ A site must exist for each Notification Server computer, and must include the
  subnet that contains Notification Server. The site must also contain a package
  server (a site server that is running the package service) that serves the
  Notification Server computer.
  See “About site services” on page 131.
Setting up a Notification Server hierarchy
To share or receive common configuration settings and data with multiple
Notification Servers, you must first add the Notification Server computer to a
hierarchy. This section outlines the process of setting up a Notification Server
hierarchy.
See “About hierarchy” on page 164.
See “Hierarchy requirements” on page 165.
Table 8-2 Setting up a Notification Server hierarchy

| Step | Action | Description |
|---|---|---|
| Step 1 | Create the appropriate hierarchical relationships between Notification Servers. | You create a hierarchy by creating a series of parent-to-child and child-to-parent relationships that link together the Notification Server computers in your system. See “About creating and managing hierarchical relationships” on page 167. See “Creating and managing hierarchical relationships” on page 168. |
| Step 2 | Create and enable the appropriate replication rules to specify the data to replicate through the hierarchy. | Hierarchy replication of resources and events is configured using replication rules. You can configure hierarchy replication rules on each Notification Server to best suit the requirements of your organization. See “Configuring hierarchy replication” on page 173. See “Configuring hierarchy replication rules” on page 177. |
About creating and managing hierarchical relationships
You can add your Notification Server (the one that you are logged on to, which
may be a remote logon) to a hierarchy as a child of an existing remote Notification
Server computer, or as its parent. To create a hierarchical relationship, you require
a Symantec Administrator account (or an account with equivalent privileges) on
both computers. To add or remove Notification Server computers from a hierarchy,
you need the Manage Hierarchy Topology privilege on the Notification Server
computer where the action is carried out.
See “About hierarchy” on page 164.
See “Hierarchy requirements” on page 165.
See “Setting up a Notification Server hierarchy” on page 166.
See “Creating and managing hierarchical relationships” on page 168.
You can view and configure the Notification Server computer hierarchy using the
Symantec Management Console. If you are the Hierarchy administrator, you can
see only the parent and children (down to all levels) of your Notification Server.
Note that all actions that you take are based on your Notification Server.
Right-clicking a Notification Server computer does not perform a remote logon
to any remote Notification Server computers. It opens a context menu containing
the actions that you can perform on that server, which is different for local and
remote computers. A full set of actions is available for the local server, but only
a limited set is available for remote servers. Actions such as extracting reports
are performed on the appropriate database.
The actions that you can perform on the hierarchy are relative to your Notification
Server computer, which is the computer that you are logged on to. If you have the
Manage Hierarchy privilege on a remote Notification Server computer, you can
perform a remote logon to that computer. You can then open the Symantec
Management Console, and perform hierarchy configuration relative to that
computer.
You can enable or disable hierarchy replication on specific Notification Server
computers at any time. For example, you can use this facility to temporarily disable
hierarchy replication during maintenance tasks such as solution installation,
upgrades, or uninstallation. Disabling replication on one Notification Server
computer does not affect the replication schedule on the other Notification Server
computers in the hierarchy. However, no data is passed through the disabled
computer, so replication down stops at the parent, and replication up stops at the
children.
A colored symbol on the Hierarchy Management page indicates any hierarchy
alerts. The colors that you might see and the corresponding alert status are as
follows:
Yellow
Low alert status
Orange
Medium alert status
Red
Critical alert status.
For example, if you attempt to replicate the same data both up and
down the hierarchy from the same Notification Server computer, a
critical alert is raised. Data should be replicated one way only. If the
parent or the child Notification Server computer has the same
hierarchy replication rules implemented, you could set up a data
clash.
Creating and managing hierarchical relationships
You create a hierarchy by creating a series of parent-to-child and child-to-parent
relationships that link together the Notification Server computers in your system.
You can add your Notification Server (the one that you are logged into, which may
be a remote logon) to a hierarchy as a child of an existing remote Notification
Server, or as its parent.
See “About hierarchy” on page 164.
See “Hierarchy requirements” on page 165.
See “Setting up a Notification Server hierarchy” on page 166.
See “About creating and managing hierarchical relationships” on page 167.
To create and manage hierarchical relationships
1
In the Symantec Management Console, on the Settings menu, click
Notification Server > Hierarchy.
2
On the Hierarchy Management page, on the Topology tab, in the View
drop-down list, select Diagram to display the hierarchy in graphical format.
The alternative, Grid view, should be used only for copying data to the
clipboard. It contains data that is not displayed in Diagram view.
3
Perform any of the following:
Add a new Notification Server to a hierarchy
See “Setting up a hierarchical relationship between
two Notification Server computers” on page 169.
Modify a hierarchical relationship between two Notification Servers
See “Setting up a hierarchical relationship between
two Notification Server computers” on page 169.
Remove a Notification Server from the hierarchy
Right-click the Notification Server computer that you
want to remove, and then click Remove.
Enable or disable hierarchy replication
You may want to disable hierarchy participation when
you perform maintenance on a Notification Server.
Right-click the Notification Server computer on which
you want to enable or disable hierarchy replication,
and click Enable Replication or Disable Replication,
whichever is appropriate.
Disabling hierarchy replication affects the hierarchy
replication schedule only. It has no effect on any
stand-alone replication that has been set up to or from
another Notification Server.
Manually synchronizing the hierarchy does not change
this setting, but overrides it to perform a once-only
replication of the appropriate items.
Manually override the hierarchy replication schedule for a Notification Server
See “Overriding the hierarchy differential replication
schedule” on page 181.
Run a hierarchy report
See “Running a hierarchy report” on page 183.
4
Click Apply.
Setting up a hierarchical relationship between two
Notification Server computers
You can set up a hierarchical relationship (either Parent of or Child of) between
your Notification Server computer and a remote Notification Server computer.
You need to specify the name, URL (which should include any non-default port
configurations or HTTPS), and access details of the remote Notification Server
computer. You also need to provide the access details of your local Notification
Server computer. By default, the hierarchy replication schedule staggers the
replication between each pair of Notification Server computers. You can change
the replication schedule to suit your requirements, but you should ensure that
replication staggering is maintained.
See “About hierarchy” on page 164.
See “Hierarchy requirements” on page 165.
See “Setting up a Notification Server hierarchy” on page 166.
See “About creating and managing hierarchical relationships” on page 167.
See “Creating and managing hierarchical relationships” on page 168.
Both Notification Server computers must have a package server available within
their respective sites. The package server is required for performance reasons.
You cannot create a hierarchical relationship between two Notification Server
computers if either one does not have a package server available.
Notification Server application credentials should be stable and not be changed
regularly like some user account passwords. If the Notification Server computer
application account password becomes invalid, a message is displayed in the
console. The message prompts you to use the ASConfig command-line tool to
make the necessary updates.
To set up a hierarchical relationship between two Notification Server computers
1
In the Symantec Management Console, on the Settings menu, click
Notification Server Management > Hierarchy.
2
On the Hierarchy Management page, on the Topology tab, right-click your
Notification Server, and then click the appropriate option:
■
Add > Parent
■
Add > Child
■
Edit > Parent
■
Edit > Child
3
In the Add Hierarchy Node Wizard, on the first page, enter the name and URL
of the remote Notification Server computer.
4
Supply the appropriate access credentials.
The access credentials must be a Symantec Administrator account or
equivalent account on the remote Notification Server computer.
5
Click Advanced.
6
In the Return Credential Settings dialog box, specify the Symantec
Administrator (or equivalent) account that the remote Notification Server
computer uses to communicate with the local Notification Server computer.
7
Click OK to close the Advanced dialog box.
8
Click Next.
9
On the Replication Schedules page, set up the differential and the complete
replication schedules, and enable those that you want to use on the
Notification Server computer.
By default, only the differential replication schedule is enabled. Complete
replication is rarely used because it puts a heavy load on the Notification
Server computer, but you can enable it when necessary. You should schedule
the replication at the times that do not clash with replication schedules on
other Notification Server computers in the hierarchy.
See “Managing shared schedules” on page 126.
See “Configuring a schedule” on page 127.
10 Click Next.
11 On the Confirm Settings page, verify that the settings are correct, and then
click Finish.
The local Notification Server computer uses the specified information to
locate and verify the remote Notification Server computer and set up the
appropriate hierarchical relationship with it.
If the remote Notification Server computer does not have a package server
available within its site, the verification fails and the hierarchical relationship
cannot be established.
About hierarchy replication
Hierarchy replication specifies what is replicated in the hierarchy. It has no effect
on the stand-alone replication that you can set up between any two Notification
Servers. Any data that is replicated down from a parent Notification Server has
priority, and overwrites the corresponding data on its child servers.
See “Setting up a Notification Server hierarchy” on page 166.
See “About creating and managing hierarchical relationships” on page 167.
See “Setting up a hierarchical relationship between two Notification Server
computers” on page 169.
See “Configuring hierarchy replication” on page 173.
See “Hierarchy replication settings” on page 174.
See “Setting up custom hierarchy replication” on page 176.
See “Configuring hierarchy replication rules” on page 177.
Note: Hierarchy replication is not supported from a 7.1 server to a 7.0 server or
from a 7.0 server to 7.1 server.
The replicated configuration and management items received from a parent server
are usually read-only so they cannot be modified. The read-only setting ensures
that they are replicated unchanged down the hierarchy. If you want to allow additions
to replicated items on child servers, you need to unlock the relevant items on the
Notification Server computer on which they were created. For example, you may
want to allow policies to be enabled and disabled on the child Notification Servers.
Hierarchy replication does not let you replicate the same data up and down the
hierarchy. If you set up two rules that have the same resource type being replicated
in both directions, a critical alert is raised and the replication rules are not
executed.
Hierarchy has two modes of replication:
Differential
Replicates the objects and the data that have changed since the last
replication. This mode is enabled by default and reduces the load and
the bandwidth that hierarchy uses.
Complete
Replicates all objects and data. This mode is disabled by default.
To minimize the load on the network and to prevent data collisions, you should
schedule hierarchy replication at a different time for each Notification Server in
your hierarchy.
See “About Symantec Management Platform schedules” on page 121.
Hierarchy replication synchronizes different types of objects in the following
ways:
Security objects
Security objects, such as roles and privileges, always use complete
replication. Differential replication is not an option for read-only
objects such as these.
Items
Items use differential replication, which is handled by hashing each
item to check for changes and replicating those that have changed.
Resources
Resources use differential replication. Differential replication is based
on the "last changed" timestamp on the source data. Any data that
has changed since the last replication is replicated to the destination
server. The data on the destination is then verified, if data verification
has been enabled in the appropriate replication rule.
Data verification imposes significant processing load on Notification
Server. To reduce this load, you can verify a specified percentage of
data on the destination server with each replication. For example, if
you verify 10% of the data for each replication, that ensures that all
data has been verified after 10 replications.
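The two differential checks and the percentage-based verification described above can be modeled in a few lines. This is an added illustration, not Symantec's code: SHA-256, the JSON serialization, the rotating slice, and all function names and sample records are assumptions constructed for the example.

```python
import hashlib
import json
from datetime import datetime


def digest(record: dict) -> str:
    """Hash a canonical form so key order cannot register as a change."""
    canonical = json.dumps(record, sort_keys=True, default=str)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def items_to_replicate(source: dict, replicated_digests: dict) -> list:
    """Items: send anything new or whose hash differs from the last run."""
    return sorted(g for g, item in source.items()
                  if replicated_digests.get(g) != digest(item))


def resources_to_replicate(source: dict, last_replication: datetime) -> list:
    """Resources: send rows whose "last changed" stamp is newer than the last run."""
    return sorted(g for g, row in source.items()
                  if row["last_changed"] > last_replication)


def verification_slice(guids, percent: int, run_number: int) -> list:
    """Choose the next `percent` of rows to verify, rotating on every run."""
    if not 1 <= percent <= 100:
        raise ValueError("percent must be between 1 and 100")
    ordered = sorted(guids)
    if not ordered:
        return []
    size = (len(ordered) * percent + 99) // 100   # integer ceiling
    start = (run_number * size) % len(ordered)
    return [ordered[(start + i) % len(ordered)] for i in range(size)]


def drifted(source: dict, destination: dict, guids) -> list:
    """Return verified rows whose destination copy no longer matches the source."""
    return sorted(g for g in guids
                  if g not in destination
                  or digest(source[g]) != digest(destination[g]))


def runs_until_fully_verified(guids, percent: int) -> int:
    """Count replications needed before every row has been verified once."""
    remaining, run = set(guids), 0
    while remaining:
        remaining -= set(verification_slice(guids, percent, run))
        run += 1
    return run


# --- Constructed sample data (not taken from any real server) ---
LAST_RUN = datetime(2012, 3, 1, 2, 0)

ITEMS = {
    "policy-a": {"name": "Patch policy", "enabled": True},
    "filter-b": {"name": "All servers", "query": "os=server"},
    "report-c": {"name": "Replication summary"},
}
# Digests recorded at the previous replication: policy-a was disabled then,
# filter-b is unchanged (only key order differs), report-c did not exist.
ITEM_DIGESTS = {
    "policy-a": digest({"enabled": False, "name": "Patch policy"}),
    "filter-b": digest({"query": "os=server", "name": "All servers"}),
}

RESOURCES = {
    f"res-{i:02d}": {"name": f"host{i:02d}",
                     "last_changed": datetime(2012, 2, 20, 9, 0)}
    for i in range(20)
}
RESOURCES["res-03"]["last_changed"] = datetime(2012, 3, 2, 14, 30)

# Destination copy after replication, with one row altered but its
# timestamp untouched, so the timestamp check alone never re-sends it.
DESTINATION = {g: dict(row) for g, row in RESOURCES.items()}
DESTINATION["res-17"]["name"] = "host17-old"

if __name__ == "__main__":
    print("items:", items_to_replicate(ITEMS, ITEM_DIGESTS))
    print("resources:", resources_to_replicate(RESOURCES, LAST_RUN))
    for run in range(runs_until_fully_verified(RESOURCES, 10)):
        chunk = verification_slice(RESOURCES, 10, run)
        print(f"run {run + 1}: verified {chunk}, drift {drifted(RESOURCES, DESTINATION, chunk)}")
```

In this constructed data the altered destination row res-17 keeps its old timestamp, so only the verification slice on the ninth replication finds it.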
Configuring hierarchy replication
When you add a Notification Server to a hierarchy you can specify what to replicate
to the parent Notification Server and to any child Notification Servers. By default,
everything is replicated (full replication), which may consume excessive bandwidth.
We recommend that you configure hierarchy replication on each Notification
Server to best suit the requirements of your organization.
See “About hierarchy replication” on page 171.
See “Hierarchy replication settings” on page 174.
See “Setting up custom hierarchy replication” on page 176.
See “Configuring hierarchy replication rules” on page 177.
Note: Hierarchy replication is not supported from a 7.1 server to a 7.0 server or
from a 7.0 server to 7.1 server.
Anything that is published on a child Notification Server is read-only and cannot
be overwritten by the data that is replicated down from its parent.
Hierarchy replication of resources and events is configured using replication
rules. These rules define the data that you want to replicate to other Notification
Servers. You need to create all the rules that you require, and then enable those
that you want to use. You can disable a replication rule at any time—it is not
deleted—and enable it again later.
Hierarchy replication rules are replicated down the hierarchy. You can set up
your replication rules at the root level Notification Server and then replicate them
to all child levels. You may want to do the same for security roles and privileges.
Lower-level Notification Servers cannot change the replicated security items or
replication rules, but they can add new ones when necessary. Any new security
items or replication rules would apply only to the local Notification Server, but
they can be replicated down to its children. You need the Manage Hierarchy
Replication privilege to make any changes to replication rules.
You can also manually replicate selected data directly from a Notification Server
to all its child Notification Servers without including it in a replication rule. Manual
replication is a once-off replication that takes place immediately. You need to
have Read permission on the Replicate Now right-click menu item action to
perform manual replication.
See “Replicating selected data manually” on page 182.
See “About replication” on page 187.
To configure hierarchy replication
1
In the Symantec Management Console, on the Settings menu, click
Notification Server > Hierarchy.
2
On the Hierarchy Management page, select the Replication tab.
3
Configure hierarchy replication by selecting the appropriate options, and
setting up and enabling the appropriate rules.
See “Hierarchy replication settings” on page 174.
4
To save the configuration settings, click Save changes.
5
If you want to set up custom hierarchy replication for configuration and
management items, make the appropriate settings.
The context menu option to enable hierarchy replication on specific items is
not available until the Custom option has been confirmed.
6
Click Save changes to confirm the custom hierarchy replication settings.
Hierarchy replication settings
You can configure hierarchy replication by selecting the appropriate options, and
setting up and enabling the appropriate replication rules. The replication rules
specify the replication settings for particular resource types or event types.
See “Configuring hierarchy replication” on page 173.
Table 8-3
Hierarchy replication settings
Setting
Description
Configuration and Management Items
Enables replication for standard configuration and management items such as policies,
filters, and reports. These items replicate down the hierarchy.
The replication options are:
■ All
■ None
■ Custom
If you select custom replication, you need to enable replication on the appropriate items
or folders.
See “Setting up custom hierarchy replication” on page 176.
Security
Enables replication for security roles and privileges. These items replicate down the
hierarchy.
The replication options are:
■ All
■ None
■ Custom
If you select custom replication, you need to specify the security roles and privileges
that you want to replicate.
See “Setting up custom hierarchy replication” on page 176.
Resources
Specifies the resources and the associated data that you want to replicate by setting up the
appropriate rules and enabling those that you want to use.
Most resources go up the hierarchy, but there are a few exceptions, such as sites, that are
replicated down. New resources always go up the hierarchy.
See “Configuring hierarchy replication rules” on page 177.
Events
Specifies the events that you want to replicate by setting up the appropriate rules and
enabling those that you want to use.
Event rules are generally disabled, as Notification Server generates a large amount of event
data. Event data does not need to be replicated in normal operating conditions. However,
there may be occasions when you want event data to be replicated up the hierarchy.
You may want to replicate some summary information that can be used to create a report
at the top level of the hierarchy. A report at the top level would let you drill down through
the report results to a particular Notification Server and access its event data.
See “Configuring hierarchy replication rules” on page 177.
Advanced
Contains replication rules that belong to Notification Server and installed solutions. These
rules control the replication of the hierarchy replication rules for the Notification Server
environment. You cannot modify or delete any rules that have been replicated down from
a parent. You may add new rules and you can disable or enable them when necessary. For
example, you may want to set up global rules on the root Notification Server and add regional
rules on the appropriate lower-level Notification Servers.
See “Configuring hierarchy replication rules” on page 177.
Setting up custom hierarchy replication
You can set up custom hierarchy replication for configuration and management
items and security roles and privileges.
See “About hierarchy replication” on page 171.
See “Configuring hierarchy replication” on page 173.
The current Item Replication report that you can access from the Configuration
and Management Items panel lists all the items that have been enabled for
replication using Custom hierarchy replication. When the selected items are
replicated, any dependent items that have not been enabled are included
automatically. These items do not appear on the Item Replication report. To see
a list of all the items that were replicated, you need to view the Objects Replicated
report.
To set up custom hierarchy replication for configuration and management items
1
In the Symantec Management Console, on the Settings menu, click
Notification Server > Hierarchy.
2
On the Hierarchy Management page, in the Replication tab, in the
Configuration and Management Items panel, click Custom.
3
Click Save Changes.
4
In the Symantec Management Console, in the left pane, right-click on the
folder or item that you want to replicate, and then click Hierarchy > Enable
Replication.
5
If you have selected a folder, in the Inherited Replication Behavior dialog,
specify whether to include the folder contents in the replication:
To include all of the folder contents
Click Yes.
To replicate only the folder with no contents
Click No.
If necessary, you can manually enable or disable particular subfolders later.
To set up custom hierarchy replication for security roles and privileges
1
In the Symantec Management Console, on the Settings menu, click
Notification Server > Hierarchy.
2
On the Hierarchy Management page, in the Replication tab, in the Security
panel, click Custom.
3
Click Select security roles and privileges.
4
In the Select Security Roles and Privileges window, select the roles and
privileges that you want to replicate.
5
Click OK.
6
Click Save Changes.
Configuring hierarchy replication rules
You can set up replication rules for the resource types or resource targets, specific
data classes, and event types that you want to replicate within the hierarchy. Each
rule replicates the specified data in one direction only, up to the parent Notification
Server or down to the child Notification Servers.
See “Configuring hierarchy replication” on page 173.
See “Hierarchy replication settings” on page 174.
See “Hierarchy replication rule settings” on page 179.
Note: Hierarchy replication is not supported from a 7.1 server to a 7.0 server or
from a 7.0 server to 7.1 server.
You may include resource targets in a resource replication rule. Resource scoping
applies to the contents (resources) of the targets that are replicated. Therefore,
the resources that are replicated depend on the owner of the resource target.
The Notification Server administrator can choose to replicate resource targets in
their current state (owned by somebody else, with the corresponding scope).
Alternatively, they can take ownership of the targets, save them with the
administrator’s scope (which usually contains more resources) and replicate them
in that state. All the current members of a resource target are replicated. The
actual resource target item is replicated in the background as a dependent item.
For example, when a replication rule that applies to a resource target is created
at the parent, the resource target is replicated as a dependent item when the
replication rule itself replicates down the hierarchy. However, when a child
Notification Server defines a new hierarchy rule and applies it to a resource target,
the target itself is not sent, only the resources within it and the selected data types.
The replication rules that are provided with Notification Server and the installed
solutions cannot be deleted, and you should not normally need to modify them.
However, you can enable and disable rules when necessary, and you can edit the
rule name and description.
To configure hierarchy replication rules
1
In the Symantec Management Console, on the Settings menu, click
Notification Server Management > Hierarchy.
2
On the Hierarchy Management page, click the Replication tab.
3
Do any of the following:
To create a new hierarchy replication rule
Click Add.
To modify an existing hierarchy replication rule
Select the appropriate rule, and then click Edit.
To enable a hierarchy replication rule
Check Enabled beside the replication rule name.
To delete a hierarchy replication rule
Select the appropriate rule, and then click Delete.
If you want to disable the replication rule, uncheck
Enabled.
4
If you want to create or modify a rule, in the Replication Rule window, specify
the appropriate settings.
See “Hierarchy replication rule settings” on page 179.
5
Click Save Changes.
The modified hierarchy replication rule is added to the table.
6
On the Replication tab, click Apply.
Hierarchy replication rule settings
You can set up replication rules for the resource types or resource targets, specific
data classes, and event types that you want to replicate within the hierarchy. Each
rule replicates the specified data in one direction only, up to the parent Notification
Server or down to the child Notification Servers. Some settings apply only to a
particular rule type.
See “About hierarchy replication” on page 171.
See “Configuring hierarchy replication” on page 173.
See “Hierarchy replication settings” on page 174.
See “Configuring hierarchy replication rules” on page 177.
Table 8-4
Hierarchy replication rule settings
Setting
Description
Rule name and description
The first line of the page heading is the name of the replication rule. The second line of the
page heading is its description.
To change these, you can click the text to make it editable, and then type the rule name or
description.
Rule status symbol
The current status of the replication rule:
■ On (Green light) – The rule is active.
■ Off (Red light) – The rule is idle.
You can click the symbol to toggle the status to its alternative setting.
Resource Types, Resource Targets
Applies to resource replication rules and event replication rules.
The resources that you want to replicate. These two options are alternatives.
You can click the appropriate option to activate the one that you want:
■ Resource Types
Replicates the selected resource types.
Click Resource Types and then, in the Select Resource Type window, select the resource
types that you want to include.
■ Resource Targets
Replicates the selected resource targets.
Click Resource Targets and then, in the Resource Target window, select the resource
targets that you want to include.
If you want to create new resource targets, click Build Target and, in the Select a Group
window, specify the appropriate resource target.
Data Classes
Applies to resource replication rules only.
If you want to specify particular data classes to include, you can click Data Classes.
In the Inventory Data Classes window, select the classes that you want.
Event Classes
Applies to event replication rules only.
The event classes to include. To select these, you can click Event Classes and, in the Event
Classes window, select the classes that you want.
Direction
The direction of replication:
■ Up the Hierarchy
■ Down the Hierarchy.
Maximum Rows
Applies to event replication rules only.
You can specify the maximum number of table rows to replicate.
Resend events that have been sent previously
Applies to event replication rules only.
You should use this option if a destination server has recently purged its event classes. You
could also use this option if you have experienced network problems between servers in
the hierarchy. Resending events is a once-off operation and you should disable this option
after the rule has been run.
Note: Enabling this option may cause duplicate event data at the destination Notification
Server because event data does not support merging.
Use Standard Replication Schedule
Use the default replication schedule for this Notification Server. This schedule is the
replication schedule that is defined when you add the Notification Server computer to the
hierarchy.
See “Setting up a hierarchical relationship between two Notification Server computers”
on page 169.
Use this schedule
Overrides the default replication schedule and uses another schedule for this rule.
You can select the schedule that you want to use.
If you select Custom Schedule, you need to click Define Custom Schedule and, in the
Schedule Editor, specify the schedule parameters.
Enable Data Verification
Applies to resource replication rules only.
Verify maximum of nn% of data during each replication
Applies to resource replication rules only.
Data verification imposes a significant load on the server, so it should be used only for critical
business processes.
To reduce the load that is imposed on the server, you can verify small amounts of resource
data on every replication. You can specify a verification percentage in the replication rule.
For example, if you verify 10% of the data for each replication, that ensures that all data
has been verified after 10 replications.
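A review script for a planned rule set can check the constraints in Table 8-4 and the one-direction requirement before any rule is enabled. This is an added example, not part of the product: the Rule model, lint(), the severity labels, and the sample rules are hypothetical, and it assumes that a conflict means two rules of the same kind sharing a resource type, with disabled rules reported as latent.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """Hypothetical model of one replication rule, as planned on paper."""
    name: str
    kind: str                             # "resource" or "event"
    direction: str                        # "up" or "down"
    resource_types: frozenset
    enabled: bool = True
    max_rows: Optional[int] = None        # Maximum Rows: event rules only
    resend_events: bool = False           # Resend events: event rules only
    verify_percent: Optional[int] = None  # Data verification: resource rules only


def lint(rules):
    """Return (severity, subject, message) findings for a planned rule set."""
    findings = []
    directions = defaultdict(lambda: {"up": [], "down": []})
    for rule in rules:
        if rule.kind not in ("resource", "event") or rule.direction not in ("up", "down"):
            findings.append(("error", rule.name, "unknown rule kind or direction"))
            continue
        for rtype in rule.resource_types:
            directions[(rule.kind, rtype)][rule.direction].append(rule)
        if rule.kind == "resource" and (rule.resend_events or rule.max_rows is not None):
            findings.append(("error", rule.name,
                             "Maximum Rows and Resend events apply to event rules only"))
        if rule.verify_percent is not None:
            if rule.kind != "resource":
                findings.append(("error", rule.name,
                                 "data verification applies to resource rules only"))
            elif not 1 <= rule.verify_percent <= 100:
                findings.append(("error", rule.name,
                                 "verification percentage must be 1 to 100"))
        if rule.enabled and rule.resend_events:
            findings.append(("warning", rule.name,
                             "resend is once-off; disable it after the rule has run "
                             "to avoid duplicate event data"))
    # Same data replicated both up and down: the condition that raises the
    # critical alert and stops the replication rules from executing.
    for (kind, rtype), by_dir in sorted(directions.items(), key=lambda kv: kv[0]):
        for up in by_dir["up"]:
            for down in by_dir["down"]:
                severity = "critical" if up.enabled and down.enabled else "latent"
                findings.append((severity, f"{up.name} <-> {down.name}",
                                 f"{kind} type {rtype!r} is replicated both up and down"))
    return findings


def blocks_replication(findings) -> bool:
    """True when at least one enabled pair replicates the same data both ways."""
    return any(severity == "critical" for severity, _, _ in findings)


# --- Constructed sample rule set (names and types are made up) ---
SAMPLE_RULES = [
    Rule("Computers up", "resource", "up", frozenset({"Computer"}), verify_percent=10),
    Rule("Sites down", "resource", "down", frozenset({"Site"})),
    Rule("Computers down (regional)", "resource", "down", frozenset({"Computer", "Site"})),
    Rule("Users down", "resource", "down", frozenset({"User"}), enabled=False),
    Rule("Users up", "resource", "up", frozenset({"User"})),
    Rule("Inventory events up", "event", "up", frozenset({"Computer"}),
         max_rows=5000, resend_events=True),
]

if __name__ == "__main__":
    for severity, subject, message in lint(SAMPLE_RULES):
        print(f"{severity.upper():8} {subject}: {message}")
```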
Overriding the hierarchy differential replication
schedule
The Notification Server computers in a hierarchy are normally synchronized
according to the replication schedule that is set up in the replication rules. If
necessary, you can manually override the differential replication schedule for
your Notification Server and trigger the hierarchy replication rules immediately.
The override triggers the hierarchy differential schedule to the selected child node. Any
hierarchy replication rules that are set to run on the differential schedule are run
immediately. Any rules that are set to run on custom schedules are not triggered
to run at that time. You can manually replicate data to your Notification Server
from a remote parent or child Notification Server only.
You cannot manually override replication to a remote Notification Server. You
can only perform an operation that affects your Notification Server. You can log
on to a remote Notification Server to make it your Notification Server, and
manually override the differential replication schedules on its parent or its child
Notification Servers.
See “About hierarchy replication” on page 171.
See “Configuring hierarchy replication” on page 173.
To override the hierarchy differential replication schedule
1
In the Symantec Management Console, on the Settings menu, click
Notification Server > Hierarchy.
2
On the Hierarchy Management page, on the Topology tab, right-click the
Notification Server computer from which you want to replicate data.
3
Click Hierarchy > Replicate To....
This option triggers the hierarchy replication rules that point to the local
(currently logged on) Notification Server. You cannot replicate data from the
remote Notification Server to any other remote servers.
4
In the confirmation dialog box, click OK.
Replicating selected data manually
You can override the replication rules for your Notification Server by performing
a manual hierarchy replication of a particular folder or item. Manual replication
replicates the selected data to the child Notification Servers immediately. The
data is replicated regardless of the replication schedules or whether the data is
included in the replication rules.
See “About hierarchy replication” on page 171.
To manually replicate selected data from your Notification Server
1
In the Symantec Management Console, in the left pane, right-click the folder
or item that you want to replicate.
If you select a folder, the replication includes all of its content (all levels of
subfolders and items that it contains). Any parent folders (but not their
contents) are also replicated to preserve the folder paths within the structure.
2
Click Hierarchy > Replicate Now....
3
In the confirmation dialog box, click OK.
About hierarchy automation policies
A set of hierarchy automation policies is supplied with Notification Server, and
solutions may supply additional policies. You need to turn on the policies that
you want to use and turn off those that you don’t want to use. You cannot modify
the default policies, but you may clone them to create new policies. You can then
configure those policies to suit your requirements.
See “Managing automation policies” on page 426.
See “About hierarchy” on page 164.
The following default hierarchy policies are provided:
Hierarchy Critical Alerts
Sends a high-priority email alert to the Notification System
administrator whenever a critical alert is received at the
local Notification Server.
Critical alert states are also indicated in the Topology tab
in the Hierarchy Management page.
Hierarchy Enabling/Disabling
Sends a high-priority email alert to the Notification System
administrator whenever hierarchy replication has been
enabled or disabled on the local Notification Server.
Hierarchy High Alerts
Sends a high-priority email alert to the Notification System
administrator whenever a high alert is received at the local
Notification Server.
Hierarchy Structure Change
Sends a high-priority email alert to the Notification System
administrator whenever a Notification Server is added to
or removed from the hierarchy.
Running a hierarchy report
Some hierarchy reports are supplied with Notification Server, and solutions may
provide additional reports. You can run a report on any Notification Server in the
hierarchy to extract data from its CMDB.
See “About hierarchy” on page 164.
You may want to update the summary data prior to running a hierarchy report.
You can update the summary data on demand or schedule updates.
See “Updating summary data” on page 184.
Some installed solutions may supply hierarchy federated reports. These reports
summarize the relevant data across the hierarchy, and the results contain a single
line for each Notification Server. You can run the full report on a particular
Notification Server by double-clicking on the appropriate line.
To run a hierarchy report
1
In the Symantec Management Console, on the Settings menu, click
Notification Server > Hierarchy.
2
On the Hierarchy Management page, on the Topology tab, right-click the
Notification Server computer on which you want to run a report.
3
Click Reports and click the appropriate report.
4
In the report page, specify any parameters that you want to use, and refresh
the report.
See “Extracting Notification Server report results” on page 501.
Updating summary data
If you need to generate data for hierarchy-enabled reports, you can update
summary data in task server. You can update summary data on demand, schedule
a one-time update, or create a custom schedule for recurring updates. You can
also delete an existing schedule.
A default schedule runs the task automatically every day. If you want daily updates
of the inventory data, you do not need to change the update schedule.
See “Running a hierarchy report” on page 183.
See “Update Summary Data page” on page 460.
To update summary data on demand
1
In the Symantec Management Console, on the Settings menu, click All
Settings.
2
In the left pane, expand Notification Server > Task Settings > Update
Summary Data.
3
In the Update Summary Data pane, right-click the task that you want to run,
and click Start Now.
You can click Details to view more information about the task before you run
it.
4
If the schedule that you want to run is not in the list, create a custom schedule.
See “To create a custom schedule” on page 185.
To schedule a one-time update
1
In the Symantec Management Console, on the Settings menu, click All
Settings.
2
In the left pane, expand Notification Server > Task Settings > Update
Summary Data.
3
In the Update Summary Data pane, click New Schedule and check Schedule.
4
Next to Schedule, in the drop-down list, click At date/time.
5
On the calendar, select a date. Use the Time up- and down-arrows to select
a time using hours and minutes.
6
Check Repeat every:. Select the number of times to repeat and the increment
at which to repeat the task.
You can select minutes, hours, days, or weeks.
7
Click Schedule.
To create a custom schedule
1
In the Symantec Management Console, on the Settings menu, click All
Settings.
2
In the left pane, expand Notification Server > Task Settings > Update
Summary Data.
3
In the Update Summary Data pane, click New Schedule and check Schedule.
4
Next to Schedule, in the drop-down list, click Shared schedule.
5
Next to Select shared schedule:, click the down-arrow and select how often
this schedule should run.
Options include daily, monthly, half-hourly, hourly, quarter-hourly, during
business hours, weekly, and so on.
6
Click New.
7
In the Create New Shared Schedule window, enter a unique name and a
description for this update summary task.
8
Click Add schedule and select one of the following options:
■
Scheduled time. Select this option to create a custom schedule at a time
that you select. This option does not let you specify an end time for the
task. However, you can click No repeat to change whether and how often
the summary task data is updated. You can choose not to repeat the update
or to repeat it daily, weekly, monthly, or yearly.
■
Schedule Window. Select this option to specify start and end times for
the task. Use the slider bar to select the schedule window for the task. The
slider bar presents a 24-hour period and shows typical work hours
highlighted in boldface type. After you specify the window, specify how
often in hours or minutes to run the task during that window.
9
Click the blue text link. The default is No repeat.
10
In the Repeat schedule window, click the Repeat every: down-arrow to select
how often to repeat the update as follows:
■
No repeat
■
Day
■
Week
■
Month (week view)
■
Month (date view)
■
Year (week view)
■
Year (date view)
11
Click other options that may appear and click OK.
12
Click OK.
To delete a schedule
1
In the Symantec Management Console, on the Settings menu, click All
Settings.
2
In the left pane, expand Notification Server > Task Settings > Update
Summary Data.
3
In the Update Summary Data pane, right-click the schedule that you want
to delete, and click Delete.
4
Click OK.
Chapter 9
Configuring replication
This chapter includes the following topics:
■
About replication
■
Replication requirements
■
About configuring replication
■
Configuring replication rules
■
Replication rule settings
■
Specifying destination Notification Servers in a replication rule
■
Adding or modifying an available Notification Server
■
Specifying Notification Server credentials in a replication rule
About replication
Replication is the one-way transfer of data between two Notification Servers.
See “Replication requirements” on page 189.
Note: Replication is not supported from a 7.1 server to a 7.0 server or from a 7.0
server to a 7.1 server.
See “About configuring replication” on page 189.
Replication lets you replicate the following between Notification Servers:
■
Configuration and management items, such as reports, resource targets,
policies, and tasks
■
Resources, such as computers, users, and packages
When you replicate resources you can verify the data that is replicated by
entering a Data Verification percentage in the rule.
■
Events, such as software delivery execution
■
Security settings, such as roles and privileges
Note: Replication replaces Inventory Forwarding and Package Replication Solution
in Notification Server 7.x.
The stand-alone replication functionality that is described here is different from
hierarchy replication. Stand-alone replication defines the information flow between
two Notification Servers. Hierarchy replication provides reliable and scalable data
synchronization between multiple Notification Servers.
You can configure replication to replicate data outside the hierarchy structure,
for example by sending data to an external server that collates particular
information for reports.
The following replication types are supported:
Differential
Replicates the objects and the data that have changed since the last
replication. This method is the recommended method because it
reduces the network load and bandwidth consumption when data is
replicated.
Complete
Replicates all objects and data.
This method is commonly used for hierarchy replication. A complete
replication is typically performed monthly to ensure full replication.
Stand-alone replication does not perform complete replication like
hierarchy replication does. Stand-alone replication is always
differential.
Another difference between hierarchy replication and stand-alone replication is that
within a hierarchy, the replicated data is secured and (by default) read-only. Ownership
applies so that child Notification Servers cannot automatically overwrite the data
that has been replicated down from the parent Notification Servers. Some data
includes the settings that enable it to be editable on the destination, and these
can be configured as appropriate. Stand-alone replication has no such ownership, so all
replicated data can be edited on the destination Notification Servers.
Replication requirements
The requirements for configuring replication in your Notification System must
be satisfied before you configure any replication.
The requirements are as follows:
■
Network traffic must be routable between Notification Servers.
■
HTTP/HTTPS traffic must be permitted between Notification Servers.
■
Trust relationships must exist between Notification Servers, or credentials
for the privileged accounts that facilitate trust must be known.
■
Each Notification Server must be able to resolve the name and the network
address of any Notification Server with which it replicates data.
■
There must be sufficient bandwidth between Notification Servers to support
package and data replication.
The required bandwidth and hardware depend on the size of your infrastructure
topology and the data replicated.
■
Each Notification Server must have a site server that is running the package
service available. The package service must serve the Notification Server
computer.
See “About replication” on page 187.
See “About configuring replication” on page 189.
About configuring replication
Before you start replicating data from one Notification Server to another, you
need to plan your replication. This is to ensure that similar data is not passed in
both directions. If any of your servers are part of a hierarchy, you need to ensure
that the replication does not conflict with the hierarchy replication process.
Notification Server does not check to ensure that your replication configuration
is consistent with the hierarchy. A poorly planned implementation may create
data clashes or overwrites in the affected CMDBs.
See “About replication” on page 187.
See “Replication requirements” on page 189.
See “Configuring replication rules” on page 191.
Note: Replication is not supported from a 7.1 server to a 7.0 server or from a 7.0
server to a 7.1 server.
To configure replication, you need to set up the appropriate replication rules on
each Notification Server computer. Each rule specifies the data to replicate from
that server (the source server) to one or more specified destination servers and
the schedule to use. You should use different replication schedules for each
Notification Server computer. For example, stagger the times to ensure that each
runs at a different time. Replicating to and from multiple Notification Server
computers at the same time can cause problems in the CMDB.
The rule must be enabled for the specified replication to take place. You can enable
and disable replication rules at any time, according to the needs of your
organization. For each rule that is enabled, the specified data is replicated
according to the defined schedule.
You can replicate data at any time by running the appropriate replication rules.
In the console, right-click on the rule and click Run. Running a replication rule
overrides its schedule and replicates the specified data to the destination servers
immediately. Running a replication rule is a once-only operation and does not
change the replication schedule. All replication rules continue to be run as
scheduled.
Table 9-1
Replication rule types
Type
Description
Events
Replicates Notification Server events.
Items
Replicates Notification Server configuration and management items such as policies, filters,
and reports.
Resources
Replicates Notification Server resource types, resource targets, and specific data classes.
If you include resource targets in a resource replication rule, remember that resource scoping
applies to the contents (resources) of the replicated target. Therefore, the resources that are
replicated depend on the owner of the resource target. The Notification Server administrator
can choose to replicate resource targets in their current state (owned by somebody else, with
the corresponding scope). Alternatively, they can take ownership of the targets, save them with
the administrator’s scope (which usually contains more resources) and replicate them in that
state. All the current members of a resource target are replicated. The actual resource target
item is replicated in the background as a dependent item. The target that is applied to a
stand-alone rule is replicated when the stand-alone rule itself is replicated. When the rule is
run, the target is not sent.
Security
Replicates Notification Server security roles and privileges. Two types of security replication
rules are available: Privilege and Role. The configuration procedure is identical for each.
When you include a security role in a replication rule, you must also configure a replication
rule to replicate all of the privileges in the role. The replicated security role does not recognize
any privileges that already exist on the destination Notification Server computer.
Configuring replication rules
The replication rules that you configure on a Notification Server are items on that
server. Therefore it is possible to replicate them to other Notification Servers.
You may want to set up your item replication rules to ensure that replication rules
are not included.
Note: Replication is not supported from a 7.1 server to a 7.0 server or from a 7.0
server to a 7.1 server.
When a replication rule is replicated, its settings remain unchanged. A rule that
is enabled on the source server is immediately enabled on the destination servers.
However, the destination that is specified in the replication rule cannot be resolved.
Each Notification Server uses its own unique GUIDs to identify resources, so the
destination is valid only on the source Notification Server. You need to update
the replication rule to point to the correct destination Notification Server.
See “About replication” on page 187.
See “About configuring replication” on page 189.
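The planning points from "About configuring replication", Table 9-1, and this section can be checked against a written-down rule inventory before any rule is enabled. The following is an added example, not Symantec code and not a Notification Server API: the Rule record, its field names, the "ReplicationRule" item kind label, the server names, and the sample rules are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Rule:
    """One replication rule as recorded in a planning inventory (assumed format)."""
    name: str
    source: str              # server on which the rule is configured
    rule_type: str           # "Events", "Items", "Resources", "Role" or "Privilege"
    destinations: tuple      # destination server names
    start: str               # daily start time, "HH:MM"
    enabled: bool = True
    item_kinds: tuple = ()   # Items rules only: kinds of items included


def _minutes(hhmm):
    hours, mins = hhmm.split(":")
    return int(hours) * 60 + int(mins)


def lint(rules, min_gap=0):
    """Return (finding, rule name, detail) tuples for enabled rules.

    min_gap is the smallest allowed distance, in minutes, between start
    times on different source servers (0 flags identical times only).
    """
    findings = []
    active = [r for r in rules if r.enabled]

    # 1. The same rule type flowing in both directions between two servers.
    flows = {(r.source, d, r.rule_type): r for r in active for d in r.destinations}
    for src, dst, rule_type in sorted(flows):
        back = flows.get((dst, src, rule_type))
        if back and src < dst:  # report each pair once
            findings.append(("bidirectional", flows[(src, dst, rule_type)].name, back.name))

    # 2. Rules on different source servers that start at the same time.
    for a, b in combinations(active, 2):
        if a.source == b.source:
            continue
        diff = abs(_minutes(a.start) - _minutes(b.start))
        if min(diff, 1440 - diff) <= min_gap:  # wrap around midnight
            findings.append(("not-staggered", a.name, b.name))

    # 3. A Role rule with no Privilege rule from the same source to the same
    #    destination: the replicated role does not pick up privileges that
    #    already exist on the destination.
    covered = {(r.source, d) for r in active
               if r.rule_type == "Privilege" for d in r.destinations}
    for r in active:
        if r.rule_type == "Role":
            for d in r.destinations:
                if (r.source, d) not in covered:
                    findings.append(("role-without-privileges", r.name, d))

    # 4. Items rules that carry replication rules: such a rule arrives
    #    enabled, with a destination that cannot be resolved there.
    for r in active:
        if r.rule_type == "Items" and "ReplicationRule" in r.item_kinds:
            findings.append(("replicates-replication-rules", r.name,
                             ",".join(r.destinations)))
    return findings


# Constructed sample inventory (hypothetical servers NS-A, NS-B, NS-C).
RULES = [
    Rule("NS-A resources to NS-B", "NS-A", "Resources", ("NS-B",), "01:00"),
    Rule("NS-B resources to NS-A", "NS-B", "Resources", ("NS-A",), "01:00"),
    Rule("NS-A roles to NS-C", "NS-A", "Role", ("NS-C",), "02:00"),
    Rule("NS-C items to NS-A", "NS-C", "Items", ("NS-A",), "03:30",
         item_kinds=("Report", "ReplicationRule")),
    Rule("NS-B events to NS-C", "NS-B", "Events", ("NS-C",), "02:00", enabled=False),
]

if __name__ == "__main__":
    for finding in lint(RULES):
        print(finding)
```

Disabled rules are skipped because only enabled rules replicate on a schedule; re-run the check whenever a rule is enabled or its schedule changes.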
To configure a replication rule
1
In the Symantec Management Console, on the Settings menu, click All
Settings.
2
In the left pane, expand the Settings > Notification Server > Replication
folder.
3
In the Replication folder, do any of the following:
Create a new replication rule
Right-click the appropriate folder and click New >
Replication Rule.
The new rule appears in the folder and is selected
automatically.
Modify an existing replication rule
Expand the appropriate folder, and then select the
replication rule that you want to modify.
Enable or disable a replication rule
Expand the appropriate folder, and then right-click
the replication rule and click Enable or Disable,
whichever is appropriate.
You can also enable or disable a rule in the Replication
Rule page, by clicking the rule status (On/Off) icon to
toggle the setting.
Run a replication rule
Expand the appropriate folder, and then right-click
the replication rule that you want to run and click Run.
4
On the Replication Rule page, specify the appropriate settings.
See “Replication rule settings” on page 192.
5
Click Save changes.
Replication rule settings
Some replication rule settings apply only to a particular rule type.
See “About configuring replication” on page 189.
See “Configuring replication rules” on page 191.
Table 9-2
Replication rule settings
Setting
Description
Rule name and description
The first line of the page heading is the name of the replication rule. The second line of the
page heading is its description.
To change these, you can click the text to make it editable, and then type the rule name or
description.
Rule status symbol
The current status of the replication rule:
■
On (Green light) – The rule is active.
■
Off (Red light) – The rule is idle.
You can click the symbol to toggle the status to its alternative setting.
Resource Types/Resource Targets
Applies to resource replication rules and event replication rules.
Specifies the resources that you want to replicate. These two options are alternatives.
You can click the appropriate option to activate the one that you want:
■
Resource Types
Replicates the selected resource types.
If you choose this option, you need to click Resource Types.
In the Select Resource Type window, select the resource types that you want to include.
■
Resource Targets
Replicates the selected resource targets.
If you choose this option, you need to click Resource Targets.
In the Select a Group window, select the resource targets that you want to include.
See “Selecting named resource targets” on page 419.
Data Classes
Applies to resource replication rules only.
If you want to specify particular data classes to include, you need to click Data Classes.
In the Inventory Data Classes window, select the classes that you want.
Event Classes
Applies to event replication rules only.
The event classes to include. To select these, click Event Classes and, in the Event Classes
window, select the classes that you want.
Items
Applies to item replication rules only.
The items to include in the replication rule. To select these, click Items and, in the Select
Items window, select the items that you want.
Roles/Privileges
Applies to security replication rules only.
The roles or privileges to replicate, according to the rule type. These settings are alternatives
and only the appropriate option is displayed on the page.
To select these, click Roles/Privileges and, in the Select Roles/Privileges window, select
the roles or privileges that you want.
Destination
The Notification Server computers to which the data is replicated.
See “Specifying destination Notification Servers in a replication rule” on page 194.
Credentials
The credentials that are required to connect to the destination Notification Servers.
See “Specifying Notification Server credentials in a replication rule” on page 196.
Maximum Rows
Applies to event replication rules only.
Specifies the maximum number of table rows to replicate.
Resend events that have been sent previously
Applies to event replication rules only.
You should use this option if a destination server has recently purged its event classes or
if you have experienced network problems between servers.
Use this schedule
In the drop-down list, select the schedule that you want to use.
If you select Custom Schedule, you need to click Define Custom Schedule and, in the
Schedule Editor, specify the schedule parameters.
Verify maximum of nn% of data during each replication
Applies to resource replication rules only.
To reduce the load that is imposed on the server, you can verify small amounts of resource
data on every replication. You can specify a verification percentage in the replication rule.
For example, if you verify 10% of the data for each replication, that ensures that all data
has been verified after 10 replications.
Specifying destination Notification Servers in a replication rule
You need to specify the Notification Server computers to which a replication rule
replicates data. This procedure is the same for all replication rule types.
See “About replication” on page 187.
See “Replication requirements” on page 189.
See “About configuring replication” on page 189.
See “Configuring replication rules” on page 191.
To specify the destination Notification Servers in a replication rule
1
In the Symantec Management Console, on the Settings menu, click All
Settings.
2
In the left pane, expand the Settings > Notification Server > Replication
folder.
3
In the Replication folder, click the replication rule you want to edit.
4
On the Replication Rule page, click Specified Notification Servers.
5
In the Notification Servers window, in the Available Notification Servers
list, select the appropriate destination Notification Servers.
6
If necessary, you can add new Notification Servers to the list, or modify
existing Notification Servers.
See “Adding or modifying an available Notification Server” on page 195.
7
Click Save changes.
The selected Notification Servers are listed in the Destination field.
Adding or modifying an available Notification Server
If necessary, you can add new Notification Servers to the list of those available,
or modify existing Notification Servers.
See “Specifying destination Notification Servers in a replication rule” on page 194.
To add or modify an available Notification Server
1
In the Symantec Management Console, on the Settings menu, click All
Settings.
2
In the left pane, expand the Settings > Notification Server > Replication
folder.
3
In the Replication folder, click the replication rule you want to edit.
4
On the Replication Rule page, click Specified Notification Servers.
5
In the Notification Servers window, do one of the following:
To add a new Notification Server
Click Add.
To modify an existing Notification Server
In the Available Notification Servers list, select the
Notification Server computer that you want to modify,
and then click Edit.
6
In the Add a Notification Server by name or browse the network window,
enter the appropriate details in the following boxes:
Notification Server Name
Notification Server Web Site
7
If you want to select the Notification Server computer from your network,
click Browse.
In the Browse for Computer dialog box, select the appropriate Notification
Server.
8
Click Add.
The system connects to the specified server, verifies that it is suitable, and
then adds it to the list of available Notification Servers.
Specifying Notification Server credentials in a replication rule
You need to specify the credentials for both the source and the destination
Notification Servers in a replication rule. If you have specified two or more
destination Notification Servers in the same replication rule, they are assumed
to have the same credentials. If your destination Notification Servers have different
credentials, you need to create a different replication rule for each destination.
See “About replication” on page 187.
See “Replication requirements” on page 189.
See “About configuring replication” on page 189.
See “Configuring replication rules” on page 191.
To specify Notification Server credentials in a replication rule
1
In the Symantec Management Console, on the Settings menu, click All
Settings.
2
In the left pane, expand the Settings > Notification Server > Replication
folder.
3
In the Replication folder, click the replication rule you want to edit.
4
On the Replication Rule page, click Specified Credentials.
5
In the Credentials window, under Destination Server Credentials, specify
the account on the destination server:
■
Use application credentials.
Uses the default Notification Server account that was set up at installation.
See “Notification Server processing settings” on page 52.
■
Use these credentials.
Specify the appropriate user name and password.
6
Under Sending Server Credentials, specify the account on the local server
(the one on which you configure the replication).
■
Use application credentials
Uses the default Notification Server account.
■
Use these credentials
Specify the appropriate User name and Password.
7
Click OK.
The system does not verify that the specified credentials are correct until it
attempts to execute the replication rule.
Chapter 10
Customizing the Symantec Management Console
This chapter includes the following topics:
■
About customizing the Symantec Management Console
■
Saving console elements as XML files
■
Customizing the console menu
■
About the context menu
■
Adding user-defined actions to the context menu
■
About console views
■
About portal pages
About customizing the Symantec Management Console
You can customize the Symantec Management Console to suit the requirements
of your organization. For example, you may want to add extra submenu items to
the console menu to suit the users in your organization. You cannot change the
top-level menu options, and you cannot edit or remove any of the submenu items
that are supplied with the Symantec Management Console.
You can customize the following console components:
Menus
Add submenus and submenu items, and set up the menu structure
that best suits your organization.
See “Customizing the console menu” on page 201.
Context menus
Add user-defined actions to the right-click menu.
See “About the context menu” on page 205.
Views
Create and modify views to set up the navigation tree structure
that best suits your organization.
See “About console views” on page 212.
Portal pages
Create and modify portal pages. A portal page is a Symantec
Management Console page that you can customize to suit your
requirements. You can use a portal page to consolidate key
information into a single, easy-to-view page. A portal page can
display the status of the Symantec Management Platform and
managed computers, or any other information that you want to
make available. For example, you can include external web pages,
intranet pages, RSS feeds, or your own applications.
See “Creating and modifying portal pages” on page 217.
Web parts
Create and modify the Web parts that you use to build portal pages.
See “Creating and modifying Web parts” on page 218.
Most customizations are system-wide. To achieve role-level customization, you
can use security on items. For example, you can create a portal page that is
accessible only to a certain role. In this case, customization is implemented with
permissions on items, not privileges. Views, trees, and menus can also be
customized using security. For example, a Symantec administrator can set the
permission on a tree item or menu option so that users in one role can see it, but
users in another role cannot. However, the My Portal page and per-page
personalization apply per user.
You can save your customized console elements as XML files, and restore them
when necessary by importing the appropriate files.
See “Saving console elements as XML files” on page 200.
Saving console elements as XML files
You can save console elements (menu items, views, portal pages, or Web parts)
as XML files. You may want to do this to create backup files before you customize
the console. You could also do this to create XML files that you can customize and
import as custom console elements into other Notification Servers.
See “About customizing the Symantec Management Console” on page 199.
To restore console elements, you import them from the appropriate XML files.
Console elements are identified by their GUIDs. Elements in the imported XML
file overwrite the existing elements that have matching GUIDs. Any elements in
the XML that don't have matching GUIDs in the console are added as new items.
Note: You need the Import XML privilege to import XML files. By default, only the
Symantec Administrator role has this privilege.
To save a console element as an XML file
1
In the Symantec Management Console, in the left pane, click the tree node
that you want to save.
2
Right-click, and then click Export.
3
In the Destination File for Exported XML dialog box, specify the XML file
name and location, and then click Save.
To restore a console element from an XML file
1
In the Symantec Management Console, in the left pane, select the folder to
which you want to restore the element.
2
Right-click, and then click Import.
3
In the Choose the XML File to Import dialog box, select the appropriate XML
file.
4
If you want to prevent any changes from being made to the imported element,
check Open as read-only.
5
Click Open.
Customizing the console menu
You can customize the console menu to suit your requirements. The menu options
that are supplied with the Symantec Management Platform are read-only and
cannot be modified. You can add new submenus, and can modify them as necessary.
You can move or delete any menu item, except those that have been designated
as read-only.
See “About customizing the Symantec Management Console” on page 199.
To customize the console menu
1
In the Symantec Management Console, on the Settings menu, click Console
> Menus.
2
On the Edit Menu page, perform the appropriate customization tasks:
To add menu items
See “Adding menu items” on page 202.
To add submenus
See “Adding submenus” on page 203.
To manage menu items
See “Managing menu items” on page 204.
To import and export menu items
See “Importing and exporting menu items” on page 205.
3
Click Apply.
Adding menu items
You can add new menu items to any submenu. You cannot add new items to the
Symantec Management Console menu.
If you want to add a menu item that links to a view or portal page you create, you
can save time by creating the view or portal page before adding the menu item.
See “Customizing the console menu” on page 201.
See “Adding submenus” on page 203.
To add a menu item
1
In the Symantec Management Console, on the Settings menu, click Console
> Menus.
2
On the Edit Menu page, in the left pane, right-click the menu item under
which you want to add the new menu item.
3
Click New Item.
The new item is added to the menu structure.
4
On the Menu Details page, specify the menu item details in the following
fields:
Name
The label for the menu item.
Show
The page or view that is loaded when the menu item is selected.
This drop-down list lets you choose from the following:
■
View: A view with one navigation tree. You need to select the
root node of the view to use.
■
Single Page View: A single page with no navigation tree. You
must select the type of page from the following options:
Altiris Page - any Notification Server or solution page that
is associated with console items.
Portal Page - a portal page.
Report Page - a report page.
URL - a page that is specified by entering a URL.
■
Nothing: No page is loaded. This option is usually used as a
menu level for adding submenu items.
5
Click Apply.
Adding submenus
You can structure your menu by grouping the menu items into appropriate
submenus. When you create a submenu, you can add new menu items to it
manually or import the submenu items from an XML file.
See “Customizing the console menu” on page 201.
See “Adding menu items” on page 202.
To add a submenu
1
In the Symantec Management Console, on the Settings menu, click Console
> Menus.
2
On the Edit Menu page, in the left pane, right-click the menu item under
which you want to add the submenu.
3
Click New Submenu.
The new submenu is added to the menu structure. A new menu item is added
to the submenu automatically.
4
Click Apply.
To import submenu items from an XML file
1
In the Symantec Management Console, on the Settings menu, click Console
> Menus.
2
On the Edit Menu page, in the left pane, select the submenu to which you
want to import menu items.
3
Right-click, and then click Import Submenu.
4
In the Choose the XML File to Import dialog, select the appropriate XML file,
and then click Open.
5
Click Apply.
Managing menu items
You can organize the items on the menu to suit your requirements.
See “Customizing the console menu” on page 201.
You can perform the following operations:
Add menu separators
A menu separator is a line between two menu items to help
visually separate groups of menu items. You can add these
in appropriate places to enhance the menu structure.
See “To add a menu separator” on page 204.
Rearrange menu items
See “To move a menu item” on page 204.
Delete menu items
See “To delete a menu item” on page 205.
To add a menu separator
1
In the Symantec Management Console, on the Settings menu, click Console
> Menus.
2
On the Edit Menu page, in the left pane, right-click the item below where you
want the separator added and select New Separator.
An item labeled “(separator)” is added to the menu structure.
3
Click Apply.
To move a menu item
1
In the Symantec Management Console, on the Settings menu, click Console
> Menus.
2
On the Edit Menu page, in the left pane, select the menu item and then drag
it to the appropriate location in the menu structure.
3
Click Up or Down to move it within the same parent menu item.
4
Click Apply.
To delete a menu item
1
In the Symantec Management Console, on the Settings menu, click Console
> Menus.
2
On the Edit Menu page, in the left pane, select the menu item, and then click
Delete.
3
Click Apply.
Importing and exporting menu items
You can export a selected submenu to an XML file. You can also import the entire
menu or a particular submenu from an XML file into another Notification Server.
See “Customizing the console menu” on page 201.
See “Adding submenus” on page 203.
To export a submenu to an XML file
1
In the Symantec Management Console, on the Settings menu, click Console
> Menus.
2
On the Edit Menu page, in the left pane, select the submenu that you want to
export.
3
Right-click and then click Export....
4
In the Destination File for Exported XML dialog box, specify the XML file
name and location, and then click Save.
To import the entire console menu from an XML file
1
On the Edit Menu page, in the left pane menu, click Import Entire Menu.
2
In the Choose the XML File to Import dialog box, select the appropriate XML
file, and then click Open.
About the context menu
The console context ("right-click") menu contains the menu options that are
relevant to the folder or item on which you have clicked. A default set of right-click
menu options is provided with the Notification Server, and installed solutions
may add further options. Most of the default set of options are common functions
that are available to most folders and items.
See “About customizing the Symantec Management Console” on page 199.
The context menu options that are available for any particular folder or item
depend on the security permissions and privileges that you have for that folder
or item, and also depend on the item type. If you don't have permission to do
something, the corresponding option does not appear on the menu. Folders and
items that are supplied by the Symantec Management Platform and installed
solutions are usually read-only and cannot be modified.
See “About security privileges” on page 82.
Table 10-1
Common context menu options

Open
Description: Displays the contents of the folder or item in the right pane.
Applies to item types: All item types
Additional requirements: Read permission on the item.

Open in new window
Description: Displays the contents of the folder or item in a new window.
Applies to item types: All item types
Additional requirements: Read permission on the item.

Rename
Description: Renames the folder or item.
Applies to item types: All item types
Additional requirements: Write permission on the item.

Clone
Description: Makes a copy of the selected item and saves it under a new name.
Applies to item types: All item types
Additional requirements: Clone permission on the item and Write permission on the destination folder.

Delete
Description: Deletes the folder or item.
Applies to item types: All item types
Additional requirements: Delete permission on the item.

Move
Description: Moves the folder or item to another location in the tree.
Applies to item types: All item types
Additional requirements: Write permission on the item and on the destination folder.

Import
Description: Imports console elements from an XML file.
This option duplicates clicking on the folder or item in the left pane.
You may want to do this to restore console elements from a backup file. You can also
customize your console by importing custom elements that have been defined in an XML file.
See “Saving console elements as XML files” on page 200.
Applies to item types: All item types
Additional requirements: Import XML privilege and Write permission on the destination folder.

Export
Description: Exports the selected folder or item to an XML file.
You may want to export your data to create a backup file before you customize the console.
You could also do this to create XML files that you can customize and import as custom
console elements into other Notification Servers.
See “Saving console elements as XML files” on page 200.
Applies to item types: All item types
Additional requirements: Read permission on the item.

View as XML
Description: Displays the selected item in XML format. You may want to use this feature
to view the XML structure of a console element that you intend to modify.
Applies to item types: All item types
Additional requirements: Read permission on the item.

Properties
Description: Displays the properties of the folder or item in a new window. You may want
to use this option to obtain the item GUID or to view its security attributes.
Applies to item types: All item types
Additional requirements: Read permission on the item.

New > Folder
Description: Creates a new folder.
See “Adding new items directly to a view” on page 214.
Applies to item types: Folders only
Additional requirements: Write permission on the folder.

New > Item Link
Description: Creates a link to an item.
See “Adding new items directly to a view” on page 214.
Applies to item types: Folders only
Additional requirements: Write permission on the folder.

New > Web Link
Description: Creates a link to a web page.
See “Adding new items directly to a view” on page 214.
Applies to item types: Folders only
Additional requirements: Write permission on the folder.

You can customize the context menu by adding new menu options. You cannot
remove any of the options that are supplied with Symantec Management Platform
or installed solutions.
See “Adding user-defined actions to the context menu” on page 208.
See “Removing user-defined actions from the context menu” on page 209.
Adding user-defined actions to the context menu
You can create user-defined actions and make them available in the context menu.
The action may be one of the following:
■
Open a URL and substitute details of the selected resource into the URL. For
example, the resource name.
■
Run a command line on the Notification Server computer or the computer on
which the browser is running.
Note: Each user that wants to run command line right-click actions on a
computer needs to have the appropriate SSL certificate installed on the
computer. You can download the SSL certificate that you need from the
Command Line Right-Click Action Certificate page.
See “Command Line Right-Click Action Certificate page” on page 210.
See “About the context menu” on page 205.
You can specify the resources to which the action applies by selecting the resource
type and (optionally) filtering the resources with a query. When you right-click a
resource of the appropriate type that meets the filter query (if a filter was
specified), the context menu that appears includes the user-defined action.
You require the New Right-Click Action privilege to be able to add a user-defined
action to the context menu.
See “About security privileges” on page 82.
To add a user-defined action to the context menu
1
In the Symantec Management Console, on the Settings menu, click Console
> Right-Click Actions.
2
In the left pane, right-click the folder to which you want to add the right-click
action, and then click New > Right-Click Action.
3
In the New Right Click Action page, specify the appropriate name and
description.
4
Configure the action that you want by making the appropriate settings:
Enable
The action must be enabled to be included in the context menu.
The new action is disabled by default, which lets you configure
and test the action before you make it available to console users.
Resource Type
The resource type to which the action applies. By default all
resources of the specified type are included. If you want to apply
the action to a specific subset of resources, you can filter the
resources with a suitable query expression.
See “Filtering target resources” on page 210.
Action Type
In the drop-down list, select the appropriate action type:
■
URL
In the Base URL box, specify the appropriate URL.
The URL can be to another page in the Symantec Management
Console, or to an external intranet or Internet site.
■
Command Line
In the Command Line box, specify the appropriate command
line.
Check the Run At Server check box to run the command line
from the server. If you leave this check box unchecked, the
command line is run from the computer on which the action
is invoked.
Substitution Parameters
Substitution parameters let you use a variable in the command
line or URL and have the value substituted with the appropriate
value at run time. For example, the resource name, IP address,
or GUID.
For each substitution parameter that you want to include:
1
Click Add.
2
In the Select Attributes window, select the attribute that
you want to use as a parameter, and then click OK.
3
Under Parameter Name, type the appropriate name for the
parameter.
5
Click Apply.
Removing user-defined actions from the context menu
You can remove user-defined actions that you have created from the context
menu. You cannot remove the default actions that are supplied by Notification
Server or installed solutions.
See “Adding user-defined actions to the context menu” on page 208.
To remove a user-defined action from the context menu
1
In the Symantec Management Console, on the Settings menu, click Console
> Right-Click Menu.
2
In the left pane, right-click the action that you want to remove, and then click
Delete.
3
In the confirmation dialog box, click OK.
Command Line Right-Click Action Certificate page
The Command Line Right-Click Action Certificate page lets you download an
SSL certificate that enables you to run command line right-click actions on your
computer. Each user that wants to run command line right-click actions on a
computer needs to have the SSL certificate installed on the computer.
See “Adding user-defined actions to the context menu” on page 208.
When a command line right-click action is run on a computer, the command line
is executed by an ActiveX control hosted by the Symantec Management Console.
For your security, to ensure that only legitimate command lines can be run on
your computer, you need to install an SSL digital certificate into the registry of
your computer. This certificate allows you to run command lines from a
Notification Server that uses the same SSL digital certificate. You cannot run a
command line on a console page that does not use SSL or does not have a matching
certificate. An error message is displayed if you attempt to run a command line
in either scenario.
Note: To download the command line right-click action certificate, you need to
access the Command Line Right-Click Action Certificate page over SSL.
To download the Command Line Right-Click Action Certificate
1
In the Symantec Management Console, on the Settings menu, click All
Settings.
2
In the left pane, click Settings > Notification Server > Command Line
Right-Click Action Certificate.
3
In the Command Line Right-Click Action Certificate page, click Download
Client Registry File.
Filtering target resources
If you want to apply the action to a specific subset of resources, you can filter the
resources with a suitable query expression.
See “Adding user-defined actions to the context menu” on page 208.
To filter the target resources
1
For each attribute that you want to filter on, under Expression, on the toolbar,
click the Add symbol to add a line to the query.
2
For each query line, specify the appropriate expression:
Attribute
1
In the query line, click the blue text.
The default text is "Specify", or the name of the currently
selected attribute.
2
In the Select Attribute window, select the attribute on which
you want to filter the resource type, and then click OK.
Operator
In the drop-down list, select the appropriate operator:
■
not null
■
is null
■
=
■
like
■
<>
Value
In the text box, type the value that you want to use.
3
If the expression contains two or more query lines, in the drop-down list to
the left of the lines, select the appropriate operator:
AND
The expression filters only the resources that meet all of the
query lines.
OR
The expression filters the resources that meet any of the query
lines.
4
If you want to remove a query line from the expression, on the appropriate
line, click Delete.
5
If you want to view the list of resources that are filtered by the expression,
click Display Targeted Resources.
The Resources Targeted by Expression window displays the list of resources
for which the context menu action will be available.
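The filter expression described above can be modeled offline to check which resources a right-click action would target, and how switching between AND and OR changes that scope, before the action is enabled. This is an added example, not code from the Symantec Management Platform: the attribute names and sample resources are constructed, and the case-insensitive, SQL-style handling of like (% and _ wildcards) and of null values is an assumption.

```python
"""Offline model of a right-click action filter expression (added example).

Assumptions (not taken from the product): comparisons are case-insensitive,
"like" uses SQL-style wildcards (% = any run, _ = one character), and a
comparison against a missing (null) attribute never matches.
"""
import re
from dataclasses import dataclass
from typing import Optional

# The five operators offered in the Operator drop-down list.
OPERATORS = ("not null", "is null", "=", "like", "<>")


@dataclass(frozen=True)
class QueryLine:
    attribute: str
    operator: str
    value: Optional[str] = None


def _like(pattern: str, text: str) -> bool:
    """SQL-style LIKE match (assumed semantics)."""
    regex = "".join(
        ".*" if ch == "%" else "." if ch == "_" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, text, re.IGNORECASE | re.DOTALL) is not None


def line_matches(line: QueryLine, resource: dict) -> bool:
    """Evaluate one query line against one resource."""
    if line.operator not in OPERATORS:
        raise ValueError(f"unsupported operator: {line.operator!r}")
    actual = resource.get(line.attribute)
    if line.operator == "is null":
        return actual is None
    if line.operator == "not null":
        return actual is not None
    if line.value is None:
        raise ValueError(f"operator {line.operator!r} needs a value")
    if actual is None:
        return False  # assumed: null never satisfies =, like or <>
    if line.operator == "=":
        return actual.lower() == line.value.lower()
    if line.operator == "<>":
        return actual.lower() != line.value.lower()
    return _like(line.value, actual)


def targeted(resources, lines, combine="AND"):
    """Return the resources for which the action would be available."""
    if combine not in ("AND", "OR"):
        raise ValueError("combine must be 'AND' or 'OR'")
    if not lines:
        return list(resources)  # no filter: every resource of the type
    pick = all if combine == "AND" else any
    return [r for r in resources if pick(line_matches(l, r) for l in lines)]


def names(resources):
    return [r["Name"] for r in resources]


# Constructed sample resources; attribute names are hypothetical.
RESOURCES = [
    {"Name": "WEB-01", "OS Name": "Windows Server 2008", "IP Address": "10.0.1.10"},
    {"Name": "WEB-02", "OS Name": "Windows Server 2003", "IP Address": None},
    {"Name": "HR-LAPTOP-7", "OS Name": "Windows XP", "IP Address": "10.0.9.77"},
    {"Name": "DB-01", "OS Name": None, "IP Address": "10.0.1.20"},
]

if __name__ == "__main__":
    expr = [
        QueryLine("Name", "like", "WEB-%"),
        QueryLine("IP Address", "not null"),
    ]
    # AND narrows the action to web servers that have an address;
    # OR widens it to every resource that meets either line.
    print("AND:", names(targeted(RESOURCES, expr, "AND")))
    print("OR: ", names(targeted(RESOURCES, expr, "OR")))
```

Comparing the AND and OR results for the same query lines shows how far a single drop-down choice can widen the set of computers on which a command line action is offered.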
About console views
A view is a two-pane layout with a navigation tree in the left pane and content in
the right pane. The navigation tree contains links to Symantec Management
Console items and lets you group items from different parts of the console into a
suitable structure. An item may appear multiple times in a view, and in any number
of different views. A view can include folders, item links, and Web links. The
Symantec Management Platform and solutions include predefined views that you
can modify and extend as necessary. You can also create your own views.
See “About customizing the Symantec Management Console” on page 199.
See “Creating and modifying views” on page 212.
Views let you organize and access the Symantec Management Platform and
solution functionality. You may want to set up views to reflect the functionality
that is provided by a solution or a feature or to provide users in a specific role
with access to the appropriate tasks.
The default navigation tree structure that you can see in the left pane is the real
folder structure. Each item appears only once in the real structure. Folders in a
view may be virtual folders, which do not exist in the real structure, or they may
be links to real folders. A link to a real folder includes everything under that folder.
If any new items are added to the real structure in that folder, they are
automatically included in the view. You cannot exclude items in a folder from a
view, but you can delete them from the view. This breaks the link between the
view and the item: it does not delete the real item.
Security applies to views, so what you see in a view depends on your security
privileges and permissions. To have a privilege or permission on a folder in a
view, it must be set directly on the view and also set in the real folder. You may
see only some of the items in a view, but other users may see more or fewer.
See “Adding new items directly to a view” on page 214.
Creating and modifying views
Notification Server and solutions include predefined views that you can modify
and extend as necessary. You can also create and modify your own views.
See “About console views” on page 212.
To create or modify a view
1
In the Symantec Management Console, in the Settings menu, click Console
> Views.
2
In the left pane, in the Views folder, do one of the following:
To create a new view
Right-click the folder to which you want to add the
view, and then select New > View.
To modify an existing view
Right-click the view that you want to modify and then
select Edit View.
3
On the Edit View page, specify the appropriate details in the following fields:
Name
The view name.
Description
A description of the view.
Display portal page
Lets you select a portal page to associate with the root folder
of the view. When the root folder of the view is selected in
the left pane, the specified portal page is displayed in the
content pane.
Contents of this view
Displays the structure of the view that you are creating, and
lets you create new folders and delete any items that you
don't want.
The contents are sorted alphabetically, with folders on top,
followed by items. You cannot modify the structure.
Available items
Displays the Symantec Management Console tree structure,
and lets you select the folders and items that you want to
include in the view.
To add an item to the view:
1
In the Tree drop-down list, select the tree from which
you want to select items.
2
Expand the tree and select the folder or item that you
want to add to the view.
3
Click Add.
4
Click OK.
Adding new items directly to a view
You can add new folders, item links and Web links directly to a view. You can also
add new views to create a hierarchy of views.
See “About console views” on page 212.
To add a new component directly to a view
1
In the Symantec Management Console, in the Settings menu, click Console
> Views.
2
In the left pane, right-click the folder under which you want to add the new
folder or item and select the appropriate option:
New > Folder
In the New Folder dialog box, type the new folder name, and
then click Apply.
New > Item Link
In the Edit Item Link window, select the item to which you
want to create an item link, and then click OK.
New > Web Link
In the Web Link Configuration dialog box, specify the URL
of the web page to which you want to link.
You can optionally specify the following:
■
Icon Image URL
If you want to use an icon in the tree view, specify the
URL to the appropriate image file.
■
Target Frame
The default is rightPane, which is the main content area
usually known as the right pane.
Click Apply.
New > View
In the Edit View window, create the appropriate view.
See “Creating and modifying views” on page 212.
About portal pages
A portal page is a Symantec Management Console page that you can customize
to suit your requirements. You can use a portal page to consolidate key information
into a single, easy-to-view page. A portal page can display the status of the
Symantec Management Platform and managed computers, or any other
information that you want to make available. For example, you can include external
Web pages, intranet pages, RSS feeds, or your own applications. This is more
convenient than viewing a number of different console pages to gather the
information that you want.
See “About customizing the Symantec Management Console” on page 199.
Most portal pages are available to all console users. The exception is the My Portal
page, which is a special portal page that is unique to each user. First-time users
are given a default My Portal page that includes only the Getting Started Web
part.
See “About the My Portal page” on page 216.
Note: To view a portal page, you require Read permission on that portal page.
Portal pages are constructed from Web parts. You can create and customize Web
parts according to your requirements and then add them to your portal pages.
The types of Web parts are as follows:
Report
Displays the information that is retrieved from a report.
URL
A link to another Web page (such as a page in your corporate intranet, or
an external Web site).
Portal pages can be up to three columns wide. Web parts may be displayed on a
portal page in three different sizes, depending on which column they are placed
in or whether they span all columns. The left and middle columns are the same
width (Web parts in these are “small”), and the right column is wider (Web parts
here are “large”). Alternatively, a Web part can use the full page width (Web part
is “multi-column”). These multi-column Web parts are shown at the top or bottom
of the portal page. When you design a new Web part, you need to ensure that it
displays appropriately at any size. You cannot set a particular size as a Web part
property.
You can collapse a Web part by clicking the arrow at the top right, and expand it
by clicking the arrow again. This lets you include slow-to-load or rarely-used Web
parts on a portal page.
Portal pages have the following two modes of operation:
View
The portal page is read-only. You can view all the Web parts, but cannot
make any changes. Some portal pages that are provided by Symantec
solutions may be restricted to view mode to prevent anybody from
modifying the content.
Edit
If you have Write permission on the portal page, you can edit it. You can
add, remove, resize, and re-order Web parts on a portal page. The Web
parts tree is displayed on the left of the page, letting you drag and drop
Web parts to the appropriate locations. To remove a Web part from a
portal page, click the X symbol at the top-right corner of the Web part.
See “Creating and modifying portal pages” on page 217.
See “Creating and modifying Web parts” on page 218.
About the My Portal page
The My Portal page is the default page when a new user opens the Symantec
Management Console. This portal page has a Getting Started Web part that
contains short videos and links to help topics. These are provided to help you
understand the Symantec Management Platform. You can access this page from
the Home menu of the console.
See “About portal pages” on page 214.
Any changes that a user makes to the My Portal page, such as adding, editing, or
removing Web parts, are personalized to that user. The changes are saved according
to their user ID. When the user next logs on and selects the My Portal page option
from the Console menu, their personalized My Portal page is automatically
reloaded.
Accessing the Notification Server Management Home page
The Notification Server Management Home page provides access to key
information about Notification Server and the installed solutions.
See “About portal pages” on page 214.
The Notification Server Management Home page includes the following
information:
Resource Manager
A link that lets you select a resource to view in the Resource
Manager console.
Installed products
List of solutions that are installed on Notification Server.
Site Servers
List of site services and site servers that are included in the
Notification Server site.
Hierarchy
Details of the hierarchy to which Notification Server belongs. This
information is displayed only if Notification Server is a member of
a hierarchy.
Agent Rollout Status
Status of the Symantec Management Agent rollout to computers
that you want to manage.
Licenses
Lists the following for each solution:
■
Total number of licenses available
■
Number of licenses in use
■
License expiration dates (if applicable)
The Notification Server Management Home page, as with all portal pages, is
customizable. You can configure the page with the information you feel is most
useful.
See “Creating and modifying portal pages” on page 217.
To access the Notification Server Management Home page
◆
In the Symantec Management Console, in the Home menu, click Notification
Server Management > Portal.
Creating and modifying portal pages
The Symantec Management Console lets you create new portal pages and modify
existing ones. As part of creating or modifying a portal page, you might need to
create or modify Web parts.
See “About portal pages” on page 214.
See “Creating and modifying Web parts” on page 218.
Note: To modify a portal page, you require Write permission on the portal page.
To see a Web part on a portal page, you require Read permission on the Web part.
To create or modify a portal page
1
In the Symantec Management Console, in the Settings menu, click Console
> Portal Pages.
2
Do one of the following:
To create a new portal page
In the left pane, right-click the Portal Pages folder,
and then select New > Portal Page.
To modify an existing portal page
In the left pane, in the Portal Pages folder, select the
page that you want to edit.
In the upper-right corner of the portal page, click Edit.
3
On the Portal Page Configuration page, specify the page name and description
and select the Web parts that you want to use on the portal page.
Name
The name of the portal page.
Description
A description of the portal page.
Web Parts panel
This panel contains the list of available Web parts that you
can add to the portal page.
To add a Web part:
1
Select the Web part, and then click Add.
2
In the portal page, click the Web part and drag it to the
appropriate location on the page.
4
If you want to remove a Web part from the page, in the appropriate Web part
frame, click the Delete symbol in the upper-right corner.
5
To save the changes to the portal page, click Apply.
Creating and modifying Web parts
Web parts are mini Web pages that you can use as the building blocks for portal
pages. A Web part can display a report or the contents of a Web page. The console
is supplied with a set of predefined Web parts that you can use to build your portal
pages. You can modify these Web parts, and also create new ones.
See “Creating and modifying portal pages” on page 217.
You can also create a report Web part directly from a report.
See “Saving Notification Server report results as a Web part” on page 505.
To create or modify a Web part
1
In the Symantec Management Console, in the Settings menu, click Console
> Web Parts.
2
Do one of the following:
To create a new Web part
In the left pane, expand the Web Parts folder, and
right-click the folder in which you want to add the new
Web part.
Click New > Web Part.
To modify an existing Web part
In the left pane, expand the Web Parts folder, and select
the Web part that you want to modify.
3
On the Web Part Configuration page, specify the Web part parameters:
Name
The name of the Web part.
Description
A description of the Web part.
Web Part Contents
The content of the Web part. You can choose one of the
following:
■
Results from report
If you choose this option, you need to select the
appropriate report. The report is run when you open a
portal page that contains the Web part, so the results are
always up-to-date.
■
Show URL
If you choose this option, specify the appropriate URL.
Fixed Height
Check this option to specify a fixed height for the Web part,
and then type the height (in pixels) in the adjacent box.
If this option is not selected, the Web part resizes according
to the content that it displays.
Default size
The default size of the Web part:
■
Small
■
Large
■
Multi-column
When the Web part is added to a portal page, its default
location is determined by its default size. If you move the
Web part to another location it is resized automatically.
4
If you want to cancel the changes without saving anything, click Cancel.
5
Click Save Changes.
6
If you want to preview the Web part that you have specified, click Show
Preview.
Section 2
Discovering Symantec Management Platform resources
■
Chapter 11. Discovering Windows computers
■
Chapter 12. Importing resources from Active Directory
■
Chapter 13. Discovering network devices
Chapter 11
Discovering Windows computers
This chapter includes the following topics:
■
About resource discovery
■
About discovering Windows computers
■
About discovering computers with domain resource discovery
■
Discovering computers with domain Resource Discovery
■
Selecting domains
■
Domain discovery credentials
About resource discovery
Discovering all the resources in your network is one of the first steps in
successfully managing your network. The Symantec Management Platform
provides tools to automatically discover devices in your network. It also creates
resources for the discovered devices in the configuration management database,
also known as the CMDB. The ability to automatically discover resources removes
the need for time-consuming and error-prone manual entry.
You can run a manual discovery at any time or you can set up a schedule. By
scheduling the discovery, you can automatically create CMDB resources for new
computers as they are added to your network.
The following table lists the different tools available to discover resources.
Table 11-1
Resource discovery methods
Method
Description
Domain Resource Discovery
If you want to quickly discover Windows computers,
you can use domain resource discovery. This method
lets you discover the computers that have a trusted
account on a domain.
When you installed Notification Server, you had the
opportunity to use this method to discover computers
automatically.
See “About discovering Windows computers”
on page 224.
Active Directory import
You can import some or all of the resources in your
Microsoft Active Directory into the CMDB. You can
configure resource import rules to identify and import
the resources that you want. You can then configure
schedules to perform full imports and update imports
at the appropriate intervals.
See “About discovering Windows computers”
on page 224.
Network Discovery
If you want to discover all resources on all platforms,
use Network Discovery. Using Network Discovery,
you can discover all IP devices that are connected to
your network. You can discover routers, switches,
hubs, network printers, Novell NetWare servers, and
Windows, UNIX, Linux, and Macintosh computers.
See “About Network Discovery” on page 248.
About discovering Windows computers
Before you can manage computers, you must do the following:
■
Discover the computers on your network.
■
Create resources for them in the CMDB.
This process is called discovery and lets you discover the computers on which you
can install the Symantec Management Agent and various solution agent/plug-ins.
You can discover Windows computers by doing the following:
■
Searching for all Windows computers on your network that are registered on
a specific domain
■
Searching for all Windows computers on your network that match the
organizational units that you specify
If you want to discover the computers that are running on other operating systems,
you can use Network Discovery.
See “About resource discovery” on page 223.
You can use different methods to discover Windows computers.
Table 11-2
Discovery methods for Windows computers
Method
Description
Resource discovery
Searches the specified domain for all computers that are registered
on that domain. You must choose at least one of the Domain Browse
List or Domain Membership options.
See “About discovering computers with domain resource discovery”
on page 225.
Microsoft Active Directory Import
Lets you import the computer resources that match the organizational
units that you specify. You can also filter the computers that have
been active within a specific number of days or that are running a
specific Windows operating system.
This method returns detailed information on the operating systems
for each of your discovered computers and is the preferred method.
See “About importing resources using Microsoft Active Directory
Import” on page 233.
You can use these discovery methods to discover all your computers in domains,
or you can target computers in a single domain.
About discovering computers with domain resource discovery
You can discover Windows computers by searching domain resource information.
Two methods of domain search are available: Domain Browse List and Domain
Membership. Discovered computers have a resource created for them in the CMDB.
Discovered resource data is stored in the Notification database.
This database contains the following information on each discovered computer:
■
Name (Domain Browse List and Domain Membership)
■
OS name (Domain Browse List and Domain Membership)
■
Main version (Domain Browse List)
■
Minor version (Domain Browse List)
■
Platform (Domain Browse List)
The information in parentheses indicates which domain search type yields which
data.
See “About discovering Windows computers” on page 224.
The following table describes each method.
Table 11-3
Methods for domain resource discovery
Method
Description
Domain Browse List
The browse option discovers all computers that share files or
printers or are running the Windows Messenger Service. These
computers include Windows 95, 98, 98 SE and ME.
This method can also discover computers in a workgroup that
meet the search criteria.
The Domain Browse List works by enumerating the records in the
computer browse list. This computer browse list was designed for
a small, peer-to-peer environment, so it does not scale to large
environments well.
When the Notification Server performs a Domain Browse List
discovery, it requests a copy of the computer browse list. The
browse list includes additional information such as the computer’s
operating system and version. It then does a reverse lookup of the
computer’s name to get its IP address.
You might have problems discovering computers using this
method if the following conditions exist:
■ The computer is not in the computer browse list.
■ The computer is in the computer browse list but not registered
as sharing files.
■ It can take between 15 minutes and 51 minutes for changes to
be reflected in the computer browse list.
The Domain Browse List discovery method gets as much of the
computer browse list as it can and as fast as it can. This method
can overload a PDC in a large domain or a multi-domain
environment. We recommend you run this outside business hours,
preferably over a weekend.
Domain Membership
This option discovers all computers with trust accounts in the
domain. It can discover computers in Windows NT 4.0 domains
or Windows 2000 and later Active Directory domains. This method
finds all Windows NT/2000/XP/2003 computers in the domain.
However, any Windows 95, 98, 98 SE and ME computers are not
found.
Note: Limited information can be discovered on computers in NT
4.0 domains. For example, the specific operating system of the
computer is not known.
Domain Membership discovery works by enumerating the
computer accounts in the specified domains.
When you add a Windows NT/2000/XP/2003 computer to a
domain, a computer account is created in that domain. The
computer uses this account to authenticate with the domain so
the computer can authenticate user logons using a secure
connection. Windows 9x computers do not create a computer
account, which is why you cannot find Windows 9x computers
using this method.
When discovering computers using the Domain Membership
method, Notification Server catalogs these accounts. Unlike the
Domain Browse List method, these accounts have no additional
information beyond the computer’s name. Notification Server
still does a reverse lookup on the name to get its IP address.
See “Discovering computers with domain Resource Discovery” on page 227.
Discovering computers with domain Resource
Discovery
You can discover Windows computers by searching domain resource information.
Discovered computers have a resource created for them in the CMDB. You can
run a discovery manually or use a schedule. After a discovery is run, you can view
reports that show your discovery results. You can also discover Windows
computers using Microsoft Active Directory Import.
See “About discovering Windows computers” on page 224.
See “About importing resources using Microsoft Active Directory Import”
on page 233.
Note: The status message on the Resource Discovery page shows the last time
that discovery was run manually from the page. The time is not updated to show
any subsequent scheduled discovery that has been run.
To discover computers using Resource Discovery
1
In the Symantec Management Console, on the Actions menu, click Discover
> Import Domain Membership/WINS.
2
On the Domain Membership/WINS Import page, under Domains to search,
type the name of a domain you want to search, and then click the add icon.
3
(Optional) To enter a different user name and password for the domain so
that Notification Server has access, complete the following steps in order:
■ Select the domain.
■ Click the pencil icon.
■ Click Use these credentials.
■ Enter the user name and password, and then click OK.
4
Select at least one of the following options:
Domain Browse List
Uses the network browse list to discover all computers on
the domain. It is designed for small, peer-to-peer
environments. This option does not work if the computers
aren’t in the browse list or aren’t registered as sharing files
or printers on the domain.
Domain Membership
Queries the domain controller for a list of all Windows 2000
(and later) computers that have trust accounts on the
domain. This option is slower than Domain Browse List.
See “About discovering computers with domain resource discovery”
on page 225.
5
Choose one of the following options:
Discover now
Click Discover Now.
Set schedule
Under Scheduling Options, select the frequency from the
drop-down list, and then click Save changes.
6
View discovery results by doing the following:
■ Click View Discovery Reports.
■ In the Resource Discovery Reports window, right-click a report and click
Open in New Window.
■ Enter the parameters for the report.
■ Click Refresh.
Selecting domains
The Domain Picker page lets you select the domains that you want from the list
of available domains.
See “Discovering computers with domain Resource Discovery” on page 227.
See “About discovering Windows computers” on page 224.
To select domains
1
In the Symantec Management Console, on the Actions menu, click Discover
> Import Domain Membership/WINS.
2
On the Domain Membership/WINS Import page, under Domains to search,
click Browse and select from available domains.
3
In the Domain Picker window, under Select the desired domains, check the
appropriate checkboxes.
4
Click OK.
Domain discovery credentials
You can specify a different ID and password to use.
See “About discovering Windows computers” on page 224.
Chapter 12
Importing resources from Active Directory
This chapter includes the following topics:
■
About Microsoft Active Directory Import
■
About importing resources using Microsoft Active Directory Import
■
Creating and modifying resource import rules
■
Resource Selection dialog box
■
Select Organizational Unit (OU) dialog box
■
Select Security Groups or Select Distribution Groups dialog box
■
Column Mappings dialog box
■
Computer Import Constraints and User Import Constraints dialog boxes
■
About importing resource associations
■
Scheduling resource import rules
■
Configuring the Directory Synchronization schedule
■
Running resource import rules manually
About Microsoft Active Directory Import
The Microsoft Active Directory Import feature of the Symantec Management
Platform lets you import Active Directory objects, such as users, computers, sites,
and subnets, into the CMDB. This feature lets you leverage the data that already
exists in Active Directory without re-creating it. You can schedule regular imports
to keep your CMDB populated with up-to-date resources, allowing better
management of your environment.
Microsoft Active Directory Import uses Lightweight Directory Access Protocol
(LDAP) to provide one-way synchronization from Active Directory to the Symantec
Management Platform. LDAP is the same protocol used by standard Active
Directory administration tools. Microsoft Active Directory Import supports
Windows 2000, 2003, and 2008 domains.
To use Microsoft Active Directory Import, you need to define the appropriate
resource import rules to import the resources that you want. You can schedule
the resource import rules to run at regular intervals, and you can run them
manually at any time. When you run a resource import rule, you can import all
of the appropriate data (a full import). Alternatively, you can import the data that
is new or changed in Active Directory since the previous import (an update import).
As part of the import process, you can automatically create filters or organizational
groups based on the organizational units, security groups, and distribution groups
that are set up in Active Directory. These filters can be used to specify resource
targets to which you apply policies and tasks.
See “About resource filters” on page 385.
See “About importing resources using Microsoft Active Directory Import”
on page 233.
During the import process, the computers from Active Directory are matched
with managed computers in the CMDB, using the computer name and domain.
However, Microsoft Active Directory Import imports all computers that the
resource import rules identify, regardless of their Symantec Management Agent
installation status. Importing all computers lets you import new and unmanaged
computers and then target those computers for Symantec Management Agent
installation.
Note: You can also discover new and unmanaged Windows computers using
Resource Discovery.
See “About discovering Windows computers” on page 224.
If there are any errors in the import process, you can check the Symantec
Management Platform status log for information. The status log can be accessed
from the Start menu on the Symantec Management Platform computer: All
Programs > Symantec > Diagnostics > Altiris Log Viewer.
The Symantec Management Platform includes a number of reports that provide
information on Microsoft Active Directory Import activities. These reports are
stored in the Reports > Notification Server Management > Microsoft Active
Directory folder.
About importing resources using Microsoft Active
Directory Import
You can import all of the computers that are registered in your Active Directory.
Alternatively, you can choose to import only the computers that match the criteria
you specify.
See “About Microsoft Active Directory Import” on page 231.
When you install the Symantec Management Platform, you can use Microsoft
Active Directory Import to import all your computers. You can then target the
unmanaged computers for Symantec Management Agent installation. Microsoft
Active Directory Import is the preferred method for identifying new and
unmanaged computers. It returns detailed information on the operating systems
for each of your discovered computers.
You can also use Microsoft Active Directory Import to create Symantec
Management Platform accounts and roles from Windows users and groups. You
import Windows users and groups so that you do not have to manually create
Symantec Management Platform accounts and roles. Microsoft Active Directory
Import has a resource import rule for importing role and account resources. When
this rule runs, it duplicates the Windows user and group structure in Symantec
Management Platform. It creates a Symantec Management Platform account for
all of the Windows users in the selected security groups. It also creates Symantec
Management Platform roles for each of the selected security groups. Finally, it
puts the newly created Symantec Management accounts into the Symantec
Management Platform roles where the corresponding Windows user is put into
the corresponding Windows group.
See “About Symantec Management Platform user accounts” on page 97.
After the initial import, you can configure resource import rules that regularly
check Active Directory for new or changed resources and then import the
appropriate resources to the CMDB.
When you configure resource import rules, you can specify the Active Directory
source structure from which to import. You can apply constraints that filter the
imported computers according to your requirements. For example, you can import
only the computers that have changed their computer account password within
a particular number of days or those that are running a particular Windows
operating system.
Table 12-1
Process for importing resources using Microsoft Active Directory
Import
Step
Action
Description
Step 1
Configure the appropriate
resource import rules.
You can create any new resource import rules that you want and
modify the existing rules to suit your requirements. You can also
delete any rules that you no longer need.
See “Creating and modifying resource import rules” on page 234.
Step 2
Schedule the resource import
rules.
For each resource import rule, you can schedule full imports and
update imports to run at appropriate intervals.
See “Scheduling resource import rules” on page 243.
Step 3
Configure the Directory
Synchronization schedule.
The Directory Synchronization schedule identifies previously
imported resources that no longer exist in Active Directory and
removes them from the CMDB.
See “Configuring the Directory Synchronization schedule”
on page 245.
Step 4
(Optional) Run a resource import rule manually.
You can run a resource import rule manually at any time. You
can run the rule as a full import or an update import.
See “Running resource import rules manually” on page 245.
Creating and modifying resource import rules
Resource import rules let you specify the resources that you want to import from
Active Directory.
Six default resource import rules are supplied with the Symantec Management
Platform, one for each of the supported resource types: User, Computer, Print
Queue, Site, Subnet, and Role and Account. You can modify these rules to suit
your requirements, or you can create new rules to import the resources that you
want.
You can configure a rule to automatically create filters or organizational groups
based on the Active Directory organizational units, security groups, and
distribution groups from which the rule imports resources. These filters can then
be used to specify resource targets to which you apply policies and tasks.
See “About importing resources using Microsoft Active Directory Import”
on page 233.
You can schedule your resource import rules to update the CMDB at regular
intervals, or you can run a particular rule manually at any time. Running your
resource import rules periodically ensures that any changes to Active Directory
are reflected in the CMDB.
To create or modify a resource import rule
1
In the Symantec Management Console, on the Actions menu, click Discover
> Import Microsoft Active Directory.
2
On the Microsoft Active Directory Import page, perform one of the following
tasks:
To create a new resource import rule
In the toolbar, click Create a new import rule.
The new rule is added to the list of resource import rules.
To modify an existing resource import rule
In the list of resource import rules, select the appropriate rule.
To delete a resource import rule
In the list of resource import rules, select the appropriate rule, and then
in the toolbar, click Delete the selected import rule.
3
In the resource import rule that you want to modify, for each of the
highlighted links, click the link, and then specify the appropriate settings.
Specified resource type (default setting), Computer, User, Site, Subnet
Specify the domain type and resource type that you want to
import and the appropriate Active Directory source structure.
See “Resource Selection dialog box” on page 237.
Specified data source (default setting)
Specify the domain or server (domain controller) and the
appropriate account credentials from which you want to import
resources.
See “Resource Selection dialog box” on page 237.
None (default setting)
When you click this link, one of the following dialog boxes
appears:
■ Select Organizational Unit (OU)
Select the Active Directory organizational units or
Containers (whichever corresponds to the source structure
that you specified in the Resource Selection window) from
which to import resources. When you select an
organizational unit or container, you can choose whether
or not to include its descendants.
See “Select Organizational Unit (OU) dialog box” on page 240.
■ Select Security Groups or Select Distribution Groups
Select the particular Active Directory groups from which to
import users and groups. The Select Security Groups dialog
box only appears for the rule that imports role and account
resources.
See “Select Security Groups or Select Distribution Groups
dialog box” on page 240.
Specified column mappings (default setting), Default column mappings
Specify the mapping between the Symantec Management
Platform CMDB and Active Directory resource data fields. You
can use these mappings to import additional attributes when
the Active Directory schema has been extended.
See “Column Mappings dialog box” on page 241.
All computers, All
users
Specify the appropriate criteria to constrain the imported
resources to only those that match the specified criteria. A
resource is imported only if it meets all of the specified criteria.
See “Computer Import Constraints and User Import Constraints
dialog boxes” on page 241.
These resource
associations
Specify the resource associations that you want to use to import
other related resources that are not explicitly specified in the
resource import rule. By default, all of the available resource
associations are enabled.
Microsoft Active Directory Import can extract these
relationships from Active Directory and create the appropriate
resources and resource associations in the CMDB.
See “About importing resource associations” on page 242.
Specified schedules
Specify the schedules that are used to import resources. You
can specify schedules for full and update data imports.
See “Scheduling resource import rules” on page 243.
4
Check the appropriate Enabled boxes to enable the importing of computer,
user, subnet, and site resources.
5
Click Apply.
Resource Selection dialog box
The Resource Selection dialog box lets you specify the domain type and resource
type that you want to import and the appropriate Active Directory source structure.
You also need to specify the domain or server (the domain controller) and the
appropriate account credentials from which you want to import resources.
See “Creating and modifying resource import rules” on page 234.
Table 12-2
Options in the Resource Selection dialog box
Option
Description
Domain Type
The type of domain from which you want to import resources.
Microsoft Active Directory Import supports Microsoft Windows 2000/2003/2008 domains.
Resource Type
The type of resource that you want to import.
The available resource types are as follows:
■
Computer
■
User
■
Print Queue
■
Site
■
Subnet
■
Role and Account
Source
The Active Directory source structure from which to import resources.
The available source structures are as follows:
■ Organizational Units
Due to the way LDAP works, importing from organizational units is the fastest method.
Applies to Computer, User, and Print Queue resources.
■ Distribution Groups
Applies to Computer and User resources.
■ Security Groups
Applies to Computer, User, Role, and Account resources.
If you want to import resources from Distribution Groups or Security Groups, Microsoft
Active Directory Import recurses all of the groups within these groups. Distribution Groups
inside Security Groups, and vice versa, are imported.
Sites and Subnets are imported from a different area of Active Directory where organizational
units and groups do not apply.
Create filters
Creates resource filters corresponding to the Source selection that is specified. The created
filters contain the same resources as the source organizational unit, distribution group, or
security group to which they correspond. This applies to Computer, User, and Print Queue
resources only.
If you import sites, site filters are created.
This setting is not relevant to importing subnets.
Match computers with primary users
Automatically matches computers with their primary users and creates a filter that contains
the computers associated with the users being imported.
See “About user-based policies” on page 412.
This setting applies to importing User resources only.
Domain or Server
The Domain or domain controller from which you want to import resources.
The domain controller is a server on a Microsoft Windows network that allows host access
to Windows domain resources. The domain controllers in your network are the centerpiece
of your Active Directory directory service. Each domain controller stores user account
information, authenticates users, and enforces security policies for a Windows domain.
To ensure that the correct domain or domain controller is targeted, you should specify a
Fully Qualified Domain Name (FQDN).
Specifying which domain controller the Active Directory data is gathered from gives you
more control of your environment. If you specify a domain, Microsoft Active Directory
Import selects the most appropriate domain controller.
If you have a heavily loaded environment, targeting a particular domain controller can
help manage the load imposed by the import rules. For example, you can specify a dedicated,
less loaded domain controller.
Targeting a domain controller also makes Update Import rules more reliable. The mechanism
that determines which resources have changed since the last time the rule ran relies on
domain controller-specific information. If you run an Update Import rule and you target a
domain, Microsoft Active Directory Import may not use the same domain controller as it
did for the previous import. If Microsoft Active Directory Import uses a different domain
controller, it may not be able to determine what has changed since the previous import. If
the changes cannot be determined, Microsoft Active Directory Import performs a Full
Import instead of an Update Import.
However, specifying a domain provides some redundancy in an import rule. If a domain
controller is unavailable, Microsoft Active Directory Import automatically selects another.
Use application credentials
Use the Symantec Management Platform application identity credentials to access the
domain or domain controller.
You specify these on the Processing tab of the Server Settings page.
See “Notification Server processing settings” on page 52.
Use these credentials
If the Symantec Management Platform application identity does not have read permission
on the organizational units, distribution groups, or security groups from which you want
to import resources, this setting specifies the appropriate account to use. An administrator
or similarly privileged account is not required; a normal user account is sufficient.
Note: You cannot use special characters in the user name or password. You may use only
alphanumeric characters.
Select Organizational Unit (OU) dialog box
The Select Organizational Unit (OU) dialog box lets you specify particular Active
Directory organizational units or Containers from which to import resources.
When you select each organizational unit or container, you can choose whether
or not to include its descendants.
See “Creating and modifying resource import rules” on page 234.
The top-level node is selected by default, so you get everything. You only need to
change this setting if you want to narrow down the data source within Active
Directory.
Select Security Groups or Select Distribution Groups
dialog box
The Select Security Groups or the Select Distribution Groups dialog box lets
you specify particular Active Directory groups from which to import users and
groups. The Select Security Groups dialog box appears when you click the None
link in the rule that imports role and account resources. This rule lets you import
Windows users and groups to create Symantec Management Platform accounts
and roles. The Select Distribution Groups dialog box appears when you click the
None link when importing resources from Active Directory by distribution group.
See “Creating and modifying resource import rules” on page 234.
See “About importing resources using Microsoft Active Directory Import”
on page 233.
Table 12-3
Options in the Select Security Groups or Select Distribution
Groups dialog box
Setting
Description
Starts with
Lets you find a group that starts with the text you provide.
Contains
Lets you find a group that contains the text you provide.
Find
Finds the groups that match the text you entered in Starts
with or Contains.
Add
Lets you add a group to the list of Selected Groups.
Remove
Lets you remove a group from the list of Selected Groups.
Column Mappings dialog box
The Column Mappings dialog box lets you specify the mapping between the
Symantec Management Platform CMDB and the Active Directory resource data
fields. You can use these mappings to import additional attributes when the Active
Directory schema has been extended.
See “Creating and modifying resource import rules” on page 234.
This window is used in Computer, User, and Print Queue resource import rules
only.
You can specify the classes from which to import and the column mappings that
you want to use to import data. You can enable or disable specific groups, or you
can change the column mapping by selecting different entries in the Data Source
Column drop-down list.
The default settings should be sufficient for importing computers or users.
Table 12-4
Options in the Column Mappings dialog box
Option
Description
Enabled
Enables column mapping for the specified group.
Group Name
The name of the data class.
Column Name
The name of the data class column.
Column Type
The type of the data class column.
Data Source Column
The attribute on the source object in Active Directory whose
data you want to use to populate the data class column.
Computer Import Constraints and User Import
Constraints dialog boxes
The Computer Import Constraints and the User Import Constraints dialog boxes
let you specify filters that constrain the imported resources to only those that
match the specified criteria. A resource is imported only if it meets all of the
specified filter conditions.
See “Creating and modifying resource import rules” on page 234.
Table 12-5
Options in the Computer Import Constraints and User Import
Constraints dialog boxes
Option
Description
Enabled
The computer or user must be enabled in Active Directory. Disabled computers and
users are not imported.
Computers and users may be disabled in Active Directory (the administrator may do
this through Active Directory Users and Computers or other administration tools).
A disabled user cannot log onto the domain. Many organizations disable users before
they delete them. Using this filter ensures that inactive user accounts are not
imported.
This filter applies to importing computers and users.
Computer account password changed within the last nn days
The computer must be active. Active computers are those computer accounts where
the password has been changed within the specified number of days (the default is
30 days).
A computer in a domain automatically changes its password periodically. This filter
is similar to the Enabled filter because it prevents the import of old or unused
computers.
This filter is based on the "pwdLastSet" attribute in Active Directory. It applies to
importing computers only.
Operating System
The computer must have the specified operating system type: Server or
Workstation/Other.
This filter helps to prevent the importing of irrelevant computer records. It applies
to importing computers only.
LDAP search filter
The computer or user must match the specified LDAP query.
You can specify any query you want by entering the appropriate syntax. For example,
if you want to exclude service accounts, and all service accounts in your organization
start with “Service_”, you can specify (!(name=Service_*)).
For more information on LDAP queries, see technet.microsoft.com.
This filter applies to importing computers and users.
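The constraints in Table 12-5, worked through as an added example (not Symantec's code and not taken from the product): it builds an LDAP filter equivalent to the Enabled, password-age, and custom search-filter constraints, then applies the same checks offline to constructed computer records and reports why each record would be skipped. The `userAccountControl` bit test and the `objectCategory` clause are assumptions about how an equivalent query is normally written against Active Directory; all function names and sample records are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# pwdLastSet is stored as a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UAC_ACCOUNTDISABLE = 0x0002               # userAccountControl "account disabled" bit
BIT_AND_RULE = "1.2.840.113556.1.4.803"   # LDAP bitwise-AND matching rule OID


def to_filetime(moment):
    """Convert a timezone-aware datetime to a FILETIME integer."""
    delta = moment - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def build_computer_filter(now, max_age_days=30, extra_filter=None):
    """Build one LDAP filter that ANDs the three constraints together."""
    cutoff = to_filetime(now - timedelta(days=max_age_days))
    clauses = [
        "(objectCategory=computer)",                                      # assumption
        f"(!(userAccountControl:{BIT_AND_RULE}:={UAC_ACCOUNTDISABLE}))",  # Enabled
        f"(pwdLastSet>={cutoff})",                                        # password age
    ]
    if extra_filter:                        # e.g. the page's (!(name=Service_*))
        clauses.append(extra_filter)
    return "(&" + "".join(clauses) + ")"


def name_matches(pattern, name):
    """LDAP-style substring match: '*' is the only wildcard, case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, name, flags=re.IGNORECASE) is not None


def rejection_reason(record, now, max_age_days=30, excluded_name=None):
    """Return why a record fails the constraints, or None if it would be imported.

    excluded_name is the pattern inside a negated filter such as
    (!(name=Service_*)); a record that matches it is rejected.
    """
    if record["userAccountControl"] & UAC_ACCOUNTDISABLE:
        return "disabled"
    if record["pwdLastSet"] < to_filetime(now - timedelta(days=max_age_days)):
        return "stale password"
    if excluded_name and name_matches(excluded_name, record["name"]):
        return "excluded by LDAP search filter"
    return None


def triage(records, now, **kwargs):
    """Map each computer name to its rejection reason (None means import)."""
    return {r["name"]: rejection_reason(r, now, **kwargs) for r in records}


# Constructed sample data; 0x1000 is WORKSTATION_TRUST_ACCOUNT.
NOW = datetime(2012, 1, 31, tzinfo=timezone.utc)


def _days_ago(days):
    return to_filetime(NOW - timedelta(days=days))


SAMPLE_COMPUTERS = [
    {"name": "WS-0142", "userAccountControl": 0x1000, "pwdLastSet": _days_ago(5)},
    {"name": "WS-0077", "userAccountControl": 0x1002, "pwdLastSet": _days_ago(3)},
    {"name": "LAB-OLD1", "userAccountControl": 0x1000, "pwdLastSet": _days_ago(200)},
    {"name": "Service_Build01", "userAccountControl": 0x1000, "pwdLastSet": _days_ago(1)},
]

if __name__ == "__main__":
    print(build_computer_filter(NOW, extra_filter="(!(name=Service_*))"))
    results = triage(SAMPLE_COMPUTERS, NOW, excluded_name="Service_*")
    for name, reason in results.items():
        print(f"{name:16} {'import' if reason is None else 'skip: ' + reason}")
```

Records skipped as "disabled" or "stale password" are the same accounts worth reviewing in Active Directory itself, since they remain valid domain trust accounts until they are removed.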
About importing resource associations
Microsoft Active Directory not only stores objects, it also stores relationships
between objects. Microsoft Active Directory Import can extract these relationships
from Active Directory and create the appropriate resources and resource
associations in the CMDB. Microsoft Active Directory Import supports four
resource associations for users and one resource association between subnets and
sites.
Table 12-6
Resource associations supported by Microsoft Active Directory
Import
Resource association
Description
User - Company
Creates a Company resource for the imported User based
on its "company" attribute in Active Directory.
User - Department
Creates a Department resource for the imported User based
on its "department" attribute in Active Directory.
User - User
Creates one or more User resources for the imported User
based on its "directReports" attribute in Active Directory.
User - User
Creates a User resource for the imported User based on its
"manager" attribute in Active Directory.
Site - Subnet
Creates one or more Subnet resources for the imported Site
based on its "siteObjectBL" attribute in Active Directory.
Subnet - Site
Creates a Site resource for the imported Subnet based on
its "siteObject" attribute in Active Directory.
The Enable Resource Associations window lets you use these relationships in a
resource import rule to import other related resources that are not explicitly
specified in the rule. By default, all of the available resource associations are
enabled.
See “Creating and modifying resource import rules” on page 234.
Scheduling resource import rules
For each resource import rule, you can specify the appropriate Full Import and
Update Import schedules. A full import imports all resources from the targeted
domain controller or domain. An update import imports only the resources that
have changed since the last time the resource import rule ran.
A single resource import rule may include both schedules, or you may configure
different full import and update import rules. If you configure a specific update
import rule, we recommend that the rule targets a domain controller rather than
a domain.
An update import runs as a full import if any of the following are true:
■
The rule is run for the first time.
■
The domain or server that is specified in the rule has changed.
■
The domain controller that the rule previously imported from is not available.
If necessary, you can override the schedule and run a resource import rule
manually at any time.
See “Creating and modifying resource import rules” on page 234.
See “About importing resources using Microsoft Active Directory Import”
on page 233.
See “Running resource import rules manually” on page 245.
To schedule resource import rules
1
In the Symantec Management Console, on the Actions menu, click Discover
> Import Microsoft Active Directory.
2
On the Microsoft Active Directory Import page, beside the resource import
rule that you want to schedule, check Enabled.
3
In the resource import rule description, click Specified schedules.
4
In the Rule Scheduling window, set up either or both of the following
schedules:
Full Import Schedule
Imports all of the resources that are identified by the
resource import rule.
Update Schedule
Imports only the new and modified resources that are
identified by the resource import rule.
See “To set up a schedule” on page 244.
5
Click OK to close the Rule Scheduling page.
6
Click Apply.
To set up a schedule
1
Under the appropriate schedule, check Enable.
2
In the Schedule drop-down list, select one of the following schedules:
At date/time
Specify the appropriate date and time.
If you want the schedule to repeat, check Repeat every,
and then specify the repeat interval.
Shared schedule
Select the appropriate shared schedule.
Configuring the Directory Synchronization schedule
To keep the CMDB synchronized with Active Directory resources, you need to
configure the appropriate Directory Synchronization schedule. The Directory
Synchronization schedule identifies any previously imported resources that no
longer exist in Active Directory and removes them from the CMDB. It also detects
any resources that have been renamed or moved outside of the organizational
units from which they were initially imported, and deletes the corresponding
records from the CMDB.
See “About importing resources using Microsoft Active Directory Import”
on page 233.
Warning: If you move a computer from a domain to a workgroup, you must delete
the computer’s record from Active Directory to avoid duplication in the CMDB.
To configure the Directory Synchronization schedule
1
In the Symantec Management Console, on the Actions menu, click Discover
> Import Microsoft Active Directory.
2
In the Microsoft Active Directory Import page, under Directory
Synchronization Schedule, check Enabled.
3
In the Schedule drop-down list, select one of the following schedules:
At date/time
Specify the appropriate date and time.
If you want the schedule to repeat, check Repeat every,
and then specify the repeat interval.
Shared schedule
Select the appropriate shared schedule.
4
Click Apply.
Running resource import rules manually
If you need to import particular resources immediately, you can run the
appropriate resource import rule manually. You can run the resource import rule
as a full import or an update import. Running a resource import rule manually
has no effect on its schedule, if one is enabled.
See “Scheduling resource import rules” on page 243.
See “About importing resources using Microsoft Active Directory Import”
on page 233.
To run resource import rules manually
1
In the Symantec Management Console, on the Actions menu, click Discover
> Import Microsoft Active Directory.
2
In the Microsoft Active Directory Import page, select the resource import
rule that you want to run.
3
Click one of the following options:
Run the selected import rule now (Full Import)
Runs a full import of the selected resource import rule.
Run the selected import rule now (Update Import)
Runs an update import of the selected resource import rule.
4
If you want to stop the import process for any reason, click Stop.
Chapter 13
Discovering network devices
This chapter includes the following topics:
■
About Network Discovery
■
What’s new in Network Discovery
■
About Network Discovery configuration
■
About discovering network devices
■
Configuring discovery settings
■
Methods for discovering network devices
■
Discovering network devices
■
Creating Network Discovery tasks using the wizard
■
Manually creating and modifying Network Discovery tasks
■
Selecting network ranges to discover
■
Creating connection profiles with Network Discovery
■
Scheduling Network Discovery tasks
■
Network Discovery home page
■
About discovery status and results
■
Viewing discovered devices in organizational views
■
Viewing discovery reports
■
About classifying SNMP devices
■
Classifying SNMP devices
■
Importing MIB files
■
MIB browser page
■
MIB import task page
■
About Connection Profiles
■
Updating a connection profile
■
Creating or cloning a connection profile
■
Changing default SNMP alert severity
■
Define group settings page
■
Delegating Network Discovery tasks to non-administrators
■
Adding non-administrators to security roles for performing Network Discovery
tasks
■
Enabling non-administrator roles to create or run Network Discovery tasks
■
Granting non-administrator roles privileges to create credentials and
connection profiles
■
Granting non-administrator roles access to the default connection profile
■
Enabling roles other than predefined security roles to create and run tasks
using the Network Discovery wizard
■
Making a connection profile read-only
About Network Discovery
Network Discovery lets you discover all IP devices that are connected to your
network. Network Discovery lets you find new network devices and find the
network devices whose discovery properties have changed.
Network Discovery is bundled with many Symantec suites and may be included
depending on the products you have installed.
Network Discovery can discover routers, switches, hubs, network printers, Novell
NetWare servers, and the computers that are running Windows, UNIX, Linux, and
Macintosh. You can use a variety of protocols to discover devices, such as AMT,
SNMP, WMI, and others.
The information that is collected can help you do the following:
■
Plan for imaging
■
Update drivers on specific types of hardware
■
Configure changes to routers or switches
■
Identify the computers that are running operating systems not currently
supported by the Symantec Management Agent
You can also update categories so that the new devices that are added to the
network can be identified during discovery.
Because Network Discovery integrates with Symantec Management Platform,
when devices are discovered, they are automatically created as resources in the
platform’s central database (CMDB). Using the platform’s task management
component, you can schedule discovery tasks to run when it best meets your
needs.
See “About Network Discovery configuration” on page 250.
See “About discovering network devices” on page 251.
See “Discovering network devices ” on page 254.
See “Delegating Network Discovery tasks to non-administrators” on page 277.
You can also discover Windows-based computers through domains or importing
through Microsoft Active Directory.
See “About resource discovery” on page 223.
What’s new in Network Discovery
This release of Network Discovery has the following new features:
■
Runs on the new Symantec Management Platform
■
Uses the new core task management infrastructure
■
Supports multiple protocols using connection profiles
■
Provides quick access to common tasks and data through portal pages
■
Includes a new wizard-based approach to creating discovery tasks
To help you understand how to use the new features of Network Discovery, the
following table compares the functionality of 6x versions to 7x.
Table 13-1 Network Discovery 6x to 7x comparison

| Function | 6x method | 7x method |
|---|---|---|
| Configure the action to perform a discovery. | Create scan groups and scan group policies. | Create Network Discovery tasks. See “Discovering network devices” on page 254. |
| Configure communication protocols. | Configure community strings for a scan group. | Configure connection profiles for a Network Discovery task. See “Creating connection profiles with Network Discovery” on page 259. |
| View the status of a discovery. | View the Discovered Devices page. | View the Network Discovery home page. See “Network Discovery home page” on page 260. |
| View discovered devices. | View network device collections. | View the Network Resource organizational view. See “Viewing discovered devices in organizational views” on page 262. |
| Classify unknown SNMP devices. | Use the Device Classifications page. | Use the SNMP Device Classifications page. See “About classifying SNMP devices” on page 263. |
| Create managed resources in the database. | Enable discovered IP devices. | Done automatically. |
| Gather inventory of AMT and ASF devices. | Performed through scan group policies. | This function will be done using agentless inventory tasks through a future version Inventory for Network Devices. |
About Network Discovery configuration
You can configure default settings for discovery tasks and processing. The
following table lists the ways you can configure Network Discovery.
See “About Network Discovery” on page 248.
Discovery task settings
In the Network Discovery settings, you can set the maximum
number of threads per discovery task. During the discovery
process, a separate thread is used to discover each device.
This number is the default maximum thread count to use
when a new Network Discovery task is created. You can also
configure this count for an individual task by editing the
advanced properties of the task.
You may want to reduce this value if discovery tasks place
a burden on the server’s performance.
See “Configuring discovery settings” on page 252.
SNMP Device Classification
When you discover SNMP devices, you can identify a
network device type classification with the resource. This
method lets you identify resources as routers, switches,
printers, servers, and so on. You can configure the
classifications of discovered SNMP resources.
See “About classifying SNMP devices ” on page 263.
About discovering network devices
To help you successfully manage your network, you need to identify the various
devices on your network. Network Discovery lets you find new network devices,
identify previously-discovered network devices that are no longer found, and find
network devices whose discovery properties have changed. The discovery is
performed by running tasks that discover devices and reporting the data to the
Notification Server. The discovery data about devices is stored as known resources
in the Configuration Management Database (CMDB). To keep your discovery data
current, you configure automated discovery tasks to run at regular intervals.
See “Discovering network devices ” on page 254.
When you configure discovery tasks, you specify the following information:
■
The method of discovery that you want to use: Ping or ARP
See “Methods for discovering network devices ” on page 252.
■
The portions of the network to discover
■
The network protocols to use to communicate with devices (connection profile)
■
When to run the task
You can create and configure discovery tasks in the following ways:
Network Discovery wizard
The wizard guides you through creating a discovery task
and configuring settings. You can later edit the task’s
advanced settings and schedules by editing the task page.
See “To create Network Discovery tasks using the Network
Discovery wizard” on page 255.
Manually creating a task
You can manually create tasks from the Task Management
Portal. This option lets you configure more advanced options
and schedules. You can run two kinds of tasks: discovering
a network or discovering an individual device.
See “Manually creating and modifying Network Discovery
tasks” on page 255.
Configuring discovery settings
You can configure global settings for Network Discovery tasks. These settings are
used when a new task is created.
See “About Network Discovery configuration” on page 250.
To configure discovery settings
1
In the Symantec Management Console, in the Settings menu, click All
Settings.
2
In the left pane, click Settings > Discovery and Inventory > Network
Discovery Settings.
3
Enter the maximum number of threads per discovery task.
During the discovery process, a separate thread is used to discover each
device.
This number is the default maximum thread count to use when a new Network
Discovery task is created. You can also configure this count for an individual
task by editing the advanced properties of the task.
You may want to reduce this value if discovery tasks place a burden on the
server's performance.
4
Click Save Changes.
Methods for discovering network devices
When discovering network devices, you can use one of the following discovery
methods: ping or ARP.
See “About discovering network devices” on page 251.
You launch discovery tasks through the Network Discovery wizard, which you
access from the Network Discovery home page. This is where you indicate which
method of discovery you want to use.
See “Network Discovery home page” on page 260.
Table 13-2
Network discovery methods
Method
Description
Ping
Device existence is determined by sending an ICMP ping
request to each possible IP address in a specified range or
subnet. When a device receives a ping, it responds with a
reply, reporting the presence of the device to the discovery
engine.
You can use this method to perform a comprehensive search
that finds all devices.
This method is unusable if your network firewall does not
allow Ping requests.
This method may not be best for the subnets that are sparse
(those with few devices in their address space). The engine
may spend a lot of time waiting for responses from the
devices that don’t exist. This situation occurs because the
engine waits until the specified timeout period expires, and
then, if applicable, the engine retries one or more times.
ARP
Device existence is initially determined by reading the ARP
Cache table of a network infrastructure device (such as a
switch or router). The ARP Cache table is read from the
device, and then each device in the table is individually
contacted and discovered.
This discovery method gives the discovery engine a set of
devices to discover.
However, ARP Cache table entries are removed after
relatively short periods of inactivity. This means that the
scan by itself is not aware of inactive devices. You can fix
this issue by sending a ping to each device in a target
network. This process refreshes the table, which has all of
the devices in it.
Discovering network devices
You can discover all the devices on your network and enter those devices in the
CMDB. This process guides you through the steps to discover network devices.
See “About discovering network devices” on page 251.
Table 13-3 Process for discovering network devices

| Step | Action | Description |
|---|---|---|
| Step 1 | (Optional) Configure Network Discovery options. | You can configure default task options and configure SNMP classifications. See “About Network Discovery configuration” on page 250. |
| Step 2 | Create a Network Discovery task. | You can create and schedule a task to discover either a single device or multiple devices on a network. You can use two methods for creating tasks: using the Network Discovery wizard or creating tasks manually. See “Creating Network Discovery tasks using the wizard” on page 255. See “Manually creating and modifying Network Discovery tasks” on page 255. |
| Step 3 | (Optional) Modify task settings or schedules. | After you create a Network Discovery task, you can modify the task settings or add additional schedules. See “Manually creating and modifying Network Discovery tasks” on page 255. |
| Step 4 | View discovery data. | You can view the status of Network Discovery tasks and view reports that show discovery results. See “About discovery status and results” on page 262. |
| Step 5 | Classify unknown devices. | If you have devices with an unknown classification, you can modify the SNMP classifications list. See “About Network Discovery configuration” on page 250. |
Creating Network Discovery tasks using the wizard
The Network Discovery wizard is an administrator tool that guides you through
creating a discovery task and configuring settings. You can later edit the task’s
advanced settings and schedules by editing the task.
See “About discovering network devices” on page 251.
See “Discovering network devices ” on page 254.
To create Network Discovery tasks using the Network Discovery wizard
1
In the Symantec Management Console, in the Home menu, click Discovery
and Inventory > Network Discovery.
2
In the Quick Start Actions, click Launch Discovery Wizard.
3
In the wizard, select a discovery method, and then click Next.
See “Methods for discovering network devices ” on page 252.
4
Specify the portions of the network to discover, and then click Next.
See “Selecting network ranges to discover” on page 258.
5
Select a connection profile, and then click Next.
Connection profiles specify the protocols that you want to use for discovery.
You can use an existing profile or create a new profile.
See “Creating connection profiles with Network Discovery” on page 259.
6
Name the task and then click Next.
7
Schedule the task, and then click Finish.
See “Scheduling Network Discovery tasks” on page 260.
8
To view the tasks that the discovery wizard creates, view the bottom of the
Network Discovery home page.
You may need to click the refresh icon to view newly created tasks. You can
also click Manage > Jobs and Tasks and then in the left pane, click System
Jobs and Tasks > Discovery and Inventory.
Manually creating and modifying Network Discovery tasks
You can manually create and modify tasks from the Task Management Portal.
This option lets you configure advanced options and schedules.
See “About discovering network devices” on page 251.
See “Discovering network devices ” on page 254.
When you manually create tasks, you can discover a network or an individual
device.
To manually create a task to discover a network
1
In the Symantec Management Console, do one of the following:
■
On the Home menu, click Discovery and Inventory > Network Discovery
and then in Network Discovery Task Management Web part, click
Available Tasks > New.
■
On the Manage menu, click Jobs and Tasks. In the left pane, expand System
Jobs and Tasks, and then right-click Discovery and Inventory, and click
New > Task. In the Create New Task dialog box, in the left pane, under
Discovery and Inventory, click Discover Network.
2
Give the task a unique and descriptive name.
3
Select a connection profile.
Connection profiles specify the protocols that you want to use for discovery.
You can use an existing profile or create a new profile.
See “Creating connection profiles with Network Discovery” on page 259.
4
Select a discovery method.
See “Methods for discovering network devices ” on page 252.
5
Specify the portions of the network to discover.
See “Selecting network ranges to discover” on page 258.
6
(Optional) To configure the maximum number of devices to discover
concurrently, click Advanced.
See “About Network Discovery configuration” on page 250.
7
Click OK to save the task.
8
In the task window that opens, schedule the task.
See “Scheduling Network Discovery tasks” on page 260.
9
To view the task, in the left pane, click Jobs and Tasks > System Jobs and
Tasks > Discovery and Inventory. You can also view the bottom of the
Network Discovery home page. You may need to click the refresh icon to view
newly created tasks.
To manually create a task to discover a single device
1
In the Symantec Management Console, on the Manage menu, click Jobs and
Tasks. In the left pane, expand System Jobs and Tasks, and then right-click
Discovery and Inventory, and click New > Task.
2
In the Create New Task dialog box, in the left pane, under Discovery and
Inventory, click Discover Device.
3
Give the task a unique and descriptive name.
4
Select a connection profile.
Connection profiles specify the protocols that you want to use for discovery.
You can use an existing profile or create a new profile.
See “Creating connection profiles with Network Discovery” on page 259.
5
Click OK to save the task.
6
In the task window that opens, click New Schedule.
7
Schedule the task.
See “Scheduling Network Discovery tasks” on page 260.
8
In the schedule dialog, specify the device that you want to discover by entering
the IP address or name.
9
Click Schedule.
10
To view the task, in the left pane, click Jobs and Tasks > System Jobs and
Tasks > Discovery and Inventory. You can also view the bottom of the
Network Discovery home page. You may need to click the refresh icon to view
newly created tasks.
To modify Network Discovery tasks
1
In the Symantec Management Console, on the Manage menu, click Jobs and
Tasks.
2
To view the default location of Network Discovery tasks, in the left pane, click
Jobs and Tasks > System Jobs and Tasks > Discovery and Inventory. You
can also view the bottom of the Network Discovery home page.
3
Select a task, and then, in the right pane, edit the task.
To stop Network Discovery tasks
1
In the Symantec Management Console, on the Home menu, click Discovery
and Inventory > Network Discovery.
2
In the Network Discovery Task Management Web part, click Task Runs.
3
Select a task and click Stop.
Selecting network ranges to discover
When you create a Network Discovery task, you identify either the single network
device or ranges of addresses that you want to discover. You do this by specifying
addresses that you either want to include or exclude or a combination of both.
See “Discovering network devices ” on page 254.
If you have a seed device and then create an include range, the seed device must
be included within the include range to also be discovered.
You can specify the following options:
■
IP Subnet
■
IP Range
■
IP Address
■
Host name (any valid host name on the network)
■
Custom Range
To use a custom range, you can use wildcards or ranges of values in the third or
fourth octet of the address. The following are examples of how you can use a
custom range:
172.16.[*].[*]
You can use an asterisk as a wildcard that will equal any
value from 0-254.
172.16.[1-24].[1-254]
You can specify a range of values. Any address in the range
will be included or excluded.
172.16.[3-30].[1-10]
You can also import a text file to specify the addresses that you want to include
or exclude. When you configure a text file, you must include all the information
required for that type of address or range. For example, if you specify an IP Range,
you must include the starting IP address, the ending IP address, and the mask.
You can also specify custom IP Ranges in an import file.
The following is an example of the format of an import file:
SingleIpAddr, Include, 192.168.0.2,
SingleIpAddr, Exclude, 192.168.0.3,
Hostname, Include, hostname1.company1.com
Hostname, Exclude, hostname2
Subnet, Include, 192.168.0.0, 255.255.255.0
Subnet, Exclude, 192.169.0.0, 255.255.255.0
CustomIpAddrRange, Include, 192.168.*.*, 255.255.0.0
CustomIpAddrRange, Exclude, 10.192.1-25.1-254, 255.0.0.0
CustomIpAddrRange, Include, 10.192.4.1-100, 255.255.254.0
IpAddrRange, Include, 192.168.0.1, 192.168.0.200, 255.255.255.0
IpAddrRange, Exclude, 192.168.0.120, 192.168.1.140, 255.255.255.0
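A pre-flight check for an import file in the format shown above, as an added example (not code from this guide or from the product): it rejects entries that lack a required field and reports whether a given address ends up in scope. That an Exclude entry overrides any Include entry, that masks on range entries are only checked for validity, and all function names are assumptions; host names are not resolved.

```python
import ipaddress

# Constructed sample in the import-file format (addresses are illustrative).
SAMPLE = """\
SingleIpAddr, Include, 192.168.0.2,
SingleIpAddr, Exclude, 192.168.0.3,
Hostname, Include, hostname1.company1.com
Subnet, Include, 192.168.0.0, 255.255.255.0
CustomIpAddrRange, Exclude, 10.192.1-25.1-254, 255.0.0.0
CustomIpAddrRange, Include, 10.192.4.1-100, 255.255.254.0
IpAddrRange, Exclude, 192.168.0.120, 192.168.0.140, 255.255.255.0
"""

# Value fields required per entry type, taken from the example file.
FIELDS = {"SingleIpAddr": 1, "Hostname": 1, "Subnet": 2,
          "CustomIpAddrRange": 2, "IpAddrRange": 3}


def _octet_span(token):
    """Turn one custom-range octet ('*', '[1-24]', '7') into (low, high)."""
    token = token.strip("[]")
    if token == "*":
        return 0, 254          # the guide defines the wildcard as 0-254
    low, _, high = token.partition("-")
    low, high = int(low), int(high or low)
    if not 0 <= low <= high <= 255:
        raise ValueError(f"bad octet range {token!r}")
    return low, high


def _matcher(kind, vals):
    """Build a predicate ip -> bool for one entry; None for host names."""
    if kind == "Hostname":
        return None                            # not resolved offline
    if kind == "SingleIpAddr":
        addr = ipaddress.IPv4Address(vals[0])
        return lambda ip: ip == addr
    if kind == "Subnet":
        net = ipaddress.IPv4Network(f"{vals[0]}/{vals[1]}", strict=False)
        return lambda ip: ip in net
    # Range entries: the mask must be well formed but is not used for
    # matching here (assumption).
    ipaddress.IPv4Network("0.0.0.0/" + vals[-1])
    if kind == "IpAddrRange":
        first, last = (ipaddress.IPv4Address(v) for v in vals[:2])
        if first > last:
            raise ValueError("range start is after range end")
        return lambda ip: first <= ip <= last
    octets = vals[0].split(".")
    if len(octets) != 4:
        raise ValueError("custom range needs four octets")
    spans = [_octet_span(o) for o in octets]
    return lambda ip: all(lo <= b <= hi for (lo, hi), b in zip(spans, ip.packed))


def parse_scope(text):
    """Parse import-file text into (rules, errors).

    rules:  list of (line_no, action, matcher)
    errors: list of (line_no, message) for lines that were rejected
    """
    rules, errors = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        parts = [p.strip() for p in raw.split(",")]
        while parts and parts[-1] == "":       # tolerate the trailing comma
            parts.pop()
        if not parts:
            continue
        try:
            kind, action, *vals = parts
            if kind not in FIELDS or action not in ("Include", "Exclude"):
                raise ValueError("unknown entry type or action")
            if len(vals) != FIELDS[kind]:
                raise ValueError(f"{kind} needs {FIELDS[kind]} value(s)")
            rules.append((no, action, _matcher(kind, vals)))
        except ValueError as exc:              # also covers bad IPs and masks
            errors.append((no, str(exc)))
    return rules, errors


def in_scope(rules, address):
    """True if address matches an Include rule and no Exclude rule.

    Assumption: an Exclude wins over an Include regardless of line order.
    """
    ip = ipaddress.IPv4Address(address)
    hits = {action for _, action, m in rules if m is not None and m(ip)}
    return "Include" in hits and "Exclude" not in hits


if __name__ == "__main__":
    rules, errors = parse_scope(SAMPLE)
    print("rejected lines:", errors)
    for addr in ("192.168.0.2", "192.168.0.3", "10.192.4.50"):
        print(addr, "in scope" if in_scope(rules, addr) else "out of scope")
```

Under the exclude-wins assumption, the sample's Include of 10.192.4.1-100 is entirely shadowed by the Exclude of 10.192.1-25.1-254, which is the kind of overlap worth catching before a discovery task is scheduled.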
Creating connection profiles with Network Discovery
Network Discovery tasks use connection profiles to configure the protocols that
are used to communicate with network devices. Connection profiles are a
component of the Symantec Management Platform. How you use protocols and
connection profiles has important ramifications on how Network Discovery is
able to discover devices.
Network Discovery uses connection profiles to connect to the target devices using
the enabled protocols in the profile. When a device is discovered, a resource for
that device is created in the CMDB. The resource keeps a record of the protocols
that were used to communicate with the device.
If changes are made in the connection profiles regarding the protocols used or
the credentials used for those protocols, and if you want to discover devices using
those changed settings, you will need to run a discovery again.
You can create and use different connection profiles depending on the type of
devices and the protocols that are used in your network. When configuring Network
Discovery tasks, you can use an existing connection profile or create your own.
See “About Connection Profiles” on page 267.
For detailed information about using connection profiles with Network Discovery,
view the following article:
https://kb.altiris.com/article.asp?article=43626&p=1
See “Creating Network Discovery tasks using the wizard” on page 255.
See “Manually creating and modifying Network Discovery tasks” on page 255.
To create a connection profile
1
In a Network Discovery task, click New connection profile.
The listed protocols are those that are supported.
2
Name the connection profile.
3
Turn on or off each protocol and configure the operational settings and select
credentials for each protocol.
See “About credential manager” on page 118.
See “Editing a credential” on page 119.
See “Creating a credential” on page 118.
4
Click OK.
5
Select the profile from the drop-down list.
Scheduling Network Discovery tasks
When you schedule tasks, you can configure multiple schedules for an individual
task or use shared schedules. Network Discovery tasks use the task management
component of the Symantec Management Platform that provides flexibility in
targeting computers and scheduling tasks.
See “About Task Management” on page 440.
See “Creating Network Discovery tasks using the wizard” on page 255.
See “Discovering network devices ” on page 254.
To schedule Network Discovery tasks
1
In the Symantec Management Platform, on the Home menu, click Discovery
and Inventory > Network Discovery, and then in the Network Discovery Task
Management Web part, click Available Tasks.
2
Select a Network Discovery task. Under Task Status, click Schedule.
3
Select an option:
■
Now
■
Schedule
4
Click OK.
5
(Optional) To create multiple schedules, click Schedule, and create a new
schedule.
Network Discovery home page
This page is a portal page that provides a single launching point for most of the
activities that are associated with Network Discovery. It contains several Web
parts that display past, present, and future network discovery activities. It also
serves as a control panel for initiating and controlling network discovery tasks.
It provides access to other management pages for Network Discovery. As with all
Symantec Management Console portal pages, you can customize it to meet your
specific needs.
Table 13-4
Web parts on the Network Discovery home page
Web part
Description
Network Discovery
Quick Start Actions
The Quick Start provides links to commonly performed tasks:
Launch Discovery Wizard and SNMP Device Classification.
To create a Network Discovery task, you can launch the Discovery
Wizard from this Web part on the Network Discovery home page.
See “Creating Network Discovery tasks using the wizard”
on page 255.
When you discover SNMP devices, you can identify a network
device type classification with the resource. This feature lets you
identify resources as routers, switches, printers, servers, and so
on. To configure the classifications of discovered SNMP resources,
you can open the SNMP Device Classification page from here.
See “About classifying SNMP devices ” on page 263.
Discovered Device
Classification
This summary graph reports the total number of devices that
were discovered in the last 30 days. The graph is a bar graph that
groups the discovered devices by the type of devices they are.
Discovery Results by
Task
This summary graph reports the total number of devices that
were discovered in the last 30 days. The graph is a pie graph that
groups the discovered devices by the Network Discovery task
that was used to discover them.
Network Discovery
Task Management
This Web part has two tabs: Available Tasks and Task Runs.
■
From the Available Tasks tab you can view your Network
Discovery tasks. You can edit, delete, schedule, or run an
existing task or create a new one. You can also view the
properties and the schedule of the task.
■
From the Task Runs tab you can view the tasks that are
running or have been previously run. You can also stop a
Network Discovery task that is in progress.
Click the Refresh symbol to update the list. Double-click a task
to view a summary of the task.
Edit button
You can edit the layout of the Network Discovery home page.
See “About portal pages” on page 214.
About discovery status and results
After a discovery has been performed, data about the devices that were discovered
are stored in the Configuration Management Database (CMDB). Each device has
a resource object automatically created for it in the CMDB. You can view the
discovered devices in organizational views and in reports.
See “Discovering network devices ” on page 254.
See “Viewing discovered devices in organizational views” on page 262.
See “Viewing discovery reports” on page 263.
Some of the reports are shown as data summaries on the Network Discovery home
page. From the Network Discovery home page, you can also view the status of the
network discovery tasks.
See “Network Discovery home page” on page 260.
Viewing discovered devices in organizational views
When a device is discovered, a resource for that device is automatically created
in the Configuration Management Database (CMDB). You can view the devices
using organizational views. Organizational views display all the known resources
in your environment. You can view all discovered devices in one view, called
Network Resources. There are also views for individual resource types, such as
computer, network printer, and so on.
If the resource type of the device is known, the resource type is displayed as a
property of the resource. If a device has a resource type of 'Network Resource',
then the device type is unknown. These unknown devices are listed in the Network
Resource view, not in any of the specific resource type views. If you have devices
that have an unknown classification, you can modify the SNMP classification list.
See “About classifying SNMP devices ” on page 263.
To view discovered devices in organizational views
1
In the Symantec Management Console, on the Manage menu, click All
Resources.
2
In the left pane, expand the views for Default > All Resources > Asset, and
then click Network Resource.
In the right pane, all discovered devices are displayed.
3
To view a specific type of resource, in the left pane, click a resource type
under Network Resource.
Viewing discovery reports
You can view the results of your discovery through reports. You can view
predefined reports or create your own.
The Discovered Devices report lets you filter the results based on a date
range, the discovery method or protocol used, or the task that was used.
The Discovered Devices by Group report lets you group the results based
on a date range, the discovery method or protocol used, the task that was used,
or the device type.
See “About discovery status and results” on page 262.
To view discovery reports
1
In the Symantec Management Console, on the Reports menu, click All
Reports.
2
In the left pane, click Reports > Discovery and Inventory.
3
Select a report.
4
Enter the parameters of the report, and click Refresh.
See “About Notification Server reports” on page 499.
About classifying SNMP devices
Discovered SNMP devices are identified by their device type, such as computer,
network printer, and so on. For the device type to be identified, Network Discovery
must know the SNMP device classification for that type. Network Discovery
has a predefined list of common SNMP devices. If the device that is discovered is
in that list, then it can be identified. If the device is not in the list, it is identified
with the generic resource type 'Network Resource'.
You can view the predefined list on the Device Classifications page. This page lists
classifications of commonly used devices. This data includes the SNMP object ID,
device type, manufacturer, and device model. If the SNMP object ID that is
discovered matches an item from this list, the data is populated.
Before you run a Network Discovery task, you can review the device classification
list, which contains common manufacturers. If you find the list incomplete, you
can add or edit classifications to customize this list for your network environment.
Taking time to review and customize the device classification list results in more
complete discovery data. Doing this task before a discovery is not required. You
can do this task after a discovery, but you have to re-run the discovery to get the
updated classification.
If you change the information for an existing SNMP device classification, you
need to rescan any device that was previously classified using that entry.
Rescanning is necessary so that the devices with changed information are
reclassified.
After you run a Network Discovery task, you may have devices with an unknown
classification. If you know the Object ID for these devices, you can add them to
the classification list. The next time you run a Network Discovery task, the devices
are classified using the updated list.
See “Classifying SNMP devices” on page 264.
See “About Network Discovery configuration” on page 250.
Classifying SNMP devices
You can configure the SNMP device classification values that are used to identify
SNMP devices. A list of common devices is provided in Network Discovery. You
can add, edit, or remove classifications to customize this list for your network
environment. After you change a device classification, you must rediscover it so
that it can be reclassified.
See “About classifying SNMP devices” on page 263.
See “About Network Discovery configuration” on page 250.
To classify SNMP devices
1 In the Symantec Management Console, on the Home menu, click Discovery
and Inventory > Network Discovery.
2 In the Network Discovery Quick Start Actions, click SNMP Device
Classification.
3 To add a new classification, click Add, and enter the information about your
device.
The SNMP object ID must be a unique value that you can obtain from the
device manufacturer.
4 You can also edit or remove classifications to match the devices in your
network environment.
5 To reclassify devices based on the new settings, you must re-run
the discovery.
Importing MIB files
You can use two methods to import MIB files into the database. You can manually
import MIB files one at a time using the MIB Import utility. You can also create
and schedule a task that imports one or more MIB files.
See “MIB browser page” on page 266.
See “MIB import task page” on page 266.
To import MIB files manually using the MIB Import utility
1 In the Symantec Management Console, on the Settings menu, click All
Settings.
2 In the left pane click Settings > Monitoring and Alerting > SNMP MIB Import
Browser > MIB Browser.
3 On the top of the right pane, click Import MIB file.
4 On the Import MIB File page, click Browse to browse to a MIB file.
5 Click Import to import the MIB file.
You can import any additional MIB files that you require.
6 Click Cancel to close the Import MIB File page.
To import MIB files using the MIB import task
1 In the Symantec Management Console, on the Manage menu, click Jobs and
Tasks.
2 In the left pane, select the folder where you want to create the task.
3 On the folder’s right-click menu, click New > Task.
4 In the Create New Task dialog box, in the left pane, click Monitoring and
Alerting > MIB Import.
5 Name the task.
6 Use MIB file upload to browse to a MIB file.
7 Select one of the two import options.
You can choose to either import the single MIB file, or you can choose to
import additional MIB files that are stored at the directory location.
8 Click Upload to upload the MIB file into the import task.
The confirmation message “The MIB file has been successfully uploaded”
should be displayed.
9 If you chose to import multiple MIB files, then continue to browse to and
upload each MIB file that you require into the task.
10 Click OK.
11 Select the new MIB import task.
By default, the new MIB import task is stored at: System Jobs and Tasks >
Notification Server.
12 Schedule the new MIB import task to run by using the task scheduling utility.
MIB browser page
This page lets you manually import MIB files into the database using the MIB
Import utility.
See “Importing MIB files” on page 265.
Table 13-5
Option on the MIB browser page
Option
Description
Import MIB file
The option to select the MIB file to import.
MIB import task page
This page lets you import one or more MIB files into the database. You use this
page to upload the MIB files to a holding directory. Then, when you save and run
the MIB Import task, the MIB files get imported into the database.
See “Importing MIB files” on page 265.
Table 13-6
Options on the MIB import task page
Option
Description
Browse
The option to browse to the MIB file that you want to import.
Upload
The option to upload the MIB file to the Install
Path\Altiris\MibImportTask\Mibs\Uploaded directory. You must
run the MIB Import task to import the files in the Uploaded
directory into the database.
Import ALL MIB files
Select to import all MIB files in the Install
Path\Altiris\MibImportTask\Mibs\Uploaded directory when the
MIB Import task runs.
Import ONE MIB file only
Select to import only the displayed MIB file when the MIB Import
task runs. This option is only relevant when the MIB Import task
runs.
OK
Save the MIB Import task. This option is only relevant when the
MIB Import task runs.
About Connection Profiles
Connection profiles store the information that is required to communicate with
computers and other network devices using standard network monitoring
protocols. These protocols include SNMP, WMI, WSMan, and several others.
Connection profiles are associated with devices during network discovery. During
discovery, a connection profile is selected to define the protocols and credentials
to use. When discovery completes, this connection profile is then associated with
each discovered resource. When information is required, the associated connection
profile is used to connect.
See “Creating or cloning a connection profile” on page 268.
Updating a connection profile
Connection profiles store the information that is required to communicate with
computers and other network devices using standard network monitoring
protocols.
When you update a connection profile, the new settings are used the next time
any device that is associated with the profile is contacted.
See “About Connection Profiles” on page 267.
To update a connection profile
1 In the Symantec Management Console, on the Settings menu, click All
Settings.
2 In the left pane, click Monitoring and Alerting > Protocol Management >
Connection Profiles > Manage Connection Profiles.
3 Click the connection profile you want to update and click Edit selected
connection profile.
4 Click the arrow next to any protocols you want to update and provide the
required protocol details.
5 At the upper right next to the protocols you want enabled, click the colored
circle, and then click On.
6 Click OK to save your changes.
Creating or cloning a connection profile
Connection profiles store the information that is required to communicate with
computers and other network devices using standard network monitoring
protocols.
Provided credentials are stored securely by the credential manager. If additional
administrators need access to use a connection profile, they must be granted
rights to the credentials and to the connection profile. The rights can be granted
by editing the credential and the connection profile.
Typically, you should create a new connection profile for each segment of your
network that uses different network monitoring credentials.
You can copy and make changes to already existing connection profiles. This is
called cloning.
See “About Connection Profiles” on page 267.
To create a connection profile
1 In the Symantec Management Console, on the Settings menu, click All
Settings.
2 In the left pane, click Monitoring and Alerting > Protocol Management >
Connection Profiles > Manage Connection Profiles.
3 Click Add settings, and provide a name for the new profile.
4 Click the arrow next to any protocols you want enabled and provide the
required protocol details.
5 At the upper right next to the protocols you want enabled, click the colored
circle, and then click On.
6 Click OK to save your changes.
Changing default SNMP alert severity
You can select the default alert severity that is assigned to SNMP alerts. Changing
alert severity lets you raise or lower the priority of specific alerts to match the
importance in your environment.
See “About Connection Profiles” on page 267.
To change default SNMP alert severity
1 In the Symantec Management Console, on the Settings menu, click All
Settings.
2 In the left pane, click Monitoring and Alerting > Protocol Management >
Alert Management Settings.
3 Browse to the alert type you want to change, select the alert, and click the
edit icon.
4 Select a new default status and click Save Changes.
Define group settings page
This page lets you set up connection profiles. Connection profiles store the
information that is required to communicate with computers and other network
devices using standard network monitoring protocols.
See “Creating or cloning a connection profile” on page 268.
Table 13-7
AMT options on the Define group settings page
Option
Description
Runtime credentials
If this option is checked, the Credential Selector drop-down lists
all available Runtime Credentials. The values of runtime
credentials are retrieved at runtime (real-time) from specified
Handler (Assembly) and Method. For example, OOB solution
installs runtime credential items for AMT, ASF, and WSMAN
protocols.
Management presence server requires authentication
If this option is checked, the Credential Selector drop-down lists
all available credentials. The Management Presence Server (MPS)
requires authentication to connect to the Intel AMT platforms
that are located outside the enterprise.
Secure mode
If this option is checked, the connection is made using HTTPS.
■ Trusted domain suffixes
Specifies the list of trusted domains (for example,
symantec.com). This list is referred to while the Server
certificate is being validated.
Retry after wakeup from sleep
If this option is checked, the retry for the last operation is made
once more, if it has failed due to a timeout. Timeouts can occur
for AMT 2.1 and later computers when they are in a sleep state
and WakeME functionality is enabled. The Timeout option
specifies the timeout for Intel AMT operations.
Table 13-8
ASF options on the Define group settings page
Option
Description
Timeout
Specifies the timeout for the connection.
Retry Count
Specifies the number of attempts that are made to connect to the
device in case of failure.
Secure RMCP
If this option is checked, then the secure RMCP (Remote
Management Control Protocol) is used for Remote Management.
Role
Specifies the role of Secure user. Two supported authenticated
"session" types for ASF Remote Management are Operator and
Administrator.
This option is applicable if Secure RMCP is checked. Possible
values are Administrator and Operator.
Table 13-9
EMC options on the Define group settings page
Option
Description
Port
Specifies the port number that is used for communication.
Timeout
Specifies the timeout for the connection.
Table 13-10
HTTP option on the Define group settings page
Option
Description
Use anonymous access
If this option is checked, then the connection is made as
‘anonymous’ user. If unchecked, then you can select the
Credentials (Username, Password) from the Credential Selector
drop-down list.
Table 13-11
ICMP options on the Define group settings page
Option
Description
Timeout
Specifies the timeout for the connection.
Retry count
Specifies the number of attempts that are made to connect to the
device in case of failure.
Table 13-12
IPMI options on the Define group settings page
Option
Description
Authentication type
Selects one of several possible methods of authentication and
communication channel’s encryption. Possible values are None,
MD2, MD5, password, and OEM. The default is MD5.
Privilege level
Selects the privilege level that controls the range of operations
allowed. Administrator is top-level access without any limitations.
User provides read-only access. Operator accepts some commands
(such as power management) except for configuration changes.
Cipher Suit ID
Cipher Suites are a part of the IPMI authentication mechanism
that is used with Authentication Type and Privilege Level.
Particular ID should correspond to the access level allowed. For
example, “3” (default) means “authentication and encrypted
payload data supported, correct role, user name, and the password
and key required to establish session”.
KG Key
KG key acts as a value that is used for key exchange for the overall
channel. This value is used with the user key values (passwords)
in RAKP-HMAC-SHA1 and RAKP-HMAC-MD5 authentication. For
example, the remote console needs prior knowledge
of both this key value and the user password setting to establish
a session.
Port
Specifies the port number that is used for communication.
Timeout
Specifies the timeout for the connection.
Retry count
Specifies the number of attempts that are made to connect to the
device in case of failure.
Table 13-13
SNMP V1 V2 options on the Define group settings page
Option
Description
Community names
The section for selecting Read Community Credentials.
Community names are the SNMP codes that act as passwords for
an application requesting services of the SNMP agent. Read
community names let the calling application retrieve information
from the SNMP device.
Read
The community name to gain read access to the SNMP device.
Multiple community names can be used separated by commas.
Timeout
Specifies the timeout for the connection.
Retry count
Specifies the number of attempts that are made to connect to the
device in case of failure.
Table 13-14
SNMP trap sender options on the Define group settings page
Option
Description
Community names
The section for selecting Read Community Credentials.
Community names are the SNMP codes that act as passwords for
an application requesting services from the SNMP agent. Read
community names let the calling application retrieve information
from the SNMP device.
Read
The community name to gain read access to the SNMP device.
Multiple community names can be used separated by commas.
Timeout
Specifies the timeout for the connection.
Retry count
Specifies the number of attempts that are made to connect to the
device in case of failure.
Table 13-15
VMWare options on the Define group settings page
Option
Description
Runtime credentials
If this option is checked, the Credential Selector drop-down lists
all available Runtime Credentials. The values of runtime
credentials are retrieved at runtime (real-time) from specified
Handler (Assembly) and Method. For example, OOB solution
installs runtime credential items for AMT, ASF, and WSMAN
protocols.
Port
Specifies the port number that is used for communication.
Timeout
Specifies the timeout for the connection.
Secure mode
If this option is checked, then protocol communication happens
in Secure mode using the Secure Port.
Secure port
Used only when the Secure mode option is checked. This port is
used for secure communication of the protocol.
Table 13-16
WMI options on the Define group settings page
Option
Description
Runtime credentials
If this option is checked, the Credential Selector drop-down lists
all available Runtime Credentials. The values of runtime
credentials are retrieved at runtime (real-time) from specified
Handler (Assembly) and Method. For example, OOB solution
installs runtime credential items for AMT, ASF, and WSMAN
protocols.
Timeout
Specifies the timeout for the connection.
Retry count
Specifies the number of attempts that are made to connect to the
device in case of failure.
Use authentication level
Lets you request the level of DCOM authentication and privacy
to be used throughout a connection. Settings range from no
authentication to per-packet encrypted authentication. If this
option is checked, you can select from the available
Authentication Levels. If this option is unchecked, then each
interface is queried to obtain the appropriate Authentication
Level.
Authentication level
The specified level of DCOM authentication and privacy to be
used throughout a connection. This option is applicable if the
Use authentication level option is checked. Possible values are
Default, None, Connect, Call, Packet, Packet Integrity, and Packet
Privacy.
The Authentication Level setting lets you request the level of
DCOM authentication and privacy to be used throughout a
connection. Settings range from no authentication to per-packet
encrypted authentication. The permissible settings include
Default, None, Connect, Call, Packet, Packet Integrity, and Packet
Privacy. Specifying an authentication level is more of a request
than a command because there is no guarantee that the setting
will be honored. For example, local connections always use
authenticationLevel=PktPrivacy.
■ None
Does not use any authentication. All security settings are
ignored.
■ Default
Uses a standard security negotiation to select an
authentication level. Default is the recommended setting
because the client that is involved in the transaction is
negotiated to the authentication level that is specified by the
server. DCOM does not select the value None during a
negotiation session.
■ Connect
Authenticates the credentials of the client only when the
client tries to connect to the server. After a connection has
been made, no additional authentication checks take place.
■ Call
Authenticates the credentials of the client only at the
beginning of each call, when the server receives the request.
The packet headers are signed, but the data packets that are
exchanged between the client and the server are neither
signed nor encrypted.
■ Packet
Authenticates that all data packets are received from the
expected client. Similar to Call; packet headers are signed but
not encrypted. Packets themselves are neither signed nor
encrypted.
■ Packet Integrity
Authenticates and verifies that none of the data packets that
are transferred between the client and the server have been
modified. Every data packet is signed, ensuring that the
packets have not been modified during transit. None of the
data packets are encrypted.
■ Packet Privacy
Authenticates all previous impersonation levels and signs
and encrypts each data packet. This option ensures that all
communication between the client and the server is
confidential.
Table 13-17
WS-MAN options on the Define group settings page
Option
Description
Runtime credentials
If this option is checked, the Credential Selector drop-down lists
all available Runtime Credentials. The values of runtime
credentials are retrieved at runtime (real-time) from specified
Handler (Assembly) and Method. For example, OOB solution
installs runtime credential items for AMT, ASF, and WSMAN
protocols.
Port
Specifies the port number that is used for communication.
Timeout
Specifies the timeout for the connection.
Skip Common name check
If this option is checked, all the common name checks are
bypassed.
Secure mode
If this option is checked, then protocol communication happens
in Secure mode using the Secure Port.
Secure port
Used only when the Secure mode option is checked. This port is
used for secure communication of the protocol.
Trusted Site
If this option is checked, all certificate checks are bypassed.
Certificate file
Required if the Secure Mode option is checked. This file (*.crt)
is used for secure communication of the protocol.
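Several options in the tables above relax authentication or certificate validation (for example, Trusted Site bypasses all certificate checks). The following Python script is an added example, not part of the product or of this guide's original text; it audits a connection profile for such settings. The dictionary layout, the audit_profile function, and the sample values are constructed for illustration; only the option names and values come from the tables.

```python
# Added example: audits a constructed connection-profile dictionary for weak
# protocol settings. The dictionary layout is an assumption; the option names
# and values come from the Define group settings tables.

# DCOM authentication levels, weakest to strongest (Table 13-16).
WMI_LEVELS = ["None", "Connect", "Call", "Packet", "Packet Integrity", "Packet Privacy"]

# Protocols whose tables list a "Secure mode" option.
SECURE_MODE_PROTOCOLS = ("AMT", "VMWare", "WS-MAN")

# IPMI authentication types flagged here. Treating "password" as the IPMI 1.5
# straight-password type is an assumption.
IPMI_WEAK_AUTH = {
    "None": "sessions are not authenticated",
    "password": "password is not hashed (assumed IPMI 1.5 straight password)",
}

# Widely used factory-default SNMP community names (general knowledge, not from the guide).
DEFAULT_COMMUNITIES = {"public", "private"}


def audit_profile(profile, min_wmi_level="Packet Integrity"):
    """Return sorted (protocol, option, reason) findings for enabled protocols."""
    findings = []
    for proto, cfg in profile.items():
        if not cfg.get("enabled"):
            continue  # a protocol that is switched Off in the profile is never used

        if proto in SECURE_MODE_PROTOCOLS and not cfg.get("Secure mode"):
            findings.append((proto, "Secure mode", "unchecked, secure mode is not used"))

        if proto == "WS-MAN":
            if cfg.get("Trusted Site"):
                findings.append((proto, "Trusted Site", "all certificate checks are bypassed"))
            if cfg.get("Skip Common name check"):
                findings.append((proto, "Skip Common name check",
                                 "all common name checks are bypassed"))
            if cfg.get("Secure mode") and not cfg.get("Certificate file"):
                findings.append((proto, "Certificate file",
                                 "required when Secure mode is checked"))

        if proto == "WMI" and cfg.get("Use authentication level"):
            level = cfg.get("Authentication level", "Default")
            if level == "Default":
                pass  # negotiated with the server; DCOM does not select None
            elif level not in WMI_LEVELS:
                findings.append((proto, "Authentication level", f"unknown value {level!r}"))
            elif WMI_LEVELS.index(level) < WMI_LEVELS.index(min_wmi_level):
                findings.append((proto, "Authentication level",
                                 f"{level} is below {min_wmi_level}"))

        if proto == "IPMI":
            auth = cfg.get("Authentication type", "MD5")  # MD5 is the documented default
            if auth in IPMI_WEAK_AUTH:
                findings.append((proto, "Authentication type", IPMI_WEAK_AUTH[auth]))

        if proto == "SNMP V1 V2":
            # The Read field accepts multiple community names separated by commas.
            for name in (n.strip() for n in cfg.get("Read", "").split(",")):
                if name.lower() in DEFAULT_COMMUNITIES:
                    findings.append((proto, "Read", f"default community name '{name}'"))

    return sorted(findings)


# Constructed sample profiles (not exported from any real system).
WEAK_PROFILE = {
    "WS-MAN": {"enabled": True, "Secure mode": True, "Trusted Site": True,
               "Skip Common name check": True, "Certificate file": "device-ca.crt"},
    "WMI": {"enabled": True, "Use authentication level": True,
            "Authentication level": "Connect"},
    "IPMI": {"enabled": True, "Authentication type": "None"},
    "SNMP V1 V2": {"enabled": True, "Read": "public, n3tm0n-ro"},
    "VMWare": {"enabled": False, "Secure mode": False},  # Off, so not audited
}

HARDENED_PROFILE = {
    "WS-MAN": {"enabled": True, "Secure mode": True, "Trusted Site": False,
               "Skip Common name check": False, "Certificate file": "device-ca.crt"},
    "WMI": {"enabled": True, "Use authentication level": True,
            "Authentication level": "Packet Privacy"},
    "IPMI": {"enabled": True, "Authentication type": "MD5"},
    "SNMP V1 V2": {"enabled": True, "Read": "n3tm0n-ro"},
}

if __name__ == "__main__":
    for proto, option, reason in audit_profile(WEAK_PROFILE):
        print(f"{proto}: {option}: {reason}")
```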
Delegating Network Discovery tasks to non-administrators
As a network administrator, you may have a team of other administrators to whom
you can delegate certain network-administration tasks. Whether you work alone
or with a team of administrators, you may need to delegate Network Discovery
tasks to other, non-administrator users.
Network Discovery tasks require rights to work with connection profiles and
credentials. These rights are granted through a combination of permissions and
privileges. Permissions are assigned by default to items, such as files, tasks, and
wizards. Privileges are granted to user roles, including the predefined
administrator role and the predefined non-administrator roles. The intersection
of the item permissions and role privileges determines what administrators and
non-administrators can do to items.
See “About Network Discovery” on page 248.
Each of the predefined non-administrator roles in Symantec Management Platform
includes inherent privileges.
See “Predefined security roles” on page 75.
See “About security privileges” on page 82.
To enable users to discover network devices and work with connection profiles
and credentials, you assign privileges to user roles that enable those roles to create
connection profiles and credentials. Then, you select a non-administrator user
role to which you assign users. You then limit or augment the scope of the role
by removing or assigning specific privileges. To create and run Network Discovery
tasks, the user role must have access to at least one connection profile.
This profile can be the default connection profile.
The Symantec Supervisors role is a higher-level non-administrator role. Other
workers can be assigned a role with limited inherent rights. The Symantec Level
1 Workers and Symantec Level 2 Workers roles are good examples. These roles
are used in some of the tasks that are included in the process that is defined in
this topic. You are not limited to these roles. They are the predefined roles that
are the most useful to administrators.
You can delegate tasks to more than one user role. To create, edit, or run tasks, a
user must be a member of a security role that has the Discovery Task Management
privilege. The ability to enable the Discovery Task Management privilege for any
non-administrator user is new in version 7.1.
The default Symantec Supervisors role includes more access to Network Discovery
than other non-administrator roles. Delegating tasks to the Symantec Supervisors
role is less complicated than delegating tasks to roles that have no access to
perform any Network Discovery tasks.
Select a role to which to delegate tasks based on what you want non-administrators
to be able to do. Delegate tasks by completing each step in the process, in order.
Tasks that are listed in later steps may depend on the rights that are granted in
preceding steps.
Table 13-18
Process for delegating Network Discovery tasks to
non-administrators
Step
Task
Description
Step 1
Add non-administrators to
security roles for performing
Network Discovery tasks.
To delegate tasks to users in
non-administrator roles, you must
assign users to those roles.
See “Adding non-administrators
to security roles for performing
Network Discovery tasks”
on page 281.
Step 2
Enable non-administrator roles to create or run Network Discovery
tasks.
You can delegate Network Discovery tasks to non-administrator roles and
assign non-administrator users to
those roles. Several default roles
are included in Symantec
Management Platform, and each
has certain inherent rights.
The Symantec Supervisors role
can run Network Discovery tasks.
Other non-administrator roles
cannot even run existing tasks
until you grant the required
privilege to the role. You must
perform certain steps to enable
non-administrator roles to create
and run Network Discovery tasks.
By default Administrators,
Symantec Supervisors, and
Symantec Level 1 and Level 2
Workers can view the Network
Discovery portal page. This page
is a convenient location from
which administrators view and
run Network Discovery tasks.
Administrators and supervisors
can view all parts of this page by
default. However, the Network
Discovery Task Management Web
part is disabled for other users. To
let other non-administrator users
view and use this Web part, assign
them to a security role that has
the Discovery Task Management
privilege enabled.
See “Predefined security roles”
on page 75.
See “Enabling non-administrator
roles to create or run Network
Discovery tasks” on page 283.
Step 3 (Optional but recommended)
Grant non-administrator roles privileges to create credentials
and connection profiles.
A non-administrator role can be
given privileges to discover
network devices and to create or
edit credentials and connection
profiles. Creating or editing
credentials and connection
profiles may be necessary for
performing the tasks that are
listed later in this process.
This step is optional because users
can create Network Discovery
tasks without these privileges.
They would simply have to use
existing connection profiles to
which they have access.
See “About security privileges”
on page 82.
See “Granting non-administrator
roles privileges to create
credentials and connection
profiles” on page 286.
Step 4
Grant non-administrator roles
access to the default connection
profile.
To create and run Network
Discovery tasks, a user role must
have access to the default
connection profile (or other
connection profile, but at least
one).
See “Granting non-administrator
roles access to the default
connection profile” on page 287.
Step 5
Enable roles other than predefined
security roles to create and run
tasks using the Network Discovery
wizard.
The following security roles are
predefined and by default can
create and run tasks using the
Network Discovery wizard:
■ Administrator
■ Symantec Supervisors
■ Symantec Level 2 Workers
■ Symantec Level 1 Workers
If you need to let other roles create
and run tasks using the wizard,
you must give them access
explicitly.
See “Enabling roles other than
predefined security roles to create
and run tasks using the Network
Discovery wizard” on page 288.
Step 6 (Optional)
Make a connection profile
read-only.
If you want to let a particular
non-administrator role view but
not edit a connection profile, then
you can make the profile
read-only.
See “Making a connection profile
read-only” on page 289.
Adding non-administrators to security roles for performing Network Discovery tasks
If you want to delegate Network Discovery tasks to non-administrator users, they
must have the privileges necessary to perform those tasks. Privileges are assigned
to user roles. If you have not created a Windows user to perform Network Discovery
tasks, you must create this user first. Then, add the user to your chosen security
role or create a custom role. Finally, grant privileges to the security role. You can
then delegate the tasks that the role has sufficient privileges to perform.
The Network Discovery portal page is a convenient location from which to view
and perform discovery tasks. Administrators and Symantec Supervisors have full
access to this page by default. Users in other, non-administrator roles can view
this page. However, the Discovery Task Management Web part is disabled unless
you enable it with the Discovery Task Management privilege. By adding
non-administrators to security roles and granting rights for Network Discovery
task management, you enable them to view and work from this page.
See “Enabling non-administrator roles to create or run Network Discovery tasks”
on page 283.
Symantec Management Platform includes several non-administrator, predefined
security roles by default. You can also create custom security roles.
See “Predefined security roles” on page 75.
See “Creating and configuring Symantec Management Platform user accounts”
on page 282.
Adding non-administrators to security roles is a step in the process for delegating
Network Discovery tasks to non-administrators.
See “Delegating Network Discovery tasks to non-administrators” on page 277.
Creating a new Windows user
1 Log on to Symantec Management Console as Administrator.
2 In the Symantec Management Console on the Settings menu, click Security
> Account Management.
3 In the left pane, click Accounts.
4 In the Accounts pane, click Add.
5 Enter a name for the new user.
6 Click OK.
7 In the right pane that shows the user name, in Account details, in the Full
Name field, enter the user's full name.
You can leave the Email field empty. It is not required for this procedure.
8 In Credentials, click Add Credential > Windows.
9 Enter the logon name that corresponds with the Windows user who is
associated with this new account.
10 Click OK.
11 In the upper right, click the down-arrow next to Inactive and click Active
(the green option).
12 Click the Member Of tab.
13 Click Add Role, and then click Symantec Level 1 Workers (or other role to
which you want to assign this user).
14 Click OK.
15 Click Save changes.
Adding non-administrators to security roles for performing Network Discovery tasks
1 Log on to the Symantec Management Console as Administrator.
2 If the user to whom you want to delegate tasks has not already been created,
create the new Windows user.
See “Creating a new Windows user” on page 282.
3 Add the user to the predefined security role to which you want to delegate
tasks.
If none of the predefined security roles meets your needs, you can create a
custom security role.
See “Creating and configuring security roles” on page 76.
Enabling non-administrator roles to create or run Network Discovery tasks
You can delegate Network Discovery tasks to users outside the Symantec
Administrators group. To delegate tasks, you assign privileges to
non-administrator roles. You then add users to those non-administrator roles.
This task is a step in the process for delegating Network Discovery tasks to
non-administrators.
See “Delegating Network Discovery tasks to non-administrators” on page 277.
This topic describes how to delegate common Network Discovery tasks to the
following non-administrator roles:
■ Symantec Supervisors. By default, users in this role can run existing Network
Discovery tasks. However, they cannot create tasks by default. This is because
they do not have access to the default connection profile unless you grant that
access explicitly.
■ Symantec Level 1 and Level 2 Workers. Users in these roles have limited rights.
They cannot even run existing tasks until you give them rights to do so.
You are not limited to using these non-administrator roles. They are shown in
this topic as examples. Use whichever predefined security role serves your purpose.
See “Predefined security roles” on page 75.
Tasks use connection profiles, which use credentials. For any non-administrator
role to create new tasks (and not merely run them), you must set access permissions
to a connection profile. You then set a level of control (the maximum level is Full
Control) to protocol settings for that role. After you set these permissions, users
in a non-administrator role can perform the tasks that you specify.
Complete the following procedures, in the order shown, to enable
non-administrators to create Network Discovery tasks:
■ Grant rights to a non-administrator role for network discovery task
management. This procedure lets users in the role run tasks.
See “To grant rights to a non-administrator role for network discovery task
management” on page 284.
■ Add the role of your choice to the access permissions of the relevant connection
profile. Then grant this role control over the protocol settings. After you add the
role to a connection profile, users in that role can create and edit Network
Discovery tasks.
See “To grant a predefined role full (or lesser) control to protocol settings”
on page 285.
To grant rights to a non-administrator role for network discovery task management
1 Log on to Symantec Management Platform as Administrator.
2 In the Symantec Management Console on the Settings menu, click Security
> Account Management.
3 In the left pane, under Account Management, click Roles.
4 In the Roles pane on the right, click the non-administrator role to which you
want to delegate creating and running Network Discovery tasks.
Typical roles to which administrators delegate these tasks are Symantec Level
1 Workers and Symantec Level 2 Workers.
5 On the right, in the window that is labeled with the role that you selected,
click the Privileges tab if it is not active.
6 In Management Privileges, check Discovery Task Management.
7 If the role that you have selected also needs to create or edit connection
profiles, check the following additional options:
■ In Connection Profile Privileges, check Create Connection Profile.
■ In System Privileges, check View Security.
■ In Credential Privileges, check Create Credential.
8 Click the Members tab.
9 Ensure that the user you want to add to the selected role has been added to
this role.
If the user is not a member of this role, you must create a Notification Server
user and add the user to the relevant role.
See “Adding non-administrators to security roles for performing Network
Discovery tasks” on page 281.
10 Click Save changes.
To grant a predefined role full (or lesser) control to protocol settings
1 In the Symantec Management Console, on the Settings menu, click All
Settings.
2 In the left pane, under Settings, expand Monitoring and Alerting > Protocol
Management > Connection Profiles and click Manage Connection Profiles.
3 In the Manage Connection Profiles pane, click Default Connection Profile,
and click Edit.
4 In the Define Group Settings dialog box, click Access permissions to
protocols settings.
5 Click Add, select the role to which you want to grant control, and click Select.
Symantec Level 1 Workers: Users in this role have fewer rights than Symantec Supervisors by default. When given Discovery Task Management privileges and Full Control, these workers can create and run Network Discovery tasks.
Symantec Level 2 Workers: Users in this role have fewer rights by default. When given Discovery Task Management privileges and Full Control, these workers can create and run Network Discovery tasks.
Symantec Supervisors: Users in this role can run Network Discovery tasks by default. When given Full Control, these workers can also create and edit Network Discovery tasks.
6 In the Permission Selection dialog box, select permissions in one of the
following ways:
■ Check Use and Read. You can check any other boxes that correspond to
the tasks that you want the selected role to be able to perform. Then click
Select.
■ Click Full Control to give the role all available rights that are listed, and
then click Select.
7 In the Security Descriptor Settings for: Default Connection Profile dialog
box, click Apply.
8 In the Define Group Settings dialog box, click OK to save the connection
profile.
Granting non-administrator roles privileges to create
credentials and connection profiles
When you delegate tasks to non-administrator roles, you must determine which
tasks the users who are assigned to those roles can perform. Each Symantec
Management Platform predefined security role includes inherent rights.
See “Predefined security roles” on page 75.
One example is the default Symantec Supervisors role. Users who are assigned
to this role can run existing tasks without the role being granted additional
privileges. These users can also create Network Discovery tasks if they have access
to an existing connection profile.
However, to let non-administrator roles create new tasks and connection profiles,
you grant privileges to those roles to create credentials and connection profiles.
These additional privileges are necessary if users are expected to create new tasks
that may require some credentials and connection profiles that are different from
the existing credentials and profiles.
See “About Network Discovery configuration” on page 250.
To let users assigned to non-administrator roles create credentials and connection
profiles, you must enable those privileges for the role. These privileges let the
users create the credentials and the connection profiles that are suited to the
tasks that you delegate to them or that they create.
This task is a step in the process for delegating Network Discovery tasks to
non-administrators.
See “Delegating Network Discovery tasks to non-administrators” on page 277.
To grant non-administrator roles privileges to create credentials and connection
profiles
1 Log on to the Symantec Management Console as Administrator.
2 In the Symantec Management Console, on the Settings menu, click Security
> Account Management.
3 Under Account Management, click Roles.
4 In the Roles pane, click the role that you want to enable, and in the right
pane, click the Privileges tab.
5 Scroll to Connection Profile Privileges and check Create Connection Profile.
6 Scroll to Credential Privileges and check Create Credential.
7 Scroll to System Privileges and check View Security.
8 Click Save changes.
Granting non-administrator roles access to the
default connection profile
Users in non-administrator roles need access to the default connection profile
to run tasks. After you grant these roles access to the default connection profile,
users in those roles can also create tasks. They cannot create connection profiles,
but they can create tasks that use existing connection profiles.
This task is a step in the process for delegating Network Discovery tasks to
non-administrators.
See “Delegating Network Discovery tasks to non-administrators” on page 277.
To grant a predefined role full (or lesser) control to the default connection profile
1 In the Symantec Management Console, on the Settings menu, click All
Settings.
2 In the left pane, under Settings, expand Monitoring and Alerting > Protocol
Management > Connection Profiles and click Manage Connection Profiles.
3 In the Manage Connection Profiles pane, click Default Connection Profile,
and then click Edit.
4 In the Define Group Settings dialog box, click Access permissions to
protocols settings.
Enabling roles other than predefined security roles
to create and run tasks using the Network Discovery
wizard
The Network Discovery wizard is an administrator tool bundled with Symantec
Management Platform. It is one method for discovering network devices and
performing other discovery tasks.
See “About discovering network devices” on page 251.
You access the Network Discovery wizard from the Symantec Management Console
Home menu.
See “Creating Network Discovery tasks using the wizard” on page 255.
The following security roles are predefined and by default can create and run
tasks using the Network Discovery wizard:
■ Administrator
■ Symantec Supervisors
■ Symantec Level 2 Workers
■ Symantec Level 1 Workers
You may want to enable other roles to create and run tasks from the Network
Discovery wizard. In this case, you must give those roles the privileges that are
required to perform those tasks using the wizard.
This task is a step in the process for delegating Network Discovery tasks to
non-administrators.
See “Delegating Network Discovery tasks to non-administrators” on page 277.
To enable roles other than predefined security roles to create tasks using the
Network Discovery wizard
1 Log on to Symantec Management Platform as Administrator.
2 In the Symantec Management Console, on the Settings menu, click Security
> Permissions.
3 In the Security Role Manager, in the Role drop-down box, select the role
that you want to enable to run tasks.
4 In the View drop-down box, click Settings.
5 In the left pane, click Edit.
Note that in the Items Selector dialog box, if the Settings checkbox is checked,
all other options are grayed out.
6 If Settings is checked, uncheck it.
7 Under Discovery and Inventory, check Network Discovery Wizard if it is
not checked already.
8 Re-check Settings to turn on inheritance again.
9 Click Save Changes.
To enable roles other than predefined security roles to schedule and run tasks
using the Network Discovery wizard
1 Log on to Symantec Management Platform as Administrator.
2 In the Symantec Management Console, on the Settings menu, click Security
> Permissions.
3 In the Security Role Manager, in the Role drop-down box, click the role that
you want to enable.
4 In the View drop-down box, click Tasks.
5 In the left pane, under Tasks, expand Jobs and Tasks > System Jobs and Tasks
and click Discovery and Inventory.
Note that in the Discovery and Inventory pane, the Inherited section is gray
and cannot be edited.
6 In the Discovery and Inventory pane, in the Noninherited section, scroll
down to Task Server Permissions, and check Run Task.
7 Click Save changes, and close the Security Role Manager.
Making a connection profile read-only
You may need to delegate Network Discovery tasks to users in non-administrator
roles. However, you may not want these users to change connection profiles. You
would make a connection profile read-only to prevent hacking and maintain the
security and privacy of confidential information. Another reason to make a
connection profile read-only is to prevent less-experienced users from modifying
a connection profile to use unsupported protocols.
If you want to limit users to viewing credentials and running Network Discovery
tasks, you can block Write rights to each connection profile. By blocking Write
rights from a non-administrator role, you make a connection profile Read-only
to users in that role. The users who are assigned to those non-administrator roles
whose Write rights you block can still view and run tasks, but they cannot change
that connection profile or create a connection profile.
This task is a step in the process for delegating Network Discovery tasks to
non-administrators.
See “Delegating Network Discovery tasks to non-administrators” on page 277.
To make a connection profile read-only
1 Log on to the Symantec Management Console as Administrator.
2 In the Symantec Management Console, on the Settings menu, click All
Settings.
3 In the left pane, under Settings, expand Monitoring and Alerting > Protocol
Management > Connection Profiles and click Manage Connection Profiles.
4 In the Manage Connection Profiles pane, click Default Connection Profile,
and then click Edit.
5 In the Define Group Settings dialog box, click Access permissions to protocol
settings.
6 In the Security Descriptor Settings for: Default Connection Profile dialog
box, select the role, such as Symantec Level 2 Workers, and click Edit.
7 In the Permission Selection dialog box, uncheck Write, and click Select.
8 In the Security Descriptor Settings for: Default Connection Profile dialog
box, click Apply to save the settings, and in the Define Group Settings dialog
box, click OK to save the connection profile.
Section 3
Installing and configuring the Symantec Management Agent
■ Chapter 14. Introducing the Symantec Management Agent
■ Chapter 15. Installing the Symantec Management Agent for Windows
■ Chapter 16. Installing the Symantec Management Agent for UNIX, Linux, and
Mac
■ Chapter 17. Configuring the Symantec Management Agent
Chapter 14
Introducing the Symantec Management Agent
This chapter includes the following topics:
■ About the Symantec Management Agent
■ Methods for installing the Symantec Management Agent
■ Installing the Symantec Management Agent manually
■ About selecting computers for a Symantec Management Agent manual
installation
■ Viewing the installation status report
■ Methods for upgrading the Symantec Management Agent
■ Methods for uninstalling the Symantec Management Agent
■ About the Symantec Management Agent upgrade and uninstall policies
■ Configuring the Symantec Management Agent Upgrade and Uninstall policies
■ Configuring a Symantec Management Agent package
About the Symantec Management Agent
The Symantec Management Agent is the software that establishes communication
between the Notification Server computer and the computers in your network.
Computers with the Symantec Management Agent installed on them are called
managed computers. The Notification Server computer interacts with the Symantec
Management Agent to monitor and manage each computer from the Symantec
Management Console.
The Notification Server computer and the Symantec Management Agent work
together to provide the following types of functionality for managed computers:
■ Monitoring hardware and software
■ Scheduling software installations and file updates
■ Collecting basic inventory information
■ Managing policies and packages
You can install the Symantec Management Agent on Windows, Linux, UNIX, and
Mac computers. The Symantec Management Agent also lets you install and manage
solution agent plug-ins that add additional functionality to the agent. For example,
installing the Inventory plug-in lets you gather detailed hardware and software
information from all of your managed computers.
See “Methods for installing the Symantec Management Agent” on page 294.
Methods for installing the Symantec Management
Agent
Before you install the Symantec Management Agent, we recommend that you
plan your installation using the Altiris™ IT Management Suite 7.1 SP2 from
Symantec™ Planning and Implementation Guide at the following URL:
http://www.symantec.com/docs/DOC4827
You can install the Symantec Management Agent on Windows. You can install
the Symantec Management Agent for UNIX, Linux, and Macintosh computers on
those platforms.
See “About the Symantec Management Agent” on page 293.
Table 14-1 Methods for installing the Symantec Management Agent

Method: Manual push
Description: Pushing is initiated from the Symantec Management Console and installs the Symantec Management Agent immediately. You can install the Symantec Management Agent on any number of computers in the same push operation. You can also customize the installation options for each push operation.
For UNIX, Linux, and Mac computers, this method requires that an SSH server is running. You must also configure the firewall to accept SSH connections on the target computers.
See “Installing the Symantec Management Agent manually” on page 296.
See “Installing the Symantec Management Agent for Windows with a manual push” on page 308.
See “Installing the Symantec Management Agent for UNIX, Linux, and Mac with a manual push” on page 320.

Method: Manual pull
Description: Pulling is initiated from the computer on which the Symantec Management Agent is to be installed. This operation lets you work around firewalls and the network access limitations that may prevent push installations to remote computers. For UNIX, Linux, and Mac computers, you need to use this method if SSH is not available.
See “Installing the Symantec Management Agent for Windows with a manual pull” on page 313.
See “Installing the Symantec Management Agent for UNIX, Linux, and Mac with a manual pull” on page 338.

Method: Scheduled push
Description: This method is available for Windows computers only.
A scheduled Symantec Management Agent installation is performed at a defined time, unlike the manual push installations which are performed immediately. You can push the Symantec Management Agent to the computers in an organizational group, filter, or resource target, or the computers that have selected resources.
See “Scheduling a Symantec Management Agent for Windows installation” on page 314.

Method: Agent upgrade policy
Description: The Symantec Management Agent Upgrade policy is provided with Symantec Management Platform. You can turn on this policy and configure it to ensure that all of your managed computers have the correct Symantec Management Agent version installed.
See “About the Symantec Management Agent upgrade and uninstall policies” on page 302.

Note: When you install the Symantec Management Agent on a computer, there
is a delay before the client task agent registers with Notification Server. Any tasks
that are targeted at the computer during this time (typically about 10 minutes)
have a pending status until the Client Task Agent registers. When the client task
agent is registered, the tasks are executed immediately.
Installing the Symantec Management Agent manually
You can install the Symantec Management Agent with a manual push or a manual
pull. It is recommended to install the Symantec Management Agent by manually
pushing to selected computers. However, to install on the remote computers that
have limited network access or are behind a firewall, you may need to perform a
manual pull.
See “About the Symantec Management Agent” on page 293.
Table 14-2 Process for installing the Symantec Management Agent manually

Step 1
Action: Select the computers that require the Symantec Management Agent to be installed.
Description: To install the Symantec Management Agent with a manual push, you need to select the computers on which to install the Symantec Management Agent. You can select the computers that have been discovered with resource discovery, enter the computer names manually, or import the computers from a .csv file.
See “About selecting computers for a Symantec Management Agent manual installation” on page 298.
See “Selecting Windows computers for a Symantec Management Agent manual installation” on page 308.
See “Selecting UNIX, Linux, and Mac computers for a Symantec Management Agent manual installation” on page 323.
See “Creating a .csv file for importing UNIX, Linux, and Mac computers” on page 324.

Step 2
Action: Verify that the computers meet the installation prerequisites.
Description: Each computer must meet the hardware prerequisites and the software prerequisites before you can install the Symantec Management Agent on it.
See “Symantec Management Agent for Windows installation prerequisites” on page 310.
See “Symantec Management Agent for UNIX, Linux, and Mac installation prerequisites” on page 325.

Step 3
Action: Configure the installation settings.
Description: The Windows installation settings let you specify how the Symantec Management Agent is installed on the client computer. You cannot include these settings in a .csv file when you import computer names.
See “Symantec Management Agent for Windows installation options” on page 311.
The UNIX, Linux, and Mac installation settings let you configure the communication and the authentication settings for the Symantec Management Agent for UNIX, Linux, and Mac. If you import computer names from a .csv file, you can specify these settings in the .csv file. You can also set or change these settings from the Symantec Management Console.
See “Specifying the Symantec Management Agent for UNIX, Linux, and Mac installation settings” on page 327.

Step 4
Action: Install the Symantec Management Agent using the appropriate method.
Description: The preferred method is to push the Symantec Management Agent to the selected computers. However, if any of the computers are behind a firewall or are difficult for Notification Server to access, you can pull the Symantec Management Agent to them.
See “Installing the Symantec Management Agent for Windows with a manual push” on page 308.
See “Installing the Symantec Management Agent for UNIX, Linux, and Mac with a manual push” on page 320.
See “Installing the Symantec Management Agent for Windows with a manual pull” on page 313.
See “Installing the Symantec Management Agent for UNIX, Linux, and Mac with a manual pull” on page 338.

Step 5
Action: View the installation status report to verify successful installation.
Description: The installation status report lets you view details of all the manual push installations and scheduled Symantec Management Agent installations that have been attempted. The report does not include details of any pull installations.
See “Viewing the installation status report” on page 299.

About selecting computers for a Symantec
Management Agent manual installation
Before you can manually install or uninstall the Symantec Management Agent
from the Symantec Management Agent Install page, you need to select the
appropriate computers. You can select the computers that have been discovered
with resource discovery, enter the computer names manually, or import the
computers from a .csv file.
Note: You can manually install the Symantec Management Agent only on the
computers that were discovered using Domain Resource Discovery or Network
Discovery.
See “Selecting Windows computers for a Symantec Management Agent manual
installation” on page 308.
See “Selecting UNIX, Linux, and Mac computers for a Symantec Management
Agent manual installation” on page 323.
The .csv file is a comma-delimited text file. The file includes the DNS names or
the IP addresses of the client computers on which you want to install the Symantec
Management Agent. For Windows computers, the .csv file is a list of computer
names or IP addresses that are imported into the Symantec Management Agent
Install page. Items are interpreted as the names of computers or the IP addresses
of computers (for the entries that are in the appropriate format). No spaces are
allowed: any item that contains a space is ignored.
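A pre-import check for the Windows list described above, as an added example that is not part of the Symantec guide: it reports the items the import would skip because they contain a space, so a skipped computer does not go unnoticed and unmanaged. The name pattern, the case-insensitive duplicate check, and the sample entries are assumptions made for the example.

```python
import csv
import io
import ipaddress
import re

# Assumed name syntax: dot-separated labels of letters, digits, "_" and "-".
# The guide does not define what it accepts as a computer name.
_LABEL = r"[A-Za-z0-9_](?:[A-Za-z0-9_-]*[A-Za-z0-9_])?"
_NAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def classify(item):
    """Return 'ip', 'name' or 'invalid' for an item that contains no space."""
    try:
        ipaddress.ip_address(item)
        return "ip"
    except ValueError:
        pass
    # An all-numeric dotted string that failed IP parsing (for example an
    # octet above 255) is treated as a typo, not as a host name.
    if re.fullmatch(r"[0-9.]+", item):
        return "invalid"
    return "name" if _NAME_RE.fullmatch(item) else "invalid"


def lint_import_list(text):
    """Sort every item of a comma-delimited import list into one bucket.

    accepted   -- (item, kind) pairs that look like a usable name or address
    ignored    -- (line, item) pairs containing a space; per the guide these
                  are skipped by the import
    invalid    -- (line, item) pairs that are neither an IP address nor a
                  name under the assumed syntax
    duplicates -- (line, item) repeats of an earlier entry, compared
                  case-insensitively (assumption)
    """
    report = {"accepted": [], "ignored": [], "invalid": [], "duplicates": []}
    seen = set()
    for line_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for item in row:
            if item == "":
                continue  # empty field, e.g. from a trailing comma
            if " " in item:
                # Includes the common "name, name" habit: the space after
                # the comma becomes part of the second item.
                report["ignored"].append((line_no, item))
                continue
            kind = classify(item)
            if kind == "invalid":
                report["invalid"].append((line_no, item))
                continue
            key = item.lower()
            if key in seen:
                report["duplicates"].append((line_no, item))
                continue
            seen.add(key)
            report["accepted"].append((item, kind))
    return report


# Constructed sample list, not taken from the guide.
SAMPLE = (
    "WS-0142,10.20.30.41\n"
    "WS-0143, WS-0144\n"
    "file server 01,10.20.30.300\n"
    "ws-0142,db01.example.test\n"
)

if __name__ == "__main__":
    for bucket, entries in lint_import_list(SAMPLE).items():
        print(f"{bucket}: {entries}")
```

Comparing the number of accepted items with the number of computers that appear on the Symantec Management Agent Install page after the import shows whether anything was dropped.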
For UNIX, Linux, and Mac computers, each line in the .csv file represents a
computer entry that is imported into the Symantec Management Agent Install
page. You can also include the appropriate installation settings in the .csv file.
These installation settings let you configure the communication and the
authentication settings for the Symantec Management Agent for UNIX, Linux,
and Mac.
Note: If you have a large number of computers that require different connection
and configuration settings, use a .csv file to import the computers.
See “Creating a .csv file for importing UNIX, Linux, and Mac computers”
on page 324.
Note: You cannot manually uninstall the Symantec Management Agent for UNIX,
Linux, or Mac from the Symantec Management Agent Install page. This
functionality is available only for Windows computers.
See “Installing the Symantec Management Agent manually” on page 296.
See “Uninstalling the Symantec Management Agent for Windows manually”
on page 316.
Viewing the installation status report
The installation status report lets you view details of all of the Symantec
Management Agent push installation attempts that have been made. The report
does not include details of any pull installations.
See “Installing the Symantec Management Agent manually” on page 296.
See “Uninstalling the Symantec Management Agent for Windows manually”
on page 316.
By default, details of all installation attempts that were made in the past week are
listed. You can specify the period to view and filter the results by computer name
and domain.
To view the Agent Installation Status report
1 In the Symantec Management Console, on the Actions menu, click
Agents/Plug-ins > Push Symantec Management Agent.
2 In the Symantec Management Agent Install page, click Status Report.
The report shows details of all push installation attempts for the Symantec
Management Agent and the Symantec Management Agent for UNIX, Linux,
and Mac. The same report is available from both the Install Agent and the
Install Agent for UNIX, Linux, and Mac tabs.
3 In the Agent Installation Status window, view the details of each installation
attempt.
4 (Optional) If you want to change the time period or filter the results by
computer name and domain, under Parameters, set the appropriate user
parameters:
Showing: Specify the time period that you want to view. Type the appropriate number of units (hours, days, weeks, or months) in the From and To boxes.
Units: Specify the units that you want to use for the Showing values.
Filter By: If you want to filter the results by computer name or domain (or both), specify the appropriate filter text in the corresponding boxes.
5 (Optional) If you have changed the user parameters, click Refresh to display
the updated report results.
Methods for upgrading the Symantec Management
Agent
You need to install the appropriate version of the Symantec Management Agent
on your managed computers. If any computers have old versions of the agent
installed, you should upgrade them.
See “About the Symantec Management Agent” on page 293.
Table 14-3 Symantec Management Agent upgrade methods

Method: Manually push the Symantec Management Agent to the appropriate computers.
Description: You can upgrade the Symantec Management Agent manually by pushing it to the appropriate computers. You can push to a computer that has an older version of the Symantec Management Agent installed.
See “Installing the Symantec Management Agent manually” on page 296.

Method: Use the Symantec Management Agent upgrade policy.
Description: The Symantec Management Agent Upgrade policy is provided with Notification Server. You can turn on this policy and configure it to ensure that all of your managed computers have the correct Symantec Management Agent version installed.
See “About the Symantec Management Agent upgrade and uninstall policies” on page 302.

Methods for uninstalling the Symantec Management
Agent
You can remove the Symantec Management Agent from a managed computer
when you no longer need it. You do not need to remove any solution agents that
have been installed on the computer, as they are removed automatically as part
of the Symantec Management Agent uninstallation process.
See “About the Symantec Management Agent” on page 293.
Table 14-4 Methods for uninstalling the Symantec Management Agent

Method: Manual uninstallation.
Description: Manual uninstallation is initiated from the Symantec Management Console and removes the Symantec Management Agent immediately. You can remove the Symantec Management Agent from any number of Windows computers in the same uninstall operation. You can also customize the uninstallation options for each operation.
This option is available for Windows computers only.
See “Uninstalling the Symantec Management Agent for Windows manually” on page 316.

Method: Use the Symantec Management Agent uninstall policy.
Description: The Symantec Management Agent uninstall policy is provided with Symantec Management Platform. You can turn on this policy and configure it to ensure that the Symantec Management Agent is removed from the appropriate computers.
This option is available both for Windows computers and for UNIX, Linux, and Mac computers.
See “About the Symantec Management Agent upgrade and uninstall policies” on page 302.

About the Symantec Management Agent upgrade and
uninstall policies
You can configure the Symantec Management Agent upgrade and Symantec
Management Agent uninstall policies to suit your requirements. Both policies use
the appropriate Symantec Management Agent package but use different programs.
See “About the Symantec Management Agent” on page 293.
See “Configuring the Symantec Management Agent Upgrade and Uninstall policies”
on page 303.
Notification Server provides some default filters that you can use in scheduled
agent installation operations, and in agent upgrade and agent uninstall policies.
These filters are stored in the Symantec Management Agent folder, under the
appropriate subfolder. You cannot modify the default filters, but you can clone
them to create the new filters that you can edit to suit your requirements.
The default filters for Windows computers are as follows:
■ Computers with the Symantec Management Agent version less than NS 7
Symantec Management Agent installed
■ Windows computers requiring Symantec Management Agent upgrade
■ Windows computers with NS 7 Symantec Management Agent
■ Windows XP/2003/Vista/2008/7 computers with no Symantec Management
Agent installed
By default, the Symantec Management Agent for Windows - Uninstall policy is
applied to the all clients with no additional agents filter, and the Symantec
Management Agent for Windows - Upgrade policy is applied to the Windows
computers requiring Symantec Management Agent upgrade filter.
The default filters for UNIX, Linux, and Mac computers are as follows:
■ UNIX/Linux/Mac Computers requiring Symantec Management Agent upgrade
■ UNIX/Linux/Mac Computers with NS 7 Symantec Management Agent installed
By default, the Symantec Management Agent for UNIX/Linux/Mac - Uninstall
policy is applied to the UNIX/Linux/Mac Computers with NS 7 Symantec
Management Agent installed filter, and the Symantec Management Agent for
UNIX/Linux/Mac - Upgrade policy is applied to the UNIX/Linux/Mac Computers
requiring Symantec Management Agent Upgrade filter.
See “Creating or modifying a filter” on page 386.
Note: You need to be careful when you perform Symantec Management Agent
upgrades based on resource targets. In a large environment you may prefer to
stagger the upgrades by using a trial target first, and then a staggered rollout
through suitable targets, rather than perform them all at the same time. For
example, there may be some issues with the upgrade, so you can test it on a small
number of computers and identify and resolve the problems without affecting
every computer. A staggered upgrade also helps to manage the load on the network
as the agents typically need to request data from Notification Server as soon as
they have been upgraded.
Configuring the Symantec Management Agent
Upgrade and Uninstall policies
You can configure the Symantec Management Agent upgrade and Symantec
Management Agent uninstall policies from the Symantec Management Console.
See “About the Symantec Management Agent upgrade and uninstall policies”
on page 302.
To configure the agent upgrade and uninstall policies
1
In the Symantec Management Console, on the Settings menu, click All
Settings.
2
In the left pane, expand Settings > Agents/Plug-ins > Symantec Management
Agent, and then perform one of the following actions:
Configure the Symantec Management Agent upgrade policy.
    ■ To configure the policy that upgrades Windows x64 computers to the
      64-bit Symantec Management Agent 7.1 that contains no site services,
      expand Windows > Non Site Server, and then click Symantec Management
      Agent for Windows x64 (Non-Site Server) - Upgrade to 64-bit Symantec
      Management Agent 7.1.
    ■ To configure the policy that upgrades Windows x86 computers to the
      32-bit Symantec Management Agent 7.1 that contains no site services,
      expand Windows > Non Site Server, and then click Symantec Management
      Agent for Windows x86 (Non-Site Server) - Upgrade to 32-bit Symantec
      Management Agent 7.1.
    ■ To configure the policy that upgrades Windows x64 computers to the
      64-bit Symantec Management Agent 7.1 that contains 1 or more site
      services, expand Windows > Site Server, and then click Symantec
      Management Agent for Windows x64 (Site Server Only) - Upgrade to
      64-bit Symantec Management Agent 7.1.
    ■ To configure the policy that upgrades Windows x86 computers to 32-bit
      Symantec Management Agent 7.1 that contains 1 or more site services,
      expand Windows > Site Server, and then click Symantec Management
      Agent for Windows x86 (Site Server Only) - Upgrade to 32-bit Symantec
      Management Agent 7.1.
To configure the Symantec Management Agent uninstall policy.
    Expand the Windows folder, and then click Symantec Management Agent
    for Windows - Uninstall.
To configure the Symantec Management Agent for UNIX/Linux/Mac upgrade
policy.
    Expand the UNIX/Linux/Mac folder, and then click Symantec Management
    Agent for UNIX/Linux/Mac - Upgrade.
To configure the Symantec Management Agent for UNIX/Linux/Mac uninstall
policy.
    Expand the UNIX/Linux/Mac folder, and then click Symantec Management
    Agent for UNIX/Linux/Mac - Uninstall.
3
(Optional) To turn the policy on or off, at the upper right of the appropriate
policy page, click the colored circle, and then click On or Off.
4
Make the appropriate configuration changes:
Program name
    The name of the Symantec Management Agent package program that is run
    when the policy is triggered. The default setting is the program that is
    appropriate to the policy, and you should not need to change it. However,
    if you have added a new program to the Symantec Management Agent
    package, you may want to use that instead.
    See “Managing package programs” on page 405.
    See “Programs tab settings” on page 406.
Enable Verbose Reporting of Status Events
    Enable the sending of package status events to Notification Server.
    The Notification Server Event Capture settings in the Global Symantec
    Management Agent Settings policy take precedence over the Enable
    Verbose Reporting of Status Events setting here. Events are sent only if
    they are enabled in the Global Symantec Management Agent Settings
    policy.
    See “Configuring the global agent settings” on page 342.
Applied to
    Specify the computers to which the policy applies.
    You can use the predefined filters that are supplied with Notification
    Server or create your own.
    See “Specifying the targets of a policy or task” on page 413.
Package Multicast
    Disables package download through multicast.
    Multicast typically slows down the rollout of a package, so you may want
    to turn it off for an urgent patch. Additionally, in some environments
    multicast does not work. For example, it may be disabled at routers and
    switches.
    The Package Multicast settings in the Global Symantec Management
    Agent Settings policy take precedence over the settings here.
    See “About the Package Multicast settings” on page 346.
Schedule
    Specify the policy schedule.
    See “Specifying a policy schedule” on page 420.
Extra schedule options
    Additional schedule options are as follows:
    ■ Run once ASAP
    ■ User can run
    ■ Notify user when the task is available
    ■ Warn before running
5
Click Save changes.
Configuring a Symantec Management Agent package
The Symantec Management Agent installation policies use the appropriate
Symantec Management Agent package when you upgrade or uninstall an agent.
We recommend not changing any settings in this package.
After you configure a Symantec Management Agent package, you need to update
the package distribution points to update the package information on each package
server.
See “Updating the distribution points for a package” on page 402.
To configure a Symantec Management Agent package
1
In the Symantec Management Console, on the Settings menu, click All
Settings.
2
In the left pane, expand Settings > Agents/Plug-ins > Symantec Management
Agent.
3
In the Windows or UNIX/Linux/Mac folder, whichever is appropriate, click
the Symantec Management Agent package that you want to configure.
4
On the Symantec Management Agent Package page, make the necessary
configuration changes on the appropriate tabs:
Package
    See “Package tab settings” on page 403.
Programs
    See “Managing package programs” on page 405.
    See “Programs tab settings” on page 406.
Package Servers
    See “Package Servers tab settings” on page 408.
Advanced
    See “Advanced tab settings” on page 409.
5
Click Save changes.
Chapter 15
Installing the Symantec Management Agent for Windows
This chapter includes the following topics:
■ Installing the Symantec Management Agent for Windows with a manual push
■ Selecting Windows computers for a Symantec Management Agent manual
  installation
■ Symantec Management Agent for Windows installation prerequisites
■ Configuring Windows XP computers for a Symantec Management Agent
  installation
■ Symantec Management Agent for Windows installation options
■ Setting Symantec Management Agent for Windows installation options
■ Installing the Symantec Management Agent for Windows with a manual pull
■ Scheduling a Symantec Management Agent for Windows installation
■ Configuring the Symantec Management Agent for Windows installation
  schedule
■ Uninstalling the Symantec Management Agent for Windows manually
■ Removing the Symantec Management Agent for Windows manually
Installing the Symantec Management Agent for
Windows with a manual push
You can push the Symantec Management Agent to any of the Windows computers
that you select.
See “Installing the Symantec Management Agent manually” on page 296.
To install the Symantec Management Agent for Windows with a manual push
1
In the Symantec Management Console, on the Actions menu, click
Agents/Plug-ins > Push Symantec Management Agent.
2
On the Symantec Management Agent Install page, select the Windows
computers on which to install the Symantec Management Agent.
See “Selecting Windows computers for a Symantec Management Agent manual
installation” on page 308.
3
On the Symantec Management Agent Install page, under Rollout Agent to
Computers, click Install.
4
In the Symantec Management Agent Installation Options dialog box, make
any necessary changes to the installation settings, and then click Proceed
With Install.
See “Setting Symantec Management Agent for Windows installation options”
on page 313.
On the Symantec Management Agent Install page, under Rollout Agent to
Computers, in the computer list, the Status column shows the success or
failure of the installation on each computer. Note that the newly installed
Symantec Management Agent reports its status back to the originating
Notification Server, even if it is going to be managed by another Notification
Server.
5
When the installation process is complete, which can take up to 10 minutes,
view the Status Report to confirm that the Symantec Management Agent
has been installed successfully on all of the computers.
See “Viewing the installation status report” on page 299.
Selecting Windows computers for a Symantec
Management Agent manual installation
You can select Windows computers for a manual Symantec Management Agent
installation or uninstallation.
See “About selecting computers for a Symantec Management Agent manual
installation” on page 298.
If you install the Symantec Management Agent, verify that each computer meets
the Symantec Management Agent installation prerequisites.
See “Symantec Management Agent for Windows installation prerequisites”
on page 310.
See “Configuring Windows XP computers for a Symantec Management Agent
installation” on page 310.
To select Windows computers for a Symantec Management Agent manual installation
1
In the Symantec Management Console, on the Actions menu, click
Agents/Plug-ins > Push Symantec Management Agent.
2
(Optional) On the Symantec Management Agent Install page, under Rollout
Agent to Computers, click Discover Computers and then, on the Domain
Membership/WINS Import page, configure and run resource discovery to
discover all the available computers; then click Save changes.
This feature is available for Windows computers only.
See “About resource discovery” on page 223.
3
On the Symantec Management Agent Install page, under Rollout Agent to
Computers, select the computers on which to install the Symantec
Management Agent.
To manually add a computer
    In the text box, type the computer name (which must be a DNS-resolvable
    name) or IP address, and then click Add.
To select from the available computers
    Click Select Computers, in the Select Computers dialog box, add the
    appropriate computers from the Available computers list to the Selected
    computers list, and then click OK.
To import computers from a .csv file
    1 In the toolbar, click Import computers from a selected file.
    2 In the Select file to import dialog box, select the appropriate .csv
      file, and then click Open.
4
If you want to remove a computer from the list, select it in the list, and then
click Remove Computer.
Symantec Management Agent for Windows
installation prerequisites
Before you can install the Symantec Management Agent, verify that the computers
meet the installation prerequisites.
See “Methods for installing the Symantec Management Agent” on page 294.
If you want to install the Symantec Management Agent on a computer that is
running Windows XP, you need to configure the computer to allow the installation
operation to take place.
See “Configuring Windows XP computers for a Symantec Management Agent
installation” on page 310.
Your computers must meet the following hardware and software prerequisites.
Table 15-1 Symantec Management Agent for Windows installation prerequisites
Prerequisite
    Description
Operating system
    Any of the following:
    ■ Windows 2003
    ■ Windows XP SP2, SP3
    ■ Windows Vista
    ■ Windows 2008
    ■ Windows 7 (x86_64)
Hard disk space
    60 MB minimum
RAM
    64 MB minimum (128 MB recommended)
Internet Explorer
    Version 6.0 or later
Access rights
    Local administrator rights
Configuring Windows XP computers for a Symantec
Management Agent installation
If you want to install the Symantec Management Agent on a computer that is
running Windows XP, you need to configure the computer to allow the installation
operation to take place.
See “Methods for installing the Symantec Management Agent” on page 294.
See “Symantec Management Agent for Windows installation prerequisites”
on page 310.
To configure a Windows XP computer for Symantec Management Agent installation
1
On the Windows XP SP2 computer, in the taskbar, click Start > Control Panel
> Windows Firewall.
2
(Optional) If the computer has the firewall enabled, in the Windows Firewall
dialog box, on the Exceptions tab, unblock ports 80 and 445, and then click
OK.
If all Symantec Management Agents are installed in one location, you can
apply a group policy to create the exception on all XP SP2 computers.
You can re-block these ports after the agent has been installed.
If these ports are blocked on a computer, Notification Server cannot download
the Symantec Management Agent package to it.
3
To create an exception for the Symantec Management Agent, perform the
following steps in order:
■ On the Exceptions tab, click Add Program.
■ In the Add a Program dialog box, click Symantec Management Agent,
  and then click OK.
4
On the Exceptions tab, check File and Printer Sharing, and then click OK.
Symantec Management Agent for Windows
installation options
You can set the installation options for the Symantec Management Agent at any
time. You can set the default settings from the Symantec Management Agent
Installation page, and can change them for each manual push and pull installation
as part of the installation process.
See “Setting Symantec Management Agent for Windows installation options”
on page 313.
See “Installing the Symantec Management Agent for Windows with a manual
push” on page 308.
See “Installing the Symantec Management Agent for Windows with a manual
pull” on page 313.
Table 15-2 Symantec Management Agent for Windows installation options
Option
    Description
Show the Symantec Management Agent icon on the start menu
    Adds the Symantec Management Agent option to the Start menu on the
    managed computer.
    This option lets the managed computer user open the Symantec Management
    Agent management window from their Start menu, by clicking Start >
    Symantec > Symantec Management Agent.
Show the Symantec Management Agent icon in the system tray
    Adds the Symantec Management Agent icon to the system tray on the
    managed computer.
    This option lets the managed computer user open the Symantec Management
    Agent management window from their system tray by double-clicking the
    icon.
Use proxy
    Use this option if the computer that you push needs to connect to
    Notification Server through a proxy server. The same proxy settings are
    used to connect to Notification Server as the proxy settings that are used
    by Internet Explorer.
Override the default installation path
    If you want to install the Symantec Management Agent in a particular
    location on the managed computer, specify the appropriate path.
Specify different Notification Server
    If you want the computer to be managed by a different Notification Server
    to the one that is installing the Symantec Management Agent, specify the
    appropriate Notification Server name and domain.
    This option may be used to specify a different name for Notification
    Server when it has multiple names in DNS.
Download agent package from closest Package Server
    The computer downloads the Symantec Management Agent installation
    package from the closest package server instead of Notification Server.
List the Symantec Management Agent in the Add/Remove Programs list
    Lets the managed computer user uninstall the Symantec Management Agent
    software from the Add/Remove Programs list.
Use the following admin account instead of application credentials
    An administrator account is needed to start the install service on the
    computer on which the Symantec Management Agent is being installed. By
    default Notification Server application identity is used. If this account
    does not have permission to access the computer, another account needs
    to be used.
    You need to specify the appropriate administrator account user name and
    password to use.
Additional parameters
    Adds other installation parameters if you need to use them. These
    parameters are appended to the command line that runs the package
    installation. For example, you may want to use diagnostic tools or enable
    log file access.
    This option is not commonly used.
Setting Symantec Management Agent for Windows
installation options
You can set the installation options for a manual Symantec Management Agent
push or pull installation.
See “Symantec Management Agent for Windows installation options” on page 311.
To set the Symantec Management Agent for Windows installation options
1
In the Symantec Management Console, on the Actions menu, click
Agents/Plug-ins > Push Symantec Management Agent.
2
On the Symantec Management Agent Install page, under Rollout Agent to
Computers, click Settings.
3
In the Symantec Management Agent Installation Options dialog box, check
the options that you want to use and specify the necessary settings in the
appropriate boxes; then click OK.
4
On the Symantec Management Agent Installation page, click Save changes.
Installing the Symantec Management Agent for
Windows with a manual pull
If you want to install the Symantec Management Agent on the remote computers
that have limited network access, or are behind a firewall, you may need to pull
the Symantec Management Agent to each computer. You, or anybody else with
administrator rights, can log on to each computer, access Notification Server
through a URL, and start the Symantec Management Agent installation process.
The installation process then runs automatically, with no further user interaction
required.
See “About the Symantec Management Agent” on page 293.
The Symantec Management Agent pull installation uses the settings that are
specified in the Symantec Management Agent Installation Options dialog box,
except for Download agent package from closest Package Server, which is
irrelevant.
See “Symantec Management Agent for Windows installation options” on page 311.
The URL of the Symantec Management Agent Download page is shown on the
Symantec Management Agent Install page, under Download Page URL. You
cannot change this setting.
To preview the Symantec Management Agent Kit Download page
1
In the Symantec Management Console, on the Actions menu, click
Agents/Plug-ins > Push Symantec Management Agent.
2
On the Symantec Management Agent Install page, under Download Page
URL, click Show me this page.
To install the Symantec Management Agent for Windows with a manual pull
1
Log on to the computer as an administrator.
You can log on remotely, using a remote access application such as
pcAnywhere, or you can let a user at the remote site log on with the
appropriate account.
2
Ensure that the remote computer meets the Symantec Management Agent
installation prerequisites.
See “Symantec Management Agent for Windows installation prerequisites”
on page 310.
See “Configuring Windows XP computers for a Symantec Management Agent
installation” on page 310.
3
On the remote computer, open Internet Explorer and go to the following URL:
http://NSName/Altiris/NS/Agent/AltirisAgentDownload.aspx
where NSName is the name of your Notification Server computer.
4
In the Symantec Management Agent Download window, click Click here to
begin download and install.
The agent installation process runs silently and no further action is required.
Scheduling a Symantec Management Agent for
Windows installation
You can configure a scheduled Symantec Management Agent installation. A
scheduled installation is performed at a defined time, unlike manual push
installations, which are performed immediately. For example, if you want to install
the agent on a particular group of computers at a suitable time, you could set up
a no repeat schedule to run at the appropriate time.
See “About the Symantec Management Agent” on page 293.
See “Methods for installing the Symantec Management Agent” on page 294.
You can also configure a schedule to automatically install the Symantec
Management Agent on new computers as they are added to your environment.
The resource discovery schedule runs daily to detect new computers, and you can
configure filters to sort the new computers into the appropriate groups. You can
then schedule Symantec Management Agent installation on all computers in
particular groups at appropriate intervals.
You need to be careful when you implement an automatic installation method,
and we recommend that you include a manual step to verify that the agent is
installed on the appropriate computers.
Table 15-3 Process for a scheduled Symantec Management Agent installation
Step 1
    Action: Determine which computers require the Symantec Management
    Agent installed.
    Description: Each computer must meet the hardware and software
    prerequisites before you can install the Symantec Management Agent on it.
    See “Symantec Management Agent for Windows installation prerequisites”
    on page 310.
    Filter the computers in your organization to select those that require
    the Symantec Management Agent and meet the installation prerequisites.
    See “About resource filters” on page 385.
Step 2
    Action: Select the computers on which to install the Symantec
    Management Agent.
    Description: You can specify an existing organizational group, filter, or
    resource target. You can also select individual resources.
    See “Configuring the Symantec Management Agent for Windows
    installation schedule” on page 315.
Step 3
    Action: Specify the schedule to use.
    Description: Specify the scheduled time or schedule window to perform
    the installation.
    See “Configuring the Symantec Management Agent for Windows
    installation schedule” on page 315.
Step 4
    Action: View the installation status report to verify successful
    installation.
    Description: The installation status report contains details of all the
    Symantec Management Agent installation attempts that were made in the
    last week.
    See “Viewing the installation status report” on page 299.
Configuring the Symantec Management Agent for
Windows installation schedule
You can configure the Symantec Management Agent installation schedule to suit
your requirements. For example, you may set up a no repeat schedule to install
the Symantec Management Agent on a specified group of computers at a particular
time.
See “Scheduling a Symantec Management Agent for Windows installation”
on page 314.
To configure the Symantec Management Agent for Windows installation schedule
1
In the Symantec Management Console, on the Actions menu, click
Agents/Plug-ins > Push Symantec Management Agent.
2
On the Symantec Management Agent Install page, under Scheduled Push
to Computers, at the right of the page, click the colored circle, and then click
On.
3
Under Apply To, specify the computers on which the Symantec Management
Agent is to be installed.
You can specify an existing organizational group, filter, or resource target.
You can also select individual resources.
See “Specifying the targets of a policy or task” on page 413.
4
In the When to Schedule panel, specify the scheduled time or schedule
window to perform the installation and select the appropriate options.
See “Specifying a policy schedule” on page 420.
5
Click Save changes.
Uninstalling the Symantec Management Agent for
Windows manually
Manual uninstallation is initiated from the Symantec Management Console and
removes the agent immediately. You can remove the agent from any number of
computers in the same uninstallation operation.
See “Methods for uninstalling the Symantec Management Agent” on page 301.
Table 15-4 Process for uninstalling the Symantec Management Agent manually
Step 1
    Action: Select the computers that require the Symantec Management
    Agent to be removed.
    Description: You can select the computers that have been discovered with
    resource discovery, enter the computer names manually, or import the
    computer names from a .csv file.
    See “Selecting Windows computers for a Symantec Management Agent
    manual installation” on page 308.
Step 2
    Action: Uninstall the Symantec Management Agent from the selected
    computers.
    Description: The uninstallation operation removes the agent from the
    selected computers immediately. You can also customize the
    uninstallation options for each operation.
    See “Removing the Symantec Management Agent for Windows manually”
    on page 317.
Step 3
    Action: View the installation status report to verify successful
    uninstallation.
    Description: The installation status report lets you view details of all
    the manual uninstallations and scheduled agent uninstallations that have
    been attempted.
    See “Viewing the installation status report” on page 299.
Removing the Symantec Management Agent for
Windows manually
You can manually remove the Symantec Management Agent from any of the
computers that you select.
See “Uninstalling the Symantec Management Agent for Windows manually”
on page 316.
To remove the Symantec Management Agent manually
1
In the Symantec Management Console, on the Actions menu, click
Agents/Plug-ins > Push Symantec Management Agent.
2
On the Symantec Management Agent Install page, select the Windows
computers from which to remove the Symantec Management Agent.
See “Selecting Windows computers for a Symantec Management Agent manual
installation” on page 308.
3
On the Symantec Management Agent Install page, under Rollout Agent to
Computers, click Uninstall.
4
In the Symantec Management Agent Uninstall Options dialog box, check
the options that you want to use, and specify the necessary settings in the
appropriate boxes.
Use proxy (if configured on target computer)
    Use this option if the computer that you push needs to connect to
    Notification Server through a proxy server. The same proxy settings are
    used to connect to Notification Server as the proxy settings that are used
    by Internet Explorer.
Use the following admin account
    An administrator account is needed to start the uninstall service on the
    computer from which the Symantec Management Agent is removed. By
    default Notification Server application identity is used. If this account
    does not have permission to access the computer, another account needs
    to be used.
    You need to specify the appropriate administrator account user name and
    password to use.
5
Click Proceed with Uninstall.
6
When the process is complete, view the Status Report to confirm that the
Symantec Management Agent has been removed from all of the computers.
See “Viewing the installation status report” on page 299.
Chapter 16
Installing the Symantec Management Agent for UNIX, Linux, and Mac
This chapter includes the following topics:
■ Installing the Symantec Management Agent for UNIX, Linux, and Mac with a
  manual push
■ About the Symantec Management Agent for UNIX, Linux, and Mac push
  installation
■ Selecting UNIX, Linux, and Mac computers for a Symantec Management Agent
  manual installation
■ Creating a .csv file for importing UNIX, Linux, and Mac computers
■ Symantec Management Agent for UNIX, Linux, and Mac installation
  prerequisites
■ Specifying the Symantec Management Agent for UNIX, Linux, and Mac
  installation settings
■ Installation Settings dialog box
■ Installation Settings: Connection and Authentication tab
■ Installation Settings: Agent settings tab
■ Installation Settings: Install XML tab
■ SSH Key Generator dialog box
■ Installing the Symantec Management Agent for UNIX, Linux, and Mac with a
  manual pull
Installing the Symantec Management Agent for UNIX,
Linux, and Mac with a manual push
You can push the Symantec Management Agent for UNIX, Linux, and Mac to any
of the computers that are listed in the Symantec Management Agent Install page.
See “Installing the Symantec Management Agent manually” on page 296.
The push installation of the Symantec Management Agent for UNIX, Linux, and
Mac is performed by the Symantec Management Platform computer. The Symantec
Management Platform computer establishes a connection to the target UNIX,
Linux, or Mac computer, uploads the required files, and then executes them on
the target computer.
See “About the Symantec Management Agent for UNIX, Linux, and Mac push
installation” on page 321.
To install the Symantec Management Agent for UNIX, Linux, and Mac with a manual
push
1
In the Symantec Management Console, on the Actions menu, click
Agents/Plug-ins > Push Symantec Management Agent.
2
On the Symantec Management Agent Install page, click the Install Agent
for UNIX, Linux, and Mac tab.
3
On the Install Agent for UNIX, Linux, and Mac tab, under Rollout Agent for
UNIX, Linux, and Mac to Computers, select the UNIX, Linux, and Mac
computers on which to install the Symantec Management Agent.
See “Selecting UNIX, Linux, and Mac computers for a Symantec Management
Agent manual installation” on page 323.
4
If necessary, configure the appropriate installation settings.
If you added computers manually, you need to specify the appropriate
installation settings for each target computer before you install the Symantec
Management Agent for UNIX, Linux, and Mac. If you imported computers
from a .csv file, you may have specified the installation settings for each
computer in the .csv file. You can change these settings for individual
computers or groups of computers.
See “Specifying the Symantec Management Agent for UNIX, Linux, and Mac
installation settings ” on page 327.
5
(Optional) In the Simultaneous Tasks box, specify the number of installations
to run simultaneously.
This value defines the number of threads running in parallel and serving
Symantec Management Agent pushing. All of the threads share a common
queue from which they take the next computer to install to. The default value
is 5, but you may want to use a different value to suit the performance of the
Symantec Management Platform, the client computers, and the network
capacity. Increasing the number of simultaneous tasks may reduce the total
installation time.
6
Click Install.
7
In the Push install dialog box, check the checkbox to agree to 3rd-party
software installation, and then click OK.
Note: If the target platform is 64-bit RHEL 6.0 or higher and does not have
the 32-bit compatibility layer installed, the agent push fails if you do not
agree to 3rd-party software installation.
The Status column in the computer list shows the success or failure of the
installation on each computer. Note that the newly installed Symantec
Management Agent reports its status back to the originating Notification
Server, even if another Notification Server manages it.
8
If the computer list does not refresh automatically, in the toolbar, click
Refresh to view the current push installation status for each computer.
9
When the installation process is complete, which can take up to 10 minutes,
view the Status Report to confirm that the Symantec Management Agent
has been installed successfully on all of the computers.
See “Viewing the installation status report” on page 299.
About the Symantec Management Agent for UNIX,
Linux, and Mac push installation
The push installation of the Symantec Management Agent for UNIX, Linux, and
Mac is performed by the Symantec Management Platform computer.
See “Installing the Symantec Management Agent for UNIX, Linux, and Mac with
a manual push” on page 320.
Table 16-1
The Symantec Management Agent for UNIX, Linux, and Mac push
installation process
Step
Description
Step 1
The Symantec Management Platform attempts to connect to the target
computer through SSH.
The SSH protocol supports logon with either privileged or unauthorized
(unprivileged) user accounts and multiple passwords.
Step 2
When connection is established, the Symantec Management Platform
determines the client computer’s operating system and environment, and
then it launches the appropriate platform-specific push-install script.
Step 3
The push-install script creates a directory structure on the client computer,
and then it attempts to download the aex-bootstrap utility from the
Symantec Management Platform computer.
The push-install script tries each of the following methods, in order, until
one succeeds: SCP/SFTP, wget, curl.
If all of these methods fail, the script uses the dd command to transfer the
aex-bootstrap.Z.uu archive to the target computer. It then uses uudecode
to convert the archive to a native format.
Step 4
The .aex-agent-install-config.xml file that contains all of the
Symantec Management Agent installation settings is downloaded to the
client computer.
Step 5
The aex-bootstrap script is executed, and the connection to Symantec
Management Platform is closed.
Step 6
The aex-bootstrap script downloads the rest of the Symantec Management
Agent from the Symantec Management Platform computer and configures
the Symantec Management Agent with settings from the
.aex-agent-install-config.xml file.
Step 7
When the Symantec Management Agent for UNIX, Linux, and Mac runs
for the first time, it collects basic inventory and posts it to the Symantec
Management Platform.
Step 8
The Symantec Management Agent for UNIX, Linux, and Mac receives the
appropriate tasks and policies from the Symantec Management Platform.
Selecting UNIX, Linux, and Mac computers for a
Symantec Management Agent manual installation
You can select UNIX, Linux, and Mac computers for a manual Symantec
Management Agent installation.
See “About selecting computers for a Symantec Management Agent manual
installation” on page 298.
Before you install the Symantec Management Agent, verify that each computer
meets the Symantec Management Agent installation prerequisites.
See “Symantec Management Agent for UNIX, Linux, and Mac installation
prerequisites” on page 325.
To select UNIX, Linux, and Mac computers for a Symantec Management Agent
manual installation
1
In the Symantec Management Console, on the Actions menu, click
Agents/Plug-ins > Push Symantec Management Agent.
2
(Optional) On the Symantec Management Agent Install page, select the
Install Agent for UNIX, Linux, and Mac tab.
3
On the Symantec Management Agent Install page, under Rollout Agent to
Computers, select the computers on which to install the Symantec
Management Agent.
To manually add a computer
In the text box, type the computer name (which must
be a DNS-resolvable name) or IP address, and then click
Add.
To select from the available computers
Click Select Computers, in the Select Computers dialog
box, add the appropriate computers from the Available
computers list to the Selected computers list, and
then click OK.
To import computers from a .csv file
1
In the toolbar, click Import computers from a
selected file.
2
In the Select File to Import dialog, select the
appropriate .csv file, and then click Open.
See “Creating a .csv file for importing UNIX, Linux,
and Mac computers” on page 324.
4
If you want to remove a computer from the list, select it in the list, and then
click Remove Computer.
Creating a .csv file for importing UNIX, Linux, and Mac
computers
If you want to install the Symantec Management Agent for UNIX, Linux, and Mac
on a large number of computers that require different connection and
configuration settings, we recommend that you use a .csv file to import the
computers and configure the installation settings. The .csv file is a
comma-delimited text file that includes the DNS names or the IP addresses of the
client computers on which you want to install the Symantec Management Agent.
Each line in the .csv file represents a computer entry that is imported into the
Symantec Management Agent Install page. The .csv file can also contain the
installation settings for each computer.
See “Installing the Symantec Management Agent manually” on page 296.
See “Installing the Symantec Management Agent for UNIX, Linux, and Mac with
a manual push” on page 320.
A .csv template file for importing UNIX, Linux, and Mac computers
(CSVTemplate.csv) is provided with the Symantec Management Platform. The
column header of the .csv template indicates the data that is required and the
valid values that you can use.
Warning: The .csv file format (list separator) must meet the regional settings of
the server. For example, the sample CSVTemplate.csv file uses the "English (United
States)" regional settings with a comma "," as a list separator. You can view the
Symantec Management Platform’s regional settings in the Windows Control
Panel.
To create a .csv file for importing UNIX, Linux, and Mac computers
1
In the Symantec Management Console, on the Actions menu, click
Agents/Plug-ins > Push Symantec Management Agent.
2
On the Symantec Management Agent Install page, click the Install Agent
for UNIX, Linux and Mac tab.
3
On the Symantec Management Agent Install page, under Rollout Agent to
Computers, right-click CSV file template, and then click Save Target As.
4
In the Save As dialog box, type a suitable file name for the CSVTemplate.csv
file, browse to the appropriate location, and then click Save.
5
Open the saved .csv file in a text editor and enter the information for each
computer on which you want to install the Symantec Management Agent for
UNIX, Linux, and Mac.
You do not have to use all of the fields. You can use only the fields that you
need, such as computer name, root name, root password, and so on.
The settings that you can specify in the .csv file are identical to the settings
that you can set from the Install Settings window in the Symantec
Management Console.
See “Installation Settings dialog box” on page 328.
6
When you have finished, save the .csv file.
Symantec Management Agent for UNIX, Linux, and
Mac installation prerequisites
Your computer must meet the hardware and software prerequisites before you
can install the Symantec Management Agent for UNIX, Linux, and Mac.
See “Methods for installing the Symantec Management Agent” on page 294.
Table 16-2
Symantec Management Agent for UNIX, Linux, and Mac installation
prerequisites
Prerequisite
Description
Operating system
Any of the following operating systems:
■ Solaris 9
■ Solaris 10 (x86 and SPARC)
■ Red Hat Enterprise Linux 4, 4 (x86_64), 5, 5 (x86_64),
5.1, 5.1 (x86_64), 5.2, 5.2 (x86_64), 5.3, 5.3 (x86_64), 5.4,
5.4 (x86_64), 5.5, 5.5 (x86_64), 5.6, 5.6 (x86_64), 6.0, 6.0
(x86_64), 6.1, 6.1 (x86_64)
■ SUSE Linux Enterprise Server 10, 10 (x86_64), 11, 11
(x86_64)
■ SUSE Linux Enterprise Desktop 10, 10 (x86_64), 11, 11
(x86_64), 11 SP1, 11 SP1 (x86_64)
■ VMware ESX Server 3.0.1, 3.0.2, 3.0.3, 3.5
■ VMware vSphere / ESX / ESXi 4.0 (Agentless)
■ VMware vSphere / ESX / ESXi 5.0 (Agentless)
■ Mac OS X 10.4.x (Universal binary), 10.5.x (Universal
binary), 10.6.x (Universal binary), 10.7.x (Universal
binary)
■ Mac OS X Server 10.4.x (Universal binary), 10.5.x
(Universal binary), 10.6.x (Universal binary), 10.7.x
(Universal binary)
■ HP-UX 11.11 (PA-RISC), 11.23 (PA-RISC/IA64), 11.31
(PA-RISC/IA64)
■ AIX 5.2, 5.3, 6.1
Hard disk space
35 MB minimum
RAM
15 MB minimum
Access rights
Root user access rights are required on all UNIX/Linux
platforms. For Mac OS X, administrative or root user access
rights are required.
Remote SSH connections
enabled
Remote SSH connections must be enabled. There must be
an SSH server running on the client computer and the
firewall must be configured to allow an incoming SSH
connection.
Outgoing connection to
Notification Server enabled
The firewall must be configured to allow an outgoing
connection to a WEB port on Notification Server.
Specifying the Symantec Management Agent for UNIX,
Linux, and Mac installation settings
The Symantec Management Agent installation settings are the communication
and the authentication settings for the Symantec Management Agent for UNIX,
Linux, and Mac. You must specify the appropriate privileged account login name
and password for each target computer.
See “Installing the Symantec Management Agent for UNIX, Linux, and Mac with
a manual push” on page 320.
When you import computers from a .csv file, you can specify the appropriate
installation settings for each computer in the .csv file. If you do not specify any
settings in the .csv file, or if you added computers manually, you need to specify
the appropriate settings for each target computer before you install the Symantec
Management Agent for UNIX, Linux, and Mac.
You can specify installation settings for a particular computer or for multiple
computers. If you select multiple computers, the same installation settings are
applied to each computer. You can also clone the current installation settings
from a computer and apply it to other computers.
See “Creating a .csv file for importing UNIX, Linux, and Mac computers”
on page 324.
To specify the Symantec Management Agent installation settings
1
In the Symantec Management Console, on the Actions menu, click
Agents/Plug-ins > Push Symantec Management Agent.
2
On the Symantec Management Agent Install page, click the Install Agent
for UNIX, Linux and Mac tab.
3
Under Rollout Agent to Computers, in the computer list, click the computer
for which you want to change the Symantec Management Agent installation
settings.
If you want to specify identical installation settings for multiple computers,
or if you want to clone the current installation settings from another
computer, select the appropriate computers.
4
Click Installation settings.
5
(Optional) If you want to clone the current installation settings from a
particular computer, in the Installation Settings dialog box, in the Load
settings drop-down list, select the appropriate computer.
The option Load settings of appears at the upper right of the Installation
Settings dialog box if you have selected multiple computers.
6
Specify the appropriate installation settings for the selected computers.
See “Installation Settings dialog box” on page 328.
7
In the Installation Settings dialog box, click OK.
Installation Settings dialog box
The Installation Settings dialog box lets you configure the Symantec Management
Agent for UNIX, Linux, and Mac push installation settings.
In the Installation Settings dialog box, the name of the computer that you selected
on the Symantec Management Agent Install page is displayed in the Applies to
line. If you selected multiple computers, the number of selected computers is
displayed.
If you have selected multiple computers, the option Load settings of appears. This
drop-down list lets you select the computer from which to clone the current
installation settings. The cloned settings are applied to all the computers that you
selected in the Symantec Management Agent Install page.
See “Specifying the Symantec Management Agent for UNIX, Linux, and Mac
installation settings” on page 327.
Table 16-3
Tabs on the Installation Settings dialog box
Tab
Description
Connection and
authentication
This tab lets you configure the communication and the
authentication settings for the Symantec Management Agent for
UNIX, Linux, and Mac push installation.
See “Installation Settings: Connection and Authentication tab”
on page 329.
Agent Settings
This tab lets you configure the Symantec Management Agent for
UNIX, Linux, and Mac upgrade, configuration, and startup
settings.
See “Installation Settings: Agent settings tab” on page 335.
Install XML
This tab displays the Symantec Management Agent for UNIX,
Linux, and Mac upgrade, configuration, and startup settings in
XML format. You can save the XML to a file, upload the file to a
client computer, and use it to manually install and configure the
Symantec Management Agent for UNIX, Linux, and Mac.
See “Installation Settings: Install XML tab” on page 337.
Installation Settings: Connection and Authentication
tab
The Connection and Authentication tab lets you configure the communication
and the authentication settings for the Symantec Management Agent for UNIX,
Linux, and Mac push installation.
See “Installation Settings dialog box” on page 328.
Warning: Do not use non-ASCII characters in file or directory names when you
configure installation settings.
Table 16-4
Installation Settings: Connection and Authentication tab
Setting
Description
Try connect via SSH using
SSH Key authorization
When this option is enabled, these settings are used to
establish an SSH connection to the target UNIX, Linux, or
Mac computer using SSH key authorization.
See “Try connect via SSH using SSH Key authorization
settings” on page 330.
Try connect via SSH using
password authorization
When this option is enabled, these settings are used to
establish an SSH connection to the target UNIX, Linux, or
Mac computer using SSH password authorization.
See “Try connect via SSH using password authorization
settings” on page 330.
Login and password
These settings specify the appropriate user account
credentials for SSH connections.
See “Login and password settings” on page 331.
Timeout settings
These settings specify the login and command timeout
periods and the upload speed of the Symantec Management
Agent package.
See “Timeout settings” on page 334.
Platform detection
These settings specify whether Symantec Management
Platform automatically detects the target computer’s
operating system or whether the target computer’s
operating system is defined manually.
See “Platform detection” on page 335.
Try connect via SSH using SSH Key authorization settings
These settings are used to establish an SSH connection to the target UNIX, Linux,
or Mac computer using SSH key authorization. The SSH key authorization method
lets you connect to the target computer from an authorized computer without
entering a user name and a password.
To use SSH key authorization, you first need to generate an SSH key. You then
need to save the SSH private key on the Symantec Management Platform computer,
and configure the target computer with the SSH public key. To generate an SSH
key, you can use a native SSH key generator or the SSH key generation module
that is provided with Symantec Management Platform.
See “Installation Settings: Connection and Authentication tab” on page 329.
Table 16-5
Try connect via SSH using SSH Key authorization settings
Setting
Description
SSH key file
The SSH private key file to use.
You can type the full path and file name, or click ... to select the
appropriate file.
SSH key password
The password that is used to protect the SSH key file.
If no password is configured, leave this field blank.
SSH key type
The type of SSH key encoding: RSA or DSA.
Generate new SSH key
Lets you generate a new SSH key.
See “SSH Key Generator dialog box” on page 337.
Port
The port that the target computer’s SSH server is listening to.
Default: 22
Prompt
The target computer’s logon prompt for a privileged user.
Default: %, $, #, >
Try connect via SSH using password authorization settings
This setting specifies the port to use when the Symantec Management Platform
attempts to connect to the target computer using SSH password authorization.
See “Installation Settings: Connection and Authentication tab” on page 329.
Table 16-6
Try connect via SSH using password authorization settings
Setting
Description
SSH port
The port that the target computer’s SSH server is listening to.
Default: 22
Login and password settings
These settings specify the appropriate privileged user account credentials for
SSH connections. You can optionally specify multiple privileged user accounts
and unauthorized user account credentials.
See “Installation Settings: Connection and Authentication tab” on page 329.
Table 16-7
Login and password settings
Setting
Description
Privileged account
logon
The login name of a privileged user account. A privileged user is
one that has permission to install and use system programs.
Default: root.
Privileged account
password
The password for the privileged user account specified above.
Privileged account
prompt
The target computer’s logon prompt for a privileged user.
Separate multiple values with a comma.
Default: %, $, #, >
Use privileged account
multiple password
This option lets you install the Symantec Management Agent on
a group of computers that have different privileged user account
names and passwords. The specified login name and password
combinations are tried on each target computer until the
connection succeeds.
Warning: The passwords that you type in this section are not
hidden.
You need to specify the following information:
■ Logins: The list of privileged account login names, one entry
per line.
■ Passwords: The corresponding list of privileged account login
passwords, one entry per line.
■ Prompts: The target computer’s logon prompt for a privileged
user.
Separate multiple values with a comma.
Default: %, $, #, >
Login first using
unprivileged user
This option lets you log in with an unauthorized user account
first, and then switch to a privileged user account. You can use
this option if the target computer does not allow remote
privileged user logons. Specify unauthorized user credentials or
enter multiple users and passwords.
You need to specify the following information:
■ Unprivileged user login: The login name of an unauthorized
user account.
■ Unprivileged user password: The password for the unauthorized
user account specified above.
■ Unprivileged user prompt: The target computer’s logon
prompt for an unauthorized user.
Separate multiple values with a comma.
Default: %, $, #, >
Note: A regular unauthorized user on Mac OS X must be given
permissions to SSH to the system. Otherwise, a newly created
unauthorized user may not have SSH access to the Mac OS X
system to perform a push install. To supply the user with SSH
access, on Mac OS X go to System Preferences > Sharing >
Remote Login.
A regular unauthorized user on Mac OS X can only be used to
perform a push install through the users that are allowed to
administer the computer. On Mac OS X, see System Preferences
> Accounts. Due to the implemented security on Mac OS X,
unauthorized users cannot use the root user to perform a
push install.
Use unprivileged user
multiple password
This option lets you install the Symantec Management Agent on
a group of computers that have different unauthorized user
account names and passwords. The specified login name and
password combinations are tried on each target computer until
the connection succeeds.
Warning: The passwords that you type in this section are not
hidden.
You need to specify the following information:
■ Logins: The list of unauthorized account login names, one
entry per line.
■ Passwords: The corresponding list of unauthorized account
login passwords, one entry per line.
■ Prompts: The target computer’s logon prompt for an
unauthorized user.
Separate multiple values with a comma.
Default: %, $, #, >
Timeout settings
These settings specify the login and command timeout periods and the upload
speed of the Symantec Management Agent package.
See “Installation Settings: Connection and Authentication tab” on page 329.
Table 16-8
Timeout settings
Setting
Description
Login timeout
Specifies how long the Symantec Management Platform waits
for a successful login to the target computer.
Default: 120 seconds
Command timeout
Specifies how long the Symantec Management Platform waits
for a reply from the commands that are executed during the push
installation.
Default: 60 seconds
Upload speed
Specifies the upload speed of the Symantec Management Agent
installation package. The available values are Fast, Medium, Slow.
This option affects uploading with the dd command only.
See “About the Symantec Management Agent for UNIX, Linux,
and Mac push installation” on page 321.
Platform detection
These settings specify whether the Symantec Management Platform automatically
detects the target computer’s operating system or whether the target computer’s
operating system is defined manually. If the target computer’s operating system
is defined manually, you need to select the appropriate value.
See “Installation Settings: Connection and Authentication tab” on page 329.
Warning: Be careful with the manual selection option if you configure installation
settings for multiple computers.
Table 16-9
Platform detection settings
Setting
Description
Automatically discover
OS type
The Symantec Management Platform automatically detects the
target computer’s operating system when the push installation
process starts.
Manually select OS
type
This drop-down list specifies the target computer operating
system.
Installation Settings: Agent settings tab
The Agent settings tab lets you configure the Symantec Management Agent for
UNIX, Linux, and Mac upgrade, configuration, and startup settings. If you upgrade
the Symantec Management Agent from an earlier version, you can choose to keep
the current Symantec Management Agent settings. The Directories settings specify
the directories that are used by the Symantec Management Agent. The Symantec
Management Agent execution settings define the behavior of the Symantec
Management Agent during and after installation.
See “Installation Settings dialog box” on page 328.
Warning: Do not use non-ASCII characters in file or directory names when you
configure installation settings.
Table 16-10
Installation Settings: Agent settings tab
Setting
Description
Keep the current Symantec
Management Agent settings
if possible
If you upgrade the Symantec Management Agent from an
earlier version, this option preserves the current Symantec
Management Agent settings where applicable.
Disable this option if you want to reinstall the Symantec
Management Agent and configure it with the installation
settings that you specify on this tab.
Installation directory
The directory where the Symantec Management Agent is
installed.
Default: /opt/altiris/notification/nsagent
Note: On AIX and Macintosh, the Symantec Management
Agent is always installed into the default directory.
Links directory
The directory where links to the Symantec Management
Agent’s executable binaries are placed.
Default: /usr/bin
Directory for packages
The directory to which software delivery policies and tasks
download packages.
Default: %INSTDIR%/var/packages
Run Symantec Management
Agent for UNIX and Linux
on the following run levels
Specifies the run levels at which the Symantec Management
Agent operates on UNIX and Linux computers.
Default: RC2, RC3, RC5
Run Agent for Mac on
startup
Specifies that the Symantec Management Agent is to run
in the background each time the Macintosh computer starts.
Start the Agent after
installation
Specifies that the Symantec Management Agent is to start
immediately after the push installation.
Disable this option if you want to start the Symantec
Management Agent at the computer startup (if configured).
Allow unprivileged users to
run programs
Specifies that unauthorized users are allowed to run
software delivery policies and tasks on the target computer.
Installation Settings: Install XML tab
The Install XML tab displays the Symantec Management Agent for UNIX, Linux,
and Mac upgrade, configuration, and startup settings in XML format. You can
save the XML to a file, upload the file to a client computer, and use it to manually
install and configure the Symantec Management Agent for UNIX, Linux, and Mac.
See “Installation Settings dialog box” on page 328.
Table 16-11
Installation Settings: Install XML tab
Setting
Description
Main display area
The main display area shows the Symantec Management Agent
for UNIX, Linux, and Mac upgrade, configuration, and startup
settings in XML format.
Save as file
This button lets you save the displayed XML to a file.
SSH Key Generator dialog box
The SSH Key Generator dialog box lets you generate SSH keys to push install the
Symantec Management Agent for UNIX, Linux, and Mac using the SSH Key
authorization.
When you have generated the keys, you need to save the SSH private key on the
Symantec Management Platform computer and then configure the target UNIX,
Linux, and Mac computers with the SSH public key.
See “Installation Settings: Connection and Authentication tab” on page 329.
See “Try connect via SSH using SSH Key authorization settings” on page 330.
Table 16-12
Settings on the SSH Key Generator dialog box
Setting
Description
Key files folder
The folder that is used to store the generated SSH key files.
Private key file name
The name of the key file. Both the generated private key
and public key have this name but with different extensions.
The public key has a *.pub.sk extension while the private
key has a *.sk extension.
Passphrase
The password that is used to protect the private key.
This setting is optional.
Encryption type
The key encryption type: RSA or DSA
Public key type
The key format, which may be one of the following:
■ SSH - for commercial SSH implementations
■ OpenSSH - for open source implementations.
Bits count
The number of bits for the key: 256, 512, 1024, or 2048
Warning: OpenSSH RSA keys with bits count lower than
768 are rejected by most UNIX systems.
Generate new
Generates the new key according to the settings that you
specify. The new key is saved in the specified folder with
the specified name.
Public key
Displays the public key.
This setting lets you copy the key and paste it to an email.
For example, if you want an administrator to configure
target computers for you, you can send them this key.
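The key type and Bits count settings above decide what ends up in the authorized_keys file of every target computer. The following Python script is an added example, not part of the product or of this guide: it audits OpenSSH-format public key lines for key type and size. The 2048-bit policy floor, the from= source restriction, the address 192.0.2.10, and the constructed sample keys are assumptions made for the example.

```python
import base64
import binascii
import struct

PAGE_REJECT_BITS = 768    # from the guide: smaller OpenSSH RSA keys are rejected by most UNIX systems
POLICY_MIN_BITS = 2048    # assumption: local policy floor (the largest size the generator offers)
CHECKED_TYPES = ("ssh-rsa", "ssh-dss")   # RSA and DSA key type names in OpenSSH public-key format


def _field(data):
    """Encode one SSH wire-format field: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _mpint(value):
    """Encode a positive integer as an SSH mpint (a leading zero byte keeps it positive)."""
    return _field(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def constructed_line(key_type, bits, comment):
    """Build a well-formed public-key line of the requested size.
    Constructed sample data only: the numbers are not real key material."""
    big = (1 << (bits - 1)) | 1
    if key_type == "ssh-rsa":
        body = _mpint(65537) + _mpint(big)                                   # e, n
    else:
        body = _mpint(big) + _mpint((1 << 159) | 1) + _mpint(2) + _mpint(3)  # p, q, g, y
    blob = _field(key_type.encode()) + body
    return "%s %s %s" % (key_type, base64.b64encode(blob).decode(), comment)


def _read(blob, offset):
    """Return (field bytes, next offset), refusing fields that run past the blob."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated field")
    return blob[offset + 4:end], end


def key_bits(key_type, blob):
    """Bit length of the RSA modulus or the DSA prime inside a decoded key blob."""
    name, offset = _read(blob, 0)
    if name != key_type.encode():
        raise ValueError("type inside the blob does not match the line")
    if key_type == "ssh-rsa":
        _, offset = _read(blob, offset)        # skip the public exponent e
    number, _ = _read(blob, offset)            # n for RSA, p for DSA
    return int.from_bytes(number, "big").bit_length()


def audit_line(line, min_bits=POLICY_MIN_BITS):
    """Classify one authorized_keys line; returns None for blank lines and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    for i, token in enumerate(tokens[:-1]):
        if token not in CHECKED_TYPES:
            continue
        try:
            blob = base64.b64decode(tokens[i + 1], validate=True)
            bits = key_bits(token, blob)
        except (ValueError, binascii.Error):
            continue      # type name seen inside an options string, or a damaged key
        if token == "ssh-dss":
            verdict = "dsa"              # ssh-dss is disabled by default since OpenSSH 7.0
        elif bits < PAGE_REJECT_BITS:
            verdict = "rejected-size"    # below the 768-bit limit the guide warns about
        elif bits < min_bits:
            verdict = "below-policy"
        else:
            verdict = "ok"
        return (token, bits, verdict)
    # No well-formed RSA or DSA key found; other key types are outside this guide's scope.
    return ("unknown", 0, "not-checked")


def audit(text, min_bits=POLICY_MIN_BITS):
    """Audit every line of an authorized_keys file and return the findings in order."""
    results = (audit_line(line, min_bits) for line in text.splitlines())
    return [r for r in results if r is not None]


SMP_ADDRESS = "192.0.2.10"   # constructed: documentation address standing in for the SMP computer
SAMPLE = "\n".join([
    "# constructed authorized_keys content for the push-install account",
    constructed_line("ssh-rsa", 512, "smp-push-512"),
    constructed_line("ssh-rsa", 1024, "smp-push-1024"),
    # from= limits the key to connections that originate at the SMP computer
    'from="%s" ' % SMP_ADDRESS + constructed_line("ssh-rsa", 2048, "smp-push-2048"),
    constructed_line("ssh-dss", 1024, "smp-push-dsa"),
])

if __name__ == "__main__":
    for key_type, bits, verdict in audit(SAMPLE):
        print("%-8s %5d bits  %s" % (key_type, bits, verdict))
```

To audit a real target, pass the contents of the push-install account's authorized_keys file to audit() in place of SAMPLE.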
Installing the Symantec Management Agent for UNIX,
Linux, and Mac with a manual pull
If SSH is not available, or if you want to install the Symantec Management Agent
for UNIX, Linux, and Mac on remote computers that have limited network
access or are behind a firewall, you can pull the Symantec
Management Agent to each computer. You, or anybody else with administrator
rights, can log on to each computer, access Symantec Management Platform
through a URL, and download the install bootstrap program that performs the
Symantec Management Agent for UNIX, Linux, and Mac installation.
The URL of the Download Symantec Management Agent for UNIX, Linux and
Mac page is shown on the Symantec Management Agent Install page, under
Download Page URL for UNIX, Linux and Mac. You can view the page, but you
cannot change this setting.
See “About the Symantec Management Agent” on page 293.
To preview the Download Symantec Management Agent for UNIX, Linux and Mac
page
1
In the Symantec Management Console, on the Actions menu, click
Agents/Plug-ins > Push Symantec Management Agent.
2
On the Symantec Management Agent Install page, click the Install Symantec
Management Agent for UNIX, Linux and Mac tab.
3
Under Download Page URL for UNIX, Linux and Mac, in the Select platform
drop-down list, select the appropriate platform.
4
Click View page.
To pull the Symantec Management Agent for UNIX, Linux and Mac to a remote
computer
1
Log on to the remote computer as an administrator.
2
Ensure that the remote computer meets the Symantec Management Agent
for UNIX, Linux, and Mac installation prerequisites.
See “Symantec Management Agent for UNIX, Linux, and Mac installation
prerequisites” on page 325.
3
On the remote computer, open a Web browser, and then go to the following
URL:
http://SMPName/Altiris/UnixAgent/AltirisUnixAgentDownload.aspx?ID=Platform
where SMPName is the name of your Symantec Management Platform
computer and Platform is the appropriate one of the following options:
■ Linux
■ Solaris (SPARC)
■ Solaris (x86)
■ Mac
■ AIX
■ HP-UX (PA-RISC)
■ HP-UX (IA64)
4
Follow the instructions that are displayed on the Download Symantec
Management Agent for UNIX, Linux and Mac page for downloading and
running the install bootstrap program on the remote computer.
Chapter 17
Configuring the Symantec Management Agent
This chapter includes the following topics:
■ About configuring the Symantec Management Agent
■ Configuring the global agent settings
■ Configuring the targeted agent settings
■ About maintenance windows for managed computers
■ Configuring maintenance window policies
About configuring the Symantec Management Agent
The default Symantec Management Agent configuration settings are suitable for
a small Symantec Management Platform environment. As your environment
grows, or if your organization has particular requirements, you need to make the
appropriate configuration changes.
The agent configuration settings are applied to the appropriate managed
computers using agent configuration policies. You can modify these policies to
change the settings at any time. The new configuration settings are applied to
the agents when the managed computers get their next policy updates (which is
typically once a day).
The Symantec Management Platform provides the following types of agent
configuration policies:
Global settings
The global configuration settings apply to all Symantec
Management Agents on all managed computers. These settings
are applied as a single policy that automatically targets every
managed computer.
See “Configuring the global agent settings” on page 342.
Targeted settings
The targeted agent settings are the general parameters that
control the Symantec Management Agent, including how the agent
communicates with Notification Server. You can modify the default
policies that are supplied with the Symantec Management
Platform. You can create your own targeted agent settings policies
and apply them to the appropriate managed computers.
See “Configuring the targeted agent settings” on page 348.
Maintenance windows
A maintenance window is a scheduled time and duration when
maintenance operations may be performed on a managed
computer. A maintenance window policy defines one or more
maintenance windows. You can modify the default policy that is
supplied with the Symantec Management Platform. You can create
your own maintenance window policies and apply them to the
appropriate managed computers.
See “About maintenance windows for managed computers” on page 361.
The targeted settings policies and maintenance window policies are applied to
the managed computers that are included in the specified policy targets. These
targets may not be mutually exclusive. Two or more policies of the same type may
apply to the same managed computer.
If a managed computer has two or more targeted settings policies that are applied
to it, Notification Server selects the policy to use. The selection is based on the
policy GUID, and is not transparent to the user. You cannot determine beforehand
which policy is chosen. However, once the selection has been made, it is used
consistently to ensure that the same policy is applied at every policy update.
If two or more maintenance window policies apply to the same managed computer,
the policies are merged. All of the specified maintenance windows are used.
Configuring the global agent settings
The global configuration settings are those that you would not need to set
differently on different computers, so they apply to all Symantec Management
Agents on all managed computers. These settings are applied as a global agent
settings policy, so they are updated in the same way as any other policy. By default,
the global agent settings policy is refreshed hourly. You cannot delete or disable
the global agent settings policy, or create alternative versions of it.
If you want to specify agent settings for particular groups of managed computers,
you need to configure the appropriate targeted agent settings policies.
See “Configuring the targeted agent settings” on page 348.
To configure the global agent settings
1. In the Symantec Management Console, on the Settings menu, click
   Agents/Plug-ins > Global Settings.
2. Make the appropriate configuration settings on the following tabs:

   General
       Specify the Tickle/Power Management and Package Multicast settings.
       See “Symantec Management Agent Settings – Global: General tab” on page 343.
       See “About the Tickle/Power Management settings” on page 345.
       See “About the Package Multicast settings” on page 346.

   Authentication
       Specify the user name and password that the Symantec Management Agent
       uses when it connects to Notification Server or a package server.
       See “Symantec Management Agent Settings – Global: Authentication tab” on page 346.

   Events
       Specify Notification Server events that you want to capture.
       See “Symantec Management Agent Settings – Global: Events tab” on page 347.

3. Click Save Changes.
Symantec Management Agent Settings – Global: General tab
The General tab contains the Tickle/Power Management settings and the Package
Multicast settings.
The Tickle/Power Management settings are the TCP/IP port numbers and IP
addresses that the Symantec Management Agents use to communicate with
the Power Management tool.
See “About the Tickle/Power Management settings” on page 345.
Table 17-1 Tickle/Power Management settings

Setting
    Description

TCP/IP port
    The TCP/IP Port number must be between 1024 and 65535.
    The default is port 52028.

TCP/IP multicast address
    The IP address that the Symantec Management Agents use to listen to
    multicast Power Management commands on the network.
    The TCP/IP Multicast Addresses should be between 224.0.0.1 and
    239.255.255.254. The last octet should not be 255.
    The default IP address is 224.0.255.135.

TCP/IP multicast port
    The port number that the Symantec Management Agents use to listen to
    Power Management messages on the network.
    The TCP/IP Multicast Port number must be between 1024 and 65535.
    The default is port 52029.
The Package Multicast settings are the IP addresses that the Symantec
Management Agents use for multicasting.
See “About the Package Multicast settings” on page 346.
Table 17-2 Package Multicast settings

Setting
    Description

TCP/IP multicast address
    The IP address that the Symantec Management Agents use to listen to
    multicast negotiation messages on the network.
    The default IP address is 224.0.255.135.

TCP/IP multicast port
    The port number that the Symantec Management Agents use to listen to
    multicast messages on the network.
    The TCP/IP multicast port number must be between 1024 and 65535.
    The default port is 52030.

TCP/IP Listener range
    The range of IP addresses from which a multicast session chooses an
    address to use during the multicasting of the package by the master.
    You can add new ranges, and specify the appropriate IP addresses for
    each range.

TCP/IP Exclusion range
    The range of IP addresses that cannot be used for multicasting.
    You can add new ranges, and specify the appropriate IP addresses for
    each range.
About the Tickle/Power Management settings
The Power Management tool lets Notification Server communicate directly with
a Symantec Management Agent. Under normal working conditions, the agent
requests its targeted agent settings policies from Notification Server and then
responds accordingly. With power management, Notification Server can contact
the agent directly through a tickle, and instruct it to act immediately.
See “Configuring the global agent settings” on page 342.
See “Symantec Management Agent Settings – Global: General tab” on page 343.
Power management allows Notification Server to perform the following tasks:
Wake on LAN
    Notification Server immediately sends a signal to turn on the managed
    computer if it is currently turned off.
    The managed computer must have a Wake on LAN-enabled network card, and
    Wake On LAN must be enabled in the managed computer’s BIOS settings.
    If you tickle an agent, Notification Server starts the computer using
    Wake on LAN, and then waits five minutes before sending the tickle. This
    delay allows time for the managed computer to turn on.

Get Client configuration
    Notification Server contacts the agent and instructs it to request its
    targeted agent settings immediately.

Send basic inventory
    Notification Server contacts the agent and instructs it to send its
    basic inventory immediately.
If a multicast address and port are not supplied, only the Wake on LAN action
works when performing power management on multiple computers in a single
operation.
The subnet or the proxy computers (relay computers) are never pinged to
determine whether they are alive. To determine the most suitable relay computers,
data from the CMDB is evaluated to create a prioritized list of computers. For each
subnet, Notification Servers are given the highest priority, followed by package
servers. All other computers in that subnet have priority in the order that they
last communicated with Notification Server (the more recent the communication,
the higher the priority). The computers on the list are tried in order of priority
until communication with a relay computer is successful. The attempt stops after
the first 50 computers have been tried without success.
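The relay selection order described above can be modelled as follows. This Python sketch is an added illustration, not Symantec code: the Candidate fields, the role labels, the try_contact callback and the sample rows are assumptions, and ordering servers of the same role by recency is also an assumption, because the guide states the order only for "all other computers".

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_RELAY_ATTEMPTS = 50  # the guide: the attempt stops after 50 computers have been tried
ROLE_RANK = {"notification_server": 0, "package_server": 1}  # any other role ranks last


@dataclass(frozen=True)
class Candidate:
    name: str
    subnet: str
    role: str               # hypothetical labels: notification_server, package_server, agent
    last_contact: datetime  # last communication with Notification Server, from stored data


def prioritize(candidates, subnet):
    """Order one subnet's computers from stored data only; nothing is pinged."""
    in_subnet = [c for c in candidates if c.subnet == subnet]
    # Most recent communication first. The stable sort below keeps that order
    # inside each role (an assumption for servers that share a role).
    by_recency = sorted(in_subnet, key=lambda c: c.last_contact, reverse=True)
    return sorted(by_recency, key=lambda c: ROLE_RANK.get(c.role, 2))


def select_relay(candidates, subnet, try_contact):
    """Try candidates in priority order; return (relay or None, names tried)."""
    tried = []
    for candidate in prioritize(candidates, subnet)[:MAX_RELAY_ATTEMPTS]:
        tried.append(candidate.name)
        if try_contact(candidate):
            return candidate, tried
    return None, tried


def sample_candidates():
    """Constructed rows: one subnet with four computers, plus one on another subnet."""
    now = datetime(2012, 1, 10, 12, 0)
    return [
        Candidate("desk-07", "10.1.2.0/24", "agent", now - timedelta(minutes=5)),
        Candidate("desk-03", "10.1.2.0/24", "agent", now - timedelta(days=3)),
        Candidate("pkg-01", "10.1.2.0/24", "package_server", now - timedelta(hours=6)),
        Candidate("ns-01", "10.1.2.0/24", "notification_server", now - timedelta(days=1)),
        Candidate("desk-99", "10.9.9.0/24", "agent", now - timedelta(minutes=1)),
    ]


if __name__ == "__main__":
    rows = sample_candidates()
    print([c.name for c in prioritize(rows, "10.1.2.0/24")])
    # Simulate both servers being unreachable: the most recently seen agent is used.
    relay, tried = select_relay(rows, "10.1.2.0/24", lambda c: c.role == "agent")
    print(relay.name, tried)
```

Because the list is built from recorded data rather than live probes, a stale last-contact time directly changes which computer is tried first, which is worth keeping in mind when reading relay failures in logs.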
Some solutions use power management to perform solution-specific functions.
Consult the appropriate solution Help for information.
The Tickle/Power Management settings are relevant only when power
management has been enabled on a managed computer. This setting is specified
in the targeted agent settings policy.
See “Targeted Agent Settings: General tab” on page 351.
See “Targeted Advanced Settings: Advanced tab” on page 360.
About the Package Multicast settings
The Package Multicast settings are applied to a managed computer only if multicast
is enabled in the appropriate targeted agent settings policy.
See “Symantec Management Agent Settings – Global: General tab” on page 343.
See “Targeted Agent Settings: Downloads tab” on page 354.
See “Configuring the global agent settings” on page 342.
When you change these settings, be aware of the following:
■ There must be at least one listener IP address range specified that cannot be
  deleted.
■ The Exclusion IP address ranges can be a subset of Listener IP address ranges
  but not vice versa.
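The limits in Table 17-1 and Table 17-2 and the two range rules above can be checked before values are entered in the console. This Python sketch is an added example, not part of the product: the dictionary keys, the "first-last" range notation and the sample ranges are assumptions, and "not vice versa" is read here as "no listener range may lie entirely inside an exclusion range".

```python
import ipaddress

# Limits as stated in Table 17-1 and Table 17-2 of this guide.
PORT_MIN, PORT_MAX = 1024, 65535
MCAST_LOW = ipaddress.IPv4Address("224.0.0.1")
MCAST_HIGH = ipaddress.IPv4Address("239.255.255.254")


def check_port(name, port):
    """Return a list of problems for one port setting (an empty list means valid)."""
    if isinstance(port, bool) or not isinstance(port, int) or not PORT_MIN <= port <= PORT_MAX:
        return [f"{name}: {port!r} is not a port between {PORT_MIN} and {PORT_MAX}"]
    return []


def check_multicast_address(name, text, table_17_1_rules=True):
    """Check a multicast address. The 224.0.0.1-239.255.255.254 window and the
    last-octet rule are the ones Table 17-1 gives for the Power Management address."""
    try:
        addr = ipaddress.IPv4Address(text)
    except ValueError:
        return [f"{name}: {text!r} is not an IPv4 address"]
    if not addr.is_multicast:
        return [f"{name}: {addr} is not a multicast address"]
    problems = []
    if table_17_1_rules:
        if not MCAST_LOW <= addr <= MCAST_HIGH:
            problems.append(f"{name}: {addr} is outside {MCAST_LOW}-{MCAST_HIGH}")
        if addr.packed[-1] == 255:
            problems.append(f"{name}: last octet of {addr} is 255")
    return problems


def parse_range(text):
    """Parse 'first-last' (notation constructed for this example) into two addresses."""
    first, last = (ipaddress.IPv4Address(part.strip()) for part in text.split("-"))
    if first > last:
        raise ValueError(f"range {text!r} ends before it starts")
    return first, last


def check_ranges(listeners, exclusions):
    """Apply the two range rules from 'About the Package Multicast settings'."""
    problems = []
    if not listeners:
        problems.append("listener ranges: at least one range is required")
    parsed_exclusions = [(text, parse_range(text)) for text in exclusions]
    for l_text in listeners:
        l_first, l_last = parse_range(l_text)
        for e_text, (e_first, e_last) in parsed_exclusions:
            # Assumption: equal ranges are flagged too, since no usable address remains.
            if e_first <= l_first and l_last <= e_last:
                problems.append(f"listener range {l_text} lies inside exclusion range {e_text}")
    return problems


def audit_global_settings(s):
    """Collect every problem in a dict of General-tab values (key names are hypothetical)."""
    problems = []
    problems += check_port("Tickle TCP/IP port", s["tickle_port"])
    problems += check_multicast_address("Tickle multicast address", s["tickle_mcast_addr"])
    problems += check_port("Tickle multicast port", s["tickle_mcast_port"])
    # Table 17-2 states no address window for package multicast: basic checks only.
    problems += check_multicast_address("Package multicast address", s["pkg_mcast_addr"],
                                        table_17_1_rules=False)
    problems += check_port("Package multicast port", s["pkg_mcast_port"])
    problems += check_ranges(s["listener_ranges"], s["exclusion_ranges"])
    return problems


# Ports and addresses are the defaults quoted in the tables; the ranges are constructed.
DEFAULTS = {
    "tickle_port": 52028, "tickle_mcast_addr": "224.0.255.135", "tickle_mcast_port": 52029,
    "pkg_mcast_addr": "224.0.255.135", "pkg_mcast_port": 52030,
    "listener_ranges": ["224.0.2.0-224.0.2.254"],
    "exclusion_ranges": ["224.0.2.100-224.0.2.120"],
}
# Constructed bad input: low port, last octet 255, unicast address, listener inside exclusion.
BROKEN = dict(DEFAULTS, tickle_port=443, tickle_mcast_addr="239.1.2.255",
              pkg_mcast_addr="10.0.0.5", listener_ranges=["224.0.2.0-224.0.2.50"],
              exclusion_ranges=["224.0.2.0-224.0.2.254"])

if __name__ == "__main__":
    for problem in audit_global_settings(BROKEN):
        print(problem)
```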
Symantec Management Agent Settings – Global: Authentication tab
The Authentication tab contains the Agent Connectivity Credential (ACC)
settings, which are the user name and password that the Symantec Management
Agent uses to connect to a secured resource. The package server also uses the
Agent Connectivity Credential to add file-based security to download package
files, if so configured. The credentials that you specify must be a known account
on Notification Server and every package server.
See “Configuring the global agent settings” on page 342.
See “Enabling access to a package at a UNC source location” on page 404.
Table 17-3 Settings on the Authentication tab

Setting
    Description

Use application credentials
    Use the application identity credentials that you specified on the
    Processing tab of the Server Settings page.
    See “Notification Server processing settings” on page 52.

Use these credentials
    Specify the appropriate ACC user name and password.
    This account usually has a lower level of rights than the Application
    Identity account, and is a dedicated account created for use on package
    servers.
    Warning: You cannot use special characters (any of the following:
    ~!#$%^&(){}) in the user name or password. You may use only
    alphanumeric characters.
Symantec Management Agent Settings – Global: Events tab
The Events tab lets you enable or disable individual Notification Server event
captures. We recommend that you leave the Notification Server Event options
enabled. However, if you have a large number of managed computers and receive
unneeded events, you can disable them. You specify Notification Server events
that you want to capture by checking the appropriate checkboxes.
See “Configuring the global agent settings” on page 342.
Table 17-4 Settings on the Events tab

Setting
    Description

AeX Package Server Package Event
    Sent when a package server has started or finished downloading a package.

AeX Package Server IIS Status
    Contains IIS data that describes what has been downloaded and any errors
    encountered by Symantec Management Agents performing downloads.

AeX Client LogOn
    Sent when users log on and off a computer.

Agent Install Status
    Sent during push and pull installs to keep track of how the install
    progresses.

AeX SWD Execution
    Sent when a software management task is run.

AeX SWD Package
    Sent when a package is modified or downloaded.

AeX SWD Status
    Sends status information about the software management tasks that the
    Symantec Management Agent receives. For example, when a new task is
    received or existing tasks have been updated or disabled.

NS Client Pkg Info Request
    Generated internally by Notification Server when Symantec Management
    Agents request information on packages.
Configuring the targeted agent settings
The targeted agent settings policy lets you configure the general parameters that
control the Symantec Management Agent, including how the agent communicates
with Notification Server. You can apply these settings to particular groups of
computers. For example, some groups of computers may have different purposes,
or you may want to treat servers differently from other managed computers. You
can modify the default policies that are supplied with Notification Server or create
your own targeted agent settings policies.
See “About configuring the Symantec Management Agent” on page 341.
The targeted agent settings policies supplied with Notification Server are as
follows:
■ All Desktop computers (excluding ‘Site Servers’)
■ All Site Servers
■ All Windows Mobile
■ All Windows Servers (excluding ‘Site Servers’)
If you want to specify some configuration settings that apply to all Symantec
Management Agents on all managed computers, you need to configure the global
agent settings policy.
See “Configuring the global agent settings” on page 342.
To configure the targeted agent settings
1. In the Symantec Management Console, on the Settings menu, click
   Agents/Plug-ins > Targeted Agent Settings.
2. In the left pane, do one of the following:
   ■ To create a new targeted agent settings policy, click Create New.
   ■ To modify an existing targeted agent settings policy, click the
     appropriate policy.
3. To set or change the policy name, click Rename.
   In the Rename Item dialog box, type the new name, and then click OK.
4. In the right pane, make the appropriate configuration settings on the
   following tabs:

   General
       General settings include the policy download and inventory collection
       frequencies, and the computers, users, or resource targets to which
       the policy applies.
       See “Targeted Agent Settings: General tab” on page 351.

   UNIX/Linux/Mac
       If the Symantec Management Agent for UNIX, Linux, and Mac is
       installed, this tab is available and provides general settings for
       UNIX, Linux, and Mac managed computers.
       See “Targeted Agent Settings: UNIX/Linux/Mac tab” on page 352.

   Downloads
       Download settings control how each agent downloads packages during
       software deliveries. You can enable multicast downloads and configure
       multicast for both master and client sessions.
       See “Targeted Agent Settings: Downloads tab” on page 354.
       See “About multicasting packages” on page 357.
       You can override these settings for individual software delivery
       policies and tasks.
       For more information, see the topics about Software Management
       settings in the Software Management Solution User Guide.

   Blockouts
       Blockout periods are times when all communication between the agent
       and Notification Server is disabled. You can set up any number of
       blockout periods.
       See “Targeted Agent Settings: Blockouts tab” on page 358.

   User Control
       The user control settings are the options that affect what the user
       of the managed computer can see.
       See “Targeted Agent Settings: User Control tab” on page 359.

   Advanced
       Lets you specify an alternate URL that the Symantec Management Agent
       can use to access Notification Server, and turn on the power
       management feature.
       See “Targeted Advanced Settings: Advanced tab” on page 360.

5. (Optional) To restore the policy to its default settings, click Restore Defaults.
6. Click Save changes.
Targeted Agent Settings: General tab
The targeted agent general settings include the policy download and inventory
collection frequencies, and whether to compress large events when sending them
to Notification Server. You also need to specify the computers, users, or resource
targets to which the targeted agent settings policy applies.
See “Configuring the targeted agent settings” on page 348.
See “Recommended Symantec Management Agent data update intervals”
on page 352.
Table 17-5 Settings on the General tab

Setting
    Description

Download new configuration
    The interval at which the Symantec Management Agent requests new policy
    information from Notification Server.
    The default and recommended interval is one hour.
    When you first set up your Notification Server, set this time to 1, 5,
    or 15 minutes. This setting lets you find out how Notification Server
    interacts with the Symantec Management Agents. This time should then be
    increased to suit the number of managed computers that you have.

Upload basic inventory
    The interval at which the Symantec Management Agent sends basic
    inventory to Notification Server.
    The default interval is one day. You should adjust this value according
    to the number of managed computers in your organization.

Compress events over
    Select this option to compress events when they are sent to Notification
    Server, and set the minimum size.
    The recommended minimum size is 200 KB, which is a compromise between
    bandwidth and CPU usage.
    The value you choose here is a trade-off between bandwidth usage and CPU
    usage on the server. For example, you may want to set a low value for
    the events that are sent from mobile computers. You can set a higher
    value for events on well-connected LAN computers.

Applies to
    Displays the details of the resource targets, computers, or users to
    which the agent settings policy currently applies. You can set or change
    the policy target as appropriate.
Recommended Symantec Management Agent data update intervals
The Symantec Management Agent regularly sends basic inventory data to and
receives agent configuration data from Notification Server. You can configure
the intervals for these updates. The more computers you manage, the less
frequently you should update the data to reduce the load on Notification Server.
See “Configuring the targeted agent settings” on page 348.
Table 17-6
Recommended Symantec Management Agent data update intervals
Number of managed
computers
Basic inventory
Configuration request
0 - 499
30 minutes
15 minutes
500 - 1999
8 hours
4 hours
> 2000
24 hours
8 hours
Notification Server includes an automation policy that automatically sends you
an email when the update intervals are lower than the recommended values. This
policy, the Scalability Check, saves you from regularly checking the update
intervals as computers are added to or removed from your network. You can turn
the Scalability Check policy on or off as necessary, and set the appropriate
schedule.
See “Managing automation policies” on page 426.
Targeted Agent Settings: UNIX/Linux/Mac tab
The UNIX/Linux/Mac tab lets you define the settings that apply to UNIX, Linux,
and Mac computers in the targeted group of computers.
See “Configuring the targeted agent settings” on page 348.
Table 17-7 Settings on the UNIX/Linux/Mac tab

Setting
    Description

Symantec log directory
    The directory where the Agent log is written.
    Default: %INSTDIR%/var

Symantec log name
    The name of the log file.
    Default: aex-client.log

Symantec log size
    The maximum amount of disk space that the Agent log uses.
    Default: 1024 KB

Symantec logging level
    The Agent log detail level: Error, Warning, Info.
    Default: Error

Syslog logging level
    The system logging level: None, Error, Warning, Info.
    This option lets you specify whether the Symantec Management Agent
    should post messages to the system log and set the appropriate log level.
    Default: None

Enable NIC error
    When this option is enabled, the Symantec Management Agent for UNIX,
    Linux, and Mac will report an error when the client computer’s host name
    and IP address are not the same as reported by DNS.
    You can view the NameServ Error in the Symantec Management Console, in
    the Resource Manager, at View > Inventory > Data Classes > Inventory >
    Basic Inventory > AeX AC TCPIP > DNS Server 3.

Enforce host certificate is in CA
    When this option is enabled, the local certificate authority is used to
    validate the host for all HTTPS connections.

Name of the CA certificates file
    Specifies the full path to the file containing one or more CA
    certificates in PEM (Base64 encoded) format.

Enforce hostname verification for HTTPS connection
    When this option is enabled, the Symantec Management Agent communicates
    with a host using HTTPS only if that host’s name matches the name in the
    host’s certificate.

Return the following information as computer name
    Specifies which name the client computer will report as its computer
    name: DNS Name or Computer Name (the local computer name).

Return the following information as computer domain
    Specifies what the client computer will report as its domain: Empty (an
    empty string) or DNS Domain (its DNS domain name).

Read computer DNS domain name from /etc/resolv.conf
    When this option is enabled, the Symantec Management Platform reads the
    client computer’s domain name from the resolv.conf file, instead of
    performing a host name lookup.

Software Delivery
    The settings in this section specify the preferred values for each
    process priority level that is used by software delivery tasks.

Use proxy server for agent/server communication
    When this option is enabled, the ULM Agent communicates with
    Notification Server via the specified proxy server.
    You can specify the following proxy server settings:
    ■ Proxy server URL
    ■ Port number
    ■ Username
    ■ Password
Targeted Agent Settings: Downloads tab
The Downloads tab lets you define the throttling settings and configure multicast
settings.
See “Configuring the targeted agent settings” on page 348.
The tab contains the following groups of settings:
Throttling
Lets you define the throttling settings, which
enable throttling of downloads to the agent
and set the slow-connection threshold.
See Table 17-8
Throttling periods
Lets you create and modify the throttling
periods that you want to use.
See Table 17-9
Multicast Configuration Settings
Lets you enable multicast downloads and
configure multicast for both master session
and client session.
See Table 17-10
Table 17-8 Throttling settings

Setting
    Description

Use bandwidth throttling
    Enables bandwidth throttling.

Only throttle when bandwidth is below ... KB/s
    Specifies a slow-connection threshold.
    If the connection speed falls below the value that you specify, the
    bandwidth throttling settings that you specify are applied.
Table 17-9 Throttling Periods settings

Setting
    Description

Add throttling period
    You can specify any number of throttling periods. If two or more periods
    overlap, the lowest throttling value is used.
    For each throttling period, you can set the following:
    ■ Start time, Duration
      The start time and duration of the throttling period.
    ■ Value, Unit
      The amount of throttling, where the numerical value is either a
      percentage of the maximum download rate, or a specific download rate
      in KB/sec.

Delete
    Deletes the selected throttling period from the list.

Time zone
    The time zone to use for defining the throttling periods.
    The available time zones are as follows:
    ■ Use agent time
      The times are specified without time zone information, and are applied
      at the local time at each managed computer. Throttling periods start
      and end at different times depending on the time zones of the managed
      computers.
    ■ Use server time
      The times are specified with time zone information, where the time
      zone offset is that of the server’s time zone where the policy is
      defined. The throttling periods start simultaneously irrespective of
      time zones, and are compensated for daylight saving.
      This option ensures that throttling periods are always coordinated
      with the specified local time on the server where the policy is
      created.
    ■ Coordinate using UTC
      The times are specified with time zone information, where the time
      zone offset is 0. The throttling periods start simultaneously
      irrespective of time zones and are not affected by daylight saving.
Table 17-10 Multicast Configuration settings

Setting
    Description

Allow Symantec Management Agents to use multicast for downloading packages
    Enables multicasting for downloading packages.
    See “About multicasting packages” on page 357.

By default the Symantec Management Agent should use multicast when downloading packages
    If multicast is set as the default for downloading packages in the
    Global Agent Settings policy, this option lets you turn it off. However,
    individual packages may override this setting.
    If the Global Agent Settings policy has multicast turned off, you cannot
    turn it on with this option.

Maximum master sessions per computer
    The maximum number of concurrent sessions for which a Symantec
    Management Agent can be the master.
    The default value is 2 for new policies and for most of the default
    targeted agent settings policies that are supplied with Notification
    Server. The exception is the All Package Servers policy, which has a
    default value of 10. This is the suggested default for package servers.

Minimum receiving computers per session
    The minimum number of Symantec Management Agents (excluding the master)
    that must join the session before package multicasting can proceed.

Wait time to begin session
    The maximum time to wait for the minimum number of Symantec Management
    Agents (excluding the master) to join the session, before the session
    times out.
    This value can be defined as a percentage of the Download new
    configuration interval on the General tab, or in minutes.
    The default value is 50% of the Download new configuration interval.
    The larger the value, the more agents will join the session and reduce
    bandwidth utilization on the local segment, but the longer it will take
    for the package to arrive. Configure this value higher than the minimum
    time to start multicast (around 10 minutes).
    If a session times out, the Symantec Management Agents that were members
    of the session will attempt to download the package again through
    multicast, until the Maximum transmission attempts per package value is
    reached.

Number of receiving computers required to begin session before wait time has expired
    The number of Symantec Management Agents (excluding the master) that
    must join a session to enable multicasting to begin.
    The default value is 100.
    This setting cannot be less than the value that you specified for
    Minimum receiving computers per session.
    This setting can be used to override the wait time when enough agents
    have joined the session to represent significant bandwidth savings. The
    wait time is specified in the Wait time to begin session field.

Maximum bandwidth to use for multicasting
    The maximum bandwidth that multicasting can use per package.
    The default value is 125 Kbytes/sec.

Maximum transmission attempts per package
    The maximum number of times that the Symantec Management Agent may
    attempt to receive the same package through multicast. If all attempts
    fail, the agent reverts to the normal package download procedure.
    The default number is 3.

Maximum sessions per physical subnet
    Specifies the maximum number of multicast sessions that can occur
    concurrently per physical subnet.
    The default number is 10.

Disable multicast for packages smaller than
    Specifies the minimum package size that may be downloaded using multicast.
    The default size is 512 KB.
About multicasting packages
Multicasting lets you transmit packages to a select group of recipients. It improves
package server performance on large networks and protects package servers from
being overloaded, especially when distributing large packages. It also reduces the
load on package servers by reducing the number of Symantec Management Agents
that connect to each package server. It decreases network utilization by enabling
agents to multicast package data to other managed computers.
See “Configuring the targeted agent settings” on page 348.
Multicasting can reduce WAN utilization in the remote sites that do not have a
dedicated package server. In such situations, only one agent needs to cross the
WAN to download the package. The other Symantec Management Agents on the
same site can then download the package from that agent using multicast.
Symantec Management Agents revert to unicast for downloading packages in the
following conditions:
■ The Maximum sessions per physical subnet value has been reached more times
  than the Maximum transmission attempts per package value specified.
■ The Symantec Management Agent connection to the multicast session falls
  below 64 Kbytes/sec.
■ The maximum bandwidth that is used for multicasting has been reached.
■ The Maximum sessions per physical subnet value has been reached.
■ The package is smaller than the Disable multicast for packages smaller than
  value.
Targeted Agent Settings: Blockouts tab
The targeted agent blockout periods are times when all communication between
the Symantec Management Agent and Notification Server is disabled. The
Blockouts tab lets you set up any number of blockout periods in a targeted agent
settings policy.
See “Configuring the targeted agent settings” on page 348.
Table 17-11 Settings on the Blockouts tab

Setting
    Description

Disable communication at startup and after blockouts for up to
    Disables the communication between Notification Server and the Symantec
    Management Agents for a specified period after the computer is turned on
    and after a blockout period has expired.
    This setting prevents all Symantec Management Agents communicating with
    Notification Server at the same time. For example, at the start of the
    working day when all the computers are turned on, or after blockouts
    have finished. The actual time that communication is disabled is a
    random interval from 0 to the time specified.

Time zone
    The available time zones are as follows:
    ■ Use agent time
      The times are specified without time zone information, and are applied
      at the local time at each managed computer. Blockouts start and end at
      different times depending on the time zones of the managed computers.
    ■ Use server time
      The times are specified with time zone information, where the time
      zone offset is that of the server's time zone where the policy is
      defined. The blockout periods start simultaneously irrespective of
      time zones, and are compensated for daylight saving.
    ■ Coordinate using UTC
      The times are specified with time zone information, where the time
      zone offset is 0. The blockout periods start simultaneously
      irrespective of time zones and are not affected by daylight saving.

Blockout periods
    The blockout periods that you want to have available.
    See “Adding a blockout period to the targeted agent settings” on page 358.
Adding a blockout period to the targeted agent settings
You need to specify the blockout periods that you want to use. You can specify
any number of blockout periods.
See “Configuring the targeted agent settings” on page 348.
See “Targeted Agent Settings: Blockouts tab ” on page 358.
If a blockout prevents a software delivery package download, the package download
starts immediately when the blockout expires, according to the download options
you selected.
To add a blockout period
1. In the Symantec Management Console, on the Settings menu, click
   Agents/Plug-ins > Targeted Agent Settings.
2. In the left pane, click the policy for which you want to add a blockout period
   to the targeted agent settings.
3. In the right pane, click Blockouts.
4. On the Blockouts tab, click Add blockout period.
5. Specify the Start Time and Duration in the corresponding boxes.
6. In the Unit drop-down list, select the blockout period type:
   Download
      The package server and Symantec Management Agent do not
      download any software delivery packages. However, the Symantec
      Management Agent still sends events and gets Symantec
      Management Agent Settings policy requests from Notification
      Server. Events and Symantec Management Agent Settings policy
      requests are typically small amounts of information and have
      minimal effect on the network traffic. However, packages can be
      large and can affect the network load. This setting can help
      minimize the effect of package servers and Symantec
      Management Agents on the network during business hours.
   Total
      There is no communication between the package server/Symantec
      Management Agent and Notification Server during the specified
      time period. All events from the Symantec Management Agent
      are queued (on the Agent) and are sent after the blockout.
7. Click Save changes.
Targeted Agent Settings: User Control tab
The targeted agent user control settings are the options that affect what the user
of the managed computer can see.
See “Configuring the targeted agent settings” on page 348.
Table 17-12 Settings on the User Control tab

Setting: Show client tray icon
Description: Displays the Symantec Management Agent icon in the
system tray on the managed computer.

Setting: Display locale
Description: The language that the Symantec Management Agent
displays as the chosen language regardless of the operating
system locale.
The default is Local Regional Settings.

Setting: Warning Countdown duration
Description: The Software Delivery task notification countdown prior
to running the task or restarting the target computer.
The options are 1, 2, 3, 5, 10, 15, 30, 60, and 120 minutes.
The default is 5 minutes.

Targeted Advanced Settings: Advanced tab
The Advanced tab lets you specify an alternate URL that the Symantec
Management Agent can use to access Notification Server, and turn on the power
management feature.
See “Configuring the targeted agent settings” on page 348.
Table 17-13 Settings on the Advanced tab

Setting: Alternate URL for accessing NS
Description: Specifies an alternate URL that the Symantec Management
Agent can use to access Notification Server. You may need
to change these settings when you configure Notification
Server to use SSL.

Setting: Server Name
Description: We recommend that you use the fully qualified domain
name.

Setting: Server Web
Description: The Server Web address should be in the following format:
http://<NS_FQDN>:<port>/Altiris/
https://<NS_FQDN>:<port>/Altiris/

Setting: Enable tickle on Symantec Management Agents
Description: Turns on the power management feature. The relevant
settings are specified in the global agent settings policy.
See “About the Tickle/Power Management settings” on page 345.

About maintenance windows for managed computers
A maintenance window is a scheduled time and duration when maintenance
operations may be performed on a managed computer. A maintenance operation
is one that changes the state of a computer, causes it to restart, or interferes with
a user’s ability to operate the computer. For example, installing software and
operating system patches, or running a virus scan.
A maintenance window policy defines one or more maintenance windows and is
applied to a resource target in the same way as any other policy. These policies
provide the maximum flexibility for assigning maintenance windows to computers,
without complicating the management of agent settings. If multiple maintenance
window policies apply to a single computer, changes to the computer are permitted
during any of the maintenance windows.
See “About configuring the Symantec Management Agent” on page 341.
Using maintenance windows lets you schedule maintenance work on managed
computers with minimal impact on work flow and productivity. Also, you can
schedule maintenance work on critical servers at different times so no two servers
are ever restarted at the same time. A maintenance window may be scheduled for
certain times, such as daily, weekly or monthly. The maintenance window may
be available indefinitely or restricted to a particular date range.
When you apply a maintenance window to a managed computer, maintenance
tasks, such as patches and software deliveries, can only be carried out on that
computer in the scheduled time period. Symantec Management Agents can download
software delivery packages at any time, but associated programs can be run only
during the maintenance windows.
The Symantec Management Agent processes the policy and provides the
functionality that solutions use to determine whether a maintenance window is
currently open. Functionality is also provided to allow solutions to inform
Notification Server that a maintenance task has been performed.
If the Symantec Management Agent is performing a task as part of a job when the
maintenance window expires, the maintenance window is automatically extended
until all tasks that are contained in the job are completed.
See “Configuring maintenance window policies” on page 361.
Configuring maintenance window policies
You can create and modify the maintenance window policies that you need and
apply them to the appropriate targets. The default maintenance window policy
is applied to all managed computers.
See “About maintenance windows for managed computers” on page 361.
To configure maintenance window policies
1. In the Symantec Management Console, on the Settings menu, click
   Agents/Plug-ins > Maintenance Windows.
2. In the left pane, in the Maintenance Windows folder, do one of the following:
   ■ To create a new maintenance window policy, right-click and then click
     New > Maintenance Window. In the right pane, edit the default new policy
     name and description as appropriate.
   ■ To modify an existing maintenance window policy, select the appropriate
     policy.
3. In the right pane, in the Time Zone box, select the appropriate option:
   Use agent time
      The times are specified without time zone information and
      are applied at the local time at each managed computer.
      Maintenance windows open and close at different times
      depending on the time zones of the managed computers.
   Use server time
      The times are specified with time zone information, where
      the time zone offset is that of the server’s time zone where
      the policy is defined. The maintenance windows open
      simultaneously irrespective of time zones and are
      compensated for daylight saving.
      This option ensures that maintenance windows are always
      coordinated with the specified local time on the server where
      the policy is created.
   Coordinate using UTC
      The times are specified with time zone information, where
      the time zone offset is 0. The maintenance windows open
      simultaneously irrespective of time zones and are not
      affected by daylight saving.
   The time zone applies to all of the maintenance windows that are specified
   in this policy.
4. If you want the policy to take effect on a particular date, rather than as soon
   as it is enabled, in the upper right corner, click Advanced, then in the
   Advanced Options dialog box, set the start date and end date, and click OK.
   Start
      The date that the policy takes effect. The policy must be enabled
      in the same way as any other policy. You can enable the policy
      at any time before or after the start date.
   End
      If you want the policy to be available for a limited period of time,
      set the appropriate end date. The policy is unavailable after this
      date, whether or not it is enabled.
      This setting is optional. If no end date is specified, the policy is
      available indefinitely.
5. Create the maintenance windows that you want to include in the policy.
   To add a new maintenance window
      Click Add Maintenance Window.
   To delete a maintenance window
      Click anywhere in the maintenance window that you
      want to delete, and then click Delete.
6. In each maintenance window, under Daily Times, specify the start time of
   the maintenance window and either the end time or the duration in the
   corresponding boxes.
   Alternatively, you can drag the green (start time) and red (end time) arrows
   to the appropriate places on the time line.
7. Under Repeat Schedule, in the Repeat every box, select a schedule and then
   specify the appropriate schedule filters:
   No repeat
      The maintenance window is open only once, on the day
      that it is applied to the managed computer.
   Day
      The maintenance window is open every day.
   Week
      Specify the weekdays on which the maintenance
      window is open.
   Month (week view)
      Specify the days of the week and the weeks of the
      month on which the maintenance window is open.
   Month (date view)
      Specify the dates of the month on which the
      maintenance window is open.
   Yearly (week view)
      Specify the days of the week, the weeks of the month,
      and the months on which the maintenance window is
      open.
   Year (date view)
      Specify the dates of the month and the months on
      which the maintenance window is open.
8. In the Applied to panel, specify the maintenance window policy target.
   You can select an existing organizational group, filter, or resource target.
   You can also select individual resources.
   See “Specifying the targets of a policy or task” on page 413.
   Details of the selected items are displayed in the grid. You can view the list
   by targets, resources, computers, or users, and make any necessary additions
   and deletions.
9. Click Save Changes.
Section 4
Managing Symantec Management Platform resources
■ Chapter 18. Configuring resource security
■ Chapter 19. Configuring resource filters and targets
■ Chapter 20. Configuring packages
■ Chapter 21. Using policies
■ Chapter 22. Using tasks
■ Chapter 23. Using Resource Manager
■ Chapter 24. Using Notification Server reports
■ Chapter 25. Creating custom Notification Server reports
■ Chapter 26. Viewing resource information
Chapter 18
Configuring resource security
This chapter includes the following topics:
■ About resource security
■ Configuring resource security
■ About organizational views and groups
■ About the Default organizational view
■ Creating organizational views
■ Configuring organizational groups
■ Specifying the organizational groups displayed
■ Adding resources to an organizational group
■ Viewing and managing resources in an organizational group
■ Setting security on organizational groups
■ Setting custom security permissions on organizational groups
■ Configuring permission inheritance for organizational groups
About resource security
The resource security model has changed significantly for Notification Server
7.0. Resources, which include all computers, users, and everything else that is
defined in the CMDB or resource model, now obtain all of their permission grants
from the organizational views and groups to which they belong. This replaces the
Notification Server 6.0 implementation, which required securing both standard
collections and resource folders.
Note: There are a few exceptions, such as packages, which are resources but are
also items that appear in the Symantec Management Console folder structure.
The security options for these items are disabled in the folder structure. Security
for these is set in the same way as other resources.
An organizational view is a hierarchical grouping of resources (as organizational
groups) that reflects a real-world structure, or "view", of your organization. For
example, you may create organizational views to group your resources by
geographical location, or by department, or by network structure. As in the real
world, a resource may (but is not required to) appear once only in an organizational
view.
The Symantec Management Console has a default Default organizational view
that contains all known resources. As new resources are discovered in scheduled
updates and added to the CMDB, they are automatically placed in the Default
organizational view. The Default view organizes resources by type, with each type
of resource (computer, user, package, etc.) being placed in the corresponding
organizational group. You can manually copy the newly-discovered resources
into the appropriate organizational views.
The assignment of resources into organizational groups is automatic and you
cannot change it. Note that there may be a delay between the resource being
discovered and being shown in the appropriate organizational group. Each newly
discovered resource is placed in the top level organizational group, and remains
there until being moved into the appropriate organizational group when the
Organizational View refresh schedule runs.
See “About the Default organizational view” on page 371.
You can remove resources from any organizational view except the Default view.
When a resource is deleted from the CMDB, it is automatically removed from all
organizational views using the delta update schedule.
See “Scheduling resource membership updates” on page 398.
You set up security by assigning the appropriate permissions for each security
role on each organizational view, and on the organizational groups within each
view. A permission that is assigned to an organizational group applies to all
resources in that group and, by default, applies to all of its child groups. You
cannot assign permissions directly to a particular resource.
Permission grants on a resource are accumulated across organizational views.
The permissions that a security role has on a particular resource are the union of
all the permissions that the resource has been assigned through the organizational
groups to which it belongs. If a security role has permission to perform an action
on a resource in one organizational view, the role can perform that action
regardless of whether the permission is applied to other organizational views that
contain the same resource. For example, if a security role has read access to a
resource in one organizational view, write access to the same resource in another
organizational view, but no access to the resource in a third organizational view,
the role has both read and write access to the resource.
Implementing resource security in this way gives each security role its own unique
view, or "scope", of the available resources. The security role determines which
resources its members can access, and what actions they can perform on those
resources. Filters, targets, and report results are dynamic and automatically
scoped according to the role of the user who owns them. Therefore, filters, targets,
and report results always contain only the resources to which that user has the
necessary access permissions.
See “Configuring resource security” on page 369.
Configuring resource security is an optional step in the process of setting up
Symantec Management Platform security.
See “Setting up Symantec Management Platform security” on page 71.
Note: When a target is evaluated, only resources to which the user has read access
are available. Consequently, the only security permission that a user requires to
apply a task or policy to a resource is the read permission on the resource.
Configuring resource security
After you have created the security roles that you want to use in your environment,
you can configure resource security. You configure resource security by creating
the appropriate organizational views for your resources. You then assign the
appropriate permissions for each security role to each organizational view, and
to the organizational groups within each view.
See “About resource security” on page 367.
Table 18-1 Process for setting up resource security

Step: Step 1
Action: Identify your resource management and security requirements.
Description: You need to determine your resource management and security
requirements, and plan the organizational view structures that
best meet your requirements. You can use any structure that you
want. For example, you may want to use organizational views
that are based on geography, business function, or management
structure.
For more information, see the Symantec Management Platform
Installation Guide.

Step: Step 2
Action: Create the organizational views that you want.
Description: Create the organizational views that you need to model the
appropriate logical structures in your organization.
See “Creating organizational views” on page 372.

Step: Step 3
Action: In each view, create the organizational groups that you want.
Description: Within each organizational view, you can create a hierarchy of
groups to represent the organizational structure that you want
to model.
See “Configuring organizational groups” on page 373.
See “Specifying the organizational groups displayed” on page 375.

Step: Step 4
Action: Assign the appropriate resources to each organizational group.
Description: New resources are automatically added to the default All
Resources organizational view. You can move them to the
appropriate groups within each of your organizational views. A
resource may be included in any number of organizational views.
See “About the Default organizational view” on page 371.
See “Adding resources to an organizational group” on page 375.

Step: Step 5
Action: Assign the appropriate security roles to each organizational group.
Description: Assigning a security role to an organizational group gives users
with that role access to all resources that are directly included
in that group. You need to specify the permissions that each role
has on the group.
By default, security settings on a group apply to all of its child
groups. You can break the inheritance when necessary.
See “Setting security on organizational groups” on page 379.

Step: Step 6
Action: Maintain the organizational view structure and content as necessary.
Description: You can add new resources to the appropriate organizational
groups, and can create, modify, or delete groups when required.

About organizational views and groups
An organizational view is a hierarchical grouping of resources (as organizational
groups) that reflects a real-world structure, or "view", of your organization. For
example, you may create organizational views to group your resources by
geographical location, or by department, or by network structure. As in the real
world, a resource may (but is not required to) appear once only in an organizational
view.
See “About resource security” on page 367.
See “Configuring resource security” on page 369.
Organizational views provide a secure means of segregating your resources into
well structured and manageable units. Each organizational view contains one or
more organizational groups, each of which may contain resources and child
organizational groups. The membership of an organizational group includes the
resources that are contained in all of its child groups. An organizational view
cannot contain any resources directly - all resources must be contained in
organizational groups. You can use organizational views and groups to model a
wide variety of organizational requirements. You can secure your organizational
views using the familiar NT security inheritance model that is used throughout
the Symantec Management Platform.
When you assign security roles and permissions to your organizational views and
groups, you give each security role its own unique view, or "scope", of the available
resources. The security role determines which resources its members can access,
and what actions they can perform on those resources. A user can see any
organizational view or group on which they have permissions, and have those
permissions on all resources that are contained in the group. If permission
inheritance is enabled, they also have the same permissions on all sub-groups. If
a user does not have permission on an organizational view, they can still see it if
they have permission on one or more of its organizational groups.
You can use organizational views and groups within targets when you want to
apply a policy or task to selected computers, users, or resources. The organizational
view or group is used in the same way as a filter, but provides the security that is
required to ensure that only the resources to which the target owner has
permission are included.
See “About resource targets” on page 397.
About the Default organizational view
The Symantec Management Console has a default Default organizational view in
which all resources are automatically placed. The default structure is a hierarchy
of organizational groups that are based on resource type. All newly discovered
resources are automatically placed into the appropriate group in the Default
organizational view.
You cannot add or remove organizational groups from the Default organizational
view, but you can copy resources to different organizational groups. You can also
view and manage the resources in the same way as for user-defined organizational
views and groups.
Warning: You can delete any resources from the Default organizational view. When
you delete a resource, the resource is removed from the CMDB. You should not
delete any resources that are critical to the Symantec Management Platform
activity and functionality. Critical resources include the Notification Server
computer, sites, and subnets.
See “Viewing and managing resources in an organizational group” on page 376.
When you install the Symantec Management Platform, the default configuration
is that all roles have full permission on the Default organizational view. The
default configuration gives all roles full access to all resources. If you want to
configure resource security (which is optional), you can use the Default
organizational view to set default permissions on all resources or particular types
of resources. You need to break inheritance for the appropriate security roles and
clear the permissions down the organizational group structure. You can then
assign the appropriate permissions for each security role to the relevant
organizational groups. The Administrator role cannot be modified, and always
has full permissions on all organizational groups.
See “Setting security on organizational groups” on page 379.
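The rules described in this chapter (settings on a group apply to its child groups by default, a resource sits in one group per view, and a role's permissions on a resource are the union across views) can be modelled to check a planned design before it is built in the console. The following Python sketch is an added example, not Symantec code; the class names, the per-role inheritance flag, and the sample views, roles, and resource are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Group:
    """Organizational group in this sketch; all field names are assumptions."""
    name: str
    parent: "Group | None" = None
    grants: dict = field(default_factory=dict)    # role -> permissions set on this group
    broken_for: set = field(default_factory=set)  # roles whose inheritance is broken here

    def effective(self, role):
        """Permissions the role holds on resources placed directly in this group."""
        perms = set(self.grants.get(role, ()))
        if self.parent is not None and role not in self.broken_for:
            perms |= self.parent.effective(role)  # default: settings apply to child groups
        return perms


class ResourceSecurity:
    def __init__(self):
        self.placement = {}  # (view, resource) -> Group

    def assign(self, view, resource, group):
        # One group per resource per view: a second assignment replaces the first.
        self.placement[(view, resource)] = group

    def grants_by_view(self, role, resource):
        return {view: group.effective(role)
                for (view, res), group in self.placement.items() if res == resource}

    def effective(self, role, resource):
        """Union of the role's permissions over every view that contains the resource."""
        return set().union(*self.grants_by_view(role, resource).values())

    def unexpected_grants(self, role, resource, intended):
        """Permissions beyond `intended`, each mapped to the views that grant it."""
        extra = {}
        for view, perms in self.grants_by_view(role, resource).items():
            for perm in perms - set(intended):
                extra.setdefault(perm, []).append(view)
        return {perm: sorted(views) for perm, views in extra.items()}


def page_example():
    """Read in one view, write in another, nothing in a third (constructed names)."""
    sec = ResourceSecurity()
    sec.assign("Geography", "PC-042", Group("London", grants={"Helpdesk": {"Read"}}))
    sec.assign("Department", "PC-042", Group("Finance", grants={"Helpdesk": {"Write"}}))
    sec.assign("Network", "PC-042", Group("Subnet A"))
    return sec.effective("Helpdesk", "PC-042")


def default_view_example():
    """A read-only custom view does not narrow access while the Default view grants more."""
    sec = ResourceSecurity()
    # Default installation: every role has full permission on the Default view.
    top = Group("Top level", grants={"Helpdesk": {"Read", "Write"}})
    computers = Group("Computer", parent=top)
    emea = Group("EMEA", grants={"Helpdesk": {"Read"}})
    london = Group("London", parent=emea)
    sec.assign("Default", "PC-042", computers)
    sec.assign("Geography", "PC-042", london)
    before = sec.unexpected_grants("Helpdesk", "PC-042", intended={"Read"})
    # Break inheritance for the role on the Default view group; the group has
    # no permissions of its own set for the role, so nothing is left to clear.
    computers.broken_for.add("Helpdesk")
    after = sec.effective("Helpdesk", "PC-042")
    return before, after


if __name__ == "__main__":
    print(page_example())
    print(default_view_example())
```

Because grants only accumulate, a missing permission in one view never removes what another view gives; check the Default organizational view first when a role sees more than a custom view was meant to allow.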
You can filter the organizational groups to specify those that you want to be visible
in the left pane.
Creating organizational views
You can create the organizational views that you require to manage the resources
in your organization. Each organizational view typically models a particular
physical organization, or view, of the resources. For example, a geographical view
could organize the resources by physical location. A functional view could organize
the same resources by department or business function.
See “About resource security” on page 367.
See “Configuring resource security” on page 369.
To create an organizational view
1. In the Symantec Management Console, in the Manage menu, click
   Organizational Views and Groups.
2. Do one of the following:
   To create a new organizational view
      In the left pane, right-click the Organizational Views
      folder and then click New > Organizational View.
      The new organizational view is created immediately
      and appears in the Organizational Views folder. It is
      selected automatically.
   To modify an existing organizational view
      In the Organizational Views folder, select the
      organizational view that you want to modify.
3. (Optional) In the Organizational View page, edit the name and description of
   the organizational view:
   To change the view name
      1. Click the heading text to make it editable, and
         then type the view name.
      2. Click outside the edit box to finish editing the
         name.
   To change the view description
      1. Click the description text to make it editable, and
         then type the description.
      2. Click outside the edit box to finish editing the
         description.
4. Add the organizational groups that you want to include in the organizational
   view, and configure them to suit your requirements.
   See “Configuring organizational groups” on page 373.
Configuring organizational groups
You need to create the organizational group structure that you want within each
organizational view, and assign the appropriate resources to each group. The
hierarchical structure of organizational groups can have as many levels as you
require to represent the way that resources are organized in your environment.
Group names have no restrictions, so you may have multiple groups with the same
name. A resource item may belong to only one organizational group in each
organizational view.
See “Creating organizational views” on page 372.
See “Configuring resource security” on page 369.
To configure an organizational group
1. In the Symantec Management Console, in the Manage menu, click
   Organizational Views and Groups.
2. In the left pane, expand the Organizational Views folder and then do one of
   the following:
   To create a new organizational group
      Right-click the organizational view or group to which
      you want to add a new group, and then click New >
      Organizational Group.
      The new organizational group is created immediately
      and appears in the parent (view or group) folder. It is
      selected automatically.
   To modify an existing organizational group
      Select the organizational group that you want to
      modify.
3. (Optional) In the Organizational Group page, edit the name and description
   of the organizational group:
   To change the group name
      1. Click the heading text to make it editable, and
         then type the group name.
      2. Click outside the edit box to finish editing the
         name.
   To change the group description
      1. Click the description text to make it editable, and
         then type the description.
      2. Click outside the edit box to finish editing the
         description.
4. (Optional) Expand the status panel to view details of the resources that are
   contained in the group.
   The status panel lists the policies that are assigned to resources in the group,
   and indicates the status of the resources. If a computer or resource has a
   problem, the relevant information is displayed.
5. In the Resources panel, configure the organizational group to suit your
   requirements:
   To add resources to the group
      See “Adding resources to an organizational group”
      on page 375.
   To view the resources in the group
      See “Viewing and managing resources in an
      organizational group” on page 376.
Specifying the organizational groups displayed
You can specify the organizational groups that are displayed when working with
organizational views and groups. You can hide the groups that you do not want
to see and reduce the number of groups listed.
See “Configuring organizational groups” on page 373.
To specify the organizational groups displayed
1. In the Symantec Management Console, in the Manage menu, click
   Organizational Views and Groups.
2. In the left pane, select the organizational view for which you want to specify
   the visible organizational groups.
3. In the right pane (the organizational view page), click Filter.
4. In the Filter Visible Groups window, select the organizational groups that
   you want to be visible for this organizational view.
5. Click OK.
Adding resources to an organizational group
A resource may be included in only one organizational group in each organizational
view. A resource is automatically removed from an organizational group when
you assign that resource to another organizational group in the same organizational
view.
See “Configuring organizational groups” on page 373.
See “Configuring resource security” on page 369.
You can add resources to an organizational group from the Resources panel on
the Organizational Group page, or directly from the left pane.
To add resources to an organizational group from the Resources panel
1. In the Symantec Management Console, in the Manage menu, click
   Organizational Views and Groups.
2. In the left pane, select the organizational view for which you want to add
   organizational groups.
3. On the Organizational Group page, in the Resources panel, click Add, and
   then click one of the following:
   Computers
      Add managed computers to the group.
   Users
      Add users to the group.
   Resources
      Add resources of any type to the group.
      You can select computers and users using this option.
4. In the Edit Group window, select the appropriate resources, and then click
   OK.
To add resources to an organizational group directly
1. In the left pane, right-click the organizational group, and then click Edit
   Group.
2. In the Edit Group window, select the appropriate resources, and then click
   OK.
   This option duplicates the Add > Resources option in the Resources panel.
Viewing and managing resources in an organizational
group
The Resources panel displays all of the resources that are directly included in the
organizational group, and all the resources that are included in any of its child
groups. You can change the view to see only the computers that are in the group.
See “Configuring resource security” on page 369.
You can view the list of resources that are available for a particular security role.
For example, you may want to verify that you have correctly set up the resource
security for a particular role. The security roles that are assigned to an
organizational group determine the access to all resources that are directly
included in that group. Each security role has access to only the resources that
are directly included in the groups to which the role is assigned.
When you view the resources for a particular security role, you see only the
resources that are available for both the selected role and your role. If your role
is the Administrator role (which has access to all resources), you always see all
the resources that are available to the selected role. However, if you have another
role (which may not have access to all resources), you may not see all of the
resources that are available to the selected role.
Note: If you do not belong to a role (i.e. user-based security has been applied rather
than role-based), choose None to have no security role selected. This ensures that
all the resources to which you have access are shown. If you select a role that you
do not belong to, all resources are filtered out and you will not see anything.
You can perform management actions on resources in an organizational group.
The available actions include opening the Resource Manager, exporting the
resource to an XML file, viewing the resource properties, adding the resource to
a different group, and deleting the resource from the group.
To view computers or all resources
1
In the Symantec Management Console, in the Manage menu, click
Organizational Views and Groups.
2
In the left pane, expand the Organizational Views folder and then select the
appropriate organizational group.
3
On the Organizational Group page, in the Resources panel, in the View
drop-down list, select one of the following:
All
Display all of the resources that are included in the
group.
Computers
Display only the computers that are included in the
group.
To view resources for a particular security role
1
In the Symantec Management Console, in the Manage menu, click
Organizational Views and Groups.
2
In the left pane, expand the Organizational Views folder and then select the
appropriate organizational group.
3
On the Organizational Group page, in the Resources panel, in the Role
drop-down list, select the appropriate role.
To perform an action on a resource
1
In the Symantec Management Console, in the Manage menu, click
Organizational Views and Groups.
2
In the left pane, expand the Organizational Views folder and then select the
appropriate organizational group.
3
On the Organizational Group page, in the Resources panel, right-click the
resource and then click the appropriate option:
Resource Manager
Open the Resource Manager console to view and
manage the resource.
Export
Export the resource to an XML file.
See “Saving console elements as XML files” on page 200.
Properties
Display properties of the resource.
Add to organizational group
1
In the Add to Organizational Group window,
select the organizational group to which you want
to assign the resource.
2
Click OK.
If the new group is in the same organizational
view as the current group, the resource is removed
from the current group.
Delete
Delete the resource from the group. The resource is
not deleted from any other groups (in different
organizational views) that it belongs to.
Edit
This option is available only for the resources that you
can edit.
The appropriate page is displayed.
Setting security on organizational groups
You set the security on an organizational group by assigning it the appropriate
security roles. When a security role is assigned to a group, the members of that
security role have access to the resources that are in the group. By default, all
child groups inherit all security assignments on an organizational group. The
inheritance gives the role the same access to all resources in those child groups.
You can break the inheritance at any level, and can restore it when necessary.
See “About resource security” on page 367.
See “Configuring resource security” on page 369.
To set security on organizational groups, you require the Change Permissions
system permission.
You can assign a security role to an organizational group with the permissions
that are appropriate for that role. For example, an administrator role would require
full management rights to all resources in a group, but an end user role may
require only read access to those resources. By default, assigning a security role
some permissions on an organizational group gives that role the same permissions
on all of its child groups.
To set security on an organizational group
1
In the left pane, right-click the organizational group, and then click Manage
Security.
2
Click the appropriate option:
Assign Management Rights
Assigns all available permissions to the organizational
group.
In the Assign Management Rights window, select the
appropriate security roles, and then click OK.
Assign Read
Assigns the Symantec System "Read" permission to
the organizational group.
In the Assign Read Rights window, select the
appropriate security roles, and then click OK.
Assign Custom
Opens the Security Role Manager, which lets you assign
the appropriate permissions to the organizational
group for each security role. You can also set or change
the permission inheritance for each role.
See “Setting custom security permissions on
organizational groups” on page 380.
Setting custom security permissions on organizational groups
You can specify the non-inherited permissions that apply to each organizational
group for each security role. These are combined with the inherited permissions
to determine the access that the security role has to the resources in the group.
By default, any child groups inherit the combined set of permissions as inherited
permissions.
See “Setting security on organizational groups” on page 379.
See “About resource security” on page 367.
See “Configuring resource security” on page 369.
Table 18-2 Non-inherited permissions that you can set on each organizational group
Permission Type
Permissions
System Permissions
■ Delete
■ Write
■ Clone
■ Read
■ Change Permissions
■ Read Permissions
Resource Management Permissions
■ Read Resource Data
■ Read Resource Association
■ Write Resource Data
■ Write Resource Association
Task Server Permissions
■ Run Task on Resource
To set custom security permissions on an organizational group
1
In the Symantec Management Console, in the Manage menu, click
Organizational Views and Groups.
2
In the left pane, right-click the organizational group for which you want to
set permissions and then click Security.
3
In the Security Role Manager, in the Role drop-down list, select the security
role for which you want to set custom permissions.
4
In the View drop-down list, select All Resources.
5
In the left pane, select the organizational view or group for which you want
to set permissions.
6
On the Organizational Group page, in the Noninherited panel, make the
appropriate changes to the permission settings.
7
(Optional) If you want to configure permission inheritance for this group,
click Advanced.
See “Configuring permission inheritance for organizational groups”
on page 381.
8
Click Save Changes.
Configuring permission inheritance for organizational groups
By default, permission inheritance is enabled for all organizational views and
groups. The security permissions for each role that is assigned to an organizational
view or group apply to its child groups. The inherited permissions cannot be
modified on the child groups, but additional non-inherited permissions can be
specified. The non-inherited permissions are applied directly to the group and
can be modified at any time. The permission settings on each group are the
combination of both the inherited and non-inherited settings. Child groups inherit
the combined set of permissions. Any changes to permission settings for an
organizational view or group are immediately applied to all of its child groups.
See “Setting custom security permissions on organizational groups” on page 380.
See “Setting security on organizational groups” on page 379.
See “About resource security” on page 367.
See “Configuring resource security” on page 369.
You can disable permission inheritance for any organizational group. For example,
you may want to remove some of the inherited permissions from the group, but
want to preserve them on its parent organizational view or group. The permission
inheritance settings that you apply to an organizational group may be different
for each security role.
You can also remove all non-inherited permissions from child groups of an
organizational view or group, leaving only the inherited permissions. For example,
you may want to remove custom permissions from child groups, or to restore a
standard set of permissions on all child groups.
To configure permission inheritance for an organizational group
1
In the Symantec Management Console, in the Manage menu, click
Organizational Views and Groups.
2
In the left pane, right-click the organizational group for which you want to
set permissions and then click Security.
3
In the Security Role Manager, in the left pane, select the organizational
group for which you want to configure permission inheritance.
4
In the Organizational Group page, click Advanced.
5
In the Permissions for: Group Name window, select the security role for which
you want to view permissions.
6
(Optional) In the Permissions for panel, change the permissions that are
assigned to the selected security role for this group.
You can change only the non-inherited permissions. You cannot edit the
inherited permissions.
7
Do any of the following:
To inherit permissions from the parent organizational view or group
Check Inherit the permission entries from parent
object that apply to child objects.
The inherited permission settings on the group are
updated to reflect the current permission settings on
the parent organizational view or group.
To disable permissions inheritance
Uncheck Inherit the permission entries from parent
object that apply to child objects.
You have the choice of copying the current inherited
permissions from the parent organizational view or
group, or removing all inherited permissions.
Any subsequent changes to the permission settings on
the parent organizational view or group do not affect
the permission settings on the group.
To remove all non-inherited permissions from child groups
Check Replace permissions on all child objects.
The non-inherited permissions settings are cleared on
all child groups, leaving only the inherited permissions.
8
Click Apply.
9
(Optional) If you have disabled permission inheritance, in the Inherited
Permissions Behavior dialog box, click the appropriate option:
Copy
The current inherited permissions are merged with the
non-inherited permission settings on this group.
Remove
The current inherited permissions are cleared, leaving only the
non-inherited permissions.
Ensure that you have the appropriate non-inherited permissions
on the group before you select this option.
10
Click Cancel to close the Permissions for: Group Name window.
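The inheritance rules in this section, modeled as an added example (not Symantec code or a product API): a group's permissions are its inherited and non-inherited sets combined, and the audit lists groups where disabled inheritance left a role with no permissions or with permissions its parent no longer grants. The class, role and group names are constructed, and the handling of Replace permissions on all child objects (every descendant, inheritance setting left unchanged) is an assumption.

```python
class OrgGroup:
    """Constructed model of an organizational view or group (not a product API)."""

    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.children = []
        self.non_inherited = {}       # role -> permissions set directly on this group
        self.inheritance_off = set()  # roles whose inheritance is disabled here
        if parent is not None:
            parent.children.append(self)

    def inherited(self, role):
        """Permissions received from the parent: the parent's combined set."""
        if self.parent is None or role in self.inheritance_off:
            return set()
        return self.parent.effective(role)

    def effective(self, role):
        """Combination of the inherited and non-inherited permissions."""
        return self.inherited(role) | self.non_inherited.get(role, set())

    def grant(self, role, *perms):
        self.non_inherited.setdefault(role, set()).update(perms)

    def revoke(self, role, *perms):
        self.non_inherited.get(role, set()).difference_update(perms)

    def disable_inheritance(self, role, behavior):
        """'copy' merges the current inherited permissions into the
        non-inherited set; 'remove' drops them."""
        if behavior not in ("copy", "remove"):
            raise ValueError("behavior must be 'copy' or 'remove'")
        if behavior == "copy":
            self.grant(role, *self.inherited(role))
        self.inheritance_off.add(role)

    def replace_on_children(self, role):
        """Clear non-inherited permissions below this group. Assumption: applies
        to every descendant and leaves each inheritance setting unchanged."""
        for child in self.children:
            child.non_inherited.pop(role, None)
            child.replace_on_children(role)


def audit_broken_inheritance(root, role):
    """List groups where inheritance is disabled for the role and the result is
    either no permissions at all or permissions the parent does not grant."""
    findings, stack = [], [root]
    while stack:
        group = stack.pop()
        stack.extend(group.children)
        if group.parent is None or role not in group.inheritance_off:
            continue
        own = group.effective(role)
        extra = own - group.parent.effective(role)
        if not own:
            findings.append((group.name, "no permissions"))
        elif extra:
            findings.append((group.name, "beyond parent: " + ", ".join(sorted(extra))))
    return sorted(findings)


def demo():
    role = "Helpdesk"                          # constructed role name
    view = OrgGroup("By Department")           # constructed organizational view
    finance = OrgGroup("Finance", view)
    servers = OrgGroup("Finance Servers", finance)
    laptops = OrgGroup("Finance Laptops", finance)
    kiosks = OrgGroup("Finance Kiosks", finance)
    groups = (finance, servers, laptops, kiosks)

    finance.grant(role, "Read", "Write", "Run Task on Resource")
    kiosks.grant(role, "Delete")               # additional non-inherited permission
    servers.disable_inheritance(role, "copy")
    laptops.disable_inheritance(role, "remove")

    # The parent is tightened later; only groups that still inherit follow it.
    finance.revoke(role, "Write", "Run Task on Resource")
    before = {g.name: g.effective(role) for g in groups}
    findings = audit_broken_inheritance(view, role)

    finance.replace_on_children(role)          # restore a standard set below Finance
    after = {g.name: g.effective(role) for g in groups}
    return before, findings, after


if __name__ == "__main__":
    before, findings, after = demo()
    for name, perms in before.items():
        print(name, sorted(perms))
    for name, issue in findings:
        print("REVIEW", name, "-", issue)
    print("after replace:", {n: sorted(p) for n, p in after.items()})
```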
Chapter 19
Configuring resource filters and targets
This chapter includes the following topics:
■ About resource filters
■ Creating or modifying a filter
■ Creating a new filter
■ Modifying an existing filter
■ Selecting the filter query type
■ Defining a resource query for a filter
■ Defining an SQL query for a filter
■ Specifying filter inclusions and exclusions
■ Updating the membership of a filter
■ Performing actions on filter resources
■ Viewing filter dependencies
■ About resource targets
■ Scheduling resource membership updates
About resource filters
A resource filter, usually known as a filter, is a dynamic definition of a set of
resources. The resources may be grouped by some specified parameters, and they
may also be explicitly included in a filter or excluded from a filter. A filter typically
isolates only one aspect of a resource, such as its operating system, available disk
space, or RAM. Filters are used with organizational groups to identify the resources
(a resource target) that a task or policy applies to.
See “About resource targets” on page 397.
A filter does not contain any specific resources. All resources are contained in the
organizational groups that are set up in organizational views. The organizational
groups and organizational views are the same as are used for resource security.
A filter operates on a specific organizational view or group to identify the
appropriate resources. Consequently, filters are portable and can be applied to
any organizational view or group, and they can be used with other filters. For
example, you may want to apply a policy to all Windows XP computers in a
particular department of your organization. In this case, to select only the
computers that run Windows XP, you can apply a filter to the organizational group
that represents the appropriate department.
See “About resource security” on page 367.
See “Creating or modifying a filter” on page 386.
Creating or modifying a filter
You can create a new filter from scratch, or clone an existing filter and modify it
to suit your requirements. You can modify any filter that you have created or have
write permission on. You cannot modify any of the default filters that are supplied
with Notification Server. You cannot modify any of the filters that are added by
hierarchy replication from a parent Notification Server. Only the filters that have
been created on your Notification Server can be edited locally.
See “About resource filters” on page 385.
You can also create a filter by saving a report. A filter created this way is a static
filter and has no query. The filter membership is a fixed list of inclusions that is
determined when the filter is created. You can modify a static filter by adding
further inclusions or exclusions, which may be dynamic filters. However, you
cannot add a query directly to a static filter.
See “Creating a static filter from Notification Server report results” on page 506.
Table 19-1 Process for creating or modifying a filter
Step
Action
Description
Step 1
Create a new filter or select an
existing filter to modify.
You can create a new filter from scratch, or modify an existing
filter to suit your requirements.
See “Creating a new filter” on page 388.
See “Modifying an existing filter” on page 388.
Step 2
Select the query type.
This step applies only to a new filter. You cannot change the
query type when you modify an existing filter.
If you want to create a dynamic filter, you need to select the
appropriate query type. If you choose no query, the filter
membership is the specified inclusions and exclusions.
See “Selecting the filter query type” on page 389.
Step 3
Specify the query to use.
You can write the query SQL yourself or use the Query Builder
to build the filter query. The Query Builder is a user-friendly tool
that lets you select the tables and fields that you want to use. It
helps you define the query to suit your requirements.
See “Defining a resource query for a filter” on page 390.
See “Defining an SQL query for a filter” on page 391.
Step 4
Specify the inclusions and
exclusions.
You can specify particular resources or filters to include or
exclude in the filter. The filters that you include or exclude may
contain further filters. You can select from the resources and
filters that are available in the CMDB, and you can import
resources from a CSV file.
See “Specifying filter inclusions and exclusions” on page 392.
Step 5
Verify the filter configuration by
viewing the filter membership.
The membership of a filter is determined by running the filter
query on the CMDB to extract the appropriate resources. You
can update the membership to verify that the filter is correctly
defined.
See “Updating the membership of a filter” on page 394.
Step 6
Save the filter.
You can save the new filter definition or modified filter definition.
Once a new filter is saved, you cannot change its query type.
See “Creating a new filter” on page 388.
See “Modifying an existing filter” on page 388.
Creating a new filter
You can create any new filters that you need, and you can specify the query,
inclusions, and exclusions to define the membership that you want.
See “About resource filters” on page 385.
See “Creating or modifying a filter” on page 386.
To create a new filter
1
In the Symantec Management Console, on the Manage menu, click Filters.
2
In the left pane, right-click the folder to which you want to add the new filter,
and then click New > Filter.
3
In the right pane, specify the filter name and description.
4
Select the query type.
See “Selecting the filter query type” on page 389.
5
Do any of the following actions:
Define the query
See “Defining a resource query for a filter” on page 390.
See “Defining an SQL query for a filter” on page 391.
Specify any necessary inclusions and exclusions
See “Specifying filter inclusions and exclusions” on page 392.
Update the filter membership
See “Updating the membership of a filter” on page 394.
6
Click Save Changes.
Modifying an existing filter
You can modify any filter that you have created or that you have write permission
on. You cannot modify any of the default filters that are supplied with Notification
Server. You cannot modify any filters that are added by hierarchy replication
from a parent Notification Server. Only the filters that were created on your
Notification Server can be edited locally. The only action that you can perform
on a read-only filter is to update the filter membership.
See “About resource filters” on page 385.
See “Creating or modifying a filter” on page 386.
If you want to modify a read-only filter, clone it to create a new filter, and then
modify the new filter to suit your requirements. When you modify a filter, you
can modify the filter query and the specific inclusions or exclusions, but you
cannot change the query type.
To modify an existing filter
1
In the Symantec Management Console, on the Manage menu, click Filters.
2
In the left pane, click the filter that you want to modify.
3
(Optional) In the right pane, change the filter name and description.
4
In the upper-right corner, click Edit.
If the Edit option is unavailable, the filter is read-only and you cannot modify
it.
5
Do any of the following actions:
Modify the query
See “Defining a resource query for a filter” on page 390.
See “Defining an SQL query for a filter” on page 391.
Modify the inclusions and exclusions
See “Specifying filter inclusions and exclusions” on page 392.
Update the filter membership
See “Updating the membership of a filter” on page 394.
6
Click Save Changes.
Selecting the filter query type
When you create a new filter, you need to specify the type of query to use. You
can use the Query Builder to define the filter query, or you can write the query
SQL yourself. You can also choose to have no query in the filter. You cannot change
the query type after the filter has been saved.
See “About resource filters” on page 385.
See “Creating or modifying a filter” on page 386.
See “Creating a new filter” on page 388.
To select the filter query type
1
In the Symantec Management Console, on the Manage menu, click Filters.
2
In the left pane, right-click the folder to which you want to add the new filter,
and then click New > Filter.
3
On the New Filter page, in the Filter Definition drop-down list, select the
query type that you want to use:
None
The filter does not use a query. The inclusions and exclusions of
specific resources and filters define the filter membership.
Query Builder
Use the Query Builder to build the filter query. The Query Builder
is a user-friendly tool that lets you select the tables and fields that
you want to use. It helps you define the query to suit your
requirements.
See “Defining a resource query for a filter” on page 390.
Raw SQL
Write your own SQL query. For example, you may want to copy a
query from another filter or report and modify it to suit your
requirements.
See “Defining an SQL query for a filter” on page 391.
Defining a resource query for a filter
A resource query is based on the tables that are available in the CMDB. The Query
Builder is a user-friendly tool that provides a standard template and lets you select
the tables and fields that you want to use. It helps you to define the query to suit
your requirements. You do not need any SQL knowledge to define a resource
query. The resource query is converted to SQL automatically, and the SQL is run
on the CMDB to extract the appropriate resources.
See “Creating or modifying a filter” on page 386.
See “Selecting the filter query type” on page 389.
To define a resource query for a filter
1
In the Symantec Management Console, on the Manage menu, click Filters.
2
In the left pane, click the filter that you want to modify.
3
In the right pane, in the Filter Definition panel, specify the resource query
details on the appropriate tabs.
Query
The resource query syntax.
See “Building a resource query for a custom report or filter”
on page 521.
Fields
The fields and the data class attributes to use in the query.
See “About setting up resource query fields for a custom
report or filter” on page 525.
Query Parameters
The parameters that are used in the query. These are internal
parameters for SQL use, not user parameters.
Parameters are not commonly used in filter queries, but may
be useful for getting registry information. For example, an
agent version number for an upgrade.
See “About using parameters in custom report and filter
queries” on page 532.
Filter Expressions
The conditional statements that are used to further refine
the results of the query. Each statement or grouped statement
can be considered a filter. You need to create the statements
that you want to use and group them accordingly.
See “About setting up filter expressions to refine the query
results” on page 529.
Resolved Query
The SQL code that is run on the CMDB to extract the filter
results.
See “Viewing the resolved query of a custom report or filter”
on page 535.
Defining an SQL query for a filter
You can write an SQL query to define the resources that you want to include in
the filter. You can write the SQL code from scratch. Alternatively, you can copy
the SQL from another filter or report and modify it to suit your requirements. For
example, you can create a resource query using the Query Builder, and then copy
the generated SQL from the Resolved Query tab. You can also use the Query Builder
to define the basic structure of your query, convert it to SQL, and then modify the
SQL directly to create the query that you want.
See “Converting a resource query to an SQL query for a custom report” on page 521.
You need the Edit SQL privilege to create or modify SQL queries, and you should
have a good understanding of the CMDB table structure.
See “Creating or modifying a filter” on page 386.
See “Selecting the filter query type” on page 389.
To define an SQL query for a filter
1
In the Symantec Management Console, on the Manage menu, click Filters.
2
In the left pane, click the filter that you want to modify.
3
In the right pane, in the Filter Definition panel, specify the SQL query details
on the appropriate tabs.
Parameterized Query
The SQL code for the query.
See “Writing an SQL query for a custom report or filter”
on page 538.
Query Parameters
The parameters that are used in the query. These are internal
parameters for SQL use, not user parameters.
Parameters are not commonly used in filter queries, but may
be useful for getting registry information. For example, an
agent version number for an upgrade.
See “About using parameters in custom report and filter
queries” on page 532.
Resolved Query
The SQL code that is run on the CMDB to extract the filter
results.
See “Viewing the resolved query of a custom report or filter”
on page 535.
4
Click Save Changes.
Specifying filter inclusions and exclusions
You can specify particular resources or filters to include or exclude in your filter.
The filters that you include or exclude may contain further filters. You can select
resources and filters from the list of those available in the CMDB, and you can
also import resources from a .csv file.
See “Creating or modifying a filter” on page 386.
If you import resources from a .csv file, the file may identify a computer by name,
fully qualified domain name, or IP address. Any item that is not found in the CMDB
is ignored.
The filter membership is determined by adding the inclusions to the query results,
and then removing the exclusions. Filters and resources have no difference in
priority.
To specify resources to include or exclude
1
In the Symantec Management Console, on the Manage menu, click Filters.
2
In the left pane, click the filter that you want to modify.
3
In the right pane, in the Filter Definition panel, under Explicit Inclusions
and Exclusions, do any of the following:
To include selected resources
1
Under Inclusions, click Select a resource.
2
In the Select Resources window, select the
resources that you want to include, and then click
OK.
To include the resources that are listed in a file
1
Under Inclusions, click Import from a file.
2
In the Select File to Import window, select the
appropriate CSV file, and then click Open.
To exclude selected resources
1
Under Exclusions, click Select a resource.
2
In the Select Resources window, select the
resources that you want to exclude, and then click
OK.
To exclude the resources that are listed in a file
1
Under Exclusions, click Import from a file.
2
In the Select File to Import window, select the
appropriate CSV file, and then click Open.
The selected resources are listed beside the appropriate fields.
To specify filters to include or exclude
1
In the Symantec Management Console, on the Manage menu, click Filters.
2
In the left pane, click the filter that you want to modify.
3
In the right pane, in the Filter Definition panel, under Explicit Inclusions
and Exclusions, do any of the following:
To include selected filters
1
Under Inclusions, click Select a filter.
2
In the Select Filters window, select the filters that
you want to include, and then click OK.
To exclude selected filters
1
Under Exclusions, click Select a filter.
2
In the Select Filters window, select the filters that
you want to exclude, and then click OK.
The selected filters are listed beside the appropriate fields.
Updating the membership of a filter
The membership of a filter is determined by running the filter query on the CMDB
to extract the appropriate resources. To keep the filter membership up-to-date
as the resource information in the CMDB changes, you should update the
membership at suitable intervals. You can use the scheduled filter updates to
update the filter membership, or you can run the update manually at appropriate
times. For example, when you create or modify a filter, you can update the
membership to verify that the filter is correctly defined.
See “About resource filters” on page 385.
See “Scheduling resource membership updates” on page 398.
The Filter Membership panel on the Filter Name page shows details of the resources
in your scope that are currently identified as members of the filter. The filter
membership may be different for different user roles. Only the resources that a
user has Read permission on are visible to that user. However, when a user
manually updates the membership of a filter, the filter query is run on all resources
in the CMDB. The console restricts the results to show only the resources that are
within the viewing user's scope.
To update the membership of a filter
1
In the Symantec Management Console, on the Manage menu, click Filters.
2
In the left pane, click the filter for which you want to update the membership.
3
In the right pane, in the Filter Membership panel, do any of the following:
To update the filter membership immediately
Click Update Membership.
To update the filter membership using the filter update schedules
Click Update Membership > Auto.
To allow manual filter membership updates only
Click Update Membership > Manual.
This option turns off the scheduled updates for
the filter membership. For example, the filter
contains a complex query that you want to run
only when necessary.
Performing actions on filter resources
You can perform actions on selected filter resources. These options are the same
as those that are available on the context (right-click) menu. The available actions
depend on the type of resource that is selected, so some options may not be
available for all resources.
See “About resource filters” on page 385.
See “About the context menu” on page 205.
To perform an action on a filter resource
1
In the Symantec Management Console, on the Manage menu, click Filters.
2
In the left pane, click the filter that you want to use.
3
In the right pane, in the Filter Membership panel, select the resource on
which you want to perform an action.
4
Click Actions, and then click the appropriate option:
Resource Manager
Opens the resource in the Resource Manager console.
Export
Exports the resource to an XML file.
Properties
Displays the properties of the resource.
Set Asset Status > Active
Sets the status of an asset to Active.
This setting is relevant to Asset solution.
Set Asset Status > Retired
Sets the status of an asset to Retired.
This setting is relevant to Asset solution.
Add to Organizational Group
Assign the resource to an organizational group.
Delete
Delete the resource from the filter.
Power Management Task
Schedule or run the power management task.
Viewing filter dependencies
Before you modify a filter, you may want to find out what other items depend on
it. You can view a list of all the filters, targets, tasks, and policies that use a
particular filter.
See “About resource filters” on page 385.
The list of dependencies contains all of the targets that include the specified filter
directly or within an included filter. The list also contains all policies and tasks
that are applied to those targets. The inclusion of the filter in the target defines
the dependency. The dependency does not necessarily mean that the policy or
task is currently applied to a resource in the filter.
To view the dependencies of a filter
1. In the Symantec Management Console, on the Manage menu, click Filters.
2. In the left pane, click the filter for which you want to view dependencies.
3. In the right pane, in the Filter Membership panel, click Referenced By.
4. In the Items applied to this filter dialog box, view the list of filters, targets,
   tasks, and policies that use the filter.
5. Click Close.
About resource targets
A resource target, usually known as a target, is a framework that lets you apply
tasks and policies to a dynamic collection of resources. A target consists of at least
one organizational view or group, and a number of filters. The filters refine the
available resources to identify those that you want. The organizational view or
group acts as a security filter. It ensures that the policy or task is applied only to
resources that the user's security role has permission to work with.
See “Specifying the targets of a policy or task” on page 413.
Targets are cached in the CMDB and dynamically evaluated when the task or
policy is run. The target is evaluated against the scope of the current user. Only
the resources that appear in the organizational view or group and in the filters
are returned. The target includes only the resources to which the user has Read
access. Resources outside the current user's scope are never visible.
The system filters that are supplied with Notification Server contain only managed
resources, but targets and organizational views and groups may contain
unmanaged resources. You can also create your own custom filters that include
unmanaged resources. However, when you apply a target to a policy or task, only
the managed computers in the target can request the policy or run the task.
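The scoping rules described above, together with the dependency list from "Viewing filter dependencies", as an added conceptual model in Python. It is not Symantec's code or API: every name and data value is constructed, and treating several organizational groups in one target as a union is an assumption.

```python
# Conceptual model only: constructed data, not Symantec code or the product's API.
MANAGED = {"pc-01", "pc-02", "pc-09", "srv-01"}   # printer-01 is unmanaged

ORG_GROUPS = {            # organizational group -> member resources
    "Sales": {"pc-01", "pc-02", "printer-01"},
    "Datacenter": {"pc-09", "srv-01"},
}
READ_ACCESS = {           # security role -> groups the role has Read access to
    "sales-admin": {"Sales"},
    "global-admin": {"Sales", "Datacenter"},
}
FILTERS = {               # filter -> direct members and included (nested) filters
    "Windows Computers": {"members": {"pc-01", "pc-02", "pc-09", "srv-01"}, "includes": []},
    "Custom Devices": {"members": {"printer-01"}, "includes": []},
    "All Endpoints": {"members": set(), "includes": ["Windows Computers", "Custom Devices"]},
}
TARGETS = {               # target -> scope groups, filters, and items applied to it
    "Patch Everything": {"groups": ["Sales", "Datacenter"],
                         "filters": ["All Endpoints"],
                         "applied": ["Patch Policy"]},
    "Sales Only": {"groups": ["Sales"],
                   "filters": ["Windows Computers"],
                   "applied": ["Inventory Task"]},
}


def filter_closure(name, seen=None):
    """Return the named filter plus every filter it includes, directly or nested."""
    seen = set() if seen is None else seen
    if name in seen:                      # guard against include cycles
        return seen
    seen.add(name)
    for child in FILTERS[name]["includes"]:
        filter_closure(child, seen)
    return seen


def filter_members(name):
    """Membership of a filter, including the members of its included filters."""
    members = set()
    for f in filter_closure(name):
        members |= FILTERS[f]["members"]
    return members


def evaluate_target(target_name, role):
    """Evaluate a target in the scope of one security role.

    visible: resources in a readable organizational group AND in every filter.
    can_run: the managed subset, which is all that can request a policy or run a task.
    """
    target = TARGETS[target_name]
    readable = READ_ACCESS.get(role, set())
    scope = set()
    for group in target["groups"]:        # assumption: several groups form a union
        if group in readable:             # groups without Read access contribute nothing
            scope |= ORG_GROUPS[group]
    visible = scope
    for f in target["filters"]:
        visible = visible & filter_members(f)
    return {"visible": visible, "can_run": visible & MANAGED}


def referenced_by(filter_name):
    """Items that depend on a filter: including filters, targets, applied items."""
    filters = sorted(f for f in FILTERS
                     if f != filter_name and filter_name in filter_closure(f))
    targets = sorted(t for t, d in TARGETS.items()
                     if any(filter_name in filter_closure(f) for f in d["filters"]))
    applied = sorted({item for t in targets for item in TARGETS[t]["applied"]})
    return {"filters": filters, "targets": targets, "applied": applied}


if __name__ == "__main__":
    for role in ("sales-admin", "global-admin"):
        result = evaluate_target("Patch Everything", role)
        print(role, sorted(result["visible"]), sorted(result["can_run"]))
    print(referenced_by("Windows Computers"))
```

The same target returns a different resource set for each role, and the dependency list for a filter includes targets that reach it only through an included filter.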
There are two types of targets that you can apply to a policy or task:
Autogenerated resource targets: These are targets that have not been explicitly
named and saved. Autogenerated targets are used only by the policy or task in
which you create them. For example, if you use the Quick Apply option to select
a filter, or the Select Resources dialog box to select a set of resources, the
corresponding target is created and added to the policy or task. The
autogenerated target is given a default name that is based on the
organizational group, filter, or set of resources that it contains.
You can edit these targets when you modify the policy or task, but you cannot
apply them to any other policies or tasks.
Named resource targets: These are targets that have been explicitly saved as
named resource targets. Named targets can be applied to any number of tasks and
policies, and can be modified by any user that has the appropriate permissions.
See “About resource filters” on page 385.
See “Creating or modifying a filter” on page 386.
Scheduling resource membership updates
You can keep all of your resource filters, organizational groups, and resource
targets up to date by configuring the appropriate filter update schedules. These
schedules let you update the filters, organizational groups, and targets that you
need at suitable intervals. These schedules help you manage the processing load
that is imposed on Notification Server.
See “About resource filters” on page 385.
Predefined resource membership update schedules are supplied with the Symantec
Management Platform. These schedules are suitable for most purposes and you
should not need to change them. However, as the requirements of your
organization change, you can make the necessary changes.
Table 19-2 Resource membership update schedules

Schedule: Description
Delta Update schedule: Updates the membership of the following:
  ■ Filters that have had membership changes since the last update.
  ■ All dynamic organizational groups.
  ■ All invalid targets.
  A target may be invalidated by the following events:
  ■ Its definition is saved.
  ■ A filter that it uses has membership changes.
  ■ An organizational group that it uses has membership changes.
  ■ The security that is applied to an organizational group that it uses
    changes.
  By default, this schedule runs every five minutes.
Complete Update schedule: Completely re-creates the membership of all filters,
  organizational groups, and targets, regardless of inventory status or any
  changes to policies. The complete update may impose a significant load on
  Notification Server and should be scheduled accordingly.
  By default, this schedule runs once a day.
Policy Update schedule: Updates the membership of filters that a policy uses,
  if the policy has changed since the last update.
  This schedule ensures that when you update or create a policy, all the
  filters that are included in the new policy targets or modified policy
  targets are updated automatically.
  By default, this schedule runs every five minutes.
See “About Symantec Management Platform schedules” on page 121.
See “Viewing the Notification Server internal schedule calendar” on page 128.
To configure the resource membership update schedules
1. In the Symantec Management Console, on the Settings menu, click
   Notification Server > Resource Membership Update.
2. On the Resource Membership Update page, configure the update schedules
   that you want to use.
   See “Specifying a policy schedule” on page 420.
3. If you want to run an update schedule immediately, in the appropriate panel,
   click Run.
   For example, you can ensure that all the changes to your filters take effect
   immediately, rather than waiting until the scheduled update.
4. Click OK.
Chapter 20
Configuring packages
This chapter includes the following topics:
■ Changing the configuration settings for a package
■ Updating the distribution points for a package
■ Package tab settings
■ Enabling access to a package at a UNC source location
■ Managing package programs
■ Programs tab settings
■ Package Servers tab settings
■ Advanced tab settings
Changing the configuration settings for a package
A package includes a set of files that can be delivered to a managed resource. For
example, the Symantec Management Agent Package includes the
AeXClientUpgrade.exe file. The AeXClientUpgrade.exe file installs the agent to
managed resources.
The Package page lets you configure the package settings, such as package source,
package location, and how the package runs.
To change the configuration settings for a package
1. In the Symantec Management Console, on the Settings menu, click All
   Settings.
2. In the left pane, select the package that you want to modify.
3. In the Package page, make the necessary configuration changes on the
   appropriate tabs:
   Package: See “Package tab settings” on page 403.
   Programs: See “Managing package programs” on page 405.
   See “Programs tab settings” on page 406.
   Package Servers: See “Package Servers tab settings” on page 408.
   Advanced: See “Advanced tab settings” on page 409.
4. Click Save changes to confirm the new settings.
You need to update the package distribution points to update the package
information on each package server.
See “Updating the distribution points for a package” on page 402.
Updating the distribution points for a package
Package distribution points are the locations where the package is stored, such
as package servers or UNC source locations. Information on each package is
contained in an XML file that is stored with the package. This information must
be updated each time the package is modified. Notification Server and package
servers use this information to provide the appropriate files when a managed
computer requests the package. The package information is updated on a schedule,
but you can perform a manual update when needed. For example, you can manually
update the distribution points for a modified package to immediately update the
package information on all of its distribution points.
See “Changing the configuration settings for a package” on page 401.
You can update distribution points for a package in the Software Catalog or for a
package that is accessed from the Settings menu.
To update the package distribution points for a package in the Software Catalog
1. In the Symantec Management Console, on the Manage menu, click Software
   Catalog.
2. In the Software Catalog window, do one of the following:
   ■ For a software component that is undefined, in the Newly
     discovered/undefined software list, select it and then click the Edit
     symbol. If the undefined software component is not in the list, click Show
     all software at the bottom of the list.
   ■ For a software component that is defined, locate the software product
     that the software component is associated with in the Managed software
     products or Unmanaged software list. You then click the Plus sign that
     precedes the software product, and click the link for the software
     component that appears below the software product.
3. On the software resource page, on the Package tab, in the Packages panel,
   click the package for which you want to update distribution points.
4. Click Actions > Update Distribution Points.
To update the package distribution points for a package accessed from the Settings
menu
1. In the Symantec Management Console, on the Settings menu, click All
   Settings.
2. In the left pane, select the package for which you want to update distribution
   points.
3. In the Package page, at the bottom of the page, click Update Distribution
   Points.
Package tab settings
The Package tab lets you set package options such as the package name, version,
and source file location.
See “Changing the configuration settings for a package” on page 401.
Table 20-1 Settings on the Package tab

Setting: Description
Name: The package name.
Description: A user-friendly description of the package.
Publisher: The package publisher.
Language: The package language.
Version: The package version.
Package Source: The location from which to access the package source files:
  ■ Package does not contain source files
    The package is a command line that is sent to the target computer. For
    example, a call to a utility such as Chkdsk.exe. The package contains no
    source files.
  ■ Access Package from a local directory in the Notification Server computer
    The package is stored in a local directory on the Notification Server
    computer.
  ■ Access Package from existing UNC
    The package is stored on a UNC source path and is downloaded through HTTP
    using the appropriate distribution point credential.
    See “Enabling access to a package at a UNC source location” on page 404.
  ■ Access Package from a URL
    The package is accessed through an anonymous URL that points to the
    appropriate UNC source location.
Package Location: The location where the package is stored. This can be a local
  directory on the Notification Server, a UNC path, or a URL.
Package files will be deleted from the client computer if unused for: The
  length of time after which an unused package is deleted from a managed
  computer.
  The following options are available:
  ■ Never Delete
  ■ 0 Days (delete immediately)
  ■ 1, 2, 3 days, 1, 2 weeks, 1 month, 1 year
Enabling access to a package at a UNC source location
The Symantec Management Agent uses the agent connectivity credential (ACC)
to connect to IIS on Notification Server to download UNC packages through HTTP.
IIS then authenticates to the UNC source using the distribution point credential
(DPC). The Symantec Management Agent uses the ACC to connect to download
sources. Ensure that ACC has read access when the Symantec Management Agent
downloads directly from the UNC package source.
See “Package tab settings” on page 403.
The DPC is not used if the Symantec Management Agent downloads a package
from a package server. The package server applies either anonymous access or
the ACC to the downloaded package files.
To enable access to a package at a UNC source location
1. Specify the package distribution point credentials that you want to use.
   You specify these credentials on the Distribution Point Credentials tab of
   the Notification Server Settings page. We recommend selecting Use Agent
   Connectivity Credential when you specify the package distribution point
   credentials. This option ensures that only one credential, the ACC, needs to
   exist on UNC package source locations.
   See “Distribution point credential settings” on page 56.
2. Give these credentials Read access on the UNC source folder.
Managing package programs
A package may have more than one program. You can manage the programs in a
package to suit your requirements. You can change program details, add new
programs to the package, and delete any programs that you no longer need.
See “Programs tab settings” on page 406.
See “Changing the configuration settings for a package” on page 401.
To display details of a package program
1. In the Symantec Management Console, on the Settings menu, click All
   Settings.
2. In the left pane, select the package that you want to modify.
3. On the Package page, on the Programs tab, select the program that you want
   to view.
To create a new package program
1. In the Symantec Management Console, on the Settings menu, click All
   Settings.
2. In the left pane, select the package that you want to modify.
3. On the Package page, on the Programs tab, click New.
4. Specify the program details in the appropriate fields.
5. Click Apply.
To remove a program from a package
1. In the Symantec Management Console, on the Settings menu, click All
   Settings.
2. In the left pane, select the package that you want to modify.
3. On the Package page, on the Programs tab, select the program that you want
   to remove, and then click Delete.
4. Click Apply.
Programs tab settings
The Programs tab lets you configure the programs that are included in the
package.
See “Managing package programs” on page 405.
See “Changing the configuration settings for a package” on page 401.
Table 20-2 Settings on the Programs tab

Setting: Description
Name: The program name.
  This field contains a drop-down list of programs that the package contains.
  The other settings on this tab apply to the selected program.
  This field is required.
Description: A user-friendly description of the selected program.
  This field is optional.
Command Line: The command line to run the program, including switches and
  parameters if applicable. The command-line entry must be in the same location
  or path as the package.
  This field is required.
Working Directory: The directory where files that are needed by the program are
  temporarily stored during deployment.
  If no directory is specified here, the system/temp directory is used.
Success Codes, Failure Codes: Determined by the exit code that is returned when
  an application ends. Applications can define their own exit codes for success
  and failures, but typically a zero value is used for success and a non-zero
  value for failure.
  These fields are optional.
Estimated Disk Space: The estimated amount of disk space that the program
  requires to run on the target computer. The Symantec Management Agent ensures
  that at least one physical drive with the specified space is available before
  executing the program.
  This field is optional.
Estimated Run Time: The estimated time in minutes that the program requires to
  run on the target computer.
  This field is optional.
Terminate After: The time-out period, after which the program is terminated (as
  a failure) if it has not finished running. If this field is left blank or set
  to zero, the program terminates after 360 minutes.
After Running: The action that is performed when the program finishes running:
  ■ No action required
  ■ Restart computer
  ■ Log off user
Starting window: The status of the command window that runs the program on a
  managed computer:
  ■ Normal
  ■ Hidden
  ■ Minimized
  ■ Maximized
Run with rights: The rights with which the program runs on the target computer:
  ■ System account
  ■ Logged in user
  ■ Specified user
    If you select this option, you need to specify the user domain in the
    following box.
Program can run: The conditions under which the program can run:
  ■ Whether or not a user is logged on
  ■ Only when a user is logged on
  ■ Only when no user is logged on
User Input Required: Specifies that the program brings up a user interface that
  may require user input to complete the process.
  This field is valid only when the Only when a user is logged on option is
  selected.
Minimum connection speed: Specifies the minimum connection speed for software
  delivery programs to be executed. Before the program is run, the connection
  speed from the Symantec Management Agent to Notification Server is tested. If
  the connection speed is less than the specified minimum speed, the program
  will not run.
  The options are as follows:
  ■ No network connection required
    There is no default minimum connection speed.
  ■ 1, 2, 5, 10, 50, 100, 256, 512 KB/sec, or 1 MB/sec
    The minimum connection speed.
  Note: This setting applies to package execution, not to package download. The
  package must already be downloaded.
Package Servers tab settings
The Package Servers tab lets you assign the package to the appropriate package
servers and specify the location at which the package files are stored.
See “Changing the configuration settings for a package” on page 401.
Table 20-3 Settings on the Package Servers tab

Setting: Description
Package Destination Location on Package Servers: Lets you assign the package to
  a specific directory on the package servers instead of the default directory.
  You only need to specify a directory if you do not want to use the default
  location. Specify a UNC path.
  If nothing is specified here, the default location is used:
  installation_path\Altiris\Altiris Agent\Agents\SoftwareManagement\Software Delivery\package_GUID\cache
Assign packages to: Specifies the package servers to which the package is
  assigned.
  The options are as follows:
  ■ All Package Servers
    Assign the package to all package servers.
  ■ Package Servers individually
    Assign the package to selected package servers.
  ■ Package Servers by site
    Assign sites to packages from a list of sites that is configured in the
    Site Maintenance configuration page. When a site is assigned to a package,
    all package servers within the selected site host the package.
  ■ Package Servers automatically with manual prestaging
    This assignment occurs when a task that requires the package is assigned to
    a resource target. All the computers that are identified by the resource
    target require the package. The package is assigned to all of the sites
    that are associated with those computers. The package is downloaded to all
    the package servers that are in those sites.
    This option also lets you manually assign packages to additional sites if
    necessary.
Advanced tab settings
The Advanced tab lets you specify additional package settings. You can specify
the agent display name and description, enable the sending of package status
events to Notification Server, and specify an alternate download destination
on managed computers.
See “Changing the configuration settings for a package” on page 401.
Table 20-4 Settings on the Advanced tab

Setting: Description
Agent display name: The package name to be displayed on the Symantec Management
  Agent. This name can be different than the package name that is specified on
  the Package tab.
  This setting lets you supply a package name that makes sense to the end user.
  The name that is specified on the Package tab may make sense only to an
  administrator.
Agent display description: Agent display description to inform the end user.
  This description can be different than the package description that is
  specified on the Package tab.
  This setting lets you supply a package description that tells the end user
  what the package does on the managed computer.
Enable verbose reporting of Package Status events: Enable the sending of
  package status events to Notification Server. Disabling events for the
  package prevents Symantec Management Agents from sending AeX SWD Package
  events to Notification Server.
  The Notification Server Event Capture settings in the Global Symantec
  Management Agent Settings policy take precedence over the Enable Verbose
  Reporting setting here. Events are sent only if they are enabled in the
  Global Symantec Management Agent Settings policy.
  See “Configuring the global agent settings” on page 342.
  The following types of AeX SWD Package events are not sent if package events
  are disabled:
  ■ New Package
  ■ Package Updated
  ■ Package To Be Removed
  ■ Package Removed
  ■ Unable To Check Package
  ■ Insufficient Disk To Download Package
  ■ Download Complete
  ■ Package Download Blocked
Use alternate download destination on client: If this option is enabled,
  package files are delivered to managed computers at the specified alternate
  destination.
  When the task executes, package files are copied to the new location.
  Copied package files are never deleted by the Symantec Management Agent. They
  are copied each time the task is run so, if the task is running on a
  recurring schedule, the files are copied repeatedly. This may be useful to
  ensure that the user of a managed computer does not delete a required file.
  If this option is not enabled, the default location is used:
  installation_path\Altiris\Altiris Agent\Agents\SoftwareManagement\Software Delivery\package_GUID\cache
Chapter 21
Using policies
This chapter includes the following topics:
■ About Symantec Management Platform policies
■ About user-based policies
■ Managing Symantec Management Platform policies
■ Specifying the targets of a policy or task
■ Selecting named resource targets
■ Specifying a policy schedule
■ Configuring the agent upgrade and uninstall policies
■ About automation policies
■ Managing automation policies
■ Creating or modifying scheduled automation policies
■ Creating or modifying message-based automation policies
■ Creating and modifying automation policy tasks
About Symantec Management Platform policies
A Symantec Management Platform policy is a set of rules that apply to a resource
or set of resources (known as the policy target). A policy may be evaluated based
on a schedule or based on incoming data. When a policy is evaluated, the
appropriate action is taken. This action typically includes running tasks on the
target resources to ensure that they all comply with the policy.
Table 21-1 Common Symantec Management Platform policy types

Policy type: Description
Agent: Specifies the Symantec Management Agent configuration settings on client
  computers.
  See “About configuring the Symantec Management Agent” on page 341.
Automation: Specifies automated actions to perform on client computers or the
  Notification Server computer. These policies are dynamic. They target the
  appropriate computers when the policy is activated and perform whatever
  action is required based on the current state of each target computer.
  Automation policy targets may be based on report results or a query, rather
  than filters and resource targets as for other policy types.
  See “About automation policies” on page 424.
User: Specifies the settings that apply to particular users. These settings are
  applied to the computers that the users are logged into.
  See “About user-based policies” on page 412.
Solution: Solutions may supply their own policies that are targeted at
  computers or users of those solutions.
About user-based policies
User-based policies can be applied to specific users or groups of users. They may
(but not necessarily) also be applied to specific computers.
See “About Symantec Management Platform policies” on page 411.
For example, some organizations have a large number of Active Directory security
groups and want to assign their policies using these security groups. The security
groups that contain managed computers or users are imported into the CMDB.
Using user-based policies enables the administrator to manage computers using
the existing Active Directory infrastructure. Workgroups and local users are
supported.
User-based policies apply only when the user is logged on to a managed computer.
These policies apply only to the user who is logged on to the console session. Each
time a user logs on to a managed computer, the Symantec Management Agent
searches for the user-based policies that apply to that user. Policies are cached
on the computer for a week. The Symantec Management Agent also performs
regular configuration requests for any active policies that use the current logged
on user’s SID, in addition to the managed computer GUID, to receive both
user-based and computer-based policies. The agent makes this request the first
time that a user logs onto a managed computer. The agent repeats the request
every time that it performs its normal configuration request.
Note: Users who are logged on to managed computers through terminal services
do not receive the policies that target them. All the users see the policies that
apply to the user who is logged on to the console session.
You may want to exclude some computers or users from user-based policies. For
example, you may want to exclude a managed computer that many users share, or
an administrator who may log on to many different computers every day. If such
a computer or user were a target for a user-based policy, the frequent
policy-driven changes could impose significant overhead on the affected
computers.
You can create a list of computers to which user-based policies do not apply. You
can create a list of users to whom user-based policies should not be targeted. You
can use these lists as exclusions in the appropriate filters.
See “About resource filters” on page 385.
See “Creating or modifying a filter” on page 386.
Managing Symantec Management Platform policies
The Policies view gathers all of the available policies in a single folder structure.
This standard structure lets you easily access the policies that you want to view
or modify.
See “About Symantec Management Platform policies” on page 411.
See “About automation policies” on page 424.
To manage policies
1. In the Symantec Management Console, in the Manage menu, click Policies.
2. In the left pane, under the Policies folder, select the policy or group of policies
   that you want to manage.
Specifying the targets of a policy or task
You need to specify one or more targets of a policy or task. A target defines the
computers, users, and resources to which the policy or task applies. A policy or
task may have multiple targets.
You can apply the following types of targets to a policy or task:
Autogenerated resource targets: These targets have not been explicitly named
and saved. Autogenerated targets are used only by the policy or task in which
you create them. You can edit these targets when you modify the policy or task,
but you cannot apply them to any other policies or tasks.
Named resource targets: These targets have been explicitly saved as named
resource targets. Named targets can be applied to any number of tasks and
policies, and they can be modified by any user that has the appropriate
permissions.
See “Saving a named resource target” on page 417.
Targets are not shown as items anywhere in the Symantec Management Console.
However, you can use the Quick apply option to select existing named targets to
apply to a policy or task. You can also view the list of available named targets in
the Save As dialog box when you create or modify a named target.
See “About resource targets” on page 397.
To specify the target of a policy or task
1. In the Symantec Management Console, in the Manage menu, click Policies.
2. In the left pane, under the Policies folder, select the policy or group of policies
   that you want to manage.
3. On the Policy Name page or Task Name page, under Applies To/Compliance,
   click Apply To, and then click one of the following options:
   Quick apply:
     1. In the Quick apply dialog, in the drop-down list, select the
        appropriate named target, organizational group, or filter.
     2. (Optional) Type the first few letters of the item that you want. The
        options on the list are reduced to those that match.
     3. Click Apply.
   Computers: In the Select Computers window, select the computers that you
     want.
     See “Building a resource target” on page 416.
   Users: In the Select Users window, select the users that you want.
     See “Building a resource target” on page 416.
   Resources: In the Select Resources window, select the resources that you
     want.
     See “Building a resource target” on page 416.
   Note that some options may not be available for all policies.
   Each selection is added to the list of targets in the Apply To grid.
   Repeat this step to add as many targets as you want.
4. (Optional) In the View drop-down list, click the appropriate option: Computers
   and Users, Applied by, or Task Runs.
   The list shows only the items that were explicitly selected. For example, if
   you view computers you can see only the computers that you selected in the
   Select Computers window. You cannot see any additional computers that
   are contained in the targets that you selected in the Quick apply dialog box.
5. If you want to modify a target or delete it from the list, select it in the Applies
   To/Compliance grid, and then click Edit or Delete, whichever is appropriate.
   See “Modifying a resource target” on page 415.
6. Click Save changes.
Modifying a resource target
When you modify a policy or task, you can modify any autogenerated targets that
it contains and any named resource targets to which you have access.
See “Specifying the targets of a policy or task” on page 413.
See “Managing Symantec Management Platform policies” on page 413.
To modify a resource target
1. In the Symantec Management Console, in the Manage menu, click Policies.
2. In the left pane, under the Policies folder, select the policy or group of policies
   that you want to manage.
3. On the Policy Name page or Task Name page, in the Applies To/Compliance
   panel, in the View drop-down list, click Computers and Users.
4. In the Applies To/Compliance grid, select the target that you want to modify.
5. Click Edit.
6. In the Edit Selected Group window, make the necessary changes to the target.
   See “Building a resource target” on page 416.
Building a resource target
The Select Computers, Select Users, and Select Resources windows let you select
the items that you want to include in a new resource target. The Edit Selected
Group window lets you change the selection for an existing resource target.
See “Specifying the targets of a policy or task” on page 413.
To build a resource target
1. In the Symantec Management Console, in the Manage menu, click Policies.
2. In the left pane, under the Policies folder, select the policy or group of policies
   that you want to manage.
3. On the Policy Name page or Task Name page, in the Applies To/Compliance
   panel, double-click the resource you want to manage.
4. If you want to base the resource target on an existing named target, in the
   Add Target dialog box, click Open and then, in the Open window, select the
   appropriate target.
   See “Selecting an existing resource target” on page 416.
5. Under Filtering Rules, specify the rules that you want to filter the available
   computers, users, or resources with.
   See “Specifying filtering rules for resource targets” on page 418.
6. If you want to save the resource target as a named target, click Save As.
   See “Saving a named resource target” on page 417.
7. When the Items currently matching rules list shows the items that you want
   to include in the target, click OK.
   The specified resource target is added to the policy or task. If the target is
   autogenerated (one that has not been saved as a named target), it is given a
   default name that is based on the names of the organizational groups and
   filters that it uses.
Selecting an existing resource target
The Open dialog box lets you select an existing named resource target or named
group of resource targets (which is itself a resource target). If you access this
dialog box from the Resource Target Builder (usually called the Select Resources
window) or the Resource Target Selector (usually called the Select Resource
Target or Select a Group window), the target or group of targets that you select
here replaces the current selection in the window. If you access this dialog box
from the resource selector window (Select Computers or Select Resources), the
target membership is added to the current selection in the window.
See “Specifying the targets of a policy or task” on page 413.
See “Saving a named resource target” on page 417.
To select an existing resource target
1
In the Select Computers/Resources window, the Select a Group window or
the Edit Selected Group window, click Open.
2
In the Open dialog box, in the list of named resource targets or groups, click
the appropriate target or group.
3
Click OK.
Saving a named resource target
If you want to use a resource target in multiple tasks and policies or make it
available for other users, you can save the target as a named resource target.
Named targets can be applied to any number of tasks and policies. Any user who
has the appropriate permissions can access or modify any named targets that you
create. You can also save named groups of resource targets when appropriate,
such as for inclusion in replication rules.
See “Specifying the targets of a policy or task” on page 413.
See “Selecting named resource targets” on page 419.
See “Selecting an existing resource target” on page 416.
If you access the Save As window from the Resource Target Selector (usually
called the Select Resource Target or Select a Group window), you can save the
selected resource targets as a named group of resource targets. If you access the
Save As window from the Resource Target Builder (usually called the Select
Computers or Select Resources window), you can save the selected resources
(which may be explicitly specified or selected dynamically using a query) as a
named resource target.
To save a named resource target
1
In the Select Computers/Resources window, the Select a Group window or
the Edit Selected Group window, click Save As.
2
In the Save As dialog box, do one of the following actions:
To create a new target or group
  In the Name box, type the appropriate name for the target or group.
To overwrite an existing target or group
  In the list of named targets or groups, click the appropriate name.
  Only the targets or groups to which you have write access are selectable.
  All the read-only targets or groups are grayed out.
3
Click OK.
Specifying filtering rules for resource targets
The filtering rules let you filter computers, users, and resources to identify the
items that you want to select. The rules are applied in the order in which they are
listed, so any excluded items may be included again by a later rule. The Items
currently matching rules list shows the items that the specified rules have
selected. The list is updated automatically as you add and modify the filtering
rules.
See “Specifying the targets of a policy or task” on page 413.
To specify a filtering rule
1
In the Select Items window, under Filtering Rules, click Add Rule.
2
In the first drop-down list, click the appropriate operation:
Exclude items in
  Excludes the items that are in the specified filter or organizational
  group, or selected resources from the item list.
Exclude items not in
  Excludes the items that are not in the specified filter or organizational
  group, or selected resources from the item list.
3
In the second drop-down list, click the appropriate option:
Filter
  Apply the operation to a specific filter.
Group
  Apply the operation to a specific organizational group.
Item List
  Apply the operation to specified computers, users, or resources.
4
In the third drop-down list, select the appropriate item:
To select a filter or group
  Type the first few letters of the filter or organizational group that you
  want. The options on the list are reduced to those that match.
To select specific items
  Click the ellipses (...) and then, in the Select Item window, select the
  appropriate items.
To manage the filtering rules list
1
If you want to move a rule up or down the list of filtering rules, click the up
arrow or down arrow.
2
If you want to remove a filtering rule from the list, click Delete.
Selecting named resource targets
The Select Resource Target or Select a Group window lets you select the named
resource targets that you want to use. The left pane displays the list of available
resource targets, and the right pane displays the list of selected resource targets.
See “Specifying the targets of a policy or task” on page 413.
You can filter the selected resource targets in the left pane by organizational view
or a particular organizational group. The filter restricts the membership of the
selected targets to resources that are contained in the specified organizational
view or group. You can also create new named resource targets.
You need to add the resource targets that you want to select to the list of resource
targets in the right pane. You can also save the selected resource targets as a
named group of resource targets.
To select named resource targets
1
(Optional) If you want to filter the membership of the selected resource targets
by a particular organizational view or group, in the Group drop-down list,
select the appropriate organizational view or group.
2
(Optional) If you want to create a new named resource target, click Build
Target.
See “Building a resource target” on page 416.
3
In the left pane, select the resource targets that you want, and then click >
to add them to the selected resource targets list in the right pane.
4
(Optional) If you want to select the resource targets that are contained in an
existing named group of resource targets, click Open, and then in the Open
dialog box, select the appropriate group.
See “Selecting an existing resource target” on page 416.
The resource targets in the selected group are added to the list in the right
pane.
5
(Optional) If you want to remove any resource targets from the selected targets
list, select the appropriate resource targets, and then click <.
6
(Optional) If you want to save the resource targets in the selected targets list
as a named group for later reuse, click Save As and, in the Save As dialog
box, specify the appropriate name.
See “Saving a named resource target” on page 417.
7
Click OK.
Specifying a policy schedule
You need to specify the times that a policy is triggered by configuring the
appropriate schedules. You can specify as many schedules as you need, and can
have any number active at once.
See “About Symantec Management Platform policies” on page 411.
This topic also applies to some other schedules, such as the resource membership
update schedule. Some options that are described here may not be available for
all policies.
To specify a policy schedule
1
On the policy page, under Schedule, click Add Schedule, and then click one
of the following:
Scheduled Time
  1
  In the Start box, specify the appropriate time.
  2
  If you want the schedule to repeat, click No Repeat and then, in the
  Repeat Schedule dialog, specify the appropriate frequency.
Schedule Window
  1
  In the Start, End, and Duration boxes, specify the appropriate times.
  2
  In the During window, check every box, specify the appropriate interval.
  3
  If you want the schedule to repeat, click No Repeat and then, in the
  Repeat Schedule dialog, specify the appropriate frequency.
At User Login
  The policy is triggered when a user logs on to the managed computer.
At Computer Startup
  The policy is triggered when the managed computer starts up.
Each schedule is added to the policy schedule list. Repeat this step to add as
many schedules as you want.
2
In the Time Zone drop-down list, select the appropriate time zone:
Use agent time
  The times are specified without time zone information and are applied at
  the local time at each managed computer. The schedules run at different
  times depending on the time zones of the managed computers.
Use server time
  The times are specified with time zone information, where the time zone
  offset is that of the server's time zone where the policy is defined. The
  schedules run simultaneously irrespective of time zones and are
  compensated for daylight saving.
  This option ensures that the schedules are always coordinated with the
  specified local time on the server where the policy is created.
Coordinate using UTC
  The times are specified with time zone information, where the time zone
  offset is 0. The schedules run simultaneously irrespective of time zones
  and are not affected by daylight saving.
3
Click Advanced and then, in the Advanced Options dialog, make the
appropriate changes:
Only perform check if:
  Check the appropriate options:
  ■ Computer is connected to the network
  ■ Computer is available at the exact scheduled time
  ■ A user is logged on to the computer
  ■ A user is not logged on to the computer
Start/End Dates
  The start date is the date that the policy takes effect. The policy must
  be enabled in the same way as any other policy. You can enable the policy
  at any time before or after the start date.
  If you want the policy to be available for a limited period of time, set
  the appropriate end date. The policy is unavailable after this date,
  whether or not it is enabled.
  The end date setting is optional. If no end date is specified, the policy
  is available indefinitely.
4
Click OK to close the Advanced Options dialog.
5
(Optional) If you want to remove a schedule from the list, select it and then
click Delete.
Configuring the agent upgrade and uninstall policies
You can configure the agent install, agent upgrade, and agent uninstall policies
to suit your requirements. These policies use the same agent package, but each
policy uses a different program.
To configure the agent upgrade and uninstall policies
1
In the Symantec Management Console, in the Settings menu, click All
Settings.
2
In the left pane, expand the appropriate folder, and then select the policy
that you want to configure.
3
(Optional) To turn the policy on or off, in the Agent Install, Agent Upgrade,
or Agent Uninstall page, click the status symbol and then click On or Off.
4
Make the appropriate configuration changes:
Program name
  The name of the agent package program that is run when the policy is
  triggered. The default setting is the program that is appropriate to the
  policy, and you should not need to change it. However, if you have added a
  new program to the agent package, you may want to use that instead.
  See “Managing package programs” on page 405.
  See “Programs tab settings” on page 406.
Enable Verbose Reporting of Status Events
  Enable the sending of package status events to Notification Server.
  Notification Server Event Capture settings in the Global Symantec
  Management Agent Settings policy take precedence over the Enable Verbose
  Reporting setting here. Events are sent only if they are enabled in the
  Global Symantec Management Agent Settings policy.
  See “Configuring the global agent settings” on page 342.
Applied to
  Specify the computers to which the policy applies.
  You can use the predefined filters that are supplied with Notification
  Server or create your own.
  See “Specifying the targets of a policy or task” on page 413.
Package Multicast
  Disables package download through multicast.
  Multicast typically slows down the rollout of a package, so you may want
  to turn it off for an urgent patch. Additionally, in some environments
  multicast does not work. For example, it may be disabled at routers and
  switches.
  The Package Multicast settings in the Global Symantec Management Agent
  Settings policy take precedence over the settings here.
  See “About the Package Multicast settings” on page 346.
Schedule
  Specify the policy schedule.
  See “Specifying a policy schedule” on page 420.
Extra Schedule Options
  Additional schedule options are as follows:
  ■ Run once ASAP
  ■ User can run
  ■ Notify user when the task is available
  ■ Warn before running
5
Click Save Changes.
About automation policies
Automation policies are system-defined, or administrator-defined, sets of rules
that govern the execution of automated actions. Examples of automated actions
include running a report using the parameters that were obtained from the policy,
sending an alert to the administrator, and executing a command or running a task
on managed computers.
See “About Symantec Management Platform policies” on page 411.
See “Managing automation policies” on page 426.
See “Key components of automation policies” on page 424.
Automation policies may be run on a schedule or triggered by Notification Server
messages. The policy determines when an action should start, and who or what
should be notified of the results. Automation policies are run on the Notification
Server computer, so are not concerned with agent-related activity on managed
computers. However, some automation policies may be triggered by messages
which are generated by agent activity.
Automation policies are not applied to resource targets, unlike the other types of
Notification Server policies. They are Notification Server actions which are
performed on the appropriate managed computers. Some actions, such as sending
an email to the administrator containing a report or a data source as an HTML
file, do not affect any managed computers.
Many of the solutions that work with Notification Server come with automation
policies. These policies let Notification Server perform a variety of actions when
defined conditions occur. Automation policies can be set on a single process
starting on a computer. Automation policies can also be set on complex scenarios,
such as multiple processes across a wide range of computers. Each solution that
defines automation policies specifies its own criteria for the type of conditions
that lead to the actions being initiated.
For example, Inventory Solution uses data from the CMDB, and application
metering uses the list of monitored processes. In this solution, however, there are
common sets of actions that can be run automatically.
Key components of automation policies
See “About automation policies” on page 424.
Automation policies have the same key components.
Table 21-2
Key components of automation policies
Component
  Description
Trigger
  Initiates the evaluation of an automation policy.
  Notification Server provides the following triggers:
  ■ Schedule
    Any Notification Server schedule, such as a shared schedule or a
    specified custom schedule. You cannot use maintenance windows (which are
    defined on the managed computers) as automation policy triggers.
  ■ Message
    An internal Notification Server message. These are sent when events of
    interest occur. For example, a resource created, a resource discovered,
    a resource deleted, a new computer discovered, or a Notification Server
    service started.
Data Source
  Provides information that the automation policy uses after it has been
  triggered. The data source is typically a report or a query that returns a
  list of computers, along with information about the state of each computer
  and its current settings that are relevant to the policy. The report or
  query is run when the policy is triggered to ensure that the most recent
  data is extracted.
  The data source defines the managed computers that are targeted by the
  policy and the actions that are performed on them. An automation policy may
  also extract parameters from the data source and use them as input
  parameters for tasks or jobs.
  Notification Server provides the following data sources:
  ■ Report
  ■ Raw SQL Query
  ■ Resource Query
  ■ Message
  ■ None
  Solutions may add additional data sources.
Evaluation Rule
  Evaluates the data that is contained in the data source and determines
  whether or not an action needs to be performed.
  Notification Server provides the following evaluation rules:
  ■ Run for non-empty data
  ■ Run for each record
  ■ Message processing
  ■ Run always
Action
  Specifies the task or job that the policy runs. These are standard agent or
  server-side tasks. The action may include input parameters that are passed
  from the data source.
Managing automation policies
You can configure and manage the automation policies that you have available
on Notification Server. You can create new policies, edit existing policies, turn a
policy on or off when necessary, set the appropriate security on a policy, and
delete a policy when it is no longer required.
See “About automation policies” on page 424.
To manage automation policies
1
In the Symantec Management Console, in the Manage menu, click Automation
Policies.
2
On the Automation Policies page, select the appropriate tab:
Schedules
  Manage automation policies that run on a defined schedule.
System Messages
  Manage automation policies that run when a specific system message is
  received.
3
Do any of the following:
Create or modify a policy
  See “Creating or modifying scheduled automation policies” on page 428.
  See “Creating or modifying message-based automation policies” on page 430.
Turn a policy on or off
  In the left pane, select the automation policy that you want to turn on or
  off, and then click Turn on or Turn off, whichever is appropriate.
Delete a policy
  In the left pane, select the automation policy that you want to delete, and
  then click Delete.
  You can delete any automation policies that you have created. You cannot
  delete any of the default automation policies that are supplied with
  Notification Server.
Set security on a policy
  In the left pane, select the automation policy that you want to set
  security on, and then click Actions > Security.
  In the Security Role Manager, set the appropriate security.
  See “About the Security Role Manager” on page 112.
Perform other actions on a policy
  In the left pane, select the automation policy that you want to perform an
  action on, and then click Actions, and then click the appropriate option.
  The available actions are the same as those on the context menu.
  See “About the context menu” on page 205.
Test a policy
  In the left pane, select the automation policy that you want to test, and
  then in the right pane, click Test Automation Policy.
  You can use the automation policy test to check that all of the policy
  components are consistent, and that the input parameters are mapped
  properly. The test executes the policy, and the results of the action are
  displayed in the Job/Task log.
Creating or modifying scheduled automation policies
Automation policies may use any Notification Server schedule, such as a shared
schedule or a specified custom schedule. Maintenance windows (which are defined
on the managed computers) cannot be used to schedule automation policies. When
an automation policy is triggered, the appropriate actions are run immediately.
You cannot schedule an automation policy to run at a later time after it has been
triggered.
See “About automation policies” on page 424.
See “Managing automation policies” on page 426.
Note: This topic covers the default options that are supplied with Notification
Server. Solutions may extend these options or add new ones. For more information,
refer to the appropriate solution documentation.
To create or modify a scheduled automation policy
1
In the Symantec Management Console, in the Manage menu, click Automation
Policies.
2
On the Automation Policies page, on the Schedules tab, do one of the
following:
To create a new policy
  1
  Click New Policy.
  2
  In the Automation Policy Name dialog, type the new policy name, and then
  click OK.
To modify an existing policy
  In the left pane, select the appropriate policy.
3
(Optional) In the right pane, edit the policy name and description by clicking
the appropriate fields and typing the new details.
4
In the Schedule drop-down list, select the schedule that you want to use.
At Date/Time
  Specify the schedule date, time, and repetition in the appropriate fields.
Shared Schedule
  In the Select Shared Schedule drop-down list, select the appropriate
  schedule.
  See “Managing shared schedules” on page 126.
5
In the Details panel, under Data Source, specify the data source to use.
See “Specifying the automation policy data source” on page 432.
6
Under Conditions, in the Evaluation Rule drop-down list, select the
appropriate evaluation rule:
Run for non-empty data
  Treats the data source table as a single unit. When the policy is
  triggered, the action is run only if the table contains one or more rows,
  and is run once only.
  You need to use this option if the data source contains information in an
  HTML file rather than a table.
  This option lets you target everything in a single column, such as a list
  of GUIDs. You cannot set dynamic parameters to distinguish targeted
  computers. If you want to do that, you must use the Run for each record
  option.
Run for each record
  Evaluates the data source table row by row, which lets you use fields per
  row as dynamic parameters for the specified actions. The action is run
  once for each row.
Run always
  Runs the specified actions without using a data source.
  This option is available only when no data source is specified.
7
Under Actions, specify the task or job to run, and set any required input
parameters.
See “Specifying the automation policy action” on page 434.
8
Click Apply to save the policy settings.
9
(Optional) If you want to ensure that all of the policy components are
consistent and that the input parameters are mapped properly, click Test
Automation Policy.
The test is an internal check only and does not affect any resources.
Creating or modifying message-based automation
policies
Automation policies may use an internal Notification Server message as a trigger.
The messages that are available for this purpose are predefined. These messages
relate to Notification Server events such as resources being discovered, created,
or deleted, new computers being discovered, or Notification Server services being
started. Solutions may make additional solution-specific messages available. When
an automation policy is triggered, the appropriate actions are run immediately.
You cannot configure an automation policy to run at a later time after it has been
triggered.
See “About automation policies” on page 424.
See “Managing automation policies” on page 426.
Note: This topic covers the default options that are supplied with Notification
Server. Solutions may extend these options or add new ones. For more information,
refer to the appropriate solution documentation.
To create or modify a message-based automation policy
1
In the Symantec Management Console, on the Manage menu, click
Automation Policies.
2
On the Automation Policies page, on the System Messages tab, do one of
the following:
To create a new policy
  1
  Click New Policy.
  2
  In the Automation Policy Name dialog, type the new policy name, and then
  click OK.
To modify an existing policy
  In the left pane, select the appropriate policy.
3
(Optional) In the right pane, edit the policy name and description by clicking
the appropriate fields and typing the new details.
4
In the NS Message drop-down list, select the message that you want to use.
5
In the Details panel, under Data Source, specify the data source to use.
See “Specifying the automation policy data source” on page 432.
6
Under Conditions, in the Evaluation Rule drop-down list, select the
appropriate evaluation rule:
Run for non-empty data
  Treats the data source table as a single unit. When the policy is
  triggered, the action is run only if the table contains one or more rows,
  and is run once only.
  You need to use this option if the data source contains information in an
  HTML file rather than a table.
  This option lets you target everything in a single column, such as a list
  of GUIDs. You cannot set dynamic parameters to distinguish targeted
  computers. If you want to do that, you must use the Run for each record
  option.
Run for each record
  Evaluates the data source table row by row, which lets you use fields per
  row as dynamic parameters for the specified actions. The action is run
  once for each row.
Message processing
  Evaluates the data source message text and uses the appropriate parameters
  in the specified actions.
  This option is available only when a message data source is used.
Run always
  Runs the specified actions without using a data source.
  This option is available only when no data source is specified.
7
Under Actions, specify the task or job to run, and set any required input
parameters.
See “Specifying the automation policy action” on page 434.
8
Click Save Changes to save the policy settings.
9
(Optional) If you want to ensure that all of the policy components are
consistent and that the input parameters are mapped properly, click Test
Automation Policy.
The test is an internal check only and does not affect any resources.
Specifying the automation policy data source
The automation policy data source determines which computers to target and
what actions to perform on them. An automation policy may extract parameters
from the data source and use them as input parameters for tasks or jobs.
See “Creating or modifying scheduled automation policies” on page 428.
See “Creating or modifying message-based automation policies” on page 430.
You can use external data sources such as reports and messages, or you can use
a query to extract data from the CMDB. An external data source such as a report
may be used by any number of automation policies. You need to be careful when
using reports, because they might be modified later and the parameters that some
actions depend on could be changed or removed. If an action cannot determine a
required parameter from a data source report, it uses the default value that is set
in the automation policy.
See “Creating and modifying custom Notification Server reports” on page 512.
SQL queries and resource queries are embedded in the automation policy definition.
You cannot share queries between automation policies, and you cannot directly
access the queries (also known as data sources) that are components of reports.
If you want to use a report query, you can copy the SQL from the report and paste
it into the automation policy.
An automation policy that does not define a target for its action does not require
a data source. An example is a policy that sends a message to the administrator
or performs a task on the Notification Server computer.
To specify the automation policy data source
1
In the Symantec Management Console, on the Manage menu, click
Automation Policies.
2
On the Automation Policies page, on the System Messages tab, either select
an existing automation policy or create a new one.
3
In the right pane under Details, under Data Source, in the Data Source
drop-down list, select the appropriate option:
Report
  Use the results of a report.
  1
  In the Report field, click Report Name.
  2
  In the Select Report window, select the appropriate report, and then
  click OK.
Raw SQL Query
  Use the results of an SQL query.
  1
  Click Edit Query.
  2
  In the Data Source window, specify the SQL query that you want to use, and
  then click OK.
  See “Defining an SQL query for a filter” on page 391.
  If you want to reuse a query from an existing filter or report, you can
  copy the content of the Resolved Query tab from the appropriate filter or
  report query. You can then paste it into the Resolved Query tab in the
  Data Source window. You can then modify the SQL as necessary.
  Note that the query in the Resolved Query tab has any parameters replaced
  by the specified test values.
Resource Query
  Use the results of a resource query.
  1
  Click Edit Query.
  2
  In the Data Source window, specify the resource query that you want to
  use, and then click OK.
  See “Defining a resource query for a filter” on page 390.
Message
  Use the information that is contained in the message that triggered the
  policy.
None
  No data source is required. The automation policy does not need to define
  a target for its action.
Specifying the automation policy action
Automation policy actions are jobs and tasks. Symantec Management Platform
supplies a set of tasks that you can use, and solutions may add more. You can
create your own tasks and extend the options to suit your requirements. If your
Symantec Management Platform is part of a hierarchy, further tasks and jobs
may be replicated down from the parent Symantec Management Platform.
See “About the Jobs and Tasks Portal” on page 444.
See “Creating or modifying scheduled automation policies” on page 428.
See “Creating or modifying message-based automation policies” on page 430.
An automation policy may contain only one action, which may be a task or a job,
that is applied to all the computers that the policy targets. If you want to include
multiple tasks, you need to put them into a suitable job. Alternatively, you need to
create multiple automation policies with the appropriate triggers, data sources,
and actions.
Warning: Any number of automation policies may share a job or task. When you
modify a task that you want to use in an automation policy, your changes can
affect many other policies. You may prefer to clone the relevant task and use the
modified clone in the policy.
Tasks may contain both static input parameters and dynamic input parameters.
Dynamic parameters are set with values extracted from the data source when the
policy is triggered. Static parameters have values set within the task, so are the
same every time that the task runs.
Failure actions or return codes cannot be set in an automation policy, so if any
are needed, you must configure them in the task.
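The evaluation rules, dynamic parameters, and default-value fallback described above, modelled as an added Python example (not Symantec code and not part of the original guide). The function names, column names, sample rows, and CSV layout are constructed assumptions; the model follows only the behaviour this guide states, and shows how to check which task parameters would silently take their defaults after a report's columns change.

```python
import csv
import io

# Evaluation rules and whole-table parameter sources, named as in this guide.
RUN_NON_EMPTY = "Run for non-empty data"
RUN_EACH_RECORD = "Run for each record"
RUN_ALWAYS = "Run always"
RESULTS_AS_CSV = "Results as CSV"
NUMBER_OF_ROWS = "Number of rows"
TABLE_SOURCES = {RESULTS_AS_CSV, NUMBER_OF_ROWS}


def table_value(source, columns, rows):
    """Value of a whole-table source (the CSV layout is an assumption)."""
    if source == NUMBER_OF_ROWS:
        return len(rows)
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(columns)
    writer.writerows([row.get(c, "") for c in columns] for row in rows)
    return buf.getvalue()


def resolve(mapping, defaults, columns, rows, row=None):
    """Resolve task input parameters for one run of the action.

    Returns (params, fallbacks). fallbacks lists the parameters whose mapped
    data source field was unavailable, so the policy default was used.
    """
    params, fallbacks = {}, []
    for name, source in mapping.items():
        if source in TABLE_SOURCES:
            params[name] = table_value(source, columns, rows)
        elif row is not None and source in columns:
            params[name] = row[source]          # dynamic, per-row value
        else:
            params[name] = defaults.get(name)   # silent fallback to default
            fallbacks.append(name)
    return params, fallbacks


def plan_runs(rule, mapping, defaults, columns=None, rows=None):
    """Return one (params, fallbacks) tuple per execution of the action."""
    columns = columns or []
    rows = rows or []
    if rule == RUN_ALWAYS:
        if columns or rows:
            raise ValueError("Run always is available only with no data source")
        return [(dict(defaults), [])]
    if rule == RUN_NON_EMPTY:
        # Table treated as a single unit: at most one run, no per-row fields.
        return [resolve(mapping, defaults, columns, rows)] if rows else []
    if rule == RUN_EACH_RECORD:
        return [resolve(mapping, defaults, columns, rows, row) for row in rows]
    raise ValueError(f"unknown evaluation rule: {rule}")


def audit(rule, mapping, defaults, columns, rows):
    """Summarise the run count and the parameters that fell back to defaults."""
    runs = plan_runs(rule, mapping, defaults, columns, rows)
    fell_back = sorted({name for _, fb in runs for name in fb})
    return {"runs": len(runs), "fallback_params": fell_back}


# Constructed sample data: a report as first written, and the same report
# after a later edit removed the RebootAllowed column.
COLUMNS_V1 = ["Guid", "Name", "RebootAllowed"]
ROWS_V1 = [
    {"Guid": "guid-0001", "Name": "ws-01", "RebootAllowed": "no"},
    {"Guid": "guid-0002", "Name": "ws-02", "RebootAllowed": "yes"},
]
COLUMNS_V2 = ["Guid", "Name"]
ROWS_V2 = [{c: r[c] for c in COLUMNS_V2} for r in ROWS_V1]

# Hypothetical task parameters mapped to report columns, with policy defaults.
MAPPING = {"target": "Guid", "reboot": "RebootAllowed"}
DEFAULTS = {"target": None, "reboot": "yes"}

if __name__ == "__main__":
    for label, cols, rows in (("original report", COLUMNS_V1, ROWS_V1),
                              ("edited report", COLUMNS_V2, ROWS_V2)):
        print(label, audit(RUN_EACH_RECORD, MAPPING, DEFAULTS, cols, rows))
        for params, _ in plan_runs(RUN_EACH_RECORD, MAPPING, DEFAULTS, cols, rows):
            print("   ", params)
```

With the edited report, ws-01 is still targeted but now receives the default `reboot` value instead of its own, which is the effect of a shared report being modified after a policy was built on it.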
To specify the automation policy action
1
In the Symantec Management Console, on the Manage menu, click
Automation Policies.
2
On the Automation Policies page, on the System Messages tab, either select
an existing automation policy or create a new one.
3
In the right pane, under Actions, in the Run job/task field, click Select a Job
or Task.
4
In the Select Task dialog box, in the left pane, select the appropriate job or
task, and then click OK.
See “Select Task window” on page 436.
5
(Optional) Click Edit Input Parameter and then, in the Edit Job/Task Input
Parameters dialog box, specify the following for each action parameter:
Data Source
The data source field that supplies the parameter.
Select the appropriate option from the drop-down list:
■
Custom Value
■
Results as HTML
■
Results as CSV
■
Results as text
■
Number of rows
Custom
The value that is used when the data source is set to Custom.
This value is the default that is used if the specified data
source field is not available.
This field is not shown if no input parameters are required.
6
(Optional) Click OK to close the Edit Job/Task Input Parameters window.
7
Click Save Changes.
Select Task window
The Select Task window lets you select the job or task to perform when the
automation policy is triggered.
See “Specifying the automation policy action” on page 434.
The left pane displays the Task Management folder structure, and contains all of
the tasks that are available for use in automation policies. The right pane shows
the task configuration page for the selected task, and lets you make any necessary
changes.
See “About the Jobs and Tasks Portal” on page 444.
To select a job or task
1
In the Symantec Management Console, on the Manage menu, click
Automation Policies.
2
On the Automation Policies page, on the System Messages tab, either select
an existing automation policy or create a new one.
3
In the right pane, under Actions, in the Run job/task field, click Select a Job
or Task.
4
In the Select Task dialog box, in the left pane, select the appropriate job or
task, and then in the right pane, make any necessary configuration changes
to the job or task.
5
Click OK.
Creating and modifying automation policy tasks
A set of automation policy tasks is provided with Notification Server. You can use
them in your automation policies, and use them as a template for creating your
own custom tasks and jobs.
See “Specifying the automation policy action” on page 434.
See “Assign to organizational group task” on page 437.
See “Email a report task” on page 437.
See “Send an email task” on page 437.
See “Run a report task” on page 438.
To create or modify an automation policy task
1
In the Symantec Management Console, in the Manage menu, click Jobs and
Tasks.
2
In the left pane, expand the Jobs and Tasks > System Jobs and Tasks >
Notification Server > Automation Policy Tasks folder and then do one of
the following:
To create a new job or task from scratch
1
Right-click the Automation Policy Tasks folder,
and then click New.
2
Click the appropriate option:
■
Server Job
■
Client Job
■
Task
To create a new job or task using an existing job or task as a template
Right-click the job or task, and then click Clone.
To modify an existing job or task
Click the job or task.
3
In the right pane, specify the appropriate details for the job or task.
4
Click Save changes.
Assign to organizational group task
Lets you assign resources to an organizational group.
See “Creating and modifying automation policy tasks” on page 436.
Email a report task
Lets you email a specified report as an attachment.
You may want to use this task as part of a job that also includes a run a report
task to create the appropriate report.
See “Creating and modifying automation policy tasks” on page 436.
Send an email task
Lets you send an email with information you define to specified users. The email
can include status, product license, or other information.
See “Creating and modifying automation policy tasks” on page 436.
Run a report task
Lets you run a report.
You may want to use this task as part of a job that also includes an email a report
task to send the report to the appropriate users or Notification Server
administrator.
See “Creating and modifying automation policy tasks” on page 436.
Chapter 22
Using tasks
This chapter includes the following topics:
■
About Task Management
■
Task Management components
■
Sequencing tasks
■
When to use tasks, jobs, and policies
■
About the Jobs and Tasks Portal
■
Accessing the Jobs and Tasks Portal
■
Refreshing a Web part in the Jobs and Tasks Portal
■
Creating a task
■
Creating a job
■
Deploying a task server
■
About deploying task servers
■
About scaling task servers
■
How task server uses the tickle mechanism
■
Running a job or task
■
Stopping a job or task
■
Adding a schedule to a policy, task, or job
■
New schedule dialog box
■
Creating tasks to input or to output task properties
■
Changing Client Task Agent settings
■
Cleaning up task data
■
Update Summary Data page
■
Update Task Service Assignments page
■
Viewing the task status on the Symantec Management Agent
■
Viewing and editing permissions on a task type
■
Task advanced options
■
Sample tasks, jobs, and scripts provided by Task Management
■
Task Types
About Task Management
Task Management provides task sequencing and automation for Symantec
solutions. Task sequencing lets you perform complex management operations in
a single job. Tasks can be sequenced in a job, which gives you great flexibility in
your work. The functionality is similar to what Symantec Deployment Solution
software provides with its job engine. However, Task Management is built on the
Symantec Management Platform and lets the rest of the Symantec solution catalog
take advantage of its powerful features.
See “Sequencing tasks” on page 442.
You can run tasks automatically based on events in the system or changes in the
database. You can also run tasks automatically to keep computers compliant with
policies.
Task servers are similar to package servers in that they are designed to reside on
a separate server and are very lightweight. Both task servers and package servers
are site services and install on a site server. Computers can be assigned to a specific
site server by either computer name or by subnet.
See “About site services” on page 131.
You can create, run, or schedule jobs and tasks from the Jobs and Tasks portal.
Task components orchestrate these jobs and tasks smoothly.
See “About the Jobs and Tasks Portal” on page 444.
See “Task Management components” on page 441.
Task Management includes the following features:
■
Executes multiple tasks in a defined sequence that is called a job.
See “Creating a job” on page 447.
■
Lets the users provide logic to handle task errors or other return codes.
See “Task advanced options” on page 462.
■
Includes powerful command-line and VBScript capabilities.
See “Run script task page” on page 477.
See “Run script on server task page” on page 478.
■
Provides the predefined power management tasks.
See “Sample tasks, jobs, and scripts provided by Task Management” on page 463.
■
Executes the client-side and server-side tasks.
See “Deploying a task server” on page 448.
■
Provides the quick acting features for running jobs, such as Run Now options
and near real-time status feedback.
See “Running a job or task” on page 452.
See “Adding a schedule to a policy, task, or job” on page 454.
See “Refreshing a Web part in the Jobs and Tasks Portal” on page 445.
See “Viewing the task status on the Symantec Management Agent” on page 461.
■
Reuses the tasks in multiple jobs or lets you clone and modify tasks as wanted.
Task Management components
Task Management works by leveraging several components. These components
orchestrate the assignment and performance of tasks and jobs on the connected
client computers.
See “About Task Management” on page 440.
See “How task server uses the tickle mechanism” on page 450.
Table 22-1
Task Management components
Component
Description
Task Server
This component distributes jobs and tasks on the network
and it can be run on Notification Server or on a remote
computer.
The task server has the ability to tickle the registered client
computers. This tickle ability is separate from the tickle
server component on the Notification Server computer. The
task server sends the status information to the Data Loader.
It also sends the tickles, the job, and the task information
to the Client Task Agent.
Tickle Server
The tickle server notifies the task server when and where
there are tasks to run on its connected client computers.
The tickle server then tickles those connected client
computers and sends them the XML that contains the job
or the task information using HTTP(S). The tickle server
also collects status information and forwards it to the
Configuration Management Database (CMDB) using HTTP(S).
This component runs only on the Notification Server
computer. It sends an IP tickle packet to task servers when
any of their clients have a job or task to run.
Data Loader
This component receives status information from task
servers and caches it in memory until it can be sent to the
CMDB. The data loader improves scalability by allowing
status information for several hundred clients to be received
at the same time without overwhelming the SQL Server.
This component also runs on each remote task server and
queues up data that waits until it can be sent to Notification
Server.
Client Task Agent
This agent runs on client computers and performs the
following actions:
■
Accepts tickles from a task server.
■
Receives the job and the task information.
■
Passes the information to a handler.
■
Sends the status information back to the task server.
This agent is installed automatically with the Symantec
Management Agent.
Note: When you install the Symantec Management Agent
on a computer, there is a delay before the Client Task Agent
registers with Notification Server. Any tasks that are
targeted at the computer during this time (typically about
10 minutes) have a pending status until the Client Task
Agent registers. When the Client Task Agent is registered,
the tasks are executed immediately.
Sequencing tasks
Task sequencing lets you perform complex management operations in a single
job. Tasks can be sequenced in a job, which gives you great flexibility in your work.
See “About Task Management” on page 440.
Table 22-2
Process for sequencing tasks
Step
Action
Description
Step 1
(Optional) Deploy task servers.
Task servers let you distribute your jobs and tasks
to computers on your network. Then the jobs and
tasks can run on managed computers.
Your first task server that is running on the
computer with Notification Server can serve up
to 500 computers. If you have more than 500
computers, you should deploy one or more task
servers.
See “Deploying a task server” on page 448.
Step 2
Create a task.
Tasks are run on Notification Server or
managed computers.
See “Creating a task” on page 446.
Step 3
Create a job.
Jobs run tasks, other jobs, and conditions.
See “Creating a job” on page 447.
Step 4
Run jobs and tasks and view real-time status.
Jobs and tasks can be run on Notification Server
or managed computers.
View the status of the task or job as it runs.
See “Running a job or task” on page 452.
When to use tasks, jobs, and policies
Tasks, jobs, and policies have different uses in Notification Server. Which one
you use depends on what you want to accomplish.
A policy is a set of rules that apply to a resource or set of resources (known as the
policy target). A policy may be evaluated based on a schedule or based on incoming
data. When a policy is evaluated, the appropriate action is taken. This action
typically includes running tasks on the target resources to ensure that they all
comply with the policy. Using a policy lets you apply actions to particular
resources, which you define as the policy target.
See “About Symantec Management Platform policies” on page 411.
A task is a separate action which does not have ongoing actions and which you
deploy to selected computers. You can run tasks automatically based on events
in the system or changes in the database. You can also run tasks automatically to
keep computers compliant with policies.
A job is a sequence of tasks which are run in a specific order.
See “About Task Management” on page 440.
In general, use policies for ongoing management, and use tasks to enforce policies
or perform one-time actions.
Table 22-3
When to use tasks, jobs, and policies
Option
Criteria
Task
Use a task when the following criterion is true:
■
You need to perform an action that finishes quickly (no ongoing
actions).
Job
Use a job when the following criteria are true:
■
You need to run actions in a specific order.
■
An action can be useful for a user to sequence or tie to a
Notification Server message.
Policy
Use a policy when the following criteria are true:
■
You have static configuration data to send to the Symantec
Management Agent.
■
You have ongoing actions with no definite end.
About the Jobs and Tasks Portal
The Jobs and Tasks Portal gives you easy access to most job and task actions,
which Task Management provides. You can use this portal as the main starting
point when you create, run, sequence, or schedule jobs and tasks.
See “Accessing the Jobs and Tasks Portal” on page 445.
Several Web parts are provided on this page. However, you can configure the page
to show the Web part you want. The Edit option in the top-right corner lets you
change the Web parts that are displayed on this portal.
See “About Task Management” on page 440.
See “Sequencing tasks” on page 442.
You can refresh the data in any pane in the Jobs and Tasks Portal as needed, either
manually or on an interval.
See “Refreshing a Web part in the Jobs and Tasks Portal” on page 445.
Table 22-4
Web parts that the Jobs and Tasks Portal provides
Pane
Description
Jobs and Tasks Quick start
Lets you create, run, or schedule jobs and tasks.
Recently Accessed Jobs and Tasks
Lets you view recently accessed jobs and tasks and perform
actions on those jobs and tasks.
Task Servers
Lets you view your task servers and how many client
computers are attached to each task server.
Task Computers and Devices
Lets you view your task servers and managed computers.
Job and Task Status
Lets you view the status of your jobs and tasks that have
run recently. The Refresh option lets you see the real-time
status after a task or job has run.
These columns are sortable. The Details option lets you get
more specific information on an individual resource.
This information can include the following:
■
Return code for the task.
■
The specific error message in case of a failure.
■
Task output if the task was configured to save script
output with task status.
Accessing the Jobs and Tasks Portal
The Jobs and Tasks Portal lets you create and schedule tasks to run on your
managed resources. You can access the Jobs and Tasks Portal from the Symantec
Management Console.
See “About the Jobs and Tasks Portal” on page 444.
To access the Jobs and Tasks Portal
1
In the Symantec Management Console, on the Settings menu, click Console
> Portal Pages.
2
In the left pane, click Jobs and Tasks Portal.
Refreshing a Web part in the Jobs and Tasks Portal
You can refresh the data in any pane in the Jobs and Tasks Portal as needed, either
manually or on an interval. The refresh option lets you see the real-time status
of the data in a pane.
See “About the Jobs and Tasks Portal” on page 444.
See “Accessing the Jobs and Tasks Portal” on page 445.
To refresh a Web part in the Jobs and Tasks Portal
1
In the Symantec Management Console, on the Settings menu, click Console
> Portal Pages.
2
In the left pane, click Jobs and Tasks Portal.
3
In the Jobs and Tasks Portal, click the Refresh icon in the Web part that you
want to refresh.
To set up an automatic refresh for a Web part in the Jobs and Tasks Portal
1
In the Jobs and Tasks Portal, click the drop-down icon in the Web part for
which you want to set up an automatic refresh.
The drop-down icon is located next to the Refresh icon.
2
Check Refresh every: and select the refresh interval that you want to set up.
Creating a task
You create and deploy tasks to managed computers using predefined task types.
The type of task you choose depends on what you want to accomplish. Many types
of tasks are provided with Task Management. Some Symantec solutions also
provide task types and sample jobs.
See “About the Jobs and Tasks Portal” on page 444.
See “Sequencing tasks” on page 442.
To create a task
1
In the Symantec Management Console, on the Settings menu, click Console
> Portal Pages.
2
In the left pane, click Jobs and Tasks Portal.
3
In the Jobs and Tasks Portal, under Quick Start - Jobs and Tasks, click Create
a new job or task.
See “Accessing the Jobs and Tasks Portal” on page 445.
4
In the Create New Task dialog box, in the left pane, select the task type.
5
In the right pane, configure the task.
See “Sample tasks, jobs, and scripts provided by Task Management”
on page 463.
6
To save the task and exit the dialog box, click OK.
Creating a job
You can create jobs that run multiple tasks or jobs. The two types of jobs are server
jobs and client jobs. Server jobs run on Notification Server. Client jobs are deployed
to managed computers by a task server. The managed computer then runs the
job and reports back to Notification Server.
Jobs can contain multiple tasks, multiple jobs, and multiple conditions, which
gives you great flexibility in setting up the job sequence that you need.
See “Sequencing tasks” on page 442.
To create a job
1
In the Symantec Management Console, on the Settings menu, click Console
> Portal Pages.
2
In the left pane, click Jobs and Tasks Portal.
3
In the Jobs and Tasks Portal, under Quick Start - Jobs and Tasks, click Create
a new job or task.
See “Accessing the Jobs and Tasks Portal” on page 445.
4
In the Create New Task dialog box, in the left pane, select Client Job or Server
Job.
You can now change the name of the job and add tasks, jobs, or conditions to
the job.
5
To add a new job to a job, do the following steps in order:
■
Click New > Task.
■
In the Create New Task dialog box, in the left pane, select a client job or
a server job, and change the job name if you want.
■
Add tasks, jobs, or conditions to the job.
■
Click OK to add the job and close the dialog box.
The added job appears in the right pane between Job Start and Stop.
6
To create a new task to add to a job, do the following steps in order:
■
Click New > Task.
■
In the Create New Task dialog box, in the left pane, select a task.
■
In the right pane, configure the task.
See “Sample tasks, jobs, and scripts provided by Task Management”
on page 463.
■
Click OK to create the task and close the dialog box.
The newly created task appears in the right pane between Job Start and
Stop.
7
To add an existing task or job to a job, do the following steps in order:
■
Click Add Existing.
■
In the Add Existing Task dialog box, in the left pane, select the task or
job that you want to add.
The task or job then appears in the right pane of the dialog box.
■
Click OK to add the task or job and close the dialog box.
The added task or job appears in the right pane.
A drag-and-drop feature is available that lets you change the order of the
tasks or jobs that are added to a job. You can also use the Up and Down
arrows on the menu to move tasks, jobs, and conditions.
8
To add a condition to a job, do the following steps in order:
■
Click New > Condition.
A rule is displayed. You can add more rules by clicking Add Rule.
The rule gives you a Where clause. The Where clause lets you select a task
or job, an operation to perform, and a condition for performing the
operation on the task or job.
■
In a rule in the first drop-down list, select or enter the task or job and the
return code for the condition.
■
In the second field, select the operation for the rule to perform.
Equals: The result of the task or job equals the condition.
Not equal: The result of the task or job does not equal the condition.
Contains: The result of the task or job contains the condition.
Greater than: The result of the task or job is greater than the condition.
Less than: The result of the task or job is less than the condition.
■
In the third field, enter the condition.
■
Click OK to create the condition and close the dialog box.
You can add one or more tasks or jobs to run as a result of the condition
under Else.
9
To save the changes and exit the Edit mode, click OK.
Deploying a task server
Task servers let you distribute your jobs and tasks to computers on your network.
Then the jobs and tasks can run on managed computers.
See “Task Management components” on page 441.
Your first task server that runs on the Notification Server computer can serve up
to 500 computers. If you have more than 500 computers, you should deploy one
or more task servers.
See “About scaling task servers” on page 450.
Symantec recommends that you deploy task servers using site services. However,
you can also manually deploy task servers.
See “About site services” on page 131.
See “Sequencing tasks” on page 442.
See “About deploying task servers” on page 449.
To deploy a task server using site services
◆
Deploy a task server as a site server.
See “Creating and modifying site servers” on page 139.
About deploying task servers
Task servers let you distribute your jobs and tasks to different computers on your
network where Symantec Management Agents can run the jobs and tasks. When
you distribute jobs and tasks, you reduce the load on Notification Server and the
network traffic. The Symantec Management Agent accesses the closest task server
to it for job and task downloads.
Each Notification Server becomes a task server when the Task Server component
is installed. You can then deploy more task servers as needed.
See “Deploying a task server” on page 448.
See “About scaling task servers” on page 450.
See “About site services” on page 131.
See “About configuring the site service settings” on page 143.
Task Server can only be installed on a computer that has IIS installed. The main
advantage of installing a task server on a computer with IIS installed is the ability
to secure the computer.
The requirements for task server computers are as follows:
■
Microsoft .NET Framework version 3.5
■
Minimum supported operating systems are Windows XP SP2 or Windows
Server 2003 SP2
■
Microsoft Internet Information Services (IIS)
■
Symantec Management Agent
The minimum hardware recommendations for task server computers are as
follows:
■
Intel Pentium 4 processor or equivalent
■
1-GB RAM
■
1-GB disk space
About scaling task servers
Your first task server that runs on the computer with Notification Server can
serve up to 500 computers. An additional task server should be set up for every
2500 computers you have after the first 500 computers.
See “About Task Management” on page 440.
These recommendations are based on the minimum hardware recommendations.
See “About deploying task servers” on page 449.
The number of the managed computers that a task server can serve depends on
the hardware of the task server computer.
How task server uses the tickle mechanism
The tickle server is a component of Task Management. The tickle server component
runs only on the Notification Server computer and is responsible for notifying
task servers of pending tasks for their client computers. Task servers also have
the native ability to tickle their registered client computers. This tickle ability is
separate from the tickle server component on the Notification Server computer.
See “Task Management components” on page 441.
The tickle server sends IP tickle packets to task servers when any of their registered
client computers have a job or task to run. After the tickle packet is received, the
task server immediately requests the task or the job information from Notification
Server for its registered client computers. It also tickles its client computers.
When the Client Task Agent receives the tickle packet, it requests the job or the
task information from its registered task server. Only after the Client Task Agent
receives the task information is the task executed. Status events for completed
tasks are sent back to the registered task server upon completion.
If the tickle packets are blocked or otherwise cannot reach the destination, the
Client Task Agent automatically checks back to its registered task server for any
new job information. It performs this check every 5 minutes. This Task Request
Interval is configurable in the Symantec Management Console. Task Server task
and job information is not received through the Symantec Management Agent
configuration policy. It is received directly by the Client Task Agent from its
registered task server. If you force the Symantec Management Agent to update
its configuration policy, it does not force the Client Task Agent to receive pending
task information.
See “Changing Client Task Agent settings” on page 458.
By default, the Tickle Server uses port 50123 for task servers and task servers use
port 50124 to tickle Client Task Agents.
See “About Task Management” on page 440.
The following example assumes the Client Task Agent for ComputerA is registered
with RemoteTaskServer1.
Table 22-5
Sequence for how the task server tickle works
Sequence
Description
One
A Notification Server administrator assigns a task to run
immediately on ComputerA.
Two
The Tickle Server on the Notification Server computer sends
a tickle packet to notify RemoteTaskServer1 of the pending
task.
Three
RemoteTaskServer1 receives the tickle packet and
immediately requests the job information from Notification
Server.
Four
RemoteTaskServer1 tickles ComputerA to notify it of the
pending task.
Five
ComputerA receives the tickle packet and immediately
requests the job information from its registered task server
– RemoteTaskServer1.
Six
ComputerA receives the job information and executes the
task.
Seven
Upon completion of the task, ComputerA sends a status
event back to RemoteTaskServer1.
Eight
RemoteTaskServer1 caches the status event and
immediately attempts to forward it back to Notification
Server.
Nine
Notification Server receives the status event from
RemoteTaskServer1 and records the information in the
database.
Figure 22-1
Sequence for how task server tickle works
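The sequence in Table 22-5, replayed as a small discrete-event model, including the case where the tickle to the Client Task Agent is blocked and the agent falls back to its Task Request Interval. This is an added example, not Symantec code. The per-message latency (hop), the task duration (run_time), and the rule that a task server without job information leaves a request unanswered are assumptions of the model; the ports, the interval, and the computer names are the guide's.

```python
import heapq
import itertools

# Values taken from the guide.
PORT_NS_TO_TS = 50123          # Tickle Server -> task servers
PORT_TS_TO_CLIENT = 50124      # task server -> Client Task Agents
TASK_REQUEST_INTERVAL = 300    # default Task Request Interval (5 minutes), in seconds

# Names from the guide's example.
NS, TS, CLIENT = "NotificationServer", "RemoteTaskServer1", "ComputerA"
TICKLE_TS = f"tickle (port {PORT_NS_TO_TS})"
TICKLE_CLIENT = f"tickle (port {PORT_TS_TO_CLIENT})"


def simulate(assign_at, last_poll_at, client_tickle_blocked=False,
             interval=TASK_REQUEST_INTERVAL, hop=1, run_time=10):
    """Replay one task assignment and return its timeline.

    Model assumptions (not stated in the guide): every message takes `hop`
    seconds, the task runs for `run_time` seconds, and a task server that
    holds no job information yet does not answer a request.
    """
    queue, trace, order = [], [], itertools.count()
    state = {"ts_has_job": False, "started_at": None, "recorded_at": None}
    horizon = assign_at + 10 * interval          # safety stop for the loop

    def push(at, dst, msg):
        heapq.heappush(queue, (at, next(order), dst, msg))

    def send(at, src, dst, msg, dropped=False):
        trace.append((at, src, dst, msg, "dropped" if dropped else "sent"))
        if not dropped:
            push(at + hop, dst, msg)

    push(assign_at, NS, "task assigned")                   # sequence One
    push(last_poll_at + interval, CLIENT, "poll timer")    # agent's own timer

    while queue:
        now, _, dst, msg = heapq.heappop(queue)
        if now > horizon:
            break
        if (dst, msg) == (NS, "task assigned"):
            send(now, NS, TS, TICKLE_TS)                   # Two
        elif (dst, msg) == (TS, TICKLE_TS):
            send(now, TS, NS, "request job info")          # Three
        elif (dst, msg) == (NS, "request job info"):
            send(now, NS, TS, "job info")
        elif (dst, msg) == (TS, "job info"):
            state["ts_has_job"] = True
            send(now, TS, CLIENT, TICKLE_CLIENT,           # Four
                 dropped=client_tickle_blocked)
        elif dst == CLIENT and msg in (TICKLE_CLIENT, "poll timer"):
            if state["started_at"] is None:
                send(now, CLIENT, TS, "request task info")  # Five
                if msg == "poll timer":                    # keep polling
                    push(now + interval, CLIENT, "poll timer")
        elif (dst, msg) == (TS, "request task info"):
            if state["ts_has_job"]:
                send(now, TS, CLIENT, "task info")
        elif (dst, msg) == (CLIENT, "task info"):
            if state["started_at"] is None:                # Six
                state["started_at"] = now
                push(now + run_time, CLIENT, "task finished")
        elif (dst, msg) == (CLIENT, "task finished"):
            send(now, CLIENT, TS, "status event")          # Seven
        elif (dst, msg) == (TS, "status event"):
            send(now, TS, NS, "status event")              # Eight
        elif (dst, msg) == (NS, "status event"):
            state["recorded_at"] = now                     # Nine

    started = state["started_at"]
    return {"delay": None if started is None else started - assign_at,
            "recorded_at": state["recorded_at"], "trace": trace}


if __name__ == "__main__":
    for blocked in (False, True):
        result = simulate(1000, 900, client_tickle_blocked=blocked)
        print("tickle blocked:", blocked, "start delay (s):", result["delay"])
        for entry in result["trace"]:
            print("  ", entry)
```

In this model a blocked port 50124 tickle turns a start delay of a few seconds into one bounded by the Task Request Interval plus message latency, which is the change to expect after tightening a host firewall on managed computers.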
Running a job or task
The jobs and tasks that you create can be run on Notification Server or on managed
computers depending on whether they are server tasks or client tasks. Server
tasks are the tasks that run on a Notification Server computer. Client tasks are
the tasks that run on a client computer.
If more than one task is added to a job, they are performed one after another. If
a condition is added, the tasks that are performed are based on the results of the
condition. The server must receive status of a previous task that has completed
before it starts the next task in the job. There might be a delay of a few seconds
before the next task begins.
See “Sequencing tasks” on page 442.
See “About the Jobs and Tasks Portal” on page 444.
To run a job or task
1
In the Symantec Management Console, on the Manage menu, click Jobs and
Tasks.
2
In the left pane, select the job or task that you want to run.
3
Add a schedule to run the job or task.
See “Adding a schedule to a policy, task, or job” on page 454.
To rerun a previously run task or job
1
In the Symantec Management Console, on the Settings menu, click Console
> Portal Pages.
2
In the left pane, click Jobs and Tasks Portal.
3
In the Jobs and Tasks Portal, in the Job and Task Status Web part, select the
task or job that you want to rerun.
If you do not see the Job and Task Status Web part, click Edit and add it to
the portal page.
4
Right-click on the task or job and select Start Now.
The task or the job reruns with the same parameters (including selected
computers) that were used the first time it was run. If a job is running, the
current version of the job is run with the tasks in the order they are set up to
run. The task run name has “Re-” prefixed to the original name.
Stopping a job or task
You may want to cancel or interrupt the job or the task that you have set up to
run or that is already running. In this case you can stop the task or the job.
Task servers receive the request to stop the job or task and forward that request
to the managed computer. The agent then stops the job or task and sends the
status back to Notification Server.
See “About Task Management” on page 440.
See “Sequencing tasks” on page 442.
To stop a job or task
1
In the Symantec Management Console, on the Settings menu, click Console
> Portal Pages.
2
In the left pane, click Jobs and Tasks Portal.
3
In the Jobs and Tasks Portal, in the Job and Task Status Web part, right-click
a job or task.
If you do not see the Job and Task Status Web part, click Edit and add it to
the portal page.
4
Select Stop.
Adding a schedule to a policy, task, or job
When you schedule a policy, task, or job to run, you have two options: quick run
and schedule. The quick run option runs the current policy, task, or job
immediately on a computer you specify. The schedule option provides several
scheduling and target computer options. The schedule option lets you set a
schedule. The target must be defined elsewhere.
See “Running a job or task” on page 452.
To add a quick run schedule
1
In the Symantec Management Console, on the Manage menu, click Jobs and
Tasks.
2
In the left pane, select the policy, job, or task to which you want to apply the
quick run.
3
In the right pane under Task Status, click Quick Run.
4
In the Quick Run Now dialog box, select the name of the computer on which
you want to run the policy, task, or job.
5
Click Run.
To add a new schedule
1
In the Symantec Management Console, on the Manage menu, click Jobs and
Tasks.
2
In the left pane, select the policy, job, or task that you want to schedule.
3
In the right pane under Task Status, click New Schedule.
4
In the New Schedule dialog box, configure the schedule.
See “New schedule dialog box” on page 455.
5
Click Schedule.
When tasks or jobs are selected to run, they appear in the Job and Task Status
section.
New schedule dialog box
When you create or edit a schedule, you have several options available. A policy,
task, or job can run immediately or it can be scheduled. If the policy, task, or job
is scheduled, you can choose a specific date and time, or a shared schedule.
Most policy, task, or job schedules have an associated list of computers to which
the schedule applies. Other policy, task, or job schedules apply the schedule to
software resources in the Software Catalog.
Some options that appear in this topic may not appear on the New Schedule dialog
box. Also, the New Schedule dialog box can include other options that are not in
this topic.
See “Adding a schedule to a policy, task, or job” on page 454.
See “Running a job or task” on page 452.
Table 22-6
Options on the New Schedule dialog box
Option
Description
Now
Runs the policy or task one time as soon as possible after the policy
or task is saved.
Schedule
Runs the policy or task at a specific time or multiple times.
The Schedule options are as follows:
■
At date/time
You specify the date and time and how often the schedule
repeats.
■
Shared schedule
You select a shared schedule to use or can create a new one to
use.
Override Maintenance Windows
Lets the job or task run regardless of what the Maintenance Window
is set to. As a default, the job or task runs only within the
Maintenance Window if one has been set up and is enabled.
Quick Add
Lets you add a computer to the list of computers to which the
schedule applies. Start typing the name of the computer and a list
of computers that match what you have typed is displayed for you
to select.
Add
Lets you add computers to which the schedule applies. You can
select computers individually and by target.
When you select computers by target, it usually requires less
maintenance than by individual computer. If the computers to
which you want a schedule to apply are in a target, you do not need
to change the schedule as the target membership changes. You get
the most flexibility when you add computers individually. You can
add any computer, regardless of how your targets are organized.
In many situations, you can use a combination of targets and
individual computers.
Creating tasks to input or to output task properties
Input properties are the properties that are passed into a task from some source.
Tasks can receive input properties from a set value, from other tasks, or at run
time. Tasks can use these input properties (similar to variables) to perform their
functions. All properties that are available to a task (both input properties and
properties that the task creates) are called task properties.
A task can output its task properties to other tasks. If you have a task that outputs
properties, any subsequent task in that job can use those output properties for
its input properties. The tasks do not need to be concurrent.
You do not need an output task for each input task. Input tasks can also receive
input from a set value or at run time.
See “About Task Management” on page 440.
See “Task advanced options” on page 462.
See “Creating a task” on page 446.
To create a task that outputs properties
1
In the Symantec Management Console, on the Settings menu, click Console
> Portal Pages.
2
In the left pane, click Jobs and Tasks Portal.
3
In the Jobs and Tasks Portal, under Quick Start - Jobs and Tasks, click Create
a new job or task.
4
Create a task that has an Advanced option (example: Run Script).
5
Click Advanced.
6
Check Save script output with task status.
When this box is checked for a task, all of its task properties become viewable
and available to subsequent tasks in a job.
7
Click OK.
8
Configure the task.
See “Sample tasks, jobs, and scripts provided by Task Management”
on page 463.
9
Click OK.
To create a task that gets input properties from another task
1
In the Symantec Management Console, on the Settings menu, click Console
> Portal Pages.
2
In the left pane, click Jobs and Tasks Portal.
3
In the Jobs and Tasks Portal, under Quick Start - Jobs and Tasks, click Create
a new job or task.
4
Create a Script task. Script tasks receive input properties.
5
To use this task to pass the properties to another task, click Advanced, select
Save script output with task status, and then click OK.
6
In the script command section, enter one or more tokens (example:
%!input!%).
These catch the output.
7
Click OK.
To set up tasks within a job for input
1
Create a job and place in it the tasks you created for output and input. Each
output task must precede the task that receives its output.
See “Creating a job” on page 447.
2
Configure each input task in the job.
A Task Input appears on the right side when you click on the task in the
following situations: when a client task has input and is in a client job, or
when there is a client task inside of a server job.
Prompt me for task input each time this job is run
Select to enter the input manually when the job runs.
Enter task input now
Select to enter the task input at this time.
■ Use a set value
Select to use a value that doesn’t change. Enter the value in the field that appears when the screen refreshes. If this task is a client task inside a server job, you must select the computer or computers that run the client task. All client tasks have this parameter as a default input parameter when they are inside server jobs.
■ Use a previous task’s output
Select to use a previous task’s output. Use this parameter if there is an output task in this job you want to use. When the screen refreshes, the variable name appears as well as a list of available output tasks. Select the task whose output you want to use for this task.
■ Prompt at run time
Select to be prompted for the input at run time.
3
Click OK.
Changing Client Task Agent settings
The Client Task Agent is part of the Symantec Management Agent. It receives
jobs and tasks from the task server and runs them on managed computers. It then
reports back to Notification Server.
Note: When you install the Symantec Management Agent on a computer, there
is a delay before the Client Task Agent registers with Notification Server. Any
tasks that are targeted at the computer during this time (typically about 10
minutes) have a pending status until the Client Task Agent registers. When the
Client Task Agent is registered, the tasks are executed immediately.
Note: Usually the Client Task Agent opens a direct connection to Task Server on
port 50124. Task Server uses this connection to tell the agent when new tasks are
available. However, if a proxy is being used, a direct connection is impossible, so
Task Server cannot tell the agent when new tasks become available. To keep
up-to-date, you need to set the appropriate Check Task Server for new tasks value
in the Task Update field.
See “About Task Management” on page 440.
See “Sequencing tasks” on page 442.
See “Task Management components” on page 441.
You can change Client Task Agent settings to improve the efficiency of work
between the Client Task Agent and the Task Server. To improve efficiency, you
can set the time interval that you want the Client Task Agent to request tasks
from the Task Server. You can define the default method by which Notification
Server selects a Task Server. You can also define the action you want to perform
if multiple task servers are available at a site.
To change Client Task Agent settings
1
In the Symantec Management Console, on the Settings menu, click All
Settings.
2
In the left pane, click Notification Server > Task Settings > Task Agent
Settings.
3
On the Task Agent Settings page, edit the required details.
Check Task Server for new tasks every
The interval, in minutes, that you want the agent to request tasks from the task server.
When multiple Task Servers are available at a site
The action you want to perform if multiple task servers are available at a site.
Select the default method by which Notification Server selects a task server
■ Choose the Task Server to which the agent has the fastest connection.
■ Choose the Task Server with the fewest computers currently connected. (This choice is the default.)
4
Select the targets, computers, or users for the changes to apply to.
5
Click Save changes.
Cleaning up task data
To decrease the load on your system resources, task data can be archived or deleted
using cleanup options.
See “About Task Management” on page 440.
See “Sequencing tasks” on page 442.
To clean up task data
1
In the Symantec Management Console, on the Settings menu, click All
Settings.
2
In the left pane, click Notification Server > Task Settings > Cleanup Task
Data.
3
On the Cleanup Task Data page, edit the required details.
Every night, the current task data and archived task data gets moved or
deleted according to the following settings.
Maximum number of
working database rows
After the number of working database rows reaches
the maximum number, the oldest rows get archived
until the maximum number is no longer exceeded.
Working database rows are the database rows that
have been used recently. We recommend keeping this
number small to decrease the load on your system
resources.
4
(Optional) Add a schedule to clean up the task data.
See “Adding a schedule to a policy, task, or job” on page 454.
5
Click Save changes.
Update Summary Data page
This page lets you make schedule changes to a task that updates the summary
results of task execution. The Update Summary Data task updates the
summary data classes and archives old task data from the database. The Update
Summary Data task is set up to run daily. You can change the schedule as needed.
You access the Update Summary Data page from the Settings menu. The page is
in the Task Settings folder under Notification Server.
See “Updating summary data” on page 184.
Table 22-7
Options on the Update Summary Data page
Option
Description
New Schedule
Lets you enter a new schedule to run the task summary update.
See “New schedule dialog box” on page 455.
View Details (hand icon next to New Schedule)
Lets you view details about any schedule that you have highlighted.
Delete (the X icon)
Lets you delete any update schedule that you have highlighted.
Update Task Service Assignments page
This page lets you make schedule changes to a task that links unmanaged
computers to a Task Server. The Update Task Service Assignments task is set up
to run daily. You can change the schedule as needed. You access the Update Task
Service Assignments page from the Settings menu. The page is in the Task Settings
folder under Notification Server.
Table 22-8
Options on the Update Task Service Assignments page
Option
Description
Log task service assignment changes
Logs the site assignment changes made by
this task to Notification Server log file.
New Schedule
Lets you enter a new schedule to run this
task.
See “New schedule dialog box” on page 455.
Viewing the task status on the Symantec Management Agent
The task status (including the task history) is registered on the Symantec
Management Agent. You can view the task status on any computer that runs the
task by opening the Symantec Management Agent. The task status lets you see
which tasks have run and the result.
See “About Task Management” on page 440.
To view task status on the Symantec Management Agent
1
On the computer whose task status you want to view, open the Symantec
Management Agent by double-clicking the icon on the system tray.
2
Click the Task Status tab.
Viewing and editing permissions on a task type
You can view and edit the permissions on task type properties. Changing
permissions on the task type enables you to control which users can create new
tasks. Users who have the Create New Task permission can create new tasks of
that type.
See “About Task Management” on page 440.
See “Sequencing tasks” on page 442.
See “Task Types” on page 468.
See “About security role permissions” on page 107.
See “Task Server permissions” on page 110.
To view and edit permissions on a task type
1
In the Symantec Management Console, on the Settings menu, click All
Settings.
2
In the left pane, click Notification Server > Task Settings > Task Types.
3
Navigate to the task type that you want to view, and then click it.
4
In the right pane, click View permissions.
5
To edit permissions, in the Security Role Manager, edit permissions on the
task type.
See “About the Security Role Manager” on page 112.
See “Assigning security permissions to folders and items” on page 114.
Task advanced options
Some tasks have an Advanced option when you create or edit them. The Advanced
option is on the lower right corner of the Edit page. When you click Advanced, a
dialog box appears. For a Run Script task, there are two tabs: Script and Run
Options. Other tasks have similar tabs.
See “About Task Management” on page 440.
See “Sample tasks, jobs, and scripts provided by Task Management” on page 463.
Table 22-9
Task advanced options
Tab
Options
Script
Run As - This option lets you select to run the task using either
Symantec Management Agent credentials or a specific user’s
credentials. The default is to use Symantec Management Agent
credentials.
Other - In the Other section, you can choose how you want the script
to appear. If the task has the output parameters that you want to be
saved, select Save script output with task status.
See “Creating tasks to input or to output task properties ” on page 456.
Run Options
Ensure no other tasks are running while this task is running - If
selected, no other tasks can run until this task has completed. If this
parameter is not selected, other tasks can run while this task is
running.
End task after 30 minutes - This task ends after the prescribed number
of minutes. This setting lets you end the tasks that have run longer
than expected. Example: If you expect the task to never run for longer
than 20 minutes, then set this parameter to 30 minutes. The default
is 30 minutes. This option applies to all tasks. If there is no Advanced
option when you edit a task, that task always ends after 30 minutes.
Sample tasks, jobs, and scripts provided by Task Management
The following sample tasks, jobs, and scripts are provided with Task Management.
You can use them to create tasks and jobs. They are read-only by default. To
change their default options, clone them and then run them.
Some Symantec solutions also provide sample tasks, jobs, and scripts and many
Symantec solutions will provide sample tasks, jobs, and scripts in the future.
See “About Task Management” on page 440.
See “Creating a task” on page 446.
See “Creating a job” on page 447.
See “Running a job or task” on page 452.
You can use the following types of samples:
■ Sample client tasks
See Table 22-10 on page 464.
■ Sample server tasks
See Table 22-11 on page 466.
■ Sample jobs
See Table 22-12 on page 467.
■ Sample scripts
See Table 22-13 on page 468.
See “Task Types” on page 468.
Table 22-10
Sample client tasks
Sample task name
Task type
Description

Defragment Computer
See “Defragment computer client task page” on page 475.
Runs a Windows defrag on a client computer.
The options are as follows:
■ Analyze only
■ Force a Disk Fragmentation
■ Verbose Output

Delete Temporary Files
See “Run script task page” on page 477.
Deletes all files in all temp directories for all profiles.

DIR Pause
See “Run script task page” on page 477.
Displays the contents of the directory in a command window and pauses and waits for user interaction.

End a Process
See “Run script task page” on page 477.
Prompts the user to enter a name of a process to end. It then stops the process on the client computer.
For example, open Notepad on a client computer and then run this task. When you are prompted for the process name, enter Notepad.exe. After the task has run, the Notepad window should be closed.
Find File
See “Run script task page” on page 477.
Prompts the user for a file name and then searches for that file on a client computer. When the search is complete, an HTML page appears with the results.
For example, run this task, and when prompted for a file name enter notepad.exe. After the task has completed, an HTML file appears that contains the locations of notepad.exe.

Get IP Configuration
See “Get IP configuration client task page” on page 475.
Runs Ipconfig.exe on a client computer.
You are given the following options:
■ Get IP Configuration information (ipconfig).
■ Renew the IP address (ipconfig /renew).
■ Purge the DNS Resolver cache (ipconfig /flushdns).
■ Get DNS Resolver cache information (ipconfig /displaydns).
When you select Get IP Information or Get DNS Resolver cache information, the information is displayed on the Task Instance Details page.

Get NS Registered Services
See “Call Web service client task page” on page 474.
Displays a list of the Notification Server computer registered services on a client computer in the Task Instance Details page.

Get Stock Quote from Agent
See “Call Web service client task page” on page 474.
Displays the current stock quote information on a client computer. By default it displays the Symantec stock quote on the Task Instance Details page.

Collect Hardware Summary
See “Run script task page” on page 477.
Runs a hardware inventory on the client computer and displays the output on the Task Instance Details page.

Restart Computer
See “Power control task page” on page 476.
Performs the following power functions on a client computer:
■ Restart.
■ Shut Down.
■ Log off.
■ Wake up (Wake-on-Lan).
■ Force applications to close without prompting.

Restart Symantec Management Agent
See “Control service state client task page” on page 474.
Lets you start, stop, restart, pause, resume, and get status of the Symantec Management Agent. You can also change the startup type and the account that was used to log on.

Send Basic Inventory
See “Send basic inventory task page” on page 472.
Forces the Symantec Management Agent to send Basic Inventory.

Update Agent Config
See “Run script task page” on page 477.
Forces the Symantec Management Agent to update its current configuration and policy.
Table 22-11
Sample server tasks
Sample task name
Task type
Description

Enable Global Symantec Management Agent Settings
See “Enable/Disable policy task page” on page 478.
Lets you enable or disable the Global Symantec Management Agent Settings Policy.

Get NS Registered Services
See “Call Web service on server task page” on page 477.
Displays a list of the Notification Server computer Registered services on a Notification Server computer in the Task Instance Details page.

Get Stock Quote from Server
See “Call Web service on server task page” on page 477.
Displays the current stock quote information on Notification Server. By default it displays the Symantec stock quote on the Task Instance Details page.
Server Directory
See “Run script on server task page” on page 478.
Displays all of the files and folders in the root directory of the server that runs Notification Server. You see the directory listing on the Task Instance Details page.

SQL Query Computer List
See “Run SQL query on server task page” on page 479.
Uses a SQL query to create a list of computers. You can have the output returned as a Computer List, Any Object, email address List, or Text.

Select Primary Machine for User
See “Run SQL query on server task page” on page 479.
Selects the primary computer for a given user name. This task is used with the Sample Target User Job.

Send E-mail
See “Send E-mail server task page” on page 480.
Lets the user send an email.

Purge the 'Computers' Report
See “Purge report task page” on page 470.
Lets the user purge the data from the Computers report.

Restart Server Services
See “Restart server services task page” on page 471.
Lets the user restart all Notification Server services.

Update The 'All Computers' Filter
See “Update filter membership task page” on page 473.
Lets the user update the membership of the All Computers filter.

Table 22-12
Sample jobs
Sample job name
Job type
Description

Sample Target User Job
Server
Runs a client-side task that is targeted at a specific user rather than a specific computer. As part of this job, it runs the Select Primary Machine for User and Echo user message tasks. You can find the Echo user message tasks in the Helper Tasks folder under Job Samples.
Table 22-13
Sample scripts
Sample script name
Script type
Description

Disable PowerShell Signing Policy
See “Run script task page” on page 477.
Enables you to run PowerShell scripts that have not been digitally signed. It requires PowerShell to be installed.

Enable PowerShell Signing Policy
See “Run script task page” on page 477.
Disables the ability to run PowerShell scripts that have not been digitally signed. It requires PowerShell to be installed.

Perl Script Sample
See “Run script task page” on page 477.
Runs a Perl script that displays Hello World. It requires Perl Script to be installed.

PowerShell Script Sample
See “Run script task page” on page 477.
Runs a PowerShell script that displays Hello World. It requires PowerShell to be installed.

Python Script Sample
See “Run script task page” on page 477.
Runs a Python script that displays Hello World. It requires Python to be installed.
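The two PowerShell signing policy samples change whether unsigned scripts can run on a managed computer, so it is useful to be able to report the resulting state. The following is an added example, not one of the Symantec sample scripts: a PowerShell script that could serve as the body of a Run Script task and that reports the execution policy at every scope. The function name and the list of policies treated as permitting unsigned scripts are assumptions; this guide does not state which policy value the sample scripts set.

```powershell
# Added example (not one of the Symantec sample scripts).
# Reports the PowerShell execution policy for every scope and flags the
# computer when the persistent policy does not enforce script signing.

function Get-ExecutionPolicyAudit {
    param(
        # Assumption: these policies count as "unsigned scripts can run".
        # RemoteSigned is included because it requires a signature only on
        # scripts that were downloaded from the Internet.
        [string[]]$UnsignedAllowed = @('Unrestricted', 'Bypass', 'RemoteSigned')
    )

    # -List returns the scopes in precedence order: MachinePolicy,
    # UserPolicy, Process, CurrentUser, LocalMachine.
    $scopes = @(Get-ExecutionPolicy -List)

    # The Process scope only reflects how this session was launched (for
    # example with -ExecutionPolicy on the command line), so the finding is
    # based on the scopes that persist across sessions.
    $decider = $scopes |
        Where-Object { $_.Scope -ne 'Process' -and $_.ExecutionPolicy -ne 'Undefined' } |
        Select-Object -First 1

    $persistent = 'Undefined'   # no scope set: the platform default applies
    $decidedBy  = 'default'
    if ($decider -ne $null) {
        $persistent = $decider.ExecutionPolicy.ToString()
        $decidedBy  = $decider.Scope.ToString()
    }

    $rows = foreach ($s in $scopes) {
        New-Object PSObject -Property @{
            Scope          = $s.Scope.ToString()
            Policy         = $s.ExecutionPolicy.ToString()
            AllowsUnsigned = ($UnsignedAllowed -contains $s.ExecutionPolicy.ToString())
        }
    }

    New-Object PSObject -Property @{
        Computer         = $env:COMPUTERNAME
        SessionPolicy    = (Get-ExecutionPolicy).ToString()  # effective in this session
        PersistentPolicy = $persistent
        DecidingScope    = $decidedBy
        AllowsUnsigned   = ($UnsignedAllowed -contains $persistent)
        Scopes           = $rows
    }
}

$audit = Get-ExecutionPolicyAudit

# Per-scope detail, then a one-line summary that is easy to search for.
$audit.Scopes | Select-Object Scope, Policy, AllowsUnsigned |
    Format-Table -AutoSize | Out-String
"{0}: session={1} persistent={2} (set by {3})" -f $audit.Computer,
    $audit.SessionPolicy, $audit.PersistentPolicy, $audit.DecidingScope

if ($audit.AllowsUnsigned) {
    "FINDING: unsigned scripts are permitted by the persistent policy"
    exit 1   # non-zero exit code signals the finding to the caller
}
exit 0
```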
Task Types
Task types are provided for creating tasks. You create and deploy tasks to managed
computers using predefined task types. The type of task you choose depends on
what you want to accomplish. Many types of tasks are provided with Task
Management. Some Symantec solutions also provide task types and sample jobs,
and many Symantec solutions will provide task types and sample jobs in the future.
See “Creating a task” on page 446.
The following are the task types provided by the Symantec Management Platform:
■ See “Assign to organizational group task page” on page 469.
■ See “Delete item task page” on page 470.
■ See “Move item task page” on page 470.
■ See “Purge report task page” on page 470.
■ See “Restart server services task page” on page 471.
■ See “Run hierarchy node replication schedule task page” on page 471.
■ See “Run report task page” on page 471.
■ See “Send basic inventory task page” on page 472.
■ See “Tickle client task page” on page 472.
■ See “Update client configuration task page” on page 472.
■ See “Update filter membership task page” on page 473.
■ See “Write entry to server log task page” on page 473.
■ See “File resource cleanup task page” on page 474.
■ See “Call Web service client task page” on page 474.
■ See “Control service state client task page” on page 474.
■ See “Defragment computer client task page” on page 475.
■ See “Get IP configuration client task page” on page 475.
■ See “Power control task page” on page 476.
■ See “Reset task agent page” on page 476.
■ See “Run script task page” on page 477.
■ See “Call Web service on server task page” on page 477.
■ See “Enable/Disable policy task page” on page 478.
■ See “Raise message task page” on page 478.
■ See “Run script on server task page” on page 478.
■ See “Run SQL query on server task page” on page 479.
■ See “Run Script on task server task page” on page 479.
■ See “Send E-mail server task page” on page 480.
■ See “UNIX/Linux/Mac service control task page” on page 480.
■ See “Tokens page” on page 481.
■ See “Client task schedule page” on page 482.
Assign to organizational group task page
This page lets you assign the specified resources to the specified organizational
group.
See “Sample tasks, jobs, and scripts provided by Task Management” on page 463.
Table 22-14
Options on the Assign to organizational group task page
Option
Description
Group
The organizational group that the resource or resources are
assigned to.
Must only contain
If this option is checked, the organizational group must only
contain the specified resources.
Must at least contain
If this option is checked, the organizational group must at least
contain the specified resources.
Resources
The resources that are assigned to the organizational group.
Delete item task page
This page lets you delete specified items.
See “Sample tasks, jobs, and scripts provided by Task Management” on page 463.
Table 22-15
Option on the delete item task page
Option
Description
Delete Items
The items that you want deleted.
Move item task page
This page lets you move specified items to a folder.
See “Sample tasks, jobs, and scripts provided by Task Management” on page 463.
Table 22-16
Options on the move item task page
Option
Description
Move items
The items that you want moved.
Destination folder
The folder that you want to move the items to.
Purge report task page
This page lets you purge the data from a Notification Server report.
See “Sample tasks, jobs, and scripts provided by Task Management” on page 463.
Table 22-17
Options on the purge report task page
Option
Description
Purge report
The report that you want to purge data from.
Purge global snapshots only
If this option is checked, only the data from the global snapshots
of the report is purged.
Restart server services task page
This page lets you restart all of the Notification Server services.
See “Sample tasks, jobs, and scripts provided by Task Management” on page 463.
Run hierarchy node replication schedule task page
This page lets you run the selected node replication schedule for the selected
hierarchy node.
See “Sample tasks, jobs, and scripts provided by Task Management” on page 463.
Table 22-18
Options on the run hierarchy node replication schedule task page
Option
Description
Hierarchy Node
The hierarchy node whose schedule you want to replicate.
Complete replication
If this option is checked, a complete replication is performed.
Differential replication
If this option is checked, only a differential replication is
performed.
Run report task page
This page lets you run a report.
See “Sample tasks, jobs, and scripts provided by Task Management” on page 463.
Table 22-19
Options on the run report task page
Option
Description
Run report
The report you want to run.
Save report results as
The method that you want to use to save the report results.
Send basic inventory task page
This page lets you tell the Symantec Management Agent on the client computer
to send its basic inventory to the Notification Server.
See “Sample tasks, jobs, and scripts provided by Task Management” on page 463.
Table 22-20
Options on the send basic inventory task page
Option
Description
Send basic inventory ASAP
Sends the basic inventory right away.
Send basic inventory after a random period
Sends the basic inventory after some random period. You enter
the minimum and the maximum delay time.
Randomize next basic inventory report time
Randomizes the next time the basic inventory is sent.
Tickle client task page
This page lets you trigger a wake on LAN, get client configuration, and send basic
inventory events.
See “Sample tasks, jobs, and scripts provided by Task Management” on page 463.
Table 22-21
Options on the tickle client task page
Option
Description
Wake on LAN
Sends a wake on LAN event to the selected client computers. This
option wakes the client computer.
Get client configuration
Sends a get client configuration event to the selected client
computers. The client computer then requests its client
configuration from Notification Server.
Send basic inventory
Sends a send basic inventory event to the selected client
computers. The client computer then sends its basic inventory
to Notification Server.
Computers
The computers to send the event or events to.
Update client configuration task page
This page lets you tell the Symantec Management Agent on the client computer
to update its configuration from Notification Server.
See “Sample tasks, jobs, and scripts provided by Task Management” on page 463.
Table 22-22
Options on the update client configuration task page
Option
Description
Update client configuration ASAP
Updates the client configuration right away.
Update client configuration after a random period
Updates the client configuration after some random period. You
enter the minimum delay time and maximum delay time.
Randomize next configuration update time
Randomizes the next time the client configuration update is
requested.
Update filter membership task page
This page lets you update the membership of Notification Server filters.
See “Sample tasks, jobs, and scripts provided by Task Management” on page 463.
Table 22-23
Options on the update filter membership task page
Option
Description
Update filters
Notification Server filters whose membership you want to update.
Force filter update
Notification Server filter membership is forced to update.
Write entry to server log task page
This page lets you write an entry to the Notification Server log.
See “Sample tasks, jobs, and scripts provided by Task Management” on page 463.
Table 22-24
Options on the write entry to server log task page
Option
Description
Error
The entry is tagged as an Error.
Warning
The entry is tagged as a Warning.
Information
The entry is tagged as informational only.
Message category
The category of the message entry.
Message text
The text of the message entry.
File resource cleanup task page
This page lets you remove all unused file resources from the Configuration
Management Database (CMDB).
See “Sample tasks, jobs, and scripts provided by Task Management” on page 463.
Call Web service client task page
This page lets you call Web service methods from the Notification Server computer
and save the output.
This task also runs on UNIX, Linux, and Mac.
See “Sample tasks, jobs, and scripts provided by Task Management” on page 463.
Table 22-25
Option on the Call Web service client task page
Option
Description
WSDL URL
The URL needed to access the wanted Web service. Web Services
Description Language (WSDL) is what is used to communicate
with the Web service.
Control service state client task page
This page lets you start, stop, restart, pause, resume, and get status on Windows
services. For example, you can stop and start World Wide Web Publishing on one
or more client computers. You can even stop or restart the Symantec Management
Agent. However, if you stop the Symantec Management Agent, you cannot use
this task to start it again. The Symantec Management Agent is required to be
running to run this task.
See “Sample tasks, jobs, and scripts provided by Task Management” on page 463.
Table 22-26
Options on the Control Service State client task page
Option
Description
Service name
Displays the name of the service.
Service status
Lets you change the current status of a service or get the current status
of the service.
Startup type
Lets you change the way the service is started.
Log on as
Lets you change the account that is needed for the service to run.
Defragment computer client task page
This page lets you remotely defragment a computer. This task uses the Windows
Defrag utility.
See “Sample tasks, jobs, and scripts provided by Task Management” on page 463.
Table 22-27
Options on the Defragment computer client task page
Option
Description
Analyze Only
Analyzes the disk that is selected and lets you know how
defragmented it is.
Force a disk defragmentation
Forces the drive to be defragmented whether or not it is
determined that it needs to be defragmented.
Verbose output
Provides very detailed information. This option is especially
helpful with the Analyze option.
Get IP configuration client task page
This page lets you get the IP configuration for a client computer.
See “Sample tasks, jobs, and scripts provided by Task Management” on page 463.
See “Task advanced options” on page 462.
Table 22-28
Options on the Get IP configuration client task page
Option
Description
Get IP Configuration Information
Similar to an Ipconfig /all command.
Renew the IP Address
Similar to an Ipconfig /renew command.
Purge the DNS Resolver cache
Similar to an Ipconfig /flushdns command.
Get the DNS Resolver cache
Similar to an Ipconfig /displaydns command.
Power control task page
This page lets you control power options for client computers.
This task also runs on UNIX, Linux, and Mac.
See “Sample tasks, jobs, and scripts provided by Task Management” on page 463.
See “Task advanced options” on page 462.
Table 22-29
Options on the Power control task page
Option
Description
Restart
Restarts the client computer.
Shut down
Shuts down the client computer.
Log off
Logs off the current user from the client
computer.
Wake up (send Wake-On-LAN)
Wakes up the client computer.
Force applications to close without prompting
For a restart, turn off, or log off, forces all
open applications to close without prompting
the user.
Reset task agent page
This page lets you reset the task agent on client computers. It also lets you register
with a different task server that you have set up under Site Servers. This task is
related to the Reset Agent option in the Task Status on the Symantec Management
Agent.
See “Sample tasks, jobs, and scripts provided by Task Management” on page 463.
Table 22-30
Option on the Reset task agent page
Option
Description
Check NS for an updated site server list
Lets you re-evaluate the site server list on
the client computer.
Run script task page
This page lets you run scripts on client computers (DOS Command Script, VBScript,
and JavaScript).
This task also runs on UNIX, Linux, and Mac.
Note: When you run scripts on a UNIX, Linux, or Mac computer, the script always
runs using the POSIX (or C) locale. It does not run under the locale set on the
target computer.
See “Sample tasks, jobs, and scripts provided by Task Management” on page 463.
See “Task advanced options” on page 462.
Table 22-31
Options for the Run script task page
Option
Description
Script Type
Lets you select a script type and enter the script that you want
run on the client computer.
Insert token
Lets you select the token to insert in the script.
Insert
Lets you insert the selected token into your script.
Create/Edit
Lets you create a token.
See “Tokens page” on page 481.
Call Web service on server task page
This page lets you call Web service methods from remote computers and return
the output.
See “Sample tasks, jobs, and scripts provided by Task Management” on page 463.
Table 22-32
Option on the Call Web service on server task page
Option
Description
WSDL URL
The URL needed to access the wanted Web service. Web Services
Description Language (WSDL) is what is used to communicate
with the Web service.
Enable/Disable policy task page
This page lets you enable or disable any policy.
See “Sample tasks, jobs, and scripts provided by Task Management” on page 463.
Table 22-33
Options on the Enable/Disable policy task page
Option
Description
Change policy
The policy that you want to enable or disable
Enable
Enables the policy.
Disable
Disables the policy.
Raise message task page
This page lets you raise a message on the Notification Server computer.
See “Sample tasks, jobs, and scripts provided by Task Management” on page 463.
Table 22-34
Option on the Raise message task page.
Option
Description
Message
The message that you want to raise on the Notification Server
computer.
Run script on server task page
This page lets you run a script on Notification Server (DOS Command Script,
VBScript, and JavaScript).
See “Sample tasks, jobs, and scripts provided by Task Management” on page 463.
See “Task advanced options” on page 462.
Table 22-35
Option for the Run script on server task page
Option
Description
Script Type
Lets you select a script type and enter the script that you want run on
the Notification Server computer.
Run SQL query on server task page
This page lets you run an SQL statement against the Configuration Management
Database (CMDB).
See “Sample tasks, jobs, and scripts provided by Task Management” on page 463.
See “Task advanced options” on page 462.
Table 22-36
Options on the Run SQL query on server task page
Option
Description
SQL Command
Lets you enter the SQL command you want
to query.
Save query output
Lets you select how you want to save the SQL
query output.
Use a transaction
Lets you select if you want to use a
transaction.
Run Script on task server task page
This page lets you run a script task on the Notification server computer.
See “Sample tasks, jobs, and scripts provided by Task Management” on page 463.
See “Task advanced options” on page 462.
Table 22-37
Options on the Run Script on task server task page
Option
Description
Script type
Lets you select the type of script to run.
Insert token
Lets you select the token to insert in the
script.
Insert
Lets you insert the selected token into your
script.
Create/Edit
Lets you create a token.
See “Tokens page” on page 481.
Send E-mail server task page
This page lets you send an email. For example, you can send a form email after a
certain task runs.
See “Sample tasks, jobs, and scripts provided by Task Management” on page 463.
See “Task advanced options” on page 462.
The email text can be entered only when the task is created.
UNIX/Linux/Mac service control task page
This page lets you start, stop, restart, and get status of services on UNIX, Linux,
and Mac computers. For example, you can stop and start the SSH service on one
or more client computers.
See “Sample tasks, jobs, and scripts provided by Task Management” on page 463.
See “Task advanced options” on page 462.
Table 22-38
Options on the UNIX/Linux/Mac Service Control client task page
Option
Description
Service name
The name of the service or the string that
uniquely identifies the service. For example,
"sshd" for standard System V (init.d) services
or "svc:/network/login:rlogin" for Solaris
services.
Service status
Lets you change the current status of a
service or get the current status of the
service.
Service control systems
Lets you select service control systems on
the client computers that are accessed for
performing service actions. Some of them
allow advanced service customization.
Table 22-39
Advanced option for System V services (init.d)
Option
Description
Run levels
The system run levels in which the service is
started.
Table 22-40
Advanced option for Internet services (inetd/xinetd)
Option
Description
Run as
The user and group name or ID for this
service to run under. These options are
different for inetd and xinetd services.
Table 22-41
Advanced options for Mac OS system wide daemons (launchd)
Option
Description
Startup type
Lets you change the service startup type,
which can be either Automatic or Disabled.
Run as
The user and group name or ID for this
service to run under.
Table 22-42
Advanced options for Service Management Facility services
(svc.startd)
Option
Description
Change service state to
Lets you change the service state to either
Enable or Disable.
Tokens page
This page lets you create tokens for use in a Script task. These tokens are the SQL
code that you want to reuse. You can easily place tokens in a Script task.
See “Run script task page” on page 477.
See “Run Script on task server task page” on page 479.
Table 22-43
Options for the Tokens page
Option
Description
New token
Lets you create and add a new token to the list of tokens. When
you select the New token icon, a Token name field and a SQL statement
field appear on the right.
Token name
Lets you enter a name for the token. This name can be any
descriptive name you want.
SQL statement
Lets you enter the SQL statement you want for the token. This
statement is the SQL statement that gets added when the token
gets added to the Script task.
Validate SQL
Lets you validate the token SQL statement.
Client task schedule page
This page lets you schedule client tasks. When you schedule a task through the
normal user interface, a server-based schedule is created. This page lets you create
a client-based schedule. This task runs at the scheduled time even if the computer
is not connected to the server (offline). The schedule and all task data is sent to
the computer through the normal Symantec Management Agent policy update
mechanism.
Note: The Client task schedule page is only available if you upgrade from
version 7.1 SP1 or earlier.
See “Task Types” on page 468.
Table 22-44
Options for the Client task schedule page
Option
Description
Select a task
Lets you select the task to schedule.
Add schedule
Lets you add the schedule for the task to run.
Time zone
Lets you select the time zone on which to run the schedule.
Advanced
Lets you select which settings to perform the task run on.
Applied to
Lets you select the resource to which to apply the policy.
Save changes
Saves the changes you made.
Cancel
Cancels the operation.
Chapter 23
Using Resource Manager
This chapter includes the following topics:
■ About resource management
■ Resource Manager tasks
■ Accessing Resource Manager
■ Viewing inventory data for a data class
■ Viewing event data for a data class
■ Item Property Summary Web part
■ Adding a resource to an organizational group
■ Resource Manager summary pages
■ Filter Summary page
■ Organizational Summary page
■ Policy Summary page
■ Processing Summary page
■ Resource Summary page
About resource management
You can manage the resources in the Configuration Management Database (CMDB)
using the Resource Manager. Resource Manager lets you view information and
perform numerous tasks on a resource. The information available and the tasks
you can perform depend on the type of resource that is selected.
When you access Resource Manager, the Base Resource Portal Page is displayed
for all resources except computers and software packages. For a computer resource
or software package, the Resource Manager page displays. The page that displays
for non-computer resources contains the Item Property Summary Web part. This
Web part displays property information about the selected resource (such as GUID
and product name). For a computer resource, the page displays a summary page
for the computer resource. If you click Resource Manager Portal on the Home
menu, you can access the Item Property Summary Web part for a computer
resource.
See “Item Property Summary Web part” on page 490.
See “Resource Manager tasks” on page 486.
You can access Resource Manager in several ways. The different methods make
accessing Resource Manager easy, regardless of where you are in the Symantec
Management Console.
See “Accessing Resource Manager” on page 488.
Resource Manager tasks
Resource Manager lets you perform several tasks on a resource. These tasks are
available through the Resource Manager Tasks menu. The available tasks depend
on the type of resource that is selected.
See “About resource management” on page 485.
Table 23-1
Resource Manager tasks
Task
Description
Access the task management portal
If the task you want to perform is not listed in the left pane, you can
access the task management portal to find additional tasks.
See “About the Jobs and Tasks Portal” on page 444.
Add a resource to an organizational group
You can add the selected resource to an organizational group or move
it to a new organizational group.
If you select an organizational group within an organizational view of
which the resource is not already a member, the resource is added to
the organizational group. If you choose an organizational group within
an organizational view of which the resource is already a member, the
newly selected organizational group replaces the previous organizational
group.
Delete a resource
You can delete the selected resource from the Configuration Management
Database (CMDB).
Merge duplicate company resources
(Company resources only) If there are two entries for the same company,
you can use this feature to merge the entries together.
Ping computers
You can use the Task menu Ping Computer option to ping the selected
computer.
Schedule task
You can use the Task menu Schedule Task option to schedule the
running of a job or task.
See “New schedule dialog box” on page 455.
View an organizational summary
You can view (Summaries > Organizational Summary) the
organizational groups of which the selected resource is a part.
View Calendar
You can use the View menu Calendar option to view Notification Server
schedule information.
See “Viewing the Notification Server internal schedule calendar”
on page 128.
View events
You can view event data for a data class, including general information
about the data class and the status of the data class.
See “Viewing event data for a data class” on page 489.
View inventory
You can view inventory data for a data class, including general
information about the data class and the status of the data class.
See “Viewing inventory data for a data class” on page 489.
View resource associations
You can view the resources with which the selected resource is associated
in the left pane. If you select the associated resource in the left pane,
Resource Manager lets you manage that resource.
View resource details
When Resource Manager opens, the right pane provides details about
the selected resource.
See “Item Property Summary Web part” on page 490.
View the resource associations
You can use the View menu Resource Association option to view
resource association information. The resource association page displays
information about the resource association type and the resource type
names that are associated with the selected resource.
See “Viewing and managing resource data with Notification Server
reports” on page 500.
Accessing Resource Manager
You can access Resource Manager in the following ways:
■ Using the Manage menu on the Symantec Management Console
■ Right-clicking a resource in a list or report
■ Double-clicking a resource in a list or report
■ Typing a URL in your Web browser
See “About resource management” on page 485.
To access Resource Manager from the Manage menu
1 In the Symantec Management Console, on the Manage menu, click Resource.
2 In the Select Resource dialog box, select the resource you want to manage,
and then click OK.
The Resource Manager page opens with summary information about the selected
resource.
See “Item Property Summary Web part” on page 490.
To access Resource Manager from a right-click menu
◆ In a list of resources or a report within the Symantec Management Console,
right-click the resource you want to manage and click Resource Manager.
In some lists, resources, or reports, the right-click option for Resource
Manager might not be available. In these cases, use one of the other methods
to access Resource Manager.
To access Resource Manager by double-clicking a resource
◆ In a list of resources or a report within the Symantec Management Console,
double-click the resource you want to manage.
To access Resource Manager from a URL
◆ In a browser window, type the following URL:
http://NS Name/Altiris/Console/Dashboard/DashboardView.aspx?name=Target Resource Name
NS Name is the name of the Notification Server computer. Target Resource
Name can be the resource name, the resource GUID, or the item GUID. If you
omit “?name=Target Resource Name”, Resource Manager opens with the
following error:
No resource GUID was supplied.
When using a case-sensitive database, ensure that the target resource name
matches the name and case of the resource in the Configuration Management
Database (CMDB).
Viewing inventory data for a data class
Using Resource Manager, you can view inventory data for a particular data class. The
inventory data that is displayed depends on the data class selected. In general,
you can view status and current data. When applicable, historical data is also
available.
See “Accessing Resource Manager” on page 488.
To view inventory data for a data class
1 In the Symantec Management Console, on the Manage menu, click Resource.
2 In the Select Resource dialog box, select the resource you want to manage,
and then click OK.
3 In Resource Manager, on the View menu, click Inventory.
4 In the tree, select the data class on which you want to view inventory data.
5 In the right pane, select the tab that contains the information you want to
view.
Viewing event data for a data class
Using Resource Manager, you can view event data for a particular data class. The
event data that is displayed depends on the data class selected. In general, you
can view status and current data about the data class events.
See “Accessing Resource Manager” on page 488.
To view event data for a data class
1 In the Symantec Management Console, on the Manage menu, click Resource.
2 In the Select Resource dialog box, select the resource you want to manage,
and then click OK.
3 In Resource Manager, on the View menu, click Events.
4 In the tree, select the data class on which you want to view event data.
5 In the right pane, select the tab that contains the information you want to
view.
Item Property Summary Web part
This Web part is displayed when you open Resource Manager. This Web part
provides property information about an item. By default, this Web part is used in
Resource Manager to provide property information about the selected resource.
The type of information you can view depends on the type of resource selected.
In general you can view the following information about an item:
■ Resource GUID
■ Resource name
■ Resource description
■ Resource product name
■ Physical tree path to the resource type
■ Resource creation and modification dates
■ Person who last modified the resource
Additional information might be available, depending on the type of resource
selected.
See “About resource management” on page 485.
See “Accessing Resource Manager” on page 488.
Adding a resource to an organizational group
The Add to organizational group dialog box lets you add the selected resource to
an organizational group. A resource may appear once only in each organizational
view.
To add a resource to an organizational group
1 In the Symantec Management Console, on the Manage menu, click Resource.
2 In the Select Resource dialog box, select the resource you want to manage,
and then click OK.
3 In the left pane of Resource Manager, click the Add to organizational group
link.
4 In the Add to organizational group dialog box, select the organizational
group to which you want to add the resource.
5 Click OK.
See “About organizational views and groups” on page 371.
See “Resource Manager tasks” on page 486.
Resource Manager summary pages
The Resource Manager summary pages provide details about how a resource is
used and interacts with other resources. Each summary page can be accessed from
the Resource Manager Summaries menu.
The Summaries menu gives you access to the following default summary
information:
■ Filters that include the computer or the user resource
See “Filter Summary page” on page 492.
■ Organizational groups in which the resource is a member
See “Organizational Summary page” on page 492.
■ Policies that are related to the computer or the user resource
See “Policy Summary page” on page 492.
■ Processing routines that apply to the computer resource
See “Processing Summary page” on page 493.
■ General information about the resource
See “Resource Summary page” on page 495.
Some solutions may add additional summary pages for an existing resource type.
Solutions can also associate additional resource types with the existing summary
pages, or add new resource types to a summary page.
Filter Summary page
This page is accessed from the Resource Manager Summaries menu, and displays
the filters that are associated with the selected resource.
For each filter, the following information is provided:
■ Filter name
■ The name of the solution or product that is associated with the filter
■ Filter creation date
■ Filter modification date
To find a filter more quickly in a large list of filters, use the Search box at the top
of the page.
See “Resource Manager summary pages” on page 491.
Organizational Summary page
This page is accessed from the Resource Manager Summaries menu, and displays
the organizational groups that are associated with the selected resource.
For each organizational group, the following information is provided:
■ Organizational group path - the resource is a member of all organizational
groups in the path
■ The name of the solution or product that is associated with the organizational
group
■ Organizational group creation date
■ Organizational group modification date
To find an organizational group more quickly in a large list of groups, you can
use the search field on the page.
See “Resource Manager summary pages” on page 491.
Policy Summary page
This page is accessed from the Resource Manager Summaries menu, and displays
all the policies that apply to the selected resource.
For each policy, the following information is provided:
■ Policy name
■ Whether the policy is enabled
■ Target of the policy
■ The name of the solution or product that is associated with the policy
■ Policy creation date
■ Policy modification date
To find an organizational group more quickly in a large list of groups, you can
use the search field on the page.
See “Resource Manager summary pages” on page 491.
Processing Summary page
This page is accessed from the Resource Manager Summaries menu, and displays
the detailed summary data that the Notification Server processes for a computer
resource.
The processing information is grouped into the following categories:
■ Event history
See “Event History Web part” on page 493.
■ Client configuration events
See “Client Config Events Web part” on page 494.
■ Event history per policy
See “Event History per Policy Web part” on page 494.
■ Client configuration information per status code
See “Client Config Information (per status code) Web part” on page 495.
A Web part provides the information for each category.
See “Resource Manager summary pages” on page 491.
Event History Web part
This Web part provides details about the events that have occurred that are related
to the resource. By default, this Web part is used in Resource Manager.
For a resource, the following information is provided:
■ Number of the events that have occurred
■ Time and date of the oldest event
■ Time and date of the most recent event
■ Maximum tick count
■ Average tick count
■ Average number of events per minute
■ Average number of events per hour
■ Average number of events per day
■ Total number of the event errors that have occurred
■ Percent of the events that resulted in an error
■ Average number of events
See “Processing Summary page” on page 493.
Client Config Events Web part
This Web part provides details about the configuration events that have occurred
that are related to the resource. By default, this Web part is used in Resource
Manager.
For a resource, the following information is provided:
■ Count of the configuration events that have occurred
■ Time and date of the oldest configuration event
■ Time and date of the most recent configuration event
■ Maximum tick count
■ Average tick count
■ Maximum configuration event request size
■ Average configuration event request size
■ Maximum configuration event response size
■ Average configuration event response size
■ Total number of the configuration event errors that have occurred
■ Percent of the configuration events that resulted in an error
See “Processing Summary page” on page 493.
Event History per Policy Web part
This Web part displays the event history for a resource. A table lists the history
by policy. By default, this Web part is used in Resource Manager.
For each event associated with the resource that has occurred, the following
information is provided:
■ Name of the policy
■ Solution or product that is associated with the policy
■ Number of times the policy has run
■ Time and date of the oldest event
■ Time and date of the most recent event
■ Maximum tick count
■ Average tick count
■ Average number of events per minute
■ Average number of events per hour
■ Average number of events per day
■ Total number of the event errors that have occurred
■ Percent of the events that resulted in an error
■ Average event data
See “Processing Summary page” on page 493.
Client Config Information (per status code) Web part
This Web part displays the client configuration information for a resource. A table
lists the information by client code. By default, this Web part is used in Resource
Manager.
For each status code associated with the resource, the following information is
provided:
■ Status code number
■ Status constant
■ Status value
■ Number of times the status value occurred
See “Processing Summary page” on page 493.
Resource Summary page
This page is accessed from the Resource Manager Summaries menu, and contains
detailed information about the selected computer. This page is only available for
computer resources.
This page is comprised of several Web parts that provide the information.
See “General Web part” on page 496.
See “Identification Web part” on page 496.
See “Symantec Management Agent Details Web part” on page 497.
See “Network Web part” on page 497.
See “Resource Manager summary pages” on page 491.
General Web part
This Web part provides general information about the selected computer. By
default, this Web part is used in the Resource Summary page of Resource Manager.
For each status code associated with the resource, the following information is
provided:
■ Computer name
■ Domain of the computer
■ Notification Server computer name
■ Fully qualified computer name
■ Primary computer user
■ Current logged on user of the computer
■ Computer operating system
■ Computer operating system language
■ Computer time zone
See “Resource Summary page” on page 495.
Identification Web part
This Web part provides identification information about a computer. By default,
this Web part is used in the Resource Summary page of Resource Manager.
For each status code associated with the resource, the following information is
provided:
■ Internal serial number
■ Internal asset tag
■ Computer ID - this ID is a GUID value
See “Resource Summary page” on page 495.
Symantec Management Agent Details Web part
This Web part provides the details that are related to communications between
the selected computer and Notification Server. By default, this Web part is used
in the Resource Summary page of Resource Manager.
For each status code associated with the resource, the following information is
provided:
■ When the computer was first discovered
■ Date and time of last configuration request from the computer
■ Last date and time inventory data was received from the computer
■ Last date and time event data was received from the computer
■ Percentage of LAN, WAN, and no connectivity of the computer
■ Agents/plug-ins installed on the computer
See “Resource Summary page” on page 495.
Network Web part
This Web part provides details about the network connectivity of a computer. By
default, this Web part is used in the Resource Summary page of Resource Manager.
For each status code associated with the resource, the following information is
provided:
■ Brand and model of the network card that is installed on the computer
■ MAC address of the network card on the computer
■ IP address (IPv4) of the network card of the computer
■ Subnet mask of the network card on the computer
■ IP address of default gateway of the network card on the computer
■ IP address of the DNS servers that are used by the network card on the
computer
■ IP addresses of the WINS servers that are used by the network card on the
computer
See “Resource Summary page” on page 495.
Chapter 24
Using Notification Server reports
This chapter includes the following topics:
■ About Notification Server reports
■ Viewing and managing resource data with Notification Server reports
■ Extracting Notification Server report results
■ Viewing Notification Server report results
■ Using Notification Server report results
■ Saving Notification Server report results as a snapshot
■ Saving Notification Server report results as a Web part
■ Creating a static filter from Notification Server report results
■ Saving Notification Server report results as a file
About Notification Server reports
You can view and manage your resource data through Notification Server reports.
These reports give you information about your managed and unmanaged
computers and your Notification Server configuration. Installed solutions also
provide the reports that give you information specific to that solution. For example,
you can use these reports to learn about which events and automation policies
Notification Server executes and how long they take.
Reports can be secured so that only appropriate users can run a report. In addition,
reports are scoped so that they return only the data that the user who runs the
report has permission to view. For example, if a manager runs a salary report,
they obtain only the salaries of their managed employees.
See “About resource security” on page 367.
Reports let you view information in various ways. You can see your information
in tables or graphically in charts. You can also drill down on specific items in a
report to obtain additional information.
See “Viewing and managing resource data with Notification Server reports”
on page 500.
A wide range of reports are provided with Notification Server. You cannot modify
these default reports, but you can clone them and edit the clone to meet your
requirements. You can also create new custom reports.
See “About custom Notification Server reports” on page 510.
Viewing and managing resource data with Notification Server reports
You can use reports to view and manage resource data. Reports retrieve data from
the CMDB.
See “About Notification Server reports” on page 499.
Table 24-1
Process for using Notification Server reports to view and manage resource data
Step
Action
Description
Step 1
Extract the report results.
You need to select the report to use, and optionally set the user
parameters and select the snapshot to use.
See “Extracting Notification Server report results” on page 501.
Step 2
View the report results.
You can configure the report view to suit your requirements as
follows:
■ Select the grid view or chart view to use, if any extra views
have been set up for the report.
■ Group and order the columns in the grid view.
■ Display the results in a chart view, if chart views have been
set up for the report.
See “Viewing Notification Server report results” on page 502.
Step 3
(Optional) Use the report results.
You can use report results in any of the following ways:
■ Drill down into selected items for more detailed information.
Drilling down into an item opens the appropriate view, which
may be another report or the Resource Manager Console.
■ Perform actions on selected items.
■ Print the report results.
See “Using Notification Server report results” on page 504.
Step 4
(Optional) Save the report results.
You can save the report results in the following formats:
■ File
Spreadsheet (.csv) file, HTML file, and XML file types are
supplied with Notification Server. Installed solutions may
provide options for additional file types.
See “Saving Notification Server report results as a file”
on page 507.
■ Static filter
See “Creating a static filter from Notification Server report
results” on page 506.
■ Snapshot
See “Saving Notification Server report results as a snapshot”
on page 505.
■ Web part
See “Saving Notification Server report results as a Web part”
on page 505.
Extracting Notification Server report results
A set of reports is supplied with Notification Server, and installed solutions may
add further reports.
See “Viewing and managing resource data with Notification Server reports”
on page 500.
Some reports have user parameters that you can set when you extract the
report results. User parameters are variables in the report query, and they make
reports more flexible and powerful. For example, the Computer list by System
Type and OS Name report has user parameters defined for both the system type
and OS name. When you extract report results, you can specify the system type
and OS name combination that you want to use by setting the appropriate
parameters. Without user parameters, each report would have fixed values defined
within the query. You would need to have a different report for each system type
and OS name combination. Alternatively, you would need to modify the report
query each time you wanted to extract results.
To minimize the load on Notification Server, large or frequently-used reports are
generally scheduled to run at appropriate intervals and are saved as snapshots.
Creating snapshots lets all other users view the report results in the latest snapshot
instead of each user running the report over again. The scheduled reports are
normally run with the Administrator scope to ensure that all available data is
included. When you view the report result set, the snapshot data is scoped
accordingly. When you view report results, you can choose a snapshot to use. If
you don't choose a snapshot, the results are extracted by running the report query
in the CMDB.
To extract Notification Server report results
1. In the Symantec Management Console, on the Reports menu, click All
   Reports.
2. In the left pane, select the report that you want to use.
3. (Optional) In the right pane, under Parameters, set the appropriate user
   parameters.
   See “About defining parameters and value providers for a custom report”
   on page 542.
4. If you want to use a snapshot, in the View drop-down list, select the
   appropriate snapshot.
   The options are predefined as follows:
   ■ Current
   ■ Latest Snapshot
   Any additional snapshots that you have created are listed. Each is labeled
   with its creation date and time.
Viewing Notification Server report results
You can display the report results using the following views, if they have been
configured for the report:
Grid view
    Grid views are tables, with each result item displayed on a separate
    row. The available columns are defined in the report. You can
    change the column order and group the results according to the
    values in a particular column. For example, you may want to group
    a list of computers by operating system type or subnet.
Chart view
    Chart views are graphical formats such as bar charts, line charts,
    pie charts, and area charts. Multiple chart views may be defined
    in the report, but you can view only one at a time.
See “Viewing and managing resource data with Notification Server reports”
on page 500.
Each chart or grid is a particular view into the report results, so a view may contain
a subset of the results. A report may have multiple views that are available to
customize the output for different users instead of different reports being created
for each user. For example, a report that lists managed computers may include
properties of each computer, such as operating system, processor type, and disk
size. The report may have a number of different views, with each view containing
a subset of the available properties for each computer. When you look at the
report, you can choose the view that contains the properties that interest you.
See “About custom report views” on page 559.
When you save a report, you save all of the results that are in your scope. You are
not restricted to the data that is displayed in the current view. When you print a
report, you print the current view.
To view Notification Server report results
1. In the Symantec Management Console, on the Reports menu, click All
   Reports.
2. In the left pane, select the report that you want to use.
3. In the right pane, in the View drop-down list, select the appropriate view.
   Any grid views and chart views that have been created are listed.
4. (Optional) If you want to group the results, in the Group By drop-down list,
   select the appropriate column.
5. (Optional) If you want to change the column order, click in a column header
   and drag the column to the appropriate position.
Using Notification Server report results
You can drill down into the report results to obtain additional information. Drilling
down into an item opens the appropriate view, which may be another report or
the Resource Manager.
See “Viewing and managing resource data with Notification Server reports”
on page 500.
You can perform actions on resources directly from the report results. For example,
you can run a report that lists all computers that meet specific criteria. You can
then perform an action on some or all computers. The available actions are those
that apply to the selected resource type and that you have permission to perform.
You can print selected rows of results or all the report results.
To drill down into report results
1. In the Symantec Management Console, on the Reports menu, click All
   Reports.
2. In the left pane, select the report that you want to use.
3. In the right pane, in the View drop-down list, select the appropriate view.
4. In the report results, click on the item for which you want additional
   information.
   Note that the drill-down action may vary: it might be a single click, or it might
   be a double-click.
To perform actions on resources listed in report results
1. In the report results, select the resources on which you want to perform an
   action.
2. Click Actions, and then select the appropriate option.
   Note that this function is not always available.
To print report results
1. If necessary, in the report results, select the rows of report results that you
   want to print.
2. Click Print.
3. In the Print dialog box, specify the following settings:
   Parameters
       If you want to include the user parameter settings in the printed
       results, check Include Parameters.
   Data range
       Choose one of the following options:
       ■ Print All - Includes all report results.
       ■ Print Selected Rows - Includes only the selected rows of report
         results.
4. Click Print.
   A preview of the report printout is shown in a new browser window, and
   the Windows Print dialog appears. The preview is the same as what you see
   when you save the report as HTML.
5. In the Windows Print dialog, select the appropriate options, and then click
   Print.
Saving Notification Server report results as a snapshot
You can save the current report results as a snapshot. For example, you may want
to save a particular set of results and make them available to other users without
re-extracting them from the CMDB. When you save a report as a snapshot, it is
saved according to your scope. Only users who share the same security role can
view the snapshot.
See “Viewing and managing resource data with Notification Server reports”
on page 500.
To save Notification Server report results as a snapshot
1. In the Symantec Management Console, on the Reports menu, click All
   Reports.
2. In the left pane, select the report that you want to use.
3. In the right pane, click Save As > Snapshot.
   The next time you open the report, the new snapshot will be available on the
   View drop-down list.
Saving Notification Server report results as a Web part
You can save a report as a Web part that you can use in a portal page. The Web
part report is a copy of the report that is dynamic and fully functioning. The result
set that is displayed in the portal page is refreshed when you open the page, so it
is always up-to-date. The Web part report is independent of the original report,
so any changes that you make to one are not propagated to the other.
See “Viewing and managing resource data with Notification Server reports”
on page 500.
See “About portal pages” on page 214.
See “Creating and modifying Web parts” on page 218.
To save Notification Server report results as a Web part
1. In the Symantec Management Console, on the Reports menu, click All
   Reports.
2. In the left pane, select the report that you want to use.
3. In the right pane, click Save As > Webpart.
4. (Optional) In the Save As Webpart dialog box, edit the name of the new Web
   part.
   The default name should be suitable for most purposes.
5. (Optional) In the Choose a webpart size drop-down list, select the appropriate
   size.
   The default is Small.
6. Click Save.
   The new Web part is saved in the Settings\Console Settings\Webparts folder.
Creating a static filter from Notification Server report results
You can create a new static filter by saving the results of a report. You can include
all of the results, or you can select the results that you want to include.
See “About resource filters” on page 385.
See “Viewing and managing resource data with Notification Server reports”
on page 500.
To create a static filter from Notification Server report results
1. In the Symantec Management Console, on the Reports menu, click All
   Reports.
2. In the left pane, select the report that you want to use.
3. (Optional) In the right pane, select the rows of report results that you want
   to include in the filter.
4. Click Save As > Static Filter.
5. In the Save As Static Filter dialog box, specify the appropriate settings:
   Name
       The default is the report name. If you want to change
       the name, type the appropriate filter name.
   Choose a resource to base the filter on
       This option applies to resource reports only.
       In the drop-down list, select the appropriate option.
   Data range
       Choose one of the following options:
       ■ Save All - Includes all report results in the filter.
       ■ Save Selected Rows - Includes only the selected
         rows of report results in the filter.
6. Click Save.
   The new filter is stored in the Filters tree, in the Report Based Filters folder.
Saving Notification Server report results as a file
You can save the report results as a file. You can save all of the results, or you can
select the results that you want to include. Options for Spreadsheet (.csv) file,
HTML file, and XML file types are supplied with Notification Server. Installed
solutions may provide options for additional file types.
See “Viewing and managing resource data with Notification Server reports”
on page 500.
To save Notification Server report results as a file
1. In the Symantec Management Console, on the Reports menu, click All
   Reports.
2. In the left pane, select the report that you want to use.
3. (Optional) In the right pane, select the rows of report results that you want
   to include in the file.
4. Click Save As, and then click the appropriate file type.
5. In the Save As dialog box, specify the following settings:
   Parameters
       If you want to include the user parameter settings in the file,
       check Include Parameters.
   Data range
       Choose one of the following options:
       ■ Save All - Includes all report results in the filter
       ■ Save Selected Rows - Includes only the selected rows of report
         results in the filter.
6. Click Save.
7. In the Save Report dialog box, select the folder in which to save the file, and
   then click Save.
Chapter 25
Creating custom Notification Server reports
This chapter includes the following topics:
■ About custom Notification Server reports
■ About defining report queries
■ Converting a resource query to an SQL query for a custom report
■ Building a resource query for a custom report or filter
■ About setting up resource query fields for a custom report or filter
■ About setting up filter expressions to refine the query results
■ About using parameters in custom report and filter queries
■ Viewing the resolved query of a custom report or filter
■ Viewing the query results of a custom report
■ Defining an SQL query for a custom report
■ Writing an SQL query for a custom report or filter
■ About configuring the scoping fields in a custom report snapshot
■ Configuring the scoping fields in a custom report snapshot
■ About defining parameters and value providers for a custom report
■ About custom report views
■ Setting up drilldown actions for a custom report
■ Specifying the properties of a custom report
About custom Notification Server reports
Notification Server reports let you view and manage your resource data. These
reports give you information about your managed and unmanaged computers,
and your Notification Server configuration. A wide range of reports are provided
with the Symantec Management Platform. You can also create your own custom
reports to suit the needs of your organization.
See “Components of a custom Notification Server report” on page 510.
See “Creating and modifying custom Notification Server reports” on page 512.
Notification Server reports retrieve data from the CMDB.
The report data can be used in the following ways:
■ The data source for an automation policy
■ A Web part that displays current data on a portal page
■ A resource report that lets the user drill down on a particular resource to view
  full details in the Resource Manager
■ A trend report that shows data changes over time
■ Multiple drilldown reports (for example, hierarchy reports) that let the user
  drill down on high-level data to view more detailed low-level data.
Components of a custom Notification Server report
Notification Server reports are constructed from a standard set of components.
See “About custom Notification Server reports” on page 510.
Table 25-1 The components of a custom Notification Server report

Data source
    The data source is the component that provides the report data.
    Custom reports and dynamic filters use SQL queries that run on
    the CMDB to extract the appropriate data. Solutions may provide
    reports that use other data sources, such as spreadsheets or CSV files.
    Custom reports and dynamic filters use an SQL query as the data
    source. You can define the query by writing the SQL from scratch, or
    by using the Query Builder.
    See “About defining report queries” on page 516.

Views
    A report view is a particular way that the report data is displayed. A
    view typically contains a subset of the report data. The data is
    presented in a way that is appropriate to a particular user role. You
    can choose the data columns to include in the view, and specify which
    is to be used as the primary axis.
    The available types of views are:
    ■ Grid view
      View the report data in tabular format, with each item displayed
      on a separate row.
    ■ Chart view
      View the report data in graphical format, such as bar charts, line
      charts, pie charts, and area charts.
    ■ Templated text
    Setting up a number of different views for a report lets you customize
    the report data for different users. You can use a single report for all
    users, rather than creating multiple reports to meet the requirements
    of different users.
    See “About custom report views” on page 559.

Parameters
    Parameters are variables in the report query that the user can set
    when they run the report.
    Using parameters can make reports more flexible and powerful. For
    example, the Computer list by System Type and OS Name report has
    parameters that are defined for the system type and OS name.
    When you run this report, you can specify the system type and OS
    name combination that you want to use by setting the appropriate
    parameters. Without parameters, each report would have fixed values
    defined within the query.
    See “About using parameters in custom report and filter queries”
    on page 532.

Drilldowns
    A report drilldown is an action that is performed when the user clicks
    on an item in the report results. You can add drilldowns to a report
    to enable the user to obtain additional information through the report
    results.
    For each drilldown, you can specify the view on which the drilldown
    is available and how the user triggers the drilldown. You can also
    specify the action that is performed and the parameters to use in the
    action. You can set up multiple drilldowns for a report to perform
    different actions on different types of resources.
    See “Setting up drilldown actions for a custom report” on page 571.

Creating and modifying custom Notification Server reports
A wide range of reports are provided with Notification Server. You cannot change
these default reports. You can clone them to create an editable copy of a report,
and then modify the copy to meet your requirements. You can also create and
modify your own custom reports.
See “About custom Notification Server reports” on page 510.
To create or modify a custom report, you need to define the components of the
report in the Custom Report Edit page.
See “Components of a custom Notification Server report” on page 510.
See “Custom Report Edit page” on page 514.
Note: Some automation policies use a report as a data source, and may depend
upon some particular results or parameters. When you modify a report, you need
to ensure that the changes do not affect any automation policies.
See “Specifying the automation policy data source” on page 432.
Table 25-2 Process for creating and modifying custom Notification Server
reports

Step 1
Action: Create a new report, or select an existing report to modify.
Description: Create a new report from scratch, or by cloning a default
report that is supplied with Notification Server. You can
modify any custom report that you have created, but cannot
modify the default reports.
See “Creating a new custom Notification Server report”
on page 515.
See “Modifying an existing custom Notification Server
report” on page 516.

Step 2
Action: Create the report query.
Description: You can write the query SQL yourself or use the Query
Builder to build the report query. The Query Builder is a
user-friendly tool that lets you select the tables and fields
that you want to use. The Query Builder helps you define
the query to suit your requirements.
See “About defining report queries” on page 516.

Step 3
Action: Specify the value providers for parameters.
Description: If the report query includes parameters, you can define the
corresponding value providers. The value provider lets the
user set the appropriate value for the query parameter when
they run the report.
See “About defining parameters and value providers for a
custom report” on page 542.

Step 4
Action: Create the report views.
Description: A report view typically contains a subset of the report
results. The results are presented in a way that is
appropriate to a particular user role. Setting up a number
of different views for a report lets you customize the report
results for different users.
See “About custom report views” on page 559.

Step 5
Action: Create the drill-downs.
Description: A report drilldown is an action that is performed when the
user clicks on an item in the report results. You can
configure drilldowns for a report to enable the user to obtain
additional information through the report results.
See “Setting up drilldown actions for a custom report”
on page 571.

Step 6
Action: Specify the report properties.
Description: You can choose whether or not the report results are
restricted to the scope of the user who runs the report. You
can also choose to run the report only as a snapshot. To
minimize the load on Notification Server, you may want to
run large or frequently-used reports as snapshots.
See “Specifying the properties of a custom report”
on page 574.

Step 7
Action: Save the report.
Description: Save the changes to the new report or modified report.
See “Creating a new custom Notification Server report”
on page 515.
See “Modifying an existing custom Notification Server
report” on page 516.

Custom Report Edit page
The Custom Report Edit page lets you define and edit the components and
properties of a Notification Server custom report that you create or modify.
See “Components of a custom Notification Server report” on page 510.
See “Creating and modifying custom Notification Server reports” on page 512.
See “Creating a new custom Notification Server report” on page 515.
See “Modifying an existing custom Notification Server report” on page 516.
Table 25-3 Tabs on the Custom Report Edit page

Data Source
    Lets you define the report query.
    See “About defining report queries” on page 516.

Views
    Lets you define report views.
    See “About custom report views” on page 559.

Report Parameters
    Lets you define report parameters and value providers.
    See “About defining parameters and value providers for a
    custom report” on page 542.

Drilldowns
    Lets you set up the drilldown actions for a report.
    See “Setting up drilldown actions for a custom report”
    on page 571.

Advanced
    Lets you specify the properties of a report.
    See “Specifying the properties of a custom report”
    on page 574.

Creating a new custom Notification Server report
You can create your own custom reports and configure them to suit your
requirements. You can create a new report from scratch, or by cloning a default
report that is supplied with Notification Server.
See “Creating and modifying custom Notification Server reports” on page 512.
To create a new custom Notification Server report
1. In the Symantec Management Console, on the Reports menu, click All
   Reports.
2. In the left pane, right-click the folder in which you want to add the new report,
   and then click New > Report.
3. Click one of the following:
   Computer Report
       The report query is a resource query, and the base
       template selects all computers. You can refine the
       query to select the computers that you want.
   User Report
       The report query is a resource query, and the base
       template selects all users. You can refine the query to
       select the users that you want.
   Resource Report
       The report query is a resource query, and the base
       template selects all resources (including all computers
       and all users). You can refine the query to select the
       resources that you want.
   SQL Report
       The report query is an SQL query. You can write your
       own SQL query to extract the data that you want from
       the CMDB. No template is applied and there are no
       restrictions on what you can write.
4. (Optional) In the right pane, specify the report name and description.
5. In the Custom Report Edit page, specify the report components and report
   properties on the appropriate tabs.
   See “Custom Report Edit page” on page 514.
6. To save the changes without leaving the edit mode, click Apply.
7. To preview the changes without leaving the edit mode, click Preview.
   The report results page is shown in a new browser window.
8. To save the changes and leave edit mode, click Save Changes.
Modifying an existing custom Notification Server report
You can modify your own custom reports at any time. You cannot modify any of
the default reports that are supplied with Notification Server. If you want to
modify a default report, you can clone the report to create a copy of it, and then
edit the copy.
See “Creating and modifying custom Notification Server reports” on page 512.
To modify an existing custom Notification Server report
1. In the Symantec Management Console, on the Reports menu, click All
   Reports.
2. In the left pane, click the report that you want to modify.
3. In the right pane, in the upper right corner, click Edit.
4. (Optional) Modify the report name and description.
5. In the Custom Report Edit page, make your changes to the report components
   and report properties on the appropriate tabs.
   See “Custom Report Edit page” on page 514.
6. To save the changes without leaving the edit mode, click Apply.
7. To preview the changes without leaving the edit mode, click Preview.
   The report results page is shown in a new browser window.
8. To save the changes and leave the edit mode, click Save Changes.
About defining report queries
A report query is an SQL query that runs on the CMDB to extract the appropriate
data. You can define a query by writing the SQL from scratch, or by using the
Query Builder.
See “Creating and modifying custom Notification Server reports” on page 512.
The two ways that you can define report queries are as follows:
Resource query
    Lets you use the Query Builder and a base template that selects
    all resources (including all computers and all users). You can refine
    the query to select the resources that you want to include in the
    report or filter.
    The Query Builder is an easy-to-use tool that lets you build your
    query by adding building blocks to a standard template. The
    corresponding SQL query is generated automatically in the
    background, and is used to extract the appropriate data from the
    CMDB. You do not need to understand or write any SQL code.
    See “Defining a resource query for a custom report” on page 517.
SQL query
    Lets you write an SQL query to define the resources that you want
    to include in the report or filter.
    You can write the SQL code from scratch. Alternatively, you can
    copy the SQL from another filter or report and modify it to suit
    your requirements. For example, you can create a resource query
    using the Query Builder, and then copy the generated SQL from
    the Resolved Query tab. You can also use the Query Builder to
    define the structure of your query, convert it to SQL, and then
    modify the SQL directly to create the query.
    See “Defining an SQL query for a custom report” on page 537.
The Query Builder manages scopes automatically. However, if you define an SQL
query, you need to add scoping manually throughout the SQL code.
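The effect of manual scoping in a hand-written report query, and of scoping snapshot data when it is viewed, shown as an added example that is not taken from this guide or from Symantec code. It uses Python's sqlite3 module with a hypothetical schema (computer, scope_membership, snapshot) and constructed role names and rows; the real CMDB tables and scoping mechanism differ.

```python
import sqlite3

# Hypothetical schema and constructed sample data; the real CMDB differs.
SCHEMA = """
CREATE TABLE computer (guid TEXT PRIMARY KEY, name TEXT,
                       system_type TEXT, os_name TEXT);
CREATE TABLE scope_membership (role TEXT, resource_guid TEXT);
CREATE TABLE snapshot (snapshot_id INTEGER, guid TEXT, name TEXT);
"""
COMPUTERS = [
    ("g-001", "hr-lap-01", "Laptop", "Windows 7"),
    ("g-002", "hr-lap-02", "Laptop", "Windows 7"),
    ("g-003", "fin-lap-01", "Laptop", "Windows 7"),
    ("g-004", "fin-srv-01", "Server", "Windows Server 2008"),
]
ROLE_SCOPE = {
    "hr-admins": ["g-001", "g-002"],
    "fin-admins": ["g-003", "g-004"],
    "administrators": ["g-001", "g-002", "g-003", "g-004"],
}

# The scoping clause that a hand-written SQL report has to carry itself.
SCOPE_CLAUSE = ("c.guid IN (SELECT resource_guid FROM scope_membership "
                "WHERE role = :role)")


def build_cmdb():
    """Create an in-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO computer VALUES (?, ?, ?, ?)", COMPUTERS)
    conn.executemany(
        "INSERT INTO scope_membership VALUES (?, ?)",
        [(role, guid) for role, guids in ROLE_SCOPE.items() for guid in guids],
    )
    return conn


def run_report(conn, role, system_type, os_name, scoped=True):
    """Computer list by system type and OS name, with bound user parameters.

    With scoped=False the query omits the scoping clause, which is what a
    hand-written SQL report does when scoping is forgotten.
    """
    sql = ("SELECT c.name FROM computer c "
           "WHERE c.system_type = :system_type AND c.os_name = :os_name")
    params = {"system_type": system_type, "os_name": os_name}
    if scoped:
        sql += " AND " + SCOPE_CLAUSE
        params["role"] = role
    return [row[0] for row in conn.execute(sql + " ORDER BY c.name", params)]


def take_snapshot(conn, snapshot_id, system_type, os_name):
    """Scheduled run with the administrator scope: every matching row is
    stored, including the guid column that serves as the scoping field."""
    conn.execute(
        "INSERT INTO snapshot "
        "SELECT :sid, c.guid, c.name FROM computer c "
        "WHERE c.system_type = :system_type AND c.os_name = :os_name "
        "AND " + SCOPE_CLAUSE,
        {"sid": snapshot_id, "system_type": system_type,
         "os_name": os_name, "role": "administrators"},
    )


def view_snapshot(conn, snapshot_id, role):
    """Scope the stored rows to the viewer by filtering on the scoping field."""
    rows = conn.execute(
        "SELECT s.name FROM snapshot s "
        "WHERE s.snapshot_id = :sid AND s.guid IN "
        "(SELECT resource_guid FROM scope_membership WHERE role = :role) "
        "ORDER BY s.name",
        {"sid": snapshot_id, "role": role},
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    cmdb = build_cmdb()
    print("scoped:  ", run_report(cmdb, "hr-admins", "Laptop", "Windows 7"))
    print("unscoped:", run_report(cmdb, "hr-admins", "Laptop", "Windows 7",
                                  scoped=False))
    take_snapshot(cmdb, 1, "Laptop", "Windows 7")
    print("snapshot as fin-admins:", view_snapshot(cmdb, 1, "fin-admins"))
```

When reviewing a hand-written SQL report, compare its results under a restricted role with the results under an administrator role; identical row sets are a sign that a scoping clause is missing.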
Defining a resource query for a custom report
When you create or modify your own custom Notification Server report, you can
define a report query. For a computer report, user report, or resource report you
need to define a resource query.
See “Creating a new custom Notification Server report” on page 515.
See “Modifying an existing custom Notification Server report” on page 516.
See “About defining report queries” on page 516.
A resource query is based on the tables that are available in the CMDB. The Query
Builder is a user-friendly tool that provides a standard template and lets you select
the tables and fields that you want to use. It helps you to define the query to suit
your requirements. You do not need any SQL knowledge to define a resource
query. The resource query is converted to SQL automatically, and the SQL is run
on the CMDB to extract the appropriate resources.
When you create a new computer report, user report, or resource report, a resource
query template is added to the report automatically. When you create a new filter,
the same resource query template is added to the filter when you choose the Query
Builder query mode. The base query in the template selects all computers, users,
or resources, corresponding to the report type. You need to modify the base query
to select the appropriate resources.
To define a resource query for a custom report
1. In the Symantec Management Console, on the Reports menu, click All
   Reports.
2. Do one of the following:
   ■ To define a resource query for a new report that you create, in the left
     pane, right-click the folder in which you want to add the new report. Then
     click New and click Computer Report, User Report, or Resource Report.
   ■ To redefine a resource query for an existing report, in the left pane, click
     the computer report, user report, or resource report that you want to
     modify. Then in the right pane, in the upper right corner, click Edit.
3. In the right pane, on the Data Source tab, specify the query details on the
   appropriate tabs.
   See “Custom Report Edit page: Data Source tab” on page 518.
4. Click Apply.
Custom Report Edit page: Data Source tab
The Data Source tab is situated in the Custom Report Edit page. The Data Source
tab lets you specify the query details for a Notification Server custom report that
you create or modify. The view of the Data Source tab depends on the type of the
report query that you define, and can contain the following tabs:
For a resource query    See Table 25-4
For an SQL query        See Table 25-5
See “Custom Report Edit page” on page 514.
See “About defining report queries” on page 516.
See “Defining a resource query for a custom report” on page 517.
See “Defining an SQL query for a custom report” on page 537.
If you are editing a resource query, the Data Source tab contains the Convert this
query to SQL Query button that lets you convert a resource query to an equivalent
SQL query. When you convert a resource query to an SQL query, the view of the
tabs on the Data Source tab changes automatically.
See “Converting a resource query to an SQL query for a custom report” on page 521.
Table 25-4
Tabs on the Data Source tab for a resource query
Tab
Description
Query
Lets you build a resource query and define the resource
query syntax.
See “Building a resource query for a custom report or filter”
on page 521.
Fields
Lets you define source fields to use in the query.
You can select the database table (Source) and column (Field)
that you want to extract from the CMDB. You can specify
whether or not each source field it is shown in the report
results. You can also set the source field's column order and
row grouping in the report results grid.
See “About setting up resource query fields for a custom
report or filter” on page 525.
Query Parameters
Lets you specify the parameters that are used in the query.
These are internal parameters for SQL use.
See “About using parameters in custom report and filter
queries” on page 532.
Filter Expressions
Lets you set up the conditional statements that are used to
further refine the results of the query. Each statement or
grouped statement can be considered a filter. You need to
create the statements that you want to use and group them
accordingly.
See “About setting up filter expressions to refine the query
results” on page 529.
Resolved Query
Lets you view the SQL code that is run on the CMDB to
extract the report results. This code includes the default
test values for any parameters that the user specifies.
See “Viewing the resolved query of a custom report or filter”
on page 535.
Results
Lets you view the results of the query.
See “Viewing the query results of a custom report”
on page 536.
Table 25-5
Tabs on the Data Source tab for an SQL query
Tab
Description
Parameterized Query
Lets you write the SQL code for the query. This code may
include some parameters that take user-specified values
when the query is run on the CMDB.
See “Writing an SQL query for a custom report or filter”
on page 538.
Query Parameters
Lets you specify the parameters that are used in the query.
These are internal parameters for SQL use.
See “About using parameters in custom report and filter
queries” on page 532.
Data Snapshots
Specifies the scoping GUID fields that are used for scoping
the data that is loaded from a report snapshot. The data is
displayed as the results of the report and is scoped according
to the user's security permissions.
See “About configuring the scoping fields in a custom report
snapshot” on page 539.
Resolved Query
Lets you view the SQL code that is run on the CMDB to
extract the report results. This code includes the default
test values for any parameters that the user may set.
See “Viewing the resolved query of a custom report or filter”
on page 535.
Results
Lets you view the results of the query.
See “Viewing the query results of a custom report”
on page 536.
Converting a resource query to an SQL query for a
custom report
When you have defined a resource query for your own custom report, you can
then convert it to the equivalent SQL query. For example, you can
use the Query Builder to define the structure of your query, convert it to SQL, and
then modify the SQL directly. This process can be quicker and more efficient than
writing the entire query in SQL from scratch.
See “About defining report queries” on page 516.
See “Defining a resource query for a custom report” on page 517.
See “Defining an SQL query for a custom report” on page 537.
Note: Converting a resource query to an SQL query is a one-way operation. You
cannot convert the resulting SQL query back to a resource query.
To convert a resource query to an SQL query for a custom report
1
In the Symantec Management Console, on the Reports menu, click All
Reports.
2
In the left pane, click the report that contains the resource query that you
want to convert to an SQL query.
3
In the left pane, in the upper right corner, click Edit.
4
On the Data Source tab, click Convert this query to SQL Query.
The resource query is converted to the equivalent SQL query. The tabs on
the Data Source tab change accordingly.
5
To save the changes without leaving the edit mode, click Apply.
6
To save the changes and leave the edit mode, click Save Changes.
Building a resource query for a custom report or filter
When you define a resource query for a custom report or filter, you need to build
a resource query on the Query tab.
See “Defining a resource query for a custom report” on page 517.
See “Defining a resource query for a filter” on page 390.
The Query tab lets you build a resource query. The standard template includes a
base query that selects all resources. You can use the Query Builder to refine the
base query using the building blocks provided. You do not need to understand or
write any SQL code.
The left panel of the Query Builder shows the structure of the query. The right
panel lets you add and modify items in the query structure. The Query Builder
lets you build the query from the resource structure (the resource classes, types,
and associations) that is defined in the CMDB. The resource query is converted
into SQL code in the background. You can view the SQL code in the Resolved
Query tab.
To build a resource query for a custom report or filter
1
In the Reports or Filter page, on the Query tab, in the left panel, select the
Base Query.
In the Report page the Query tab is on the Data Source tab.
2
(Optional) If you want to change the base resource type, in the right panel,
in the Base Resource Type drop-down list, select the appropriate resource
type.
If you created the report as a Computer Report or User Report, the base
resource type is automatically set to computer or user.
3
(Optional) If you want to change the default settings, specify the following:
Distinct
Returns only the unique rows when there is more than one
row for a particular resource.
Top Rows
Specifies how many table rows are returned. You can specify
the number of rows, or a percentage of the table.
The default value is ALL, which returns the entire table.
Note: This setting is relevant only to report queries. It is not
used in filter queries. A filter query always returns the entire
table regardless of the setting that you specify here.
4
In the left panel, select the base resource type.
5
(Optional) In the right panel, specify the following:
Alias
The resource type alias. The alias lets you substitute a
different name for the table name, for example, when the
same table is used multiple times in joins.
Scoped
Specifies whether or not the query results are scoped
according to the role of the user that runs the query.
See “About resource security” on page 367.
6
Use the Query Builder to build the query to extract the resources that you
want. You can do the following:
Add Fields and Data Class
Attributes
Lets you add fields to the query. You can select fields
from the data class (such as Resource.Name or
Resource.CreatedDate). Alternatively, you can select
fields from other tables (for example, the Domain field
from the Inv_AeX_AC_Identification table).
The Fields tab shows the fields that are defined in the
query result set, and lets you configure their
appearance in the result grid.
See “Adding fields and data class attributes to a
resource query for a custom report” on page 526.
Add Resource Type
Associations
Lets you add resource associations to the query. These
are predefined associations between two types of
Notification Server resources (such as the Computer
User association that links a computer to a user).
You can view the list of available predefined resource
type associations under the Settings folder in the left
pane. For example, click Settings > Notification Server
> Resource and Data Class Settings > Resource
Associations.
See “Adding resource type associations to a resource
query for a custom report” on page 524.
Add Joins
Lets you add joins to the query. A join combines records
from two different CMDB tables.
See “Adding joins to a resource query for a custom
report” on page 524.
Add Parameters
Opens the Query Parameters tab, which lets you specify
the parameters that you want to use in the resource
query. A parameter is a variable that is included in the
query.
See “About using parameters in custom report and
filter queries” on page 532.
Add Filter Expressions
Opens the Filter Expressions tab.
See “About setting up filter expressions to refine the
query results” on page 529.
7
Click Apply.
Adding resource type associations to a resource query for a custom
report
When you build a resource query for a new custom report or filter, or modify a
resource query for an existing custom report or filter, you can add resource
type associations to the query.
See “Building a resource query for a custom report or filter” on page 521.
See “Defining a resource query for a custom report” on page 517.
To add resource type associations to a resource query for a custom report
1
In the Reports page, on the Data Source tab, on the Query tab, in the left
panel, select the item to which you want to add the resource type association.
2
Click Actions > Add Resource Type Associations.
3
In the Resource Type Associations window, select the appropriate item.
4
Click OK to confirm the selection.
The selected resource type association is added to the query.
5
Click Apply.
Adding joins to a resource query for a custom report
When you build a resource query for a new custom report or filter, or modify a
resource query for an existing custom report or filter, you can add joins to
the query.
See “Building a resource query for a custom report or filter” on page 521.
To add a join to a resource query for a custom report
1
In the Reports page, on the Data Source tab, on the Query tab, in the left
panel, select the item to which you want to add the join.
2
Click Actions > Add Join.
3
In the Joins window, in the Joins drop-down list, select the join type:
Cross
Returns the cartesian product of the sets of records from the
two joined tables.
FullOuter
Combines the results of both left and right outer joins. The
joined table contains all records from both tables, and fills
in NULL values for any missing matches on either side.
Inner
Requires that each record in the two joined tables has a
matching record.
LeftOuter
A join between two tables (A and B) such that the joined table
always contains all records of the "left" table (A), even if the
join-condition does not find any matching record in the
"right" table (B).
RightOuter
The reverse of the left outer join. Every record from the
"right" table (B) appears in the joined table at least once.
4
In the next drop-down list, select the database table that you want to use.
5
In the On drop-down list, select the column that you want to join.
6
On the Result (indicated by the = sign) drop-down list, select the appropriate
item.
7
Click OK to confirm the selection.
The specified join is added to the query.
8
Click Apply.
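The five join types in the Joins list, worked through on two small row sets, with a check for resources that an Inner join leaves out of a report. This is an added example, not code from the guide or from the product: the rows are constructed, the ResourceGuid key column is an assumption, and only the Domain field name comes from the guide's own example.

```python
from itertools import product

JOIN_TYPES = ("Cross", "FullOuter", "Inner", "LeftOuter", "RightOuter")

# Constructed sample rows. "Domain" is the field the guide mentions; the
# ResourceGuid key column and every value here are assumptions.
RESOURCES = [
    {"Guid": "g-001", "Name": "HQ-WS-01"},
    {"Guid": "g-002", "Name": "HQ-WS-02"},
    {"Guid": "g-003", "Name": "LAB-SRV-01"},  # has no inventory row
]
IDENTIFICATION = [
    {"ResourceGuid": "g-001", "Domain": "CORP"},
    {"ResourceGuid": "g-002", "Domain": "CORP"},
    {"ResourceGuid": "g-999", "Domain": "OLDCORP"},  # has no matching resource
]


def join(left, right, left_key, right_key, kind):
    """Join two lists of row dicts using one of the five listed join types."""
    if kind not in JOIN_TYPES:
        raise ValueError(f"unknown join type: {kind}")
    if kind == "Cross":
        # Cartesian product: every left row paired with every right row.
        return [{**l, **r} for l, r in product(left, right)]

    # All-NULL rows used to pad the side that has no match.
    null_left = {col: None for row in left for col in row}
    null_right = {col: None for row in right for col in row}

    rows, matched_right = [], set()
    for l in left:
        # As in SQL, a NULL key never equals anything, including another NULL.
        hits = [i for i, r in enumerate(right)
                if l[left_key] is not None and r[right_key] == l[left_key]]
        matched_right.update(hits)
        rows.extend({**l, **right[i]} for i in hits)
        if not hits and kind in ("LeftOuter", "FullOuter"):
            rows.append({**l, **null_right})
    if kind in ("RightOuter", "FullOuter"):
        rows.extend({**null_left, **r} for i, r in enumerate(right)
                    if i not in matched_right)
    return rows


def dropped_by_inner(left, right, left_key, right_key, label):
    """Return the label of each left row that an Inner join omits."""
    inner = join(left, right, left_key, right_key, "Inner")
    kept = {row[left_key] for row in inner}
    return [row[label] for row in left if row[left_key] not in kept]


if __name__ == "__main__":
    for kind in JOIN_TYPES:
        result = join(RESOURCES, IDENTIFICATION, "Guid", "ResourceGuid", kind)
        print(f"{kind:<10} {len(result)} rows")
    print("Omitted by Inner:",
          dropped_by_inner(RESOURCES, IDENTIFICATION,
                           "Guid", "ResourceGuid", "Name"))
```

A computer that has no row in the joined table disappears from an Inner join without any error, so an inventory or compliance report built that way can under-count; LeftOuter keeps the computer and shows NULL in the joined columns.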
About setting up resource query fields for a custom
report or filter
When you define a resource query for a new custom report, or modify a resource
query for an existing custom report, the Fields tab lets you specify the source
fields that the resource query extracts. You can select the database table
(Source) and column (Field) that you want to extract from the CMDB. You can
specify whether or not each source field is shown in the report results. You
can also set the source field's column order and row grouping in the report
results grid.
See “Defining a resource query for a custom report” on page 517.
Note: This tab is used for report queries only. It is not relevant to filter queries.
See “Adding fields and data class attributes to a resource query for a custom
report” on page 526.
See “Modifying source fields in a resource query for a custom report” on page 527.
See “Edit Source Fields dialog box” on page 527.
Adding fields and data class attributes to a resource query for a custom
report
You can add fields and data class attributes to a resource query for a custom
report. Fields are columns from tables in the CMDB (for example, the Domain
column from the Inv_AeX_AC_Identification table). Data classes are particular
data classes of the resource type that you selected (for example, Computer.Name).
See “About setting up resource query fields for a custom report or filter”
on page 525.
To add fields and data class attributes to a resource query for a custom report
1
On the Data Source tab, do one of the following:
■
On the Query tab, click Actions > Add Fields and Data Class Attributes.
■
On the Fields tab, click Add.
2
In the Add Fields and Data Class Attributes window, select the appropriate
items:
To select a single item
In the drop-down list, select the appropriate item.
To select multiple items
  1
  Check Select Multiple Fields.
  2
  For each item that you want to add, in the
  drop-down list, select the appropriate item and
  then click Add.
  The selected item is added to the display panel.
3
Click OK to confirm the selection.
The selected items are added to the list of source fields in the Fields tab.
4
Click Apply.
Modifying source fields in a resource query for a custom report
You can modify source fields in a resource query for a custom report at any time.
See “About setting up resource query fields for a custom report or filter”
on page 525.
To modify a source field in a resource query for a custom report
1
On the Data Source tab, on the Fields tab, select the source field that you
want to modify, and then click the Edit symbol.
2
In the Edit Source Fields dialog box, make the necessary changes to the
source field settings.
See “Edit Source Fields dialog box” on page 527.
3
If you want to view or edit another source field in the list, click the Up Arrow
symbol or Down Arrow symbol to display the details of the appropriate source
field.
4
If you want to discard the changes and revert to the original settings, click
Cancel.
5
Click OK to save the changes and close the Edit Source Fields dialog box.
6
Click Apply.
Edit Source Fields dialog box
The Edit Source Fields dialog box lets you modify the settings for each source
field that is included in your resource query.
See “About setting up resource query fields for a custom report or filter”
on page 525.
Table 25-6
Settings in the Edit Source Fields dialog box
Setting
Description
Alias
The field alias. You may want to specify a field alias to make the
raw SQL (displayed in the Resolved Query tab) more readable and
easier to understand.
Select
Specifies whether or not the field is included in the query results.
By default, all fields are selected.
Visible
Specifies whether or not the field is displayed in the report results
that are visible to the user. By default, all fields are visible.
You can use this option to hide particular fields from the user. For
example, you may want the query to extract some information,
such as a computer GUID, that is not meaningful to the user but
is useful for other purposes. The data is still extracted as part of
the query results, and automation policies might use it.
Column Order
Specifies the column order in the report results grid. The columns
are numbered from left to right.
Sort Direction
Specifies the sort direction in the report results grid:
■
Default
■
Ascending
■
Descending
Sort Order
Specifies the sort order of this column in the report results grid.
The sort order is used with the sort direction specified.
When you specify source fields for a resource query in a report
or filter, the sort order is adjusted when you change the sort
direction. If you change the sort order of a field to the same as
another, the field that you changed is placed in the specified order.
The other fields are rearranged accordingly.
To remove sorting, reset the sort order to N/A. The sort direction
is automatically reset to Default, and the sort order of the other fields
is adjusted to fill any gaps.
Aggregate
Specifies how to aggregate the values in this column in the report
results grid:
■
None
■
Sum
■
SumDistinct
■
Average
■
AverageDistinct
■
Count
■
CountDistinct
■
Maximum
■
Minimum
Group Order
Specifies the sort order of the aggregated rows.
Scoping
Specifies whether or not the field is to be scoped in the query
results. By default, no fields are scoped.
If the field is not scoped, the query extracts all the relevant items.
If the field is scoped, the query extracts only the items that
the user who runs the query has permission to read.
Note: The query results that the user views as report results or
filter membership are always scoped according to the user role.
Scoping is applied automatically when the query results are
presented to the user. Changing the setting here has no effect on
what the user can view.
About setting up filter expressions to refine the query
results
When you define a query for a new custom report or filter, or modify a query for
an existing custom report or filter, you can set up filter expressions to refine the
query results. The Filter Expressions tab lets you specify rules to refine the query
results. The rules are the conditional statements that filter the raw results of the
query to select the resources that you want.
See “Defining a resource query for a custom report” on page 517.
See “Adding a condition to the filter for a custom report” on page 529.
See “Organizing the filter conditions for a custom report” on page 530.
See “Switching to Advanced Mode for a custom report” on page 531.
Adding a condition to the filter for a custom report
To set up filter expressions for a custom report or filter query, you build the filter
by adding the appropriate conditions.
See “About setting up filter expressions to refine the query results” on page 529.
To add a condition to the filter for a custom report
1
In the Symantec Management Console, on the Reports menu, click All
Reports.
2
In the left pane, select the report that you want to modify.
3
On the Report Name page, click Edit.
4
On the Data Source tab, on the Filter Expressions tab, select the condition
line to which you want to add the new condition.
5
Click Add Condition and then select the appropriate operator:
OR
AND
A new condition line is added to the filter. The specified operator defines its
relationship with the selected condition line.
6
In the new condition line, specify the appropriate settings:
If
The item to match.
You can select the item from the drop-down list, or click ... and
select it from the Select a field window.
Operator
The operator to use.
The following operators are available:
■
Equals
■
GreaterThan
■
GreaterThanOrEqual
■
Is
■
LessThan
■
LessThanOrEqual
■
Like
■
LikeMid
■
NotEqualTo
■
NotGreaterThan
■
NotLessThan.
The drop-down list contains only the options that are relevant
to the selected item.
Condition to match
From the drop-down list, select the item to match.
7
Click Apply.
Organizing the filter conditions for a custom report
When you build a filter for a custom report or filter query, you can group and
order the filter conditions to suit your requirements.
See “About setting up filter expressions to refine the query results” on page 529.
To organize the filter conditions for a custom report
1
In the Symantec Management Console, on the Reports menu, click All
Reports.
2
In the left pane, select the report that you want to modify.
3
On the Report Name page, click Edit.
4
On the Data Source tab, on the Filter Expressions tab, select the condition
line that you want to organize.
5
Click the appropriate option:
Create Nested Group
Create a nested group of conditions.
Remove Nested Group
Remove the selected nested group.
Up
Move the condition up one line.
Down
Move the condition down one line.
Delete
Delete the condition.
Switching to Advanced Mode for a custom report
When appropriate, you can switch to advanced mode to complete the filter of a
custom report or filter query.
See “About setting up filter expressions to refine the query results” on page 529.
To switch to Advanced Mode for a custom report
1
In the Symantec Management Console, on the Reports menu, click All
Reports.
2
In the left pane, select the report that you want to modify.
3
On the Report Name page, click Edit.
4
On the Data Source tab, on the Filter Expressions tab, click Switch to
Advanced Mode.
About using parameters in custom report and filter
queries
When you define a query for a new custom report or filter, or modify a query for
an existing custom report or filter, you can use query parameters. The Query
Parameters tab lets you specify the parameters that you want to use in the report
query or filter query. A parameter is a variable that is included in the query. Filter
and report query parameter values may be system-defined or extracted from
another report. For report queries only, a user may set the appropriate parameter
values in the Report page. When the query runs, the specified parameter values
are used in the SQL code.
See “Defining a resource query for a custom report” on page 517.
See “Defining an SQL query for a custom report” on page 537.
See “Defining a resource query for a filter” on page 390.
See “Defining an SQL query for a filter” on page 391.
Using parameters in queries lets you create a flexible query. You can use such a
query to extract different results by inserting the appropriate parameter values.
For example, you can create a query that includes parameters for computer system
type and OS name. You can run this query on any valid system type/OS name
combination to extract the results that you want. As an alternative to using
parameters in the query, you can hard code the parameter values in the query.
You would then modify the query each time you wanted to use a different system
type/OS name combination. You can also create multiple queries with a different
system type/OS name combination defined in each query.
When you create a parameter in the Query Parameters tab, the appropriate
parameter declaration is added automatically to a resource query. However, if
you write an SQL query, you need to add the appropriate parameter declaration
to the query code manually.
When you include a parameter in a report query, you can set up the value provider
for the parameter. You can specify the value provider type and the valid values
for the parameter. The value provider typically lets the user set the appropriate
parameter value when they run the report. You set the value provider for a
parameter on the Report Parameters tab.
See “About defining parameters and value providers for a custom report”
on page 542.
See “Creating a new parameter for a custom report or filter query” on page 533.
See “Adding an advanced type parameter to a custom report or filter query”
on page 533.
See “Adding an existing parameter to a custom report or filter query” on page 534.
See “Modifying parameters for a custom report or filter query” on page 535.
Creating a new parameter for a custom report or filter query
You can create new query parameters for a custom report or filter at any time. If
you modify a resource query, the appropriate parameter declaration is added to
the query code automatically. If you modify an SQL query, you need to add the
appropriate parameter declaration to the query code manually.
See “About using parameters in custom report and filter queries” on page 532.
To create a new parameter for a custom report or filter query
1
In the Symantec Management Console, on the Reports menu, click All
Reports.
2
In the left pane, select the report that you want to modify.
3
On the Report Name page, click Edit.
4
In the Data Source tab, in the Query Parameters tab, click Add > New
Parameter.
5
In the Parameter Editing \ Creation Dialog dialog box, specify the appropriate
parameter settings.
See “About the Parameter Editing \ Creation Dialog dialog box” on page 546.
6
Click OK to save the changes and close the Parameter Editing \ Creation
Dialog dialog box.
7
Click Apply.
Adding an advanced type parameter to a custom report or filter query
You can add an advanced type parameter to a custom report query or filter query
at any time.
See “About using parameters in custom report and filter queries” on page 532.
To add an advanced type parameter to a custom report or filter query
1
In the Symantec Management Console, on the Reports menu, click All
Reports.
2
In the left pane, select the report that you want to modify.
3
On the Report Name page, click Edit.
4
On the Data Source tab, on the Query Parameters tab, click Add > Advanced
Types and then click one of the following:
Scope By Organizational Group Parameter
Adds Scope By Organizational Group Parameter.
Scoping Parameter
Adds Scoping Parameter.
Localization Key Parameter
Adds Localization Key Parameter.
The advanced type parameter is added to the list.
5
If you want to modify the new advanced type parameter, select the parameter
and then click the Edit symbol.
6
In the Parameter Editing \ Creation Dialog dialog box, in the Parameter
panel, make the necessary changes to the parameter settings.
See “Modifying custom report parameters” on page 545.
7
Click Apply.
Adding an existing parameter to a custom report or filter query
If a parameter has already been defined in the Report Parameters tab, you can
add it to the custom report query or filter query. If you modify a resource query,
the appropriate parameter declaration is added to the query code automatically.
If you modify an SQL query, you need to add the appropriate parameter declaration
to the query code manually.
See “Creating a new parameter for a custom report” on page 544.
See “About using parameters in custom report and filter queries” on page 532.
To add an existing parameter to a custom report or filter query
1
In the Symantec Management Console, on the Reports menu, click All
Reports.
2
In the left pane, select the report that you want to modify.
3
On the Report Name page, click Edit.
4
On the Data Source tab, on the Query Parameters tab, click Add, and then
click the appropriate query parameter.
The list contains all the parameters that have been defined in the Report
Parameters tab, but not yet added to the query.
5
If you want to modify the new parameter, select the parameter and then click
the Edit symbol.
6
In the Parameter Editing \ Creation Dialog dialog box, in the Parameter
panel, make the necessary changes to the parameter settings.
See “Modifying custom report parameters” on page 545.
7
Click Apply.
Modifying parameters for a custom report or filter query
You can modify query parameters in a custom report or in a filter at any time.
See “About using parameters in custom report and filter queries” on page 532.
To modify a parameter for a custom report or filter query
1
In the Symantec Management Console, on the Reports menu, click All
Reports.
2
In the left pane, select the report that you want to modify.
3
On the Report Name page, click Edit.
4
On the Data Source tab, on the Query Parameters tab, select the parameter
that you want to modify, and then click the Edit symbol.
5
In the Parameter Editing \ Creation Dialog dialog box, make the necessary
changes to the parameter settings.
See “About the Parameter Editing \ Creation Dialog dialog box” on page 546.
6
If you want to view or edit another parameter in the list, click the Up Arrow
symbol or Down Arrow symbol to display the details of the parameter.
7
Click OK to save the changes and close the Parameter Editing \ Creation
Dialog dialog box.
8
Click Apply.
Viewing the resolved query of a custom report or filter
You can view the resolved query of a custom report or filter that you create or
modify. The Resolved Query tab displays the SQL code that is run on the CMDB.
Any parameters that you have specified are set to the appropriate testing values.
See “Defining a resource query for a custom report” on page 517.
See “Defining an SQL query for a custom report” on page 537.
If you view a resource query, you can set the query mode from the Resource Query
Mode drop-down list. The default mode, Normal, is the query that you have
specified in the Query Builder. The other modes add additional SQL to the query
to manage snapshot data.
To view the resolved query of a custom report or filter
1
In the Symantec Management Console, on the Reports menu, click All
Reports.
2
In the left pane, select the report that you want to view.
3
On the Report Name page, click Edit.
4
On the Data Source tab, on the Resolved Query tab, view the resolved query.
5
(Optional) If you are viewing the resolved query that was generated from a
resource query, you can change the query mode. In the Resource Query Mode
drop-down list, select the appropriate option:
Normal
Shows the default resolved query. The default resolved
query is generated from the resource query that you
specified in the Query Builder, with no further
additions.
Create Snapshot Data Table
Adds the SQL code to the query that creates a snapshot
data table for the query results. The modified query is
shown.
Save Snapshot Data
Adds the SQL code to the query that saves the query
results in a snapshot data table. The modified query is
shown.
Load Snapshot Data
Adds the SQL code to the query that extracts the query
results from a snapshot data table instead of the CMDB.
The modified query is shown.
6
Click Refresh to update the results.
7
Click Apply.
Viewing the query results of a custom report
You can view the results of a custom report query on the Results tab. When you
open the Results tab, the query automatically runs on the CMDB and the current
results are displayed. This capability lets you verify changes to the query and test
different settings for query parameters.
See “Defining a resource query for a custom report” on page 517.
See “Defining an SQL query for a custom report” on page 537.
To view the query results of a custom report
1
In the Symantec Management Console, on the Reports menu, click All
Reports.
2
In the left pane, select the report that you want to view.
3
On the Report Name page, click Edit.
4
In the Data Source tab, on the Results tab, view the query results.
5
Click Apply.
Defining an SQL query for a custom report
When you create or modify your own custom Notification Server report, you can
define a report query. For a computer report, user report, or resource report you
need to define a resource query for the report. For an SQL report, you need to
define an SQL query.
See “Creating a new custom Notification Server report” on page 515.
See “Modifying an existing custom Notification Server report” on page 516.
You can write an SQL query to define the resources that you want to include in
the report or filter. You can write the SQL code from scratch. Alternatively, you
can copy the SQL from another filter or report and modify it to suit your
requirements. For example, you can create a resource query using the Query
Builder, and then copy the generated SQL from the Resolved Query tab. You can
also use the Query Builder to define the structure of your query, convert it to SQL,
and then modify the SQL directly.
See “About defining report queries” on page 516.
See “Converting a resource query to an SQL query for a custom report” on page 521.
When you create a new SQL report, an SQL query template is added to the report
automatically. When you create a new filter, the same SQL query template is added
to the filter when you choose the Raw SQL query mode. The base SQL query selects
all available resources. You need to modify the base query to select the appropriate
resources.
You need the Edit SQL privilege to create or modify SQL queries, and you should
have a good understanding of the CMDB table structure. If you want to apply
scoping to the query results, you need to include the appropriate SQL code
in the query.
To define an SQL query for a custom report
1
In the Symantec Management Console, on the Reports menu, click All
Reports.
2
Do one of the following:
■
To define an SQL query for a new report that you create, in the left pane,
right-click the folder in which you want to add the new report. Then click
New and click SQL Report.
■
To redefine an SQL query for an existing report, in the left pane, click the
SQL report that you want to modify. Then in the right pane, in the upper
right corner, click Edit.
3
In the right pane, on the Data Source tab, specify the query details in the
appropriate tabs.
See “Custom Report Edit page: Data Source tab” on page 518.
4
Click Save Changes.
Writing an SQL query for a custom report or filter
When you define an SQL query for a new custom report or filter, or modify an
SQL query for an existing one, you can write an SQL query to run on the CMDB. The
Parameterized Query tab lets you write the SQL query that you want to run on
the CMDB. This tab is primarily a free-form text box that lets you write the SQL
code, or paste it from the clipboard. The Object Explorer panel lets you select
source fields from the CMDB and inject them into the query. Injecting source
fields simplifies the writing of the query.
See “Defining an SQL query for a custom report” on page 537.
You need the Edit SQL privilege to create or modify SQL queries, and you should
have a good understanding of the CMDB table structure. If you want to apply
scoping to the query results, you need to include the appropriate SQL code in the
query.
To write an SQL query for a custom report or filter
1
On the Data Source tab, on the Parameterized Query tab, in the large text
box, type the SQL query text.
You can type the SQL from scratch, or paste it from the clipboard.
2
(Optional) In the Object Explorer panel, select a database table or field to use
in the query, and inject it into the SQL code.
See “To inject a source field into an SQL query for a custom report or filter”
on page 539.
3
Click Apply.
To inject a source field into an SQL query for a custom report or filter
1
In the Object Explorer panel, in the Object drop-down list, select the database
table that you want to use.
2
(Optional) In the Field drop-down list, select the table column that you want
to use.
3
(Optional) In the Alias boxes, type the appropriate alias names.
4
Click in the SQL code at the location at which you want to inject the specified
object or field.
5
In the Object or Field line, click Add.
About configuring the scoping fields in a custom
report snapshot
This information is relevant to report queries only. The Data Snapshots tab does
not appear in filter queries.
You can specify the scoping fields in an SQL query to ensure that the report
snapshots that you capture can be scoped correctly when other users access them.
Scoping fields are the GUID fields that are used for scoping the data that is
extracted from a report snapshot. When a user accesses a report snapshot, the
data is loaded from the snapshot according to the security permissions of the
user. If a field is not scoped, all of the relevant items are loaded. If a field is scoped,
only the items that the user who views the data has permission to read are loaded.
See “Defining an SQL query for a custom report” on page 537.
See “Configuring the scoping fields in a custom report snapshot” on page 540.
The scoping fields that you configure on the Data Snapshots tab apply only to
extracting data from report snapshots. They do not affect the SQL query that
extracts data from the CMDB to save as the report snapshot. To scope an SQL
query, you need to include the appropriate SQL code to extract results according
to the security permissions of the user who runs the query.
Note: If an SQL query is scoped, any report snapshots are saved with the scope of
the user who ran the query. If a snapshot is intended to be shared, ensure that it
contains all of the data that may be relevant to other users. You can make sure
that you have all of the data by running the report query as a user who has access
to all resources; for example, a member of the Symantec Administrator role. You
can also use a scheduled Run Report Task to create the appropriate snapshot: by
default the task runs in the Administrator context, so it captures the snapshot with
a global scope.
By default a new SQL report has [_ItemGuid] configured as a scoping GUID field.
This field is used to scope the results with a join onto a scoping function as follows:
INNER JOIN [fnGetTrusteeScopedResources](@v1_TrusteeScope) AS [fnGTSR_3]
ON ([vri2_Resource].[Guid] = [fnGTSR_3].[ResourceGuid])
Where [vri2_Resource].[Guid] is the full name of the field with the alias of
[_ItemGuid].
Configuring the scoping fields in a custom report
snapshot
You can specify the scoping fields in an SQL query to ensure that the report
snapshots that you capture can be scoped correctly when other users access them.
See “About configuring the scoping fields in a custom report snapshot” on page 539.
The Scoping Fields panel shows all of the GUID fields that are included in the
SQL query. You need to specify the GUID fields that are used for scoping. If you
create a complex SQL query that has multiple joins onto resources, and multiple
applications of the scoping function, you should add all of the appropriate scoping
GUIDs to the Scoping Guid Fields list.
The Data Snapshots Query panel lets you view the SQL code that is generated
when the snapshot needs to be saved or loaded. Before you save the report query,
you can verify that the SQL code to load snapshot data applies scoping correctly
to the saved results.
To configure the scoping fields in a custom report snapshot
1
In the Symantec Management Console, in the Reports menu, click All Reports.
2
In the left pane, select the report that you want to edit.
3
On the Report Name page, click Edit.
4
On the Data Source tab, on the Data Snapshots tab, in the Scoping Fields
panel, select the appropriate scoping fields.
To select a scoping field
In the Available Guid Fields list, click the field that
you want to select, and then click Scope.
To deselect a scoping field
In the Scoping Guid Fields list, click the field that you
want to deselect, and then click Unscope.
5
To verify that the generated SQL is correct, in the Data Snapshot Query
panel, in the Data Snapshot Query Mode box, click the appropriate query
mode:
Create Snapshot Data Table
Displays the SQL code that creates the snapshot data
table structure. This structure does not depend on the
scoping configuration.
Save Snapshot Data
Displays the SQL code that saves data for all fields into
the snapshot data table. The scoping configuration
does not affect this data.
Load Snapshot Data
Displays the SQL code that loads data from the
snapshot data table and scopes it according to the
user's security permissions. The SQL uses the
configured scoping fields and the user's TrusteeScope
memberships to extract the appropriate data. This data
is then presented to the user as the report results.
The specified scoping fields scope this data.
6
If necessary, click Refresh to update the displayed SQL code.
The Data Snapshot Query panel is automatically refreshed each time that
you modify the scoping fields or change the selection in the Data Snapshot
Query Mode box. However, there may be occasions when the automatic
refresh does not work correctly and you need to refresh the panel manually.
7
When you have verified that scoping is correctly configured for report
snapshots, click Apply.
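The snapshot scoping behavior described in the two sections above, as an added example that is not Symantec code: a simplified Python/sqlite3 model in which a trustee_scope table stands in for the output of the scoping function. All table names, column names, trustees, and data are constructed assumptions. It shows what a user can load from a shared snapshot when no field, one field, or every GUID field is scoped, and what is missing when the snapshot is saved by a scoped query.

```python
import sqlite3

GUID_FIELDS = ("computer_guid", "user_guid")  # GUID columns in the model report

# Model report query: each computer with its primary user (two resource joins).
REPORT_QUERY = """
    SELECT c.guid, c.name, u.guid, u.name
    FROM primary_user pu
    JOIN resource c ON c.guid = pu.computer_guid
    JOIN resource u ON u.guid = pu.user_guid
"""


def build_cmdb():
    """Create an in-memory database with constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE resource (guid TEXT PRIMARY KEY, name TEXT);
        CREATE TABLE primary_user (computer_guid TEXT, user_guid TEXT);
        -- Assumption: stands in for the rows the scoping function returns.
        CREATE TABLE trustee_scope (trustee TEXT, resource_guid TEXT);
        CREATE TABLE snapshot (computer_guid TEXT, computer TEXT,
                               user_guid TEXT, user_name TEXT);
        INSERT INTO resource VALUES
            ('C1', 'pc-hq-01'), ('C2', 'pc-hq-02'), ('C3', 'pc-lab-01'),
            ('U1', 'alice'), ('U2', 'bob'), ('U3', 'carol');
        INSERT INTO primary_user VALUES ('C1', 'U1'), ('C2', 'U2'), ('C3', 'U3');
        INSERT INTO trustee_scope SELECT 'admin', guid FROM resource;
        INSERT INTO trustee_scope VALUES
            ('helpdesk', 'C1'), ('helpdesk', 'C2'), ('helpdesk', 'U1');
    """)
    return db


def save_snapshot(db, scoped_as=None):
    """Save the report results. If scoped_as is set, the report query itself
    is scoped on the computer GUID, so the snapshot holds only that
    trustee's view of the data."""
    db.execute("DELETE FROM snapshot")
    sql, args = REPORT_QUERY, ()
    if scoped_as is not None:
        sql += (" JOIN trustee_scope ts"
                " ON ts.resource_guid = c.guid AND ts.trustee = ?")
        args = (scoped_as,)
    db.execute("INSERT INTO snapshot " + sql, args)


def load_snapshot(db, trustee, scoping_fields):
    """Load snapshot rows, joining one scope check per configured scoping
    field. A GUID field that is not listed is not checked at all."""
    sql, args = "SELECT s.computer, s.user_name FROM snapshot s", []
    for i, field in enumerate(scoping_fields):
        if field not in GUID_FIELDS:  # identifiers are interpolated: allow-list
            raise ValueError("not a GUID field of this report: %r" % field)
        sql += (" JOIN trustee_scope t%d ON t%d.resource_guid = s.%s"
                " AND t%d.trustee = ?" % (i, i, field, i))
        args.append(trustee)
    return db.execute(sql + " ORDER BY s.computer", args).fetchall()


def demo():
    """Return what each configuration exposes, keyed by scenario."""
    db = build_cmdb()
    results = {}
    save_snapshot(db)  # global scope, as an administrator would capture it
    results["unscoped"] = load_snapshot(db, "helpdesk", [])
    results["computer_only"] = load_snapshot(db, "helpdesk", ["computer_guid"])
    results["all_fields"] = load_snapshot(db, "helpdesk", list(GUID_FIELDS))
    save_snapshot(db, scoped_as="helpdesk")  # snapshot saved by a scoped query
    results["admin_on_scoped_save"] = load_snapshot(db, "admin", list(GUID_FIELDS))
    return results


if __name__ == "__main__":
    for scenario, rows in demo().items():
        print(scenario, rows)
```

In this model the helpdesk trustee may read two computers but only one of their users, so scoping on the computer GUID alone still returns a row that names a user outside the trustee's scope.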
About defining parameters and value providers for a
custom report
If the query of the custom report that you create or modify includes parameters,
you can define the appropriate value providers. The value provider of a parameter
lets the user set the appropriate value for the parameter when they run the report.
Including user-definable parameters in a report query lets you create a single
flexible report that can extract different result sets by changing the parameter
values. The alternative would be to hard code the parameter values in the query.
You would then need to modify the query each time you wanted to use a different
parameter value. You can also create multiple reports with a different value defined
in each query.
See “Creating and modifying custom Notification Server reports” on page 512.
The value provider specifies how the parameter value is set when the user runs
the report. In many cases the value provider is a UI component that accepts a
value or setting from the user. For example, you can define the value provider of
a parameter as a drop-down list with a set of valid values that the user can choose
from. Alternatively, you can define the value provider as a text field that accepts
a string of characters that the user types. In some cases, a parameter does not
require a value provider. The parameter value is set automatically with no user
action required.
See “Adding a parameter to a custom report” on page 542.
See “Adding an advanced type parameter to a custom report” on page 543.
See “Creating a new parameter for a custom report” on page 544.
See “Modifying custom report parameters” on page 545.
Adding a parameter to a custom report
If a parameter of a custom report has been defined in the report query, you can
add it to the report. Adding a parameter to the report lets you define a value
provider for the parameter. The value provider lets the user set the appropriate
parameter value when they run the report.
See “About using parameters in custom report and filter queries” on page 532.
See “About defining parameters and value providers for a custom report”
on page 542.
To add a parameter to a custom report
1
In the Symantec Management Console, on the Reports menu, click All
Reports.
2
In the left pane, select the report that you want to modify.
3
On the Report Name page, in the upper right corner, click Edit.
4
On the Report Parameters tab, click Add, and then click the appropriate
query parameter.
The drop-down list contains all of the parameters that have been defined in
the report query but have not yet been added to the report.
5
If you want to modify the new parameter, select the parameter and then click
the Edit symbol.
6
In the Parameter Editing \ Creation Dialog dialog box, in the Parameter
panel, make the necessary changes to the parameter settings.
See “Modifying custom report parameters” on page 545.
7
Click OK to save the changes and close the Parameter Editing \ Creation
Dialog dialog box.
8
Click Save Changes.
Adding an advanced type parameter to a custom report
You can add an advanced type report parameter to a custom report at any time.
See “About defining parameters and value providers for a custom report”
on page 542.
To add an advanced type parameter to a custom report
1
In the Symantec Management Console, on the Reports menu, click All
Reports.
2
In the left pane, select the report that you want to modify.
3
On the Report Name page, in the upper right corner, click Edit.
4
On the Report Parameters tab, click Add > Advanced Types and then click
one of the following:
Scope By Organizational Group Parameter
Scope By Organizational Group Parameter.
Scoping Parameter
Scoping Parameter.
Localization Key Parameter
Localization Key Parameter.
The new advanced type parameter is added to the list.
5
If you want to modify the new advanced type parameter, select the parameter
and then click the Edit symbol.
6
In the Parameter Editing \ Creation Dialog dialog window, in the Parameter
panel, make the necessary changes to the parameter settings.
See “Modifying custom report parameters” on page 545.
7
Click OK to save the changes and close the Parameter Editing \ Creation
Dialog dialog box.
8
Click Save Changes.
Creating a new parameter for a custom report
The Report Parameters tab lets you create new parameters for a custom report.
The new report parameters are not declared in the query until you explicitly add
them to the query on the Query Parameters tab.
See “Adding an existing parameter to a custom report or filter query” on page 534.
See “About defining parameters and value providers for a custom report”
on page 542.
You can define the value provider for a new report parameter when you create
the parameter. If you define a value provider UI component, it is shown in the
Parameters panel on the Report page. The UI component appears fully functional,
but has no effect on the report query until you have added the parameter to the
query.
To create a new parameter for a custom report
1
In the Symantec Management Console, on the Reports menu, click All
Reports.
2
In the left pane, select the report that you want to modify.
3
On the Report Name page, in the upper right corner, click Edit.
4
On the Report Parameters tab, click Add > New Parameter.
5
In the Parameter Editing \ Creation Dialog dialog box, in the Parameter
panel, specify the appropriate parameter settings.
See “About the Parameter Editing \ Creation Dialog dialog box” on page 546.
6
In the Value Provider panel, in the Name drop-down list, select the type of
value provider that you want to use.
The options that are available depend on the parameter type setting that you
made in the Parameter panel. Only the relevant options are displayed.
See “About the parameter value provider type settings for a custom report”
on page 551.
7
Under Configuration, specify the appropriate value provider settings.
8
Click OK to save the changes and close the Parameter Editing \ Creation
Dialog dialog box.
9
Click Save Changes.
Modifying custom report parameters
You can modify parameters in a custom report at any time.
See “About defining parameters and value providers for a custom report”
on page 542.
To modify a custom report parameter
1
In the Symantec Management Console, on the Reports menu, click All
Reports.
2
In the left pane, select the report that you want to modify.
3
On the Report Name page, in the upper right corner, click Edit.
4
On the Report Parameters tab, select the parameter that you want to modify,
and then click the Edit symbol.
5
On the Parameter Editing \ Creation Dialog dialog box, in the Parameter
panel, make the necessary changes to the parameter settings.
See “About the Parameter Editing \ Creation Dialog dialog box” on page 546.
6
In the Value Provider panel, in the Name drop-down list, select the type of
value provider that you want to use.
The options that are available depend on the parameter type setting that you
made in the Parameter panel. Only the relevant options are displayed.
See “About the parameter value provider type settings for a custom report”
on page 551.
7
Under Configuration, specify the appropriate value provider settings.
8
If you want to view or edit another parameter in the list, click the Up Arrow
symbol or Down Arrow symbol to display the details of the appropriate
parameter.
9
Click OK to save the changes and close the Parameter Editing \ Creation
Dialog dialog box.
10
Click Save Changes.
About the Parameter Editing \ Creation Dialog dialog box
The Parameter Editing \ Creation Dialog dialog box lets you specify the parameter
settings for each custom report parameter. The Parameter panel contains the
general parameter settings. The Value Provider panel contains the settings that
are specific to the value provider type that you have selected.
See “About defining parameters and value providers for a custom report”
on page 542.
Table 25-7
Settings on the Parameter Editing \ Creation Dialog dialog box
Setting
Description
Name
The parameter name.
Parameter Required
Specifies whether or not the parameter is required in the
report.
Description
The parameter description.
This description is used to identify the parameter on the
Add New Parameter drop-down list.
Type
The parameter type.
The drop-down list contains all of the available parameter
types.
See “About the parameter type for a custom report”
on page 547.
Display/Eval Order
The order in which the parameter is displayed on the Report
page, and the order in which the parameter is evaluated in
the report query.
The drop-down list lets you set the order value between 1
and 19.
Default Value
The default value for the parameter. If the user does not
specify a value for the parameter when they generate the
report, this value is used in the query.
Test Value
The test value for the parameter. This value is used when
you test the query.
Value Provider
Specifies the value provider for the parameter. The value
provider settings specify the type of UI control that is
presented to the user. For each UI control you can set the
relevant settings, such as the UI control width, label text,
and tool tip text.
The available value provider types depend on the type of
parameter that is selected.
See “About the parameter value provider type settings for
a custom report” on page 551.
About the parameter type for a custom report
The available parameter types for custom reports are as follows:
See “About the Parameter Editing \ Creation Dialog dialog box” on page 546.
Table 25-8
Parameter types for a custom report
Type
Description
Relevant Value Providers
Basic Boolean Parameter
Lets the user choose between two
alternatives, such as True or False, or
On or Off.
See “Parameter value provider for a
custom report: Basic Parameter Value
Edit Control settings” on page 553.
See “Parameter value provider for a
custom report: Image Toggle Value
Edit Control settings” on page 557.
See “Parameter value provider for a
custom report: Radio Button Value
Edit Control settings” on page 558.
See “Parameter value provider for a
custom report: Registry Parameter
Value Edit Control settings”
on page 559.
Basic Datetime Parameter
Lets the user specify a particular date
and time.
See “Parameter value provider for a
custom report: Basic Parameter Value
Edit Control settings” on page 553.
See “Parameter value provider for a
custom report: Date Time Value Edit
Control settings” on page 554.
See “Parameter value provider for a
custom report: Dropdown List Value
Edit Control settings” on page 555.
See “Parameter value provider for a
custom report: Registry Parameter
Value Edit Control settings”
on page 559.
Basic Double Parameter
Lets the user specify a double-byte
value.
See “Parameter value provider for a
custom report: Basic Parameter Value
Edit Control settings” on page 553.
See “Parameter value provider for a
custom report: Dropdown List Value
Edit Control settings” on page 555.
See “Parameter value provider for a
custom report: Registry Parameter
Value Edit Control settings”
on page 559.
Basic GUID Parameter
Lets the user specify the ID of an item.
See “Parameter value provider for a
custom report: Basic Parameter Value
Edit Control settings” on page 553.
See “Parameter value provider for a
custom report: Dropdown List Value
Edit Control settings” on page 555.
See “Parameter value provider for a
custom report: Filter Chooser
Parameter Control settings”
on page 556.
See “Parameter value provider for a
custom report: Generic Picker
Parameter Control settings”
on page 556.
See “Parameter value provider for a
custom report: Registry Parameter
Value Edit Control settings”
on page 559.
See “Parameter value provider for a
custom report: Resource Group Value
Edit Control settings” on page 559.
Basic Int16 Parameter
Lets the user specify a 16-bit integer.
See “Parameter value provider for a
custom report: Symantec Management
Agent Build Version Parameter Value
Edit Control settings” on page 553.
See “Parameter value provider for a
custom report: Basic Parameter Value
Edit Control settings” on page 553.
See “Parameter value provider for a
custom report: Dropdown List Value
Edit Control settings” on page 555.
See “Parameter value provider for a
custom report: Package Server Build
Version Parameter Value Edit Control
settings” on page 558.
See “Parameter value provider for a
custom report: Registry Parameter
Value Edit Control settings”
on page 559.
See “Parameter value provider for a
custom report: Timed Refresh Control
settings” on page 559.
Basic Int32 Parameter
Lets the user specify a 32-bit integer.
Same as for Basic Int16 Parameter
Basic Int64 Parameter
Lets the user specify a 64-bit integer.
Same as for Basic Int16 Parameter
Basic String Parameter
Lets the user specify a string of text
characters.
See “Parameter value provider for a
custom report: Basic Parameter Value
Edit Control settings” on page 553.
See “Parameter value provider for a
custom report: Dropdown List Value
Edit Control settings” on page 555.
See “Parameter value provider for a
custom report: Registry Parameter
Value Edit Control settings”
on page 559.
Data Selection Parameter
Specifies a data selection value.
None. The user cannot set a value for
this type of parameter.
Scope Trustee List Parameter
Specifies a Scope Trustee List value.
None. The user cannot set a value for
this type of parameter.
Static GUID List Parameter
Specifies a GUID list value.
None. The user cannot set a value for
this type of parameter.
Static String List Parameter
Specifies a string list value.
None. The user cannot set a value for
this type of parameter.
About the parameter value provider type settings for a custom report
If the query of a custom report includes parameters, you can define the type of
the parameter value provider. To define the type of the parameter value provider
you need to select the appropriate type from the available types. The available
value provider types depend on the type of parameter that is selected. The value
provider is the UI component or method that lets the user set the parameter value,
or that enables the system to obtain the appropriate value. For example, a
drop-down list UI component lets the user choose the appropriate parameter
value from a list of valid values.
See “About defining parameters and value providers for a custom report”
on page 542.
See “About the parameter type for a custom report” on page 547.
See “About the Parameter Editing \ Creation Dialog dialog box” on page 546.
Table 25-9
Parameter value provider types for a custom report
Type
Description
Symantec Management Agent Build Version Parameter Value Edit Control
Symantec Management Agent Build Version Parameter Value Edit Control.
See “Parameter value provider for a custom report:
Symantec Management Agent Build Version
Parameter Value Edit Control settings” on page 553.
Basic Parameter Value Edit Control
Basic Parameter Value Edit Control.
See “Parameter value provider for a custom report:
Basic Parameter Value Edit Control settings”
on page 553.
Date Time Value Edit Control
A UI component that lets the user choose a date and
time.
See “Parameter value provider for a custom report:
Date Time Value Edit Control settings” on page 554.
Dropdown List Value Edit Control
A UI component that lets the user choose a value from
a list of valid values.
See “Parameter value provider for a custom report:
Dropdown List Value Edit Control settings”
on page 555.
Filter Chooser Parameter Control
Filter Chooser Parameter Control.
See “Parameter value provider for a custom report:
Filter Chooser Parameter Control settings” on page 556.
Generic Picker Parameter Control
Generic Picker Parameter Control.
See “Parameter value provider for a custom report:
Generic Picker Parameter Control settings”
on page 556.
Image Toggle Value Edit Control
Image Toggle Value Edit Control.
See “Parameter value provider for a custom report:
Image Toggle Value Edit Control settings” on page 557.
Package Server Build Version
Parameter Value Edit Control
Package Server Build Version Parameter Value Edit
Control.
See “Parameter value provider for a custom report:
Package Server Build Version Parameter Value Edit
Control settings” on page 558.
Radio Button Value Edit Control
Radio Button Value Edit Control.
See “Parameter value provider for a custom report:
Radio Button Value Edit Control settings” on page 558.
Registry Parameter Value Edit
Control
Registry Parameter Value Edit Control.
See “Parameter value provider for a custom report:
Registry Parameter Value Edit Control settings”
on page 559.
Resource Group Value Edit Control
Resource Group Value Edit Control.
See “Parameter value provider for a custom report:
Resource Group Value Edit Control settings”
on page 559.
Timed Refresh Control
Timed Refresh Control.
See “Parameter value provider for a custom report:
Timed Refresh Control settings” on page 559.
Parameter value provider for a custom report: Symantec
Management Agent Build Version Parameter Value Edit Control
settings
The Symantec Management Agent Build Version Parameter Value Edit Control
is a type of parameter value provider for a custom report. You can define the
settings on the Symantec Management Agent Build Version Parameter Value Edit
Control.
See “About defining parameters and value providers for a custom report”
on page 542.
See “About the Parameter Editing \ Creation Dialog dialog box” on page 546.
Table 25-10
Symantec Management Agent Build Version Parameter Value Edit
Control settings
Setting
Description
Registry Path
The registry path that contains the Symantec Management
Agent Build Version.
\eXpress\NS Client Package\version
Parameter value provider for a custom report: Basic Parameter
Value Edit Control settings
The Basic Parameter Value Edit Control is a type of parameter value provider for
a custom report. You can define the settings on the Basic Parameter Value Edit
Control.
See “About defining parameters and value providers for a custom report”
on page 542.
See “About the Parameter Editing \ Creation Dialog dialog box” on page 546.
Table 25-11
Basic Parameter Value Edit Control settings
Setting
Description
Width
Specifies the width of the control.
Multiline
Specifies whether or not the control has multiple lines.
Number of Rows
Specifies the number of rows.
Label Visible
Specifies whether or not the control label is shown in the
Reports page.
Label Text
The text that is shown in the Reports page.
If this field is empty, the parameter description is used.
Tooltip
The tool tip text.
Parameter value provider for a custom report: Date Time Value
Edit Control settings
The Date Time Value Edit Control is a type of parameter value provider for a
custom report. You can define the settings on the Date Time Value Edit Control.
See “About defining parameters and value providers for a custom report”
on page 542.
See “About the Parameter Editing \ Creation Dialog dialog box” on page 546.
Table 25-12
Date Time Value Edit Control settings
Setting
Description
Show Date Control
Specifies whether or not the date control is shown.
Show Time Control
Specifies whether or not the time control is shown.
Label Visible
Specifies whether or not the control label is shown in the
Reports page.
Label Text
The text that is shown in the Reports page.
If this field is empty, the parameter description is used.
Parameter value provider for a custom report: Dropdown List
Value Edit Control settings
The Dropdown List Value Edit Control is a type of parameter value provider for
a custom report. You can define the settings on the Dropdown List Value Edit
Control.
See “About defining parameters and value providers for a custom report”
on page 542.
See “About the Parameter Editing \ Creation Dialog dialog box” on page 546.
Table 25-13
Dropdown List Value Edit Control settings
Setting
Description
Width
Specifies the width of the control.
Tooltip
The tool tip text.
Label Visible
Specifies whether or not the control label is shown in the
Reports page.
Label Text
The text that is shown in the Reports page.
If this field is empty, the parameter description is used.
Static List Items
Display - Specifies the text that the user sees on the list.
Value - Specifies the actual query value (which may be in a
form that is not very user-friendly).
For each item, set the appropriate values in the two text
boxes, and then click Add to add the item to the list.
To remove an item, select it and then click Remove.
Table 25-14 Manually Add/Edit Dropdown Values panel settings

| Setting | Description |
| --- | --- |
| Display | Specifies an option that displays in the drop-down list control. |
| Value | Specifies the parameter value that corresponds to the option in the Display box. |
| Add | Adds the Display - Value pair to the list of options in the drop-down list control. |
| Delete | Removes the selected Display - Value pair from the list of options in the drop-down list control. |
Table 25-15 Add Dropdown Values From A Report panel settings

| Setting | Description |
| --- | --- |
| Select Report | Lets you select the report to use. |
| Report Field to Display | Specify the report field to use as a display value. |
| Report Field to Use as Value | Specify the report field to use as a parameter value. |
Parameter value provider for a custom report: Filter Chooser
Parameter Control settings
The Filter Chooser Parameter Control is a type of parameter value provider for a
custom report. You can define the settings on the Filter Chooser Parameter Control.
See “About defining parameters and value providers for a custom report”
on page 542.
See “About the Parameter Editing \ Creation Dialog dialog box” on page 546.
Table 25-16 Filter Chooser Parameter Control settings

| Setting | Description |
| --- | --- |
| Label Visible | Specifies whether or not the control label is shown in the Reports page. |
| Show selector control in the parameter pane | Specifies whether or not to show the selector control in the Reports page. |
| Make summary text show selector | Specifies whether or not the summary text shows the selector control. |
| Allow multiple items to be selected | Specifies whether or not the user can select multiple items with the selector control. |
Parameter value provider for a custom report: Generic Picker
Parameter Control settings
The Generic Picker Parameter Control is a type of parameter value provider for
a custom report. You can define the settings on the Generic Picker Parameter
Control.
See “About defining parameters and value providers for a custom report”
on page 542.
See “About the Parameter Editing \ Creation Dialog dialog box” on page 546.
Table 25-17 Generic Picker Parameter Control settings

| Setting | Description |
| --- | --- |
| Provider Name | Specifies the provider name. |
| Class GUID Filter | Specifies the class GUID filter. |
| Label Visible | Specifies whether or not the control label is shown in the Reports page. |
| Show selector control in the parameter pane | Specifies whether or not to show the selector control in the Reports page. |
| Make summary text show selector | Specifies whether or not the summary text shows the selector control. |
| Allow multiple items to be selected | Specifies whether or not the user can select multiple items with the selector control. |
Parameter value provider for a custom report: Image Toggle
Value Edit Control settings
The Image Toggle Value Edit Control is a type of parameter value provider for a
custom report. You can define the settings on the Image Toggle Value Edit Control.
See “About defining parameters and value providers for a custom report”
on page 542.
See “About the Parameter Editing \ Creation Dialog dialog box” on page 546.
Table 25-18 Image Toggle Value Edit Control settings

| Setting | Description |
| --- | --- |
| True Image URL | Specifies the URL to the image that is shown when the control is set to True. |
| False Image URL | Specifies the URL to the image that is shown when the control is set to False. |
| Label Visible | Specifies whether or not the control label is shown in the Reports page. |
| Label Text | The text that is shown in the Reports page. If this field is empty, the parameter description is used. |
Parameter value provider for a custom report: Package Server
Build Version Parameter Value Edit Control settings
The Package Server Build Version Parameter Value Edit Control is a type of
parameter value provider for a custom report. You can define the settings on the
Package Server Build Version Parameter Value Edit Control.
See “About defining parameters and value providers for a custom report”
on page 542.
See “About the Parameter Editing \ Creation Dialog dialog box” on page 546.
Table 25-19 Package Server Build Version Parameter Value Edit Control settings

| Setting | Description |
| --- | --- |
| Registry Path | Specifies the registry path that contains the Package Server Build Version. \eXpress\NS PkgSvrAgent Package\version |
Parameter value provider for a custom report: Radio Button
Value Edit Control settings
The Radio Button Value Edit Control is a type of parameter value provider for a
custom report. You can define the settings on the Radio Button Value Edit Control.
See “About defining parameters and value providers for a custom report”
on page 542.
See “About the Parameter Editing \ Creation Dialog dialog box” on page 546.
Table 25-20 Radio Button Value Edit Control settings

| Setting | Description |
| --- | --- |
| Group ID | Specifies the group ID. |
| Label Visible | Specifies whether or not the control label is shown in the Reports page. |
| Label Text | The text that is shown in the Reports page. If this field is empty, the parameter description is used. |
| Tooltip | Specifies the tool tip text. |
Parameter value provider for a custom report: Registry
Parameter Value Edit Control settings
The Registry Parameter Value Edit Control is a type of parameter value provider
for a custom report. You can define the settings on the Registry Parameter Value
Edit Control.
See “About defining parameters and value providers for a custom report”
on page 542.
See “About the Parameter Editing \ Creation Dialog dialog box” on page 546.
Table 25-21 Registry Parameter Value Edit Control settings

| Setting | Description |
| --- | --- |
| Registry Path | Specifies a registry path. |
Parameter value provider for a custom report: Resource Group
Value Edit Control settings
The Resource Group Value Edit Control is a type of parameter value provider for
a custom report. You can define the settings on the Resource Group Value Edit
Control.
See “About defining parameters and value providers for a custom report”
on page 542.
See “About the Parameter Editing \ Creation Dialog dialog box” on page 546.
Parameter value provider for a custom report: Timed Refresh
Control settings
The Timed Refresh Control is a type of parameter value provider for a custom
report. You can define the settings on the Timed Refresh Control.
See “About defining parameters and value providers for a custom report”
on page 542.
See “About the Parameter Editing \ Creation Dialog dialog box” on page 546.
About custom report views
When you create or modify your own custom Notification Server report, you can
define a report view. A report view is a particular way that the report results are
displayed. Setting up a number of different views for a report lets you customize
the report results for different users.
See “Creating and modifying custom Notification Server reports” on page 512.
You can set up two types of report views in your report:
■ Chart view - View the report results in graphical format, such as bar charts, line charts, pie charts, and area charts.
   See “Creating or modifying a chart view for a custom report” on page 560.
■ Grid view - View the report results in tabular format, with each result item displayed on a separate row.
   The available columns are defined in the report. You can set the default column order and group the results according to the values in a particular column. For example, you may want to group a list of computers by operating system type or subnet. The user can rearrange the column order and grouping to suit their preferences.
   See “Creating or modifying a grid view for a custom report” on page 566.
You can set up any number of different views in a report. Each view represents a
way of looking at the report results. A view typically contains a subset of the report
results and presents them in a way that is appropriate to a particular user role.
You can choose the data columns to include in the view, and specify which is to
be used as the primary axis. Setting up a number of different views for a report
lets you customize the report results for different users. You can use a single
report for all users, rather than creating multiple reports to meet the requirements
of different users.
The available views are listed on the View drop-down list in the report results
page. When the user refreshes the report, they can choose the view that they want
to use to display the results.
When you save a report in another format, the full result set is saved. The current
view may be a subset of the result set. The current view has no effect on what is
saved. If you want to print a particular view, you can print it directly from the
console browser.
Note: A third-party tool set provides the functionality that is used in chart views.
For full descriptions of charting components, refer to the documentation that
Dundas Data Visualization, Inc. (Dundas.com) provides.
Creating or modifying a chart view for a custom report
When you create or modify your own custom Notification Server report, you can
define a report view. A chart view is a way that you can view the results of a report.
You can create and modify the chart views that you want to include in your report.
A number of chart types are available, such as Bubble, Column, Doughnut, Pie,
and Point.
See “About custom report views” on page 559.
Note: A third-party tool set provides the functionality that is used in chart views.
For full descriptions of charting components, refer to the documentation that
Dundas Data Visualization, Inc. (Dundas.com) provides.
To create or modify a chart view for a custom report
1 In the Symantec Management Console, on the Reports menu, click All Reports.
2 In the left pane, select the report that you want to modify.
3 On the Report Name page, click Edit.
4 On the Views tab, do one of the following:
   ■ To create a new chart view, click Add.
   ■ To modify an existing chart view, in the View drop-down list, select the view that you want to modify.
5 (Optional) In the Name box, type the chart view name.
6 In the Type drop-down list, select Chart.
7 In the Chart Type drop-down list, select the type of chart that you want to use.
8 In the Chart Style drop-down list, select the style that you want to use for rendering the chart.
   A chart style is a predefined set of the colors that can be used for rendering the chart.
9 In the Size boxes, specify the height and width of the chart in pixels.
10 In the Chart Labels drop-down list, select the appropriate option:
   ■ All - Shows both the actual data values and the percentages.
   ■ Values - Shows the actual data values, such as the number of items of each type.
   ■ Percentage - Shows the data as percentages, such as the percentage of items of each type.
   ■ X Axis Only - Shows the data values for the X axis only. The Y axis is not labeled.
   ■ None - No labels are shown.
11 Set up the chart view by specifying the appropriate settings in the following tabs:
   ■ Title - Lets you specify the chart title text, and the location at which it appears.
     See “Chart title” on page 563.
   ■ Legend - Lets you specify the chart legend text, and the location at which it appears.
     See “Chart legend” on page 563.
   ■ 3D - Lets you set up 3D zooming. 3D zooming lets you enlarge selected areas of the chart to the full window size.
     See “Chart 3D zoom settings” on page 564.
   ■ X Axis - Lets you choose the result column to use as the X axis in the chart, specify the title text, and configure the appearance of the X axis.
     See “Chart X axis settings” on page 565.
   ■ Y Axis - Lets you choose the result columns to use as the Y axis in the chart, specify the title text, and configure the appearance of the Y axis.
     See “Chart Y axis settings” on page 565.
12 To preview the chart using the current settings, click Preview.
13 To save the current settings, click Save Changes.
Chart title
You can define the title for a chart view of the custom report that you create or
modify. The Title tab lets you specify the chart title text, and the location at which
it appears.
See “Creating or modifying a chart view for a custom report” on page 560.
Table 25-22 Title tab fields

| Field | Description |
| --- | --- |
| Title | The main chart title. If you want to create a multi-line title, use \n characters to insert line breaks at the appropriate places. No default is set, so the default chart title is an empty string. |
| Tool Tip | The text that appears in the tool tip that pops up when the user hovers over the chart title. No default is set. |
| Aligned | Location and alignment of text relative to the chart for the system language (written format). Near is left for English but would be right for Hebrew or Arabic. The options are: Near, Center, Far. The default is Center. |
| Docking | The location of the title on the chart page. The options are: Top, Right, Bottom, Left. The default is Top. |
Chart legend
You can define the legend for a chart view of the custom report that you create
or that you modify. The Legend tab lets you specify the chart legend text, and the
location at which it appears. The legend is the optional descriptive text that is
shown with the chart.
See “Creating or modifying a chart view for a custom report” on page 560.
Table 25-23 Legend tab fields

| Field | Description |
| --- | --- |
| Show Legend | Check this option to show the legend. |
| In Plot Area | Check this option to show the legend within the plot area. If this option is unchecked, the legend appears outside the plot area. |
| Title | The legend text. No default is set, so the default legend is an empty string. |
| Style | The Legend style. The options are: Column, Row, Table. |
| Aligned | The alignment of the legend text relative to the chart. The options are: Near, Center, Far. |
| Docking | The location of the legend on the chart page. The options are: Top, Right, Bottom, Left. |
Chart 3D zoom settings
You can define the 3D settings for a chart view of the custom report that you
create or modify. Setting up 3D zooming enables you to enlarge selected areas of
the chart to the full window size. For example, you may want to drill into a large
report that covers a long time period: you can view a particular short period by
selecting the relevant portion. You can set either or both axes as expandable.
See “Creating or modifying a chart view for a custom report” on page 560.
Table 25-24 3D tab fields

| Field | Description |
| --- | --- |
| Enable 3D | Check this option to enable 3D zooming. |
| Zoom: X Axis and Y Axis | Check these options to enable zooming on the X axis and Y axis respectively. |
| Rotation: Horizontal and Vertical | The rotation angle about the X axis and Y axis respectively. |
Chart X axis settings
You can define X axis settings for a chart view of the custom report that you create
or modify. The X Axis tab lets you choose the result column to use as the X axis
in the chart. The tab also lets you specify the title text and set up the appearance
of the X axis.
See “Creating or modifying a chart view for a custom report” on page 560.
Table 25-25 X Axis tab fields

| Field | Description |
| --- | --- |
| Main Column | The data column to plot along the X axis. Select the appropriate option from the drop-down list. The options are the result columns that are specified in the report. |
| Title | The X axis title text. |
| Interval | The X axis interval. The default is 1. |
| Visible | Check this option to display the X axis. |
| Major Grids | Check this option to display the X axis major grid lines. |
| Reversed | Check this option to render the X axis in reverse order. |
Chart Y axis settings
You can define Y axis settings for a chart view of the custom report that you create
or modify. The Y Axis tab lets you choose the result column (or columns) to use
as the Y axis in the chart. The tab also lets you specify the title text, and set up
the appearance of the Y axis.
See “Creating or modifying a chart view for a custom report” on page 560.
For some chart types, you can stack multiple values (multiple result columns) in
the same chart. These appear as multiple lines in a line chart, or a stack of different
colors in a bar, each color-coded and labeled.
Table 25-26 Y Axis tab fields

| Field | Description |
| --- | --- |
| Main Column | The data column to plot on the Y axis. Select the appropriate option from the drop-down list. The options are the result columns that were specified in the report. |
| Title | The Y axis title text. |
| Stacked Columns | The list of columns that are available to be added to the chart. Select the columns that you want to add. This option applies only to stacked chart types, such as StackedColumn, StackedBar, and StackedArea. |
| Interval | The Y axis interval. The default is 1. |
| Visible | Check this option to display the Y axis. By default, this option is disabled, so the Y axis is not visible. |
| Major Grids | Check this option to display the Y axis major grid lines. By default, this option is disabled, so the Y axis major grid lines are not visible. |
| Reversed | Check this option to render the Y axis in reverse order. By default, this option is disabled. |
Creating or modifying a grid view for a custom report
When you create or modify your own custom Notification Server report, you can
create and modify the grid views that you want in your reports. For each grid
view, you can select the result columns to include and specify how the results are
formatted.
See “About custom report views” on page 559.
To create or modify a grid view for a custom report
1 In the Symantec Management Console, on the Reports menu, click All Reports.
2 In the left pane, select the report that you want to modify.
3 On the Report Name page, in the upper right corner, click Edit.
4 On the Views tab, do one of the following:
   ■ To create a new grid view - Click Add.
   ■ To modify an existing grid view - In the View drop-down list, select the view that you want to modify.
5 (Optional) In the Name box, type the view name.
6 In the Type drop-down list, select Grid.
7 Specify the appropriate settings in the following tabs:
   ■ Hidden Columns - See “Specifying the data columns to include in a grid view of a custom report” on page 567.
   ■ Advanced Formatting - See “Setting up advanced formatting for a grid view of a custom report” on page 568.
8 To preview the grid using the current settings, click Preview.
9 To save the current settings, click Save Changes.
Specifying the data columns to include in a grid view of a
custom report
You can specify the data columns to include in the grid view of the custom report
that you create or modify. By default, the grid view includes all columns in the
query results. You can hide any data columns that you do not want to display to
the user.
See “Creating or modifying a grid view for a custom report” on page 566.
To specify the data columns to include in a grid view of a custom report
1 In the Symantec Management Console, on the Reports menu, click All Reports.
2 In the left pane, select the report that you want to modify.
3 On the Report Name page, in the upper right corner, click Edit.
4 On the Views tab, do one of the following:
   ■ To create a new grid view - Click Add.
   ■ To modify an existing grid view - In the View drop-down list, select the view that you want to modify.
5 (Optional) In the Name box, type the view name.
6 In the Type drop-down list, select Grid.
7 On the Views tab, on the Hidden Columns tab, allocate the appropriate columns to the Available Columns list by doing the following:
   ■ To include a data column in the grid view - In the Hidden Columns list, select the data column that you want to include in the grid view, and then click Include.
   ■ To exclude a data column from the grid view - In the Available Columns list, select the data column that you want to exclude from the grid view, and then click Exclude.
8 Click Apply.
9 Click Save Changes.
Setting up advanced formatting for a grid view of a custom
report
You can set up advanced formatting for the grid view of the custom report that
you create or modify. The Advanced Formatting tab lets you set up a formatting
template that applies HTML tagging to appropriate cells or rows in the report
results. For example, in a computer disk space report you might want to highlight
all the computers that have less than a specified minimum free space remaining.
You can create a template that formats the relevant rows with a bright yellow
background and uses bold text in the Free Space cell.
The process for setting up advanced formatting includes creating formatting rules
for the appropriate result columns. For each formatting rule you need to specify
the HTML tagging that the rule applies to the results. If the formatting rule is
conditional on some data values, you need to specify the appropriate conditions.
For example, in a computer disk space report, you may want to apply the
formatting rule only to computers that have less than a specified minimum free
space remaining. The rule would be conditional on the Free Space value being less
than a specified amount.
See “Creating or modifying a grid view for a custom report” on page 566.
To set up advanced formatting for a grid view of a custom report
1 In the Symantec Management Console, on the Reports menu, click All Reports.
2 In the left pane, select the report that you want to modify.
3 On the Report Name page, in the upper right corner, click Edit.
4 On the Views tab, in the Advanced Formatting tab, do one of the following:
   ■ To create a new rule - In the Rule Order panel, click Add.
   ■ To modify an existing rule - In the Rule Order panel, select the rule.
5 In the Rule Name box, type the rule name.
6 In the Format Type drop-down list, select the appropriate type.
   HTML Template is currently the only option.
7 In the Applies To drop-down list, select the appropriate option:
   ■ Entire Row - The HTML formatting in the template applies to the entire grid row.
   ■ Data column - The HTML formatting in the template applies to the selected column only.
     Each data column in the report results is listed. If the report results include items, the ItemGUID column is also available. This column is hidden from all views, but is included in the query results.
8 If you want to set conditions on the formatting rule, check Conditional.
   When Conditional is checked, the Condition panel is shown. The Condition panel lets you set conditions for the formatting rule.
   See “Setting conditions for a formatting rule” on page 570.
9 In the Format panel, set up the appropriate formatting template fields.
   See “Adding a formatting template field” on page 570.
10 Click Apply.
11 Click Save Changes.
Setting conditions for a formatting rule
You can set up conditional statements within formatting rules to make the rules
apply only to particular data values. For example, you may want to highlight
certain data values in the grid, or identify any missing data values.
See “Setting up advanced formatting for a grid view of a custom report” on page 568.
To add a new condition to a formatting rule
1 In the Condition panel, click Add.
2 Specify the following settings:
   ■ Column - Specifies the column to which the condition applies. Each data column in the report results is listed.
   ■ Check - Specifies the conditional operator.
   ■ Value, Value 2 - Specifies the value or values that the operator uses to check the condition.
3 Click Insert.
Adding a formatting template field
You can set up the HTML tagging for each template field.
See “Setting up advanced formatting for a grid view of a custom report” on page 568.
To add a formatting template field
1 In the Format panel, under Template Fields, click Add.
2 Specify the following settings:
   ■ Source Value - Specifies the source of the data that is shown in the formatted cell. The default is Applied Value, which is the data that is already in the cell. However, you can replace that with any other data from the same row, by selecting the appropriate column. Each data column in the report results is listed.
   ■ Source Type - Specifies the source value type to display. The options are:
     ■ Raw Data Value - the value in the report results.
     ■ Previous Rule Value - the value that resulted from applying the previous rule.
3 Click Insert.
   The Cell Template pane shows the formatting template and is updated as you add and modify rules and conditions.
Setting up drilldown actions for a custom report
When you create or modify your own custom Notification Server report, you can
set up a report drilldown. A report drilldown is an action that is performed when
the user clicks on an item in the report results. You may want to configure
drilldowns for a report to enable the user to obtain additional information through
the report results. Drilling down into an item opens the appropriate view, which
may be another report or a URL (such as the Resource Manager Console).
See “Creating and modifying custom Notification Server reports” on page 512.
You can set up multiple drilldowns for a report to perform different actions on
different types of resources.
For each drilldown, you can specify the view on which the drilldown is available,
and how the user triggers the drilldown. You can also specify the action that is
performed and the parameters that are used in the action.
You can create multiple drill-down reports, which are groups of the reports that
are linked in a hierarchical structure. This structure can enable the report user
to select an item in a report result-set and run further reports on it. Drill-down
reports can present expanded information for a smaller set of resources, or can
provide different information on the resource by reporting on different fields.
To set up drilldown actions for a custom report
1 In the Symantec Management Console, on the Reports menu, click All Reports.
2 In the left pane, select the report that you want to modify.
3 On the Report Name page, click Edit.
4 On the Drilldowns tab, do one of the following:
   ■ To add a new drilldown - Click Add.
   ■ To modify an existing drilldown - In the Drilldown drop-down list, select the drilldown that you want to modify.
5 In the Name box, type an appropriate name for the drilldown.
6 In the Action Wireup panel, specify the appropriate settings.
   See “Specifying the drilldown action wireup for a custom report” on page 572.
7 In the Passing Parameters panel, specify the appropriate parameters.
   See “Adding parameters to a drilldown action for a custom report” on page 573.
8 Click Save Changes.
Specifying the drilldown action wireup for a custom report
When you set up the drilldown for your custom report, you need to specify the
type of item to which the drilldown applies. You also need to specify the user event
that triggers the drilldown and the action that is performed. You can specify the
view on which the drilldown is available. You may want to set up different actions
for different views, according to the needs of the users.
See “Setting up drilldown actions for a custom report” on page 571.
To specify the drilldown action wireup for a custom report
1 In the Action Wireup panel, in the Available On drop-down list, select the appropriate report view.
   See “About custom report views” on page 559.
2 In the Event drop-down list, specify the user event that is required to perform the drilldown:
   ■ Click
   ■ Double-click
   ■ Right-click
3 In the Performs drop-down list, select the action that the drilldown performs:
   ■ Drilldown to Report - Runs a report that provides further information on the selected item.
   ■ Show context menu - Opens the context menu for the selected item.
   ■ Open a URL in a new window - Opens a specified URL in a new window.
   ■ Open a URL in a new window for the remote NS - Opens an item such as a report that exists on a remote Notification Server. The specified report opens in a new window.
     You may want to use this option to drill down on resources on a particular Notification Server.
4 In the Action Configuration panel, do the appropriate one of the following:
   ■ Drilldown to Report - In the Report Item drop-down list, select the report that you want the drilldown action to run.
   ■ Show context menu - Not applicable.
   ■ Open a URL in a new window
     1 In the Open URL box, type the URL of the item that you want the drilldown action to open.
     2 Click Set.
   ■ Open a URL in a new window for the remote NS
     1 In the Remote Report Item GUID box, type the GUID of the remote report that you want the drilldown action to open.
     2 Click Set.
5 Click Apply.
Adding parameters to a drilldown action for a custom report
When you set up the drilldown for your own custom report, you can set up the
parameters that pass values to the drilldown action.
See “Setting up drilldown actions for a custom report” on page 571.
You need to match properties or values from the selected item to the parameters
in the drilldown action. This process ensures that the appropriate action is
performed. For example, if you want the drilldown action to open the Resource
Manager, you can pass the appropriate resource GUID as a parameter. If you want
the drilldown action to run a report, you can pass the appropriate values for the
report query.
To add a parameter to a drilldown action for a custom report
1 In the Passing Parameters panel, do one of the following:
   ■ To add a new parameter - Click Add.
   ■ To edit an existing parameter - Select the parameter that you want to modify and then click Edit.
2 Specify the following details for the parameter:
   ■ Source - The source of the parameter value:
     ■ Named Parameter
     ■ First Selected Value
     ■ Selected Row
     ■ Entire Selection
   ■ Field Info - The name of the source field.
   ■ Target Parameter - The parameter name.
   ■ Target Parameter Type - The parameter type.
     The drop-down list contains all of the available parameter types.
     See “About the parameter type for a custom report” on page 547.
3 Click Apply.
Specifying the properties of a custom report
When you create or modify your own custom Notification Server report, you can
restrict the report results to the scope of the user who runs the report. By default,
running a report extracts the full (unscoped) set of results from the CMDB. The
report results may then be scoped to ensure that the user sees only the appropriate
data. However, you can apply scoping to the report so that only the appropriate
data is extracted from the CMDB.
See “Creating and modifying custom Notification Server reports” on page 512.
You can also choose to run the report only as a snapshot. To minimize the load
on Notification Server, you may want to run large or frequently-used reports as
snapshots. When a user runs the report, the results are obtained from the latest
snapshot, rather than by running the report query on the CMDB. When you set a
report to run only as a snapshot, you can optionally specify the maximum age of
the snapshot. When the snapshot reaches this age, the report query is run on the
CMDB to extract the latest result set and update the snapshot.
To specify the properties of a custom report
1. In the Symantec Management Console, on the Reports menu, click All
   Reports.
2. In the left pane, select the report that you want to modify.
3. On the Report Name page, click Edit.
4. On the Advanced tab, do any of the following:
   To promote scoping information to the data source
      Check Promote scoping information to the data source.
   To run the report only as a snapshot
      1. Check Always run report as a snapshot.
      2. In the Automatically refresh snapshot when older than box,
         specify the age at which to update the snapshot with the
         latest report results.
5. Click Save Changes.
Chapter 26
Viewing resource information
This chapter includes the following topics:
■ About resources
■ Viewing resource data class information
■ Viewing resource association type information
■ Viewing resource type information
About resources
Resources are the items that Notification Server works with and stores data
about, such as assets, invoices, purchase orders, projects, contracts, and users.
Data about a resource is added to the Configuration Management Database (CMDB)
using a template that is called a resource type. Each resource in the CMDB has a
resource type that specifies the information that is recorded about the resource,
for example, the resource name, description, model, asset tag number, owner,
department, and so on.
The more resources you work with, the more you need to group resources together
for management purposes. You can use organizational views, organizational
groups, and resource filters to help group your resources.
See “Viewing resource data class information” on page 578.
See “Viewing resource association type information” on page 578.
See “Viewing resource type information” on page 578.
Viewing resource data class information
You can view resource data class information. A resource data class defines one
or more fields, and the properties of the fields, that a resource of that class may
have.
See “About resources” on page 577.
To view resource data class information
1. In the Symantec Management Console, in the Settings menu, click All
   Settings.
2. In the left pane, expand the Settings > Notification Server > Resource and
   Data Class Settings > Data Classes folder, and then select the appropriate
   data class.
Viewing resource association type information
You can view resource association type information. A resource association is a
link between two resources, such as between a user and a computer. The user of
a computer has an association with that computer, and vice versa.
See “About resources” on page 577.
To view resource association type information
1. In the Symantec Management Console, in the Settings menu, click All
   Settings.
2. In the left pane, expand the Settings > Notification Server > Resource and
   Data Class Settings > Resource Associations folder, and then select the
   appropriate resource association type.
Viewing resource type information
You can view resource type information, such as the base resource type and
resource associations that apply to the resource type. You can also view the data
classes that are included in the resource type.
See “About resources” on page 577.
To view resource type information
1. In the Symantec Management Console, in the Settings menu, click All
   Settings.
2. In the left pane, expand the Settings > Notification Server > Resource and
   Data Class Settings > Resource Types folder, and then select the appropriate
   resource type.
3. On the Resource Type Information page, on the Configuration tab, view the
   following resource type information:
   Resource type details
      Resource type name, description, and the base resource type.
   Association Types
      Resource Associations that apply to the resource type.
      By default, only those that are applied directly are displayed.
      To show all resource associations, check Show inherited association
      types.
   Data Classes
      The data classes that are included in the resource type.
      By default, all data classes are displayed.
      To change the view:
      1. Click one of the following:
         Editable - show the data classes that you can edit.
         All - show all data classes.
         This selection operates on the available data classes.
      2. (Optional) To hide inherited data classes, uncheck Show inherited
         data classes.
   Any changes that you make are not preserved when you leave the Resource
   Type Information page. The default settings are restored the next time that
   you open the page.
Section 5
Managing the Software Catalog and Software Library
■ Chapter 27. Introducing Software Management Framework
■ Chapter 28. Setting up Software Management Framework
■ Chapter 29. Configuring the Software Library
■ Chapter 30. Viewing Software
■ Chapter 31. Populating the Software Catalog
■ Chapter 32. Creating software resources
■ Chapter 33. Populating the Software Library
■ Chapter 34. Creating command lines for software resources
■ Chapter 35. Creating inventory rules
■ Chapter 36. Importing data from a data provider
■ Chapter 37. Rolling out solution plug-ins
Chapter 27
Introducing Software Management Framework
This chapter includes the following topics:
■ About Software Management Framework
■ About the Software Catalog
■ Benefits of the Software Catalog
■ About the Software Library
■ Benefits of the Software Library
■ About the separation of software-related user roles
■ Components of Software Management Framework
■ What you can do with Software Management Framework
About Software Management Framework
Software Management Framework is part of the Symantec Management Platform.
It provides the Definitive Software Library and configuration management
capabilities of a Configuration Management Database (CMDB).
Software Management Framework facilitates integration between the solutions
in Symantec Management Platform by providing a common way to store, identify,
and detect software. It provides the structure in which to define the software and
it provides the tools with which to manage the software definitions.
Software Management Framework introduces a change in the way that software
is identified. All software is defined in a single location and in a consistent manner.
The software definitions are referred to as software resources. The software-related
functions in Symantec Management Platform can use these software resources,
which ensures that they all identify the same software in the same way.
The use of software resources helps you gain efficiencies in the performance of
your daily software management tasks. You no longer need to perform many of
your software tasks manually. Instead, you do some of the work initially by defining
the information that helps to automate those tasks. Then you can let Software
Management Framework and the solutions help manage your software so that
you can spend more time on other issues.
Examples of how the software resource data can help you perform software tasks
are as follows:
■ You can define any other software that a specific software resource depends
  on. When you deliver that software resource, the dependency software is
  automatically included in the delivery. You do not have to remember to deliver
  the dependency software separately.
■ The software resource’s unique identifier provides a consistent way to detect
  the software on the client computers. Before the software delivery process
  downloads the software to a computer, it can determine whether that software
  is already installed. The delivery process can also check the computer
  periodically to verify that the software is still installed and to reinstall the
  software if necessary. This automated verification and remediation can
  substantially reduce your need to respond to help desk calls for missing or
  broken software.
  (Windows only) You can define a detection rule that contains additional
  information about the software and makes the detection process even more
  accurate.