8 Replies Latest reply on Mar 29, 2012 9:49 AM by technobabble

    Issues with RBA in 9.0 SP3


      I am having some issues with Role Based Access on our LANDesk 9.0 SP3 test environment.


      Any users that are part of LANDesk Administratrators group can log in fine however users that are ONLY members of LANDesk Script Writers group are unable to log into the console.


      I get the following error:



      In order for them to be able to log in, they must ALSO be part of LANDesk Management Suite group.


      LANDesk Script Writers contains AD security groups that have access to log into the core.  If I add the users either directly to the Management Suite group or add their AD security group then they can log in.


      Is this correct behavior?  According to the documentation, the user only needs to be a member of one of these groups.



      Any ideas?

        • 1. Re: Issues with RBA in 9.0 SP3
          LANDeskWizrd SSMMVPGroup

          Which documentation are you looking at? The documentation LANDesk provides is not always up to date unfortunately.


          When you look at your users list in LANDesk, do you have a role/scope assigned to either LANDesk Management Suite or LANDesk Script Writers? I believe you need to have a role defined for any group that needs access to the console.


          This is a portion of a document that might help. The document can be found here http://community.landesk.com/support/docs/DOC-23415 if you haven't already read that one.


          "In 9.0 SP2, the Local Users and Group is key component to using LANDesk. Unlike previous version of LANDesk, the LANDesk Administrators, LANDesk Management Suite, and LANDesk Script Writers groups are only used to give users rights to the LANDesk directory structure. These groups do not add the users to the User Management console as they did in past versions, in fact the users do not need to be in these groups to add a user to the User Management console, but the user will not be able to log in to the console until they are added to a group."

          • 2. Re: Issues with RBA in 9.0 SP3

            There are no roles assigned to either LANDesk Management Suite or LANDesk Script Writer however inside these groups there are AD security groups with users that have Roles assigned.


            For example, in the "LANDesk Script Writers" group, we have an AD Security Group called "LANDesk GroupAdmin Role" which is assigned a role in LANDesk.  This group has a defined role and scope.



            • 3. Re: Issues with RBA in 9.0 SP3

              This user in question (my test user)  is a member of an AD security group inside "LANDesk Script Writers" and was assigned a Role and a Scope called TFTS Group Admin.


              I can't log into the Console with this user without also adding this user to the Management Suite group



              • 4. Re: Issues with RBA in 9.0 SP3
                LANDeskWizrd SSMMVPGroup

                Yeah I use the same type of setup. I place groups inside the local LANDesk groups and assigne the roles to those that I add.


                Looking at the screenshot, I only see LANDesk Script Writers. Did you add groups with roles to the LANDesk Management Suite as well?

                • 5. Re: Issues with RBA in 9.0 SP3
                  LANDeskWizrd SSMMVPGroup

                  Hmm, that does seem strange. Is there any reason you need to use LANDesk Script Writers? I have always just used LANDesk Management Suite when it came to giving console access to users.

                  • 6. Re: Issues with RBA in 9.0 SP3

                    check this document  DOC-8201






                    • 7. Re: Issues with RBA in 9.0 SP3

                      Thanks.  DOC-8201 solved my problem.

                      • 8. Re: Issues with RBA in 9.0 SP3
                        technobabble Apprentice

                        There are 2 bugs that I reported related to scopes based on an LDAP queries after installing LDMS 9 SP3.


                        • A scope based on an LDAP query will become corrupt and unusable after you edit it. The workaround is to edit the scope's row in the dbo.Scope table under the BNF column in the database directly. Care should be taken as to syntax when editing the scope directly in the LANDesk databse.


                        • When attempting to create a new scope based on an LDAP query and selecting "Edit and then "Browse Directories" to specify the criteria, there is no "Save" button but the the scope is created as an LDMS query when selecting the "Close" button.


                        LANDesk has this in their queue to get fixed but I have received not received an information as to when a fix for this will be avaiable.



                        Sample of corrupt scope before editing:



                        Sample of corrupt scope after editing: