Support

adTempus may fail to enforce client security restrictions for non-Admin users

Article ID: K00000334
Last Updated: January 28, 2009

Applies To

adTempus 3

Symptoms

When non-Administrator users (users who are not members of the server's Administrators security group) connect to an adTempus server through the adTempus Console, adTempus may incorrectly treat them as Administrators. Because Administrators are automatically given full security access within adTempus, these non-Admin users receive security access that they should not have within the adTempus Console.

Resolution

To resolve this issue, install the latest adTempus Maintenance Update as discussed in the Status section below. The update must be installed on the adTempus server (where the adTempus service is running) and on any remote client computers where users are running the adTempus Console.

Refer to the Security Setup Issues section below for information on problems you may potentially encounter after applying this update.

Security Setup Issues

As a result of this issue, it is possible that non-Admin users of adTempus have been able to perform actions that they should not be able to perform based on the adTempus security settings. Once this update is applied, therefore, these users may find themselves unable to perform actions they are used to performing.

In this case it will be necessary for an Administrator to review the security settings for adTempus and determine which settings need to be adjusted. Refer to the Initial Permission Setup topic in the adTempus help for suggestions on basic security setup.

The following sections discuss specific problems you may encounter as a result of this update. Note that these issues only apply to non-Administrator users of adTempus. Administrators are not affected.

Users must have View permission on "Jobs" node in order to view any jobs

In a common scenario, groups of users only have permission to view and/or modify jobs in a specific job group. For example, you may have a group of reporting users who are able to view jobs in the "Reporting Jobs" group, but not any other job groups.

However, the users will not be able to see the "Reporting Jobs" group (or the jobs it contains) unless they also have View permission for the "Jobs" node (folder) in the Console. This is because the "Jobs" node is actually the "Root" job group, and has its own security settings. To view groups and jobs within a group, you must have View permission for that group. Therefore all users need View permission on the "Root" group ("Jobs" node) if they are to be able to view any jobs at a lower level.

To set the permissions for the Jobs node, select the Jobs node, then right-click and select the Edit Group command. You should then grant View permission to the "BUILTIN\Users" group. To preven the View permission from propagating down to lower jobs and groups, set the Apply Permissions To option to "This group only".

Status

This issue was corrected in adTempus 3.0.6, released on January 28, 2009. See article K00000333 for information about obtaining this update.