Solved

Role Permission allowed an unauthorized action

  • 23 June 2022
  • 6 replies
  • 124 views

Userlevel 2
Badge +6

We have certain users who are wanting to be able to create reports for their clients being backed up inside of Commvault. We are wanting to only allow them to view their client(s), libraries, and jobs without the capability of adding/remove/editing/creating. The Only thing we we want them to add/edit are reports that they can create for their environment and that's it. 

Somehow back in May they were able to stop one of their jobs due to it causing a connection issue to the client causing a network traffic. this was an illegal operation which they performed, and my managment was not happy. I have attached their role profile. I am confused as to how they were able to perform this action based on the role settings. Any help as to get to the reult of what we are looking for is greatly appreciated. 

 

icon

Best answer by Mike Struening RETIRED 19 July 2022, 20:36

View original

6 replies

Userlevel 4
Badge +9

Hi @TP_Erickson,

Can you provide the associated entities view from the user group you are applied this role to?

Are there additional roles applied besides for this role?

In the associated entities view from the user group and the user level do you see any additional role or ‘custom role’ specified?

Is the user associated to multiple groups and may be inheriting permissions from an additional group?

Userlevel 2
Badge +6

Hi @TP_Erickson,

Can you provide the associated entities view from the user group you are applied this role to?

Are there additional roles applied besides for this role?

In the associated entities view from the user group and the user level do you see any additional role or ‘custom role’ specified?

Is the user associated to multiple groups and may be inheriting permissions from an additional group?

Here is the Associated Entities tab for the Group the accounts we want restricted. It seems that this is the only role assigned

 

Userlevel 4
Badge +9

@TP_Erickson,

From that view I wouldn’t expect the behavior you encountered. Can you please create a new support incident for us to investigate further and share that incident number here for tracking?

During case creation please also upload your Commserve logs, and Commserve database with latest database and include in the case details the role, group, user example and behavior that you observed,

Userlevel 2
Badge +6

Created Incident 220623-657, basilly word foro word copied my question here for the forums, and sent the attachments and pictures over as well. will keep this forum page posted. Thanks for the help so far. 

Userlevel 2
Badge +6

So turns out i had some manual associations also tacked unto the profiles of the individuals within that role that gave them master privilege's over jobs that they were able to see. We removed these manual entities, and the roles are working, except we now have a problem that we are awaiting results back from a Commvault rep, but want to throw this in here and see if you guys know what's causing it. 

 

I have attached a report that one of the members is 

he now can no longer see the Dara Sources, Databases and tables when creating a report for his tasks in the Commvault Reports on the Command Center (Attached screenshot). I used the test account to verify his claims and the role does not allow to see the Data sources, databases and tables. The role says he has access to all avenues of the reports, but this is not showing. I have attached a screen shot for further review.

Userlevel 7
Badge +23

Sharing case solution:

Solution:

11.24.32

Issue
--------
User account have unexpected permissions.
Troubleshooting/Findings
--------------------------
- User account is able to suspend and kill a job, the expectation is that they are not able to do this.
- Created a test user and assigned the user to the group
- The test user was unable to kill a job.
- Navigated to user > right click> properties.
- The user in question has master role associated to the client group which allows the user permissions to kill or suspend a job.
Reconvened on a remote session
-------------------------------
- User was unable to add dataset to a report when creating a report or editing a report.
- Navigated to the user account and enable the "Developer tools" permissions.
- Enabled "Dataset" "DataSource" "Reports" "Table"
- Enabled user to see all entities from the commcell level.
- User attempted to edit the report, user can now see the database and data source.

Reply