How to check permissions applied on a computer

Document ID : KB000032504
Last Modified Date : 14/02/2018
Show Technical Document Details

Summary:

Permissions on computers could be set at 3 level :

• Class "Computer" in a Security Profile.
• on a Asset Group
• Directly on the Computer


So it could be difficult to determine why a user has no permission on a computer.
There is no easy method in ITCM to get the list of permissions applied to a computer
But with a SQL Query we could get this permission list.

 

Instructions: 

1- With Microsoft SQL Server Manager Studio, create this function and procedure on the mdb database :

use mdb
GO
 
CREATE FUNCTION [dbo].[ITCM_GetRights](@ace int)
RETURNS VARCHAR(25) AS
BEGIN
   DECLARE @RIGHTS VARCHAR(25)
   IF @ace=0 RETURN 'No Access'
   IF @ace=255 RETURN 'Full Control (CVRWXDPO)'
   IF @ace=64 RETURN 'View (V)'
   IF @ace=65 RETURN 'Read (VR)'
   IF @ace=81 RETURN 'Manage (VRX)'
   IF @ace=87 RETURN 'Change (VRWXD)'
   SET @RIGHTS=''
   IF (@ace & 128)=128 SET @RIGHTS=@RIGHTS+'C'
   IF (@ace & 64)=64 SET @RIGHTS=@RIGHTS+'V'
   IF (@ace & 1)=1 SET @RIGHTS=@RIGHTS+'R'
   IF (@ace & 2)=2 SET @RIGHTS=@RIGHTS+'W'
   IF (@ace & 16)=16 SET @RIGHTS=@RIGHTS+'X'
   IF (@ace & 4)=4 SET @RIGHTS=@RIGHTS+'D'
   IF (@ace & 8)=8 SET @RIGHTS=@RIGHTS+'P'
   IF (@ace & 32)=32 SET @RIGHTS=@RIGHTS+'O'
   RETURN @RIGHTS
END
 
GO
 
CREATE PROCEDURE [dbo].[ITCM_GetRights_Computer](@ComputerName AS VARCHAR(200)) AS
BEGIN
   SELECT p.name 'Security Profile Name', a.agent_name 'Computer Name',o.ace,dbo.ITCM_GetRights(o.ace) AS 'Rights',
   CASE o.security_level
      WHEN 0 THEN 'Computer Class'
      WHEN 1 THEN 'Asset Group'
      WHEN 2 THEN 'Computer Object'
   END 'Security Level'
   FROM ca_security_profile p, ca_object_ace o, ca_agent a
   WHERE o.security_profile_uuid=p.security_profile_uuid AND o.object_def_uuid=a.object_uuid
   and a.agent_name like @ComputerName and a.agent_type=1
   ORDER BY p.name, a.agent_name
END
GO
 
query.jpg
 
 
2- Then procedure ITCM_GetRights_Computer procedure could be used to check the permissions applied on a computers
 
 
Example :
 
- Get Permissions for computer JY-PC2 :
exec ITCM_GetRights_Computer 'JY-PC2'
 
- Get Permissions for computers JY* :
exec ITCM_GetRights_Computer 'JY%'
 
 
result2.jpg