When trying to run CADSMCMD commands as a user who is not an Administrator on the Domain Manager, it fails. What permissions need to be granted in the user in ITCM Security Profiles to allow that user to run the CADSMCMD commands?

Document ID : KB000050340
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

When trying to run CADSMCMD commands as a user who is not an ITCM Administrator and/or does not have Full Control on all objects in their ITCM Security profile, the command fails with the error below:

Connecting to manager "<default manager>" as user "<default user>" ...
SDCMD<CMD000109>: Session establishment failed CLI_CO_DOMAIN_NAME.

The user may have the appropriate permissions to perform the same action from the DSM Explorer, but the CADSMCMD still fails.

For Example, to add a computer to a group in the DSM Explorer the following permissions are needed. However, using the CADSMCMD command to move a computer to a group with these same permissions will fail with the error above.

Figure 1

Below is the sample command for this use case and the resulting error message:

C:\Users\test>cadsmcmd compgroup action=add name=GroupName computer=ComputerName
CA IT Client Manager r12
ITCM Command Line Version 12.5.0.2307
Copyright (c) 2010 CA. All rights reserved.

Trace mode: Off

Connecting to manager "<default manager>" as user "<default user>" ...
SDCMD<CMD000109>: Session establishment failed CLI_CO_DOMAIN_NAME.

What other Object Level Permissions are needed for the user's Security Profile?

Solution:

The key object where permissions are needed to use the CADSMCMD command line utility, besides the permissions needed to perform the same action in the DSM Explorer, is the "Database Credentials" Object.

You will need at least "Manage" permissions on the "Database Credentials" object for the user's Security Profile, along with what ever other permissions are need to perform that same action from the DSM Explorer. Most of these permissions are documented in the "CA IT Client Manager: Object Level Security Best Practices" Greenbook which is available as an attachment to this technical document.

For example, in the use case above to add a computer to a group using the CADSM Command you would need the same permissions as shown above, plus the added "Database Credentials" permission show below.

Figure 2

The successful command output will look like the following once the permissions are set correctly.

C:\Users\test>cadsmcmd compgroup action=add name=GroupName computer=ComputerName
CA IT Client Manager r12
ITCM Command Line Version 12.5.0.2307
Copyright (c) 2010 CA. All rights reserved.

Trace mode: Off

Connecting to manager "<default manager>" as user "<default user>" ...OK.
Manager: DomainManagerName
Domain: DomainName
Domain type: Domain
Supporting: CO CCNF USD OSIM AM

%CAOP_E_504, Console daemon on node DomainManagerName not receiving. Friday, May 06, 20
11 10:23:02 AM

SDCMD<A000000>: OK

File Attachments:
TEC546743.zip