
Permissions Issue for Partition Administrator

The Partition administrator is not able to select the domain functional account in the connection tab while adding new systems to TPAM.

If we log in as Administrator we can scroll down the domain functional account drop-down and select the desired domain-based account which is authorized for resetting the password on the target system.

However, the Partition administrator can't select this. Please advise.

Appreciate your help on this. Thank you.

  • Remember that the partition is completely isolated, so the partition administrator only sees what is in the partition that it is assigned to.

    If you have not assigned a specific domain system to the partition, then the partition administrator will not be able to see it.

    TPAM partitions provide total isolation of all roles and functions to military/government standards. You almost need to think of each partition as a separate TPAM instance.

    Great for multi-tenanted operation.

    Tim

  • Hi Tim,

    Here the issue is only with selecting the domain functional account in the connection tab while adding a new system in TPAM.

    The same partition administrator is able to import a batch file for multiple systems with all the required configuration. But he is not able to add a single system manually with a domain functional account in the connection tab.

    The Partition administrator also tried to add the system with the CLI but is getting the following error. Please advise. Thank you.

    ssh -i id_dsa sugamasuhasini@tpm-prod-sc9-c1.vmware.com AddSystem --SystemName portal-lt-app1 --NetworkAddress 10.128.11.93 --PlatformName Linux --ReleaseDuration 2880 --PasswordRule "Linux\ password\ Rule" --DomainFuncAccount "VMWAREM\\\svc.tpam" --Timeout 60 --NonPrivFuncFlag N --UseSslFlag N --AllowFuncReqFlag N --EscalationTime 0 --MaxReleaseDuration 2880 --PlatSpecificValue sudo --RequireTicketForRequest N --RequireTicketForISA N --RequireTicketForCLI N --RequireTicketForAPI N --AllowISADurationFlag N --UseSshFlag N --PSMDPAAffinity Any --PPMDPAAffinity Local --PasswordCheckProfile "STG\ Servers" --ProfileCertType N --RequireTicketForPSM N --PartitionName "Linux\ Partition"

    Error:

    Invalid Domain Account Name specified for Domain Functional Account (VMWAREM\svc.tpam).

  • First let me make sure that I understand what you are doing here.

    You have a domain system that is defined in another partition which is providing the functional accounts you need for that partition without any issues. You can manually add systems to that partition and then select the domain functional account without a problem. These systems are member servers of the domain.

    You have then created another partition, and when you try to add a system to this you cannot select a functional account based on the domain system that is defined in another partition.

    If this is the case, then this was a part of the original design spec, and if you have found a way around it with a batch import then I would say that is possibly a bug.

    If I have your requirement correctly assessed, the next thing I would try to give you what you need would be to add a new domain system to the partition you are having trouble with.

    I would give it a meaningful name so it is obvious it relates to just that partition, and I would add the accounts you want to use to it. It will use exactly the same configuration as the main system in the other partition. JUST be VERY careful about which domain system you then use to manage domain accounts. You could end up with the domain accounts being managed in more than one place if you are not careful with this.

    Again, when working with TPAM remember that as far as TPAM is concerned a Domain is just another system.

    As I said, the partition was defined to allow complete segregation of configuration.

    In the government environment where it was deployed, the paradmin and equivalent accounts were never used and were locked in a safe, only to be used for specific configuration or emergency changes. Day-to-day work was carried out by the Partition admins. This included adding user and system accounts. Each partition had its own unique domain.

    If I have misunderstood what you are trying to do, please let me know what your requirement is and what you are trying to achieve, and I will see if I can help.

    All the best

    Tim

  • Hi Tim,

    What you understood is absolutely correct. Even if the partition administrator tries to create a new computer account which is not there in the TPAM database, he is still not able to select the domain functional account in the connection tab.

    If we log in as a normal administrator we are able to see all service accounts available in our domain to select in the same tab.

    Is there any limitation that domain-based functional accounts are not available for partition administrators?

    Do we have any possibility to get this option to work for the partition administrator?

  • Have you tried adding a new AD system for your domain to the partition as I suggested? This would need a platform type of Windows AD, and you will need to provide a different name for it.

    You could use the same functional account you previously defined, but from a management point of view it may be better to reference the partition name in the functional account.

    I would expect that if you had a domain defined in the partition, then when you add member servers you would be able to select the domain accounts from this system.

    Once you have a system defined in the partition, then the partition admin should be able to manage it and use the resources.

    I cannot comment on what changes the Dev. team would accept, but as I wrote the original spec for the partition feature that was submitted to Dev. on behalf of a government organisation, what I can say is that what you are asking for would break their isolation model.

    If you have already tried adding a new Windows AD system to the partition and this is not working, then check you are running the latest code and then log a call with the support guys. They will always suggest upgrading to the latest code release first, so you may as well do this before contacting them.

    Tim