Here’s a new Knowledge Base article we published today. This one talks about an issue where a restricted user can attempt certain actions that they don't have permission to yet get a (false) message indicating it was successful.
When using System Center 2012 Operations Manager (OpsMgr) to manage System Center 2012 Data Protection Manager (DPM) servers and leveraging the role-based access control, it is possible that a restricted user can attempt certain actions that they don't have permission to and get a message indicating it was successful.
Checking the jobs view in DPM for the given protection group will show that the job is not actually initiated in DPM. Restrictions for the user will be followed.
This is most likely to happen only when dealing with a protection group. When the same action is attempted at the data source level, users will be presented with the expected message indicating the action is not allowed.
This is caused by unexpected return values from the agent task in OpsMgr.
The DPM team is aware of the condition and is working on a resolution that will be targeted for the next DPM QFE.
It is important to note that the action is not actually being performed. There is no unexpected elevation of privileges. The roles as defined in OpsMgr are being honored at all times.
Following are examples of the expected behavior and the erroneous message.
If a restricted user attempts to launch a consistency check for a data source from the OpsMgr console, initially a message will be displayed indicating the job is being sent.
Run Consistency Check on data source Status: Run Consistency check on data source
This will then be followed by an error indicating the user does not have permission.
Failed to start <task type> on data source You do not have permissions to perform this action. Your DPM administrator must give you permissions to any one of the following tasks - Run <task type> (ID: 33238)
If the same user attempts to initiate the consistency check, but this time at the protection group level, the experience changes and an erroneous message is displayed. First, an indication that job is being sent will be displayed.
Run Consistency Check on Protection Group Status: Run Consistency Check on Protection Group
At this point, OpsMgr reports that the job was successfully started.
Run Consistency Check on Protection Group Status: Successfully started consistency check on Protection Group
The above message is the erroneous message as the job will not be started on the DPM server.
For the most current version of this article please see the following:
2665983 : System Center 2012 Operations Manager incorrectly reports that a restricted System Center 2012 Data Protection Manager action completed successfully
J.C. Hornbeck | System Center & Security Knowledge Engineer
Get the latest System Center news on Facebook and Twitter:
App-V Team blog: http://blogs.technet.com/appv/ AVIcode Team blog: http://blogs.technet.com/b/avicode ConfigMgr Support Team blog: http://blogs.technet.com/configurationmgr/ DPM Team blog: http://blogs.technet.com/dpm/ MED-V Team blog: http://blogs.technet.com/medv/ OOB Support Team blog: http://blogs.technet.com/oob/ Opalis Team blog: http://blogs.technet.com/opalis Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/ OpsMgr Support Team blog: http://blogs.technet.com/operationsmgr/ SCMDM Support Team blog: http://blogs.technet.com/mdm/ SCVMM Team blog: http://blogs.technet.com/scvmm Server App-V Team blog: http://blogs.technet.com/b/serverappv Service Manager Team blog: http://blogs.technet.com/b/servicemanager System Center Essentials Team blog: http://blogs.technet.com/b/systemcenteressentials WSUS Support Team blog: http://blogs.technet.com/sus/
The Forefront Server Protection blog: http://blogs.technet.com/b/fss/ The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/ The Forefront TMG blog: http://blogs.technet.com/b/isablog/ The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/
SCOM 2012 DPM 2012