17 May 2012 12:54
We have a few custom queries that the User Support team find beneficial and want them to run themselves, rather than bugging us all the time.
I've set them up with a console with access to Administer, create and modify queries and given them three queries that we use (having found online) as a starting point.
However, while they can edit the queries, when they run two of them they are advised "You do not have security rights to perform this operation".
If they run a query on a service name it works OK.
The queries that do not work are for a file on the PC and for a display name in Add/Remove programs.
These both work for us full admin types.
select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.LastLogonUserName, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from SMS_R_System where SMS_R_System.ResourceId in (select distinct SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID from SMS_G_System_ADD_REMOVE_PROGRAMS where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName is like 'Microsoft%office%')
- Moved by Moiz Rassiwala [MSFT], Microsoft 17 May 2012 15:14 (From: Configuration Manager 2007 General)
17 May 2012 13:06
Here's my guess. Since you are granting rights explicitly to queries, my guess is that you have also granted rights explicitly to collections, per instance. i.e., YOU have rights to see all collections, but the user support team only has rights to see workstation collections.
When running a query within the console, you do not have to Limit to a collection (you can leave that unfilled), but for them, with their limited rights, the console isn't smart enough to figure out which collection they have rights to--without being told. Have them select a collection to limit to, prior to running the query.
Oh, and this is way, way off topic: but in your sample you have "select distinct" in the subselect query. Sure, it works, but it's a subselect. You are making your server work harder for no good reason. Yank the distinct when it's in a subselect. Oh, and I can't resist... one more thing. For that specific example, I don't see a reason to have a subselect at all. Feels totally pointless to me.
Edit: completely clueless to me why this topic was moved into the SDK section. This has nothing to do with SDK?
Standardize. Simplify. Automate.
- Edited by Sherry Kissinger (MVP) 17 May 2012 17:27 confused
18 May 2012 7:09
Sherry, I've given them 'read' on all collections, from the top level and confirmed that the collection they're targeting, "all windows workstation or Professional systems", has that same 'read' permission.
As it works on Service but not File or Add/Remove, I'm wondering if there's an object somewhere that they need permissions to. I tried giving them 'Administer' on the collection, but it didn't work.
I'll have a look into your suggestions on the query - I just copied and pasted from a Google search and modified the last select criteria, but I'll look into it a bit more. Thanks!
18 May 2012 7:10
Added 'Read Resource' to their collection permissions.
Now it works!
Thanks for the guidance.
- Marked as answer by Dan Rickard 18 May 2012 7:10