In this post I will show you how to deploy the Opalis Integration Server Client to a Windows 7 workstation, and then how to control what the Windows 7 workstation user can see and do in Opalis.
In this example I am running a freshly installed Windows 7 Enterprise 64-bit with the Windows firewall enabled. The Windows 7 box is a member of the same domain as Opalis. I will give the “Server Team” permissions to work with policies under their own folder, and nothing else. In Active Directory I have created a security group named GRP-OPALIS-ServerTeam. My test user, Otto, is not a local administrator of the Windows 7 box, and User Account Control (UAC) is running with default settings.
By default the Opalis Integration Server system is configured to allow only members of the local Administrators group on the Management Server computer to view, modify and manage Folders, Policies, Computer Groups, Variables, Counters and Schedules. These permissions can be changed on a per-object basis, or inherited from a parent object, using Access Control Lists (ACLs), much like Windows NTFS permissions. Read more at Technet.
We will start by deploying the Opalis Integration Server Client to the client machine. The Windows 7 machine is named W702. We can do a push installation of the client with Opalis Deployment Manager (for manual installation, see KB2022962). Start Deployment Manager on your Opalis management server, then in the navigation pane, right-click Client and select “Deploy new client”.
Follow the “Welcome to the Client Deployment Wizard”. The Opalis Integration Server Client is installed via SMB/CIFS. TCP ports 135, 139 and 445 plus the RPC dynamic port range must be reachable on the target computer from the Opalis Management Server. We can restrict RPC dynamic port allocation (see KB154596), but in most scenarios it is easier to create a firewall rule that allows all traffic between the Opalis management server and the client for the duration of the installation. The installation runs under the account that is running Deployment Manager, so that account needs local administrator permissions on the target machine.
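As an added example (this is not code from the original post, nor from Opalis or Microsoft), here is a pre-flight check for the push install described above, run on the Opalis Management Server as the account that will run Deployment Manager. It probes the three TCP ports the post names with a timeout, lists the local Administrators group on the target over ADSI so you can confirm the deploying account is in it, and prints a firewall rule scoped to the management server's address instead of opening the client to the whole network. The target name W702 comes from the post; the management server IP is a placeholder.

```powershell
# Added example, not from the original post: pre-flight check before pushing the
# Opalis client to W702. Run on the Opalis Management Server as the deploying account.
$Target             = 'W702'          # Windows 7 client from the post
$ManagementServerIp = '10.0.0.10'     # placeholder: replace with your management server IP
$Ports              = 135, 139, 445   # RPC endpoint mapper, NetBIOS session, SMB (from the post)

# TCP connect with a timeout, so a firewall that silently drops packets does not hang the script.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the port actively refused the connection
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Direct members of the local Administrators group on the target, read over WinNT (RPC/SMB).
function Get-RemoteLocalAdmins {
    param([string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        # each member is a COM object; its ADsPath looks like WinNT://CONTOSO/Domain Admins
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $path -replace '^WinNT://', '' -replace '/', '\'
    }
}

foreach ($p in $Ports) {
    $state = if (Test-TcpPort -ComputerName $Target -Port $p) { 'open' } else { 'BLOCKED' }
    "{0}:{1} {2}" -f $Target, $p, $state
}

$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name   # DOMAIN\user
$admins = @(Get-RemoteLocalAdmins -ComputerName $Target)
"Local Administrators on {0}: {1}" -f $Target, ($admins -join '; ')
if ($admins -notcontains $me) {
    Write-Warning "$me is not a direct member of Administrators on $Target (membership through a nested domain group is not resolved here)"
}

# Firewall rule for the target: allow everything, but only from the management server, and
# only while the deployment runs. remoteip scoping also covers the RPC dynamic port range
# (TCP 49152-65535 by default on Windows 7, see KB929851) without exposing it to the LAN.
$fwAdd    = "netsh advfirewall firewall add rule name=`"Opalis client deploy`" dir=in action=allow protocol=any remoteip=$ManagementServerIp"
$fwDelete = 'netsh advfirewall firewall delete rule name="Opalis client deploy"'
"Run in an elevated prompt on $Target before deployment: $fwAdd"
"Run in an elevated prompt on $Target after deployment:  $fwDelete"
```

The ADSI membership check only sees direct members; if the deploying account gets its admin rights through a domain group nested in the local Administrators group, the warning is a false alarm, but the listing still shows which group would need to contain it.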
If Otto Eriksson, a member of the GRP-OPALIS-ServerTeam group, logs on to the Windows 7 machine now and starts the Opalis Client, he will first see an error saying that the client cannot connect to an Opalis server on the local machine. After that, if he goes to Actions > Connect and enters the correct Opalis server name, he will see another error.
The cause of this is missing DCOM permissions on the Opalis Integration Server Management Server computer. What we need to do is documented in KB2022966. In this scenario I used the GRP-OPALIS-ServerTeam group when modifying the permissions, but we could of course use one general group for all Opalis client users.
If we now try to connect we will see a new error. This is because we have not yet granted the user access to the policy structure; more info in KB2023582.
Start the Opalis Integration Server Client with an Opalis administration account. Start by giving the “server team” permissions according to KB2023582, that is, read permissions on the default Policies folder. We could of course use a general Opalis Users security group here too. Then create a folder for our “Server Team”.
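Once the DCOM change from the KB has been made, it helps to be able to verify it without clicking through Component Services. The following is an added example, not code from the original post or from KB2022966: it reads the machine-wide DCOM security descriptors that dcomcnfg stores under HKLM\SOFTWARE\Microsoft\Ole on the Opalis Management Server, decodes each ACE, and reports what GRP-OPALIS-ServerTeam has been granted. It assumes the KB grants the group remote DCOM access and launch/activation rights; application-specific permissions stored under an individual AppID are not covered.

```powershell
# Added example, not from the original post or KB2022966: audit the machine-wide
# DCOM permissions on the Opalis Management Server. Run as a local administrator there.
$Group = 'GRP-OPALIS-ServerTeam'   # group from the post

# COM access-mask bits (COM_RIGHTS_* constants from the Windows SDK)
$ComRights = @{ 1 = 'Execute'; 2 = 'ExecuteLocal'; 4 = 'ExecuteRemote'; 8 = 'ActivateLocal'; 16 = 'ActivateRemote' }

# The four descriptors dcomcnfg maintains: the Limits cap what any application may grant,
# the Defaults apply to applications that have no permissions of their own under their AppID.
$ValueNames = 'MachineAccessRestriction', 'MachineLaunchRestriction',
              'DefaultAccessPermission', 'DefaultLaunchPermission'

function Get-DcomPermission {
    param([string]$ValueName)
    $bytes = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole').$ValueName
    if (-not $bytes) { return }   # value absent: the built-in Windows defaults apply
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor(([byte[]]$bytes), 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }   # unresolvable SID, keep the raw S-1-... form
        $rights = foreach ($bit in ($ComRights.Keys | Sort-Object)) {
            if ($ace.AccessMask -band $bit) { $ComRights[$bit] }
        }
        New-Object PSObject -Property @{
            Setting   = $ValueName
            Principal = $who
            AceType   = $ace.AceType
            Rights    = ($rights -join ',')
        }
    }
}

$report = foreach ($v in $ValueNames) { Get-DcomPermission -ValueName $v }
$report | Select-Object Setting, Principal, AceType, Rights | Format-Table -AutoSize

# For the post's scenario the team group should appear with remote rights, and never in a Deny ACE,
# because a Deny entry wins over every Allow entry for the same principal.
$hits = @($report | Where-Object { $_.Principal -like "*\$Group" })
if (-not $hits) {
    Write-Warning "$Group is not referenced in any machine-wide DCOM setting"
} elseif ($hits | Where-Object { $_.AceType -ne 'AccessAllowed' }) {
    Write-Warning "$Group has a Deny ACE that overrides its Allow entries"
}
```

The same decoding works for an application's own permissions (the LaunchPermission and AccessPermission values under HKEY_CLASSES_ROOT\AppID\{guid}), but the AppID of the Opalis service is not given in the post, so the example stays with the machine-wide values.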
If we right-click the new Server Team folder and select Permissions from the menu, we can modify the permissions of this folder. In this example I will add the group named “GRP-OPALIS-ServerTeam” and give it full permissions to this object and all child objects. This is the security group in Active Directory that contains all users of the Server Team.
If we now start the Opalis Server Client on the Windows 7 box, it will show us the policy structure, and members of the server team can create policies under the “Server Team” folder.
But if they try to do something else, like delete another folder or create a global setting, they will get an “Access is denied” error. If we need to give the group more permissions, for example to some other object, we can right-click it, go into Permissions and do the same as we did with the Server Team folder.
If you add a user to multiple security groups, the user will get access to everything that each group has access to, just as when you are working with NTFS permissions on a file server.
My colleague Jeffrey Fanjoy made an interesting point about folders, permissions and teams/silos in Opalis.
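Because the permissions of every group add up, it is worth knowing which Opalis groups a user's token actually carries, nested membership included, before granting another folder. The following is an added example, not code from the original post: it resolves the user's tokenGroups attribute in Active Directory (the SIDs that end up in the logon token, including groups reached through nesting) and filters for the Opalis groups. It assumes a domain-joined machine and that the Opalis groups share the GRP-OPALIS- prefix used in the post; the user name otto is the test user from the post.

```powershell
# Added example, not from the original post: show the effective (nested) group membership
# of a user, filtered to the Opalis groups, so the union of folder permissions is visible.
$SamAccountName = 'otto'          # test user from the post
$GroupPrefix    = 'GRP-OPALIS-'   # assumed naming convention, as in the post

function Get-EffectiveGroups {
    param([string]$User)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$User))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "User '$User' was not found in the current domain" }
    $entry = $result.GetDirectoryEntry()
    # tokenGroups is a constructed attribute: every group SID the user's token will contain,
    # including groups reached only through nesting, so it matches what ACL checks will see.
    $entry.RefreshCache(@('tokenGroups'))
    foreach ($sidBytes in $entry.Properties['tokenGroups']) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier(([byte[]]$sidBytes), 0)
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid.Value }   # e.g. a SID from a trusted domain this machine cannot resolve
    }
}

$all    = @(Get-EffectiveGroups -User $SamAccountName)
$opalis = @($all | Where-Object { ($_ -split '\\')[-1] -like "$GroupPrefix*" } | Sort-Object)

"{0} carries {1} group SIDs in total; Opalis groups:" -f $SamAccountName, $all.Count
if ($opalis.Count -eq 0) { "  (none)" } else { $opalis | ForEach-Object { "  $_" } }
if ($opalis.Count -gt 1) {
    Write-Warning "$SamAccountName is in several Opalis groups; the folder permissions of all of them apply together"
}
```

Reading tokenGroups rather than the memberOf attribute is the point here: memberOf lists only direct memberships, while tokenGroups is what the access check on a folder ACL will actually evaluate.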
Another element to add is that often the biggest gain achieved through Opalis is the ability to automate processes across these silos, so it may not be in the best interests of the organization to try and silo the use of the product through folders, but take a step back and look at the business process being serviced by the various IT services, and then leverage Opalis to automate the required IT processes to facilitate effective cross-silo service delivery. Then everybody can pat themselves on the back for how well they work together!
Update: If you are running Windows XP and want to connect to Opalis running on Server 2008 R2 you might need hotfix 969442 too. Otherwise you can get an error saying “A security package specific error occurred”.
Please note that this is provided “as is” with no warranties at all.