RES Automation Manager security Modules

AM-sec_modules-01

When configuring a security role in RES Automation Manager (RES AM), it is possible to deny access to the content of the modules.

When editing the permissions of the Module node in a RES AM security role, a select box is shown. With the option “Limit task details when read access permissions are set” selected, a user who is configured with this security role cannot view the content of the tasks of the modules.

AM-sec_checkrights_notok_01

Option “Limit task details when read access permissions are set” selected.

AM-sec_checkrights_ok_01

Option “Limit task details when read access permissions are set” not selected. The Setting and Script tabs are accessible.

 

 

Show Specific control panel items issue RES WM

In a locked down Windows environment, it is a best practice to hide specific control panel items for those functions that can’t or shouldn’t be performed by an end user.

With a RES WM “User registry” object, you can use “control.admx” to load the policy template to configure these settings.

policy_01

In the “List of allowed control panel items”, the canonical name of each Control Panel item should be entered.

So far so good. But it wasn’t working in my environment…

With this configuration active in RES Workspace Manager 2014, all control panel items were still shown.

When looking in the registry of a logged-in user, these registry keys were present:

registry_01

The registry key “HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl” is set by the policy.

As stated in this MS Technet article, “The Hide specified control panel applets policy takes precedence over the Show only specified control panel applets policy.”

The entries in the “DisallowCpl” key are:

registry_02

 

What about the “…\DisallowCpl”? Where does it come from?

The “villain” here appears to be the setting “Disable Add/Remove programs” at Composition -> Desktop -> Lockdown and behaviour:

reswm_lockdown_01a

This setting creates the “DisallowCpl” key.

After logging in with this setting unchecked, only the specified items in the control panel were visible. Everything is working as expected…
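
To check for this conflict without browsing the registry by hand, the following PowerShell can be run in the affected user's session. It is an added example, not part of the original post or of RES Workspace Manager; the function name `Get-CplPolicy` is hypothetical, and the script assumes the standard Windows layout in which a DWORD value named `RestrictCpl` or `DisallowCpl` on the Explorer policy key switches the list on and a subkey of the same name holds the entries.

```powershell
# Added diagnostic example: report which Control Panel policy lists are
# active for the current user and warn when both are present.
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-CplPolicy {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('RestrictCpl', 'DisallowCpl')]
        [string]$Name
    )

    # DWORD on the Explorer key: 1 means the list is enforced (assumed layout).
    $flag = (Get-ItemProperty -Path $explorer -Name $Name -ErrorAction SilentlyContinue).$Name

    # Subkey of the same name: one string value per Control Panel item.
    $items   = @()
    $listKey = Join-Path $explorer $Name
    if (Test-Path $listKey) {
        $key   = Get-Item -Path $listKey
        $items = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
    }

    [pscustomobject]@{
        Policy  = $Name
        Enabled = ($flag -eq 1)
        Items   = $items
    }
}

$restrict = Get-CplPolicy -Name 'RestrictCpl'   # "show only" list set by control.admx
$disallow = Get-CplPolicy -Name 'DisallowCpl'   # "hide" list, here created by the lockdown setting

$restrict, $disallow | Format-List

if ($restrict.Enabled -and $disallow.Enabled) {
    Write-Warning ('Both RestrictCpl and DisallowCpl are set. The hide list takes ' +
                   'precedence, so look for the setting that writes DisallowCpl.')
}
elseif (-not $restrict.Enabled -and $restrict.Items.Count -gt 0) {
    Write-Warning 'RestrictCpl entries exist but the RestrictCpl DWORD is not 1.'
}
```

Running it once with “Disable Add/Remove programs” checked and once unchecked shows whether the `DisallowCpl` list appears and disappears with that setting.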