You can turn security on for individual OS 2200 consoles. This is based on Windows user groups defined on the Operations Sentinel server. These user groups are not preinstalled. If you do not create these groups, all users have full access to every OS 2200 console.
There are two user groups for each console:
System.Partition.Console.VIEWFULL
Members of this group can open OS 2200 Console View and interact with the OS 2200 console identified by the group name.
System.Partition.Console.VIEWREAD
Members of this group can open OS 2200 Console View, but have read-only access to the OS 2200 console identified by the group name.
where:
System is the name of the ClearPath Enterprise System.
Partition is the name of the OS 2200 partition.
Console is the name of the OS 2200 console.
Notes:
A period must separate each name.
These groups must match on all Operations Sentinel servers that can host the OS 2200 console.
Troubleshooting
Users who belong to the “SPO Users” group might receive a “User access denied” error when they try to access a remote OS 2200 Console View from an Operations Sentinel workstation. This error occurs because some Microsoft Windows operating system versions do not allow remote calls to the Security Accounts Manager (SAM) by default.
The following Windows OS versions do not allow remote calls to the Security Accounts Manager (SAM) unless the Local Security Policy of the system is configured:
Windows 8.1 with KB 4102219 installed
Windows 10, version 1507 with KB 4012606 installed
Windows 10, version 1511 with KB 4103198 installed
Windows 10, version 1607 and later
Windows Server 2012 with KB 4012220 installed
Windows Server 2012 R2 with KB 4012219 installed
Windows Server 2016
Windows Server 2019
Perform the following steps to configure the Local Security Policy of the Operations Sentinel server machine where the OS 2200 consoles are hosted:
Open Local Security Policy, accessible from the Administrative Tools folder in the Control Panel.
From the Tree view, expand Local Policies and select Security Options.
Select Network access: Restrict clients allowed to make remote calls to SAM.
Right-click and select Properties to edit the security settings of the policy.
Click Edit Security… and add the “SPO Users” group.
Click OK, then click Apply.
Changes are successfully applied to the Security Setting of the policy.
Open a command prompt and enter the following command:
gpupdate /force
Notes:
The changes take effect only after the gpupdate /force command is run from the command prompt.
The Group Policy setting is only available on systems running Windows Server 2016 or Windows 10, version 1607 and later.
On systems that run earlier versions of Windows, you need to edit the registry setting directly or use the Group Policy Preferences.
Refer to the Microsoft documentation for more information on the “Network access: Restrict clients allowed to make remote calls to SAM” security policy.
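To confirm that the policy change took effect, the following PowerShell check (an added example, not part of the Operations Sentinel documentation) reads the security descriptor behind the policy and reports whether a group has a direct allow entry in it. The registry value name RestrictRemoteSam comes from Microsoft's documentation of the policy; the function names, the sample SID and the sample SDDL strings are constructed for illustration.

```powershell
# Added example. Test-RemoteSamAllowed and Test-SpoUsersRemoteSam are
# hypothetical helper names; the sample SID and SDDL are constructed.
function Test-RemoteSamAllowed {
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid
    )
    $readControl = 0x00020000   # RC, shown as "Remote Access" in the policy editor
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    $allowed = $false
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if (-not $ace.SecurityIdentifier.Equals($Sid)) { continue }
        if (($ace.AccessMask -band $readControl) -eq 0) { continue }
        # Conservative: any matching deny entry counts as blocked.
        if ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessDenied) {
            return $false
        }
        if ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed) {
            $allowed = $true
        }
    }
    # Only direct entries are checked; access gained through membership
    # in another listed group (for example Administrators) is not resolved.
    return $allowed
}

function Test-SpoUsersRemoteSam {
    param([string]$GroupName = 'SPO Users')
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if (-not $lsa.RestrictRemoteSam) {
        Write-Warning 'RestrictRemoteSam is not set; the OS default applies.'
        return $null
    }
    # Throws IdentityNotMappedException if the group does not exist.
    $sid = ([System.Security.Principal.NTAccount]$GroupName).Translate(
        [System.Security.Principal.SecurityIdentifier])
    Test-RemoteSamAllowed -Sddl $lsa.RestrictRemoteSam -Sid $sid
}

# Offline check against constructed data: an Administrators-only descriptor,
# then one with an extra allow entry for a constructed group SID.
$sampleSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-21-1111111111-2222222222-3333333333-1001'
Test-RemoteSamAllowed -Sddl 'O:BAG:BAD:(A;;RC;;;BA)' -Sid $sampleSid
Test-RemoteSamAllowed -Sddl "O:BAG:BAD:(A;;RC;;;BA)(A;;RC;;;$sampleSid)" -Sid $sampleSid
```

After gpupdate /force, run Test-SpoUsersRemoteSam on the server that hosts the consoles; True means the group has a direct Remote Access entry in the policy.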