The integration of IT Analytics with the Altiris has improved significantly on the 7.5 platform, and I expect that moving to 7.6 will show more boons once I get the time to test it.
One of the struggles we have had with IT Analytics integration is with security. You see, it's quite easy to be misled that all is well when provisioning your security groups in the console, when in fact it might not be. In our case we need a manual touch to refresh the IT Analytics Report Security every time we on-board a new user.
If anyone spots me doing something wrong here... let me know! The issue I see lays in the significant difference between configuring cube security versus report security.. and perhaps some bad assumptions that I as an Altiris Admin originally made when seeing this up.
Configuring Cube Security
I think the task of vonfiguring cube security is quite nice and the provisioning interface is quite sophisticated,
Image may be NSFW.
Clik here to view.
So here we had just put in our AD groups into the "IT Analytics Users" group and set the schedule to syncronise this with SQL's analysis services. This means that when we onboard a new user, they are automatically synced here by virtue of them being in the "IT Analytics Users" group (which contains a nested group of our AD Altiris roles).
So that's nice. I like it. But the end result of all this is to allow our staff access to all those wonderful ITA reports right? The security here however is handled very differently.
Configuring Reports Security
If we look at the reporting object this is what we see,
Image may be NSFW.
Clik here to view.
Note the absense of any scheduling here, or indeed even roles.
Now, it's important also to note that all the users you see here in the "Role Members" area were not added individually -they were added by clicking the big blue plus sign and selecting the "IT Analytics Users" group from the picker. But what has happened is that group object wasn't added in this process; rather users within the group were ennumerated and were then added individually.
Once those changes are saved, all these individual users will be sync'd down to SQL's reporting services.
And this is where our problem lies. Everytime we onboard a user, we have to add to the process for someone to navigate to the report security section in IT Analytics, and re-add the "IT Analytics Users" group. This refreshes the membership on the SQL Reporting server and then all is once again well.
But Sometimes....
Only sometimes everything isn't OK -security can actually break entirely with all users getting the error,
An error has occurred during report processing. (rsProcessingAborted)
Cannot impersonate user for data source 'ITAnalytics'. (rsErrorImpersonatingUser)
Log on failed. Ensure the user name and password are correct. (rsLogonFailed)
Luckily we saw this error when we leveled up to service pack 1 so were familiar with the solution. This can be swiftly solved by re-entering in the our Altiris Service account credentials on the SQL reporting server as per TECH 213502,
https://support.symantec.com/en_US/article.TECH213502.html
In short, suboptimal, but manageable with a sigh.... ;-)