Matrix42 Self-Service Help Center

Resolve individual device permissions which might have been altered by an access request from another tenant

Overview

A problem has been reported where, under certain circumstances, an individual device permission from one tenant could become visible to another tenant. Upon investigation, it was found that in some cases, when the same device is present on computers from different tenants and a user from one tenant creates an access request for that device which the administrator then approves, the approval might wrongfully alter the individual device permission for that device on another tenant. As a result, there was no permission to use the device on the first tenant, and the altered permission on the second tenant would be rendered useless, because the existing users from the second tenant attached to it would be removed. This issue was corrected with Endpoint Data Protection version 25.0, but because the fix only applies to individual device permissions created from future access requests, you may want to check whether you are affected and repair any incorrect permissions that already exist. The SQL script to identify altered permissions is provided in the article below.

SQL Script

You may want to check whether you are affected and fix any incorrect individual device permissions; the SQL script for detecting them follows below:

Script for detection

With the following SQL script you can detect whether your environment is affected and has altered individual device permissions:

-- Lists every individual device permission whose security entity (user, computer or group)
-- belongs to a different tenant than the device the permission is defined on.
SELECT PermissionId,
       PermissionDeviceName,
       PermissionTenantId,
       PermissionTenantName,
       SecEntityID,
       SecEntityName,
       SecEntityTenantId,
       MANDANTS.NAME AS SecEntityTenantName
FROM (
    -- One row per permission/security entity pair, with the tenant of the device it applies to
    SELECT DEVICE_CONTROL.NAME AS PermissionDeviceName,
           ACCESS_CONTROL.OBJECT_ID AS PermissionId,
           ACCESS_CONTROL.SE_ID AS SecEntityID,
           SECURITY_ENTITIES.NAME AS SecEntityName,
           SECURITY_ENTITIES.MANDANT_ID AS SecEntityTenantId,
           MANDANTS.NAME AS PermissionTenantName,
           DEVICE_CONTROL.MANDANT_ID AS PermissionTenantId
    FROM ACCESS_CONTROL
    JOIN DEVICE_CONTROL ON DEVICE_CONTROL.ID = ACCESS_CONTROL.OBJECT_ID
    JOIN SECURITY_ENTITIES ON SECURITY_ENTITIES.ID = ACCESS_CONTROL.SE_ID
    JOIN MANDANTS ON MANDANTS.ID = DEVICE_CONTROL.MANDANT_ID
) AS combined
-- Resolve the name of the security entity's tenant
JOIN MANDANTS ON MANDANTS.ID = SecEntityTenantId
-- Only mismatches between the entity's tenant and the device's tenant are affected
WHERE SecEntityTenantId != PermissionTenantId

Steps for correction

If the query above returns any results, you can use the Console to find and repair the affected device permissions. For example:
[Screenshot: Screenshot 2025-03-20 at 18.34.27.png]
In this case, there is an individual device permission for "NECVMWar VMware SATA CD01" on the tenant "TestB", but it is configured to apply to the user "UserOnTenantTestA", who belongs to tenant "TestA". Such a permission will not produce any effect on either tenant. An administrator with rights to manage tenant "TestB" can now log into the Console and either edit this permission to apply to the intended users, computers or groups from tenant "TestB", or remove it entirely.
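As an added example that is not part of this article or of Matrix42's code, the following Python script loads the "TestA"/"TestB" scenario above into an in-memory SQLite database and runs the article's detection query (whitespace compacted) against it, so you can see which row the query flags before running it against a production database. The schema is an assumption: only the table and column names that the query references are modelled, and all IDs and sample rows are constructed.

```python
import sqlite3

# Assumed, simplified schema: only the columns referenced by the article's query.
SCHEMA = """
CREATE TABLE MANDANTS (ID INTEGER PRIMARY KEY, NAME TEXT);
CREATE TABLE DEVICE_CONTROL (ID INTEGER PRIMARY KEY, NAME TEXT, MANDANT_ID INTEGER);
CREATE TABLE SECURITY_ENTITIES (ID INTEGER PRIMARY KEY, NAME TEXT, MANDANT_ID INTEGER);
CREATE TABLE ACCESS_CONTROL (OBJECT_ID INTEGER, SE_ID INTEGER);
"""
# Constructed sample data reproducing the article's scenario: the same device exists on
# tenants TestA and TestB, and the TestB permission also points at a TestA user.
SAMPLE_DATA = """
INSERT INTO MANDANTS VALUES (1, 'TestA'), (2, 'TestB');
INSERT INTO DEVICE_CONTROL VALUES (10, 'NECVMWar VMware SATA CD01', 1), (11, 'NECVMWar VMware SATA CD01', 2);
INSERT INTO SECURITY_ENTITIES VALUES (100, 'UserOnTenantTestA', 1), (200, 'UserOnTenantTestB', 2);
INSERT INTO ACCESS_CONTROL VALUES (10, 100), (11, 200),  -- consistent: entity and device share a tenant
                                  (11, 100);             -- altered: TestA user on the TestB permission
"""
DETECTION_QUERY = """
SELECT PermissionId, PermissionDeviceName, PermissionTenantId, PermissionTenantName,
       SecEntityID, SecEntityName, SecEntityTenantId, MANDANTS.NAME AS SecEntityTenantName
FROM (
    SELECT DEVICE_CONTROL.NAME AS PermissionDeviceName, ACCESS_CONTROL.OBJECT_ID AS PermissionId,
           ACCESS_CONTROL.SE_ID AS SecEntityID, SECURITY_ENTITIES.NAME AS SecEntityName,
           SECURITY_ENTITIES.MANDANT_ID AS SecEntityTenantId, MANDANTS.NAME AS PermissionTenantName,
           DEVICE_CONTROL.MANDANT_ID AS PermissionTenantId
    FROM ACCESS_CONTROL
    JOIN DEVICE_CONTROL ON DEVICE_CONTROL.ID = ACCESS_CONTROL.OBJECT_ID
    JOIN SECURITY_ENTITIES ON SECURITY_ENTITIES.ID = ACCESS_CONTROL.SE_ID
    JOIN MANDANTS ON MANDANTS.ID = DEVICE_CONTROL.MANDANT_ID
) AS combined
JOIN MANDANTS ON MANDANTS.ID = SecEntityTenantId
WHERE SecEntityTenantId != PermissionTenantId
"""

def build_sample_db():
    # In-memory SQLite database loaded with the constructed sample data.
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA + SAMPLE_DATA)
    return conn

def find_cross_tenant_permissions(conn):
    # Each hit is a permission whose security entity lives in a different tenant than the device.
    return [dict(row) for row in conn.execute(DETECTION_QUERY)]

if __name__ == "__main__":
    for hit in find_cross_tenant_permissions(build_sample_db()):
        print(f"permission {hit['PermissionId']} on tenant {hit['PermissionTenantName']} "
              f"grants {hit['SecEntityName']} from tenant {hit['SecEntityTenantName']}")
```

Only the row attaching the TestA user to the TestB permission is reported; the two permissions whose entity and device share a tenant are left out, which is exactly what a clean environment should return.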
