User roles and permissions

BMC Helix Automation Console (SaaS) and TrueSight Automation Console (on-premises) provide role-based access to the application. You access the Automation Console based on the role assigned to you in the endpoint manager, Server Automation. 

When you log in, the security group that you currently belong to appears in the top-right corner of the user interface. If you are assigned multiple roles in Server Automation, you can change the security group to view the application as per your defined role. For instructions about changing the security groups, see Logging in – Changing the security group.

Based on their roles, users can perform these tasks for an efficient and automated patch management process:

User role

Permissions required in TrueSight Server Automation



  • By default, the BLAdmins role in Server Automation has administrative permissions in the Automation Console. Users in the BLAdmins role have access to any entity (such as policies, operations, and catalogs) created by other administrative or non-administrative users.
  • The BLAdmin user in Server Automation has administrative permissions to Automation Console.
  • Configure a service account to enable data refresh between Automation Console and Server Automation
    and to obtain the change request status based on the data refresh cycle.
  • Manage security groups to provide role-based access to the application.
  • Define Service Level Agreements that determine the period within which missing patches and vulnerabilities must be remediated.
  • Import patch catalogs from Server Automation. These catalogs are used to create policies for scanning assets.


(Non-administrative user)

  • If using Authorization Profiles in Server Automation, users with roles that have access to the Manage Patching Job profile, with Roles.Read authorization have non-administrative access to the Automation Console.
  • If not using Authorization Profiles, ensure that Server Automation roles have access to the following authorizations:
    • BatchJob
    • BLPackage
    • DeployJob
    • DepotGroup
    • JobFolder
    • JobGroup
    • NSHScript
    • PatchCatalog
    • PatchingJob
    • PatchSmartGroup
    • Server
    • ServerGroup
  • Provide permissions to the assets or catalogs to be used by the operator.
  • To ensure that operators have access to artifacts created in Server Automation, and administrators in the BLAdmins role have permissions to update or delete those artifacts created by operators, do this:
    • Create an access control list (ACL) policy and assign BLAdmins permission to the policy.
    • Create an ACL template using this policy.
    • Assign the ACL template to the non-administrative or operator role.
    For details, see ACL template - Template Access Control List in Server Automation documentation.
  • Create patch policies that run according to a schedule to identify missing patches on assets.
  • Import vulnerability scan files.
  • Monitor the list of missing patches and identified vulnerabilities.
  • Monitor assets with missing patches,vulnerabilities, and assets that are discovered in your environment but are not scanned for vulnerabilities.
  • Create operations for installing missing patches or remediating vulnerabilities on assets.
  • Monitor the Patch and Vulnerability dashboards to view the patch and vulnerability compliance on assets, and other metrics in your environment.
Was this page helpful? Yes No Submitting... Thank you