×
$helper.renderConfluenceMacro('{bmc-global-announcement:$space.key}')
 
 
BMC Automation Console 20.02 Getting started

User roles and permissions

BMC Helix Automation Console (SaaS) and TrueSight Automation Console (on-premises) provide role-based access to the application. You access the Automation Console based on the role assigned to you in the endpoint manager, Server Automation. 

When you log in, the security group that you currently belong to appears in the top-right corner of the user interface. If you are assigned multiple roles in Server Automation, you can change the security group to view the application as per your defined role. For instructions about changing the security groups, see Logging in – Changing the security group.

Based on their roles, users can perform these tasks for an efficient and automated patch management process:

User role

Permissions required in TrueSight Server Automation

Tasks

Administrator

  • By default, the BLAdmins role in Server Automation has administrative permissions in the Automation Console. Users in the BLAdmins role have access to any entity (such as policies, operations, and catalogs) created by other administrative or non-administrative users.
  • The BLAdmin user in Server Automation has administrative permissions to Automation Console.
  • Configure a service account to enable data refresh between Automation Console and Server Automation
    and to obtain the change request status based on the data refresh cycle.
  • Manage security groups to provide role-based access to the application.
  • Define Service Level Agreements that determine the period within which missing patches and vulnerabilities must be remediated.
  • Import patch catalogs from Server Automation. These catalogs are used to create policies for scanning assets.

Operator

(Non-administrative user)

  • If using Authorization Profiles in Server Automation, users with roles that have access to the Manage Patching Job profile, with Roles.Read authorization have non-administrative access to the Automation Console.
  • If not using Authorization Profiles, ensure that Server Automation roles have access to the following authorizations:
    • BatchJob
    • BLPackage
    • DeployJob
    • DepotGroup
    • JobFolder
    • JobGroup
    • NSHScript
    • PatchCatalog
    • PatchingJob
    • PatchSmartGroup
    • Server
    • ServerGroup
  • Provide permissions to the assets or catalogs to be used by the operator.
  • To ensure that operators have access to artifacts created in Server Automation, and administrators in the BLAdmins role have permissions to update or delete those artifacts created by operators, do this:
    • Create an access control list (ACL) policy and assign BLAdmins permission to the policy.
    • Create an ACL template using this policy.
    • Assign the ACL template to the non-administrative or operator role.
    For details, see ACL template - Template Access Control List in Server Automation documentation.
  • Create patch policies that run according to a schedule to identify missing patches on assets.
  • Import vulnerability scan files.
  • Monitor the list of missing patches and identified vulnerabilities.
  • Monitor assets with missing patches,vulnerabilities, and assets that are discovered in your environment but are not scanned for vulnerabilities.
  • Create operations for installing missing patches or remediating vulnerabilities on assets.
  • Monitor the Patch and Vulnerability dashboards to view the patch and vulnerability compliance on assets, and other metrics in your environment.
Was this page helpful? Yes No Submitting... Thank you
Last modified by Shweta Hardikar on Feb 18, 2020

Comments

Onboarding BMC Helix subscribers
License entitlements
© Copyright 2019-2020 BMC Software, Inc.
Legal notices

Powered by Atlassian Confluence and Scroll Viewport

© Copyright 2005-2021 BMC Software, Inc. Use of this site signifies your acceptance of BMC’s Terms of Use . BMC, the BMC logo, and other BMC marks are assets of BMC Software, Inc. These trademarks are registered and may be registered in the U.S. and in other countries.