Limiting access through components
Although roles, object permissions, and agent ACLs give a BMC Server Automation administrator many ways to limit access to a server, there are times when these tools do not provide enough flexibility for granting server access. Using components, an administrator can grant end users access to specific server objects while maintaining agent-side Administrator or root mapping. The following steps describe how to grant access to a server through the use of a component template.
Before you begin
Create a component template that includes the parts to which you want to limit access. Using that component template, create components for each server where you want to provide limited access.
Granting access to a server through the use of a Component Template
Below is an example component template with several parts defined. Note the objects listed in the Browse tab, as these will be the objects shown when someone browses any components for this component template. Refine the list as necessary.
Includes or excludes do not take effect when the end user is using the live browse section of any components created by this template.
- For each component, grant <ROLE> Component.Read and <ROLE> Component.Browse permissions, where <ROLE> is the role that should have limited server access through the component. Similarly, grant permission for any other actions that you would like the role to perform using the component.
- For each server where you have created a component, add <ROLE> Server.Read permissions to ensure that ACLs are created on the target server to allow browse access. Ensure that the role only has Read access and not Browse access.
- Push ACLs to the servers where the new component has been discovered.
- Log in as a user who is a member of the role with limited access.
- Using the Components or Component Templates folder, locate and browse the component with limited access.
Note that when you browse the server where you limited browse access, you can only see the components.
Also note that this user can now perform only certain actions against this server, and can only see certain portions of the file system and a limited number of server objects.
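The following Python sketch is an added example, not part of the BMC documentation or product. It audits a permission inventory against the grants listed in the steps above (Component.Read and Component.Browse on each component, Server.Read and nothing more on each server). The inventory layout and the role, component, and server names are assumptions constructed for illustration.

```python
# Added example. The inventory layout below is an assumption made for this
# sketch; it is not a BMC Server Automation export format.
REQUIRED_ON_COMPONENT = {"Component.Read", "Component.Browse"}


def audit_limited_role(role, components, servers):
    """Check one role against the grants listed in the steps above.

    components: {component: {"server": name, "acl": {role: {authorizations}}}}
    servers:    {server: {role: {authorizations}}}
    Returns a sorted list of (object, finding) tuples; empty means compliant.
    """
    findings = []
    needs_read = set()
    for comp, info in components.items():
        missing = REQUIRED_ON_COMPONENT - info["acl"].get(role, set())
        if missing:
            findings.append((comp, "missing " + ", ".join(sorted(missing))))
        needs_read.add(info["server"])
    for server in set(servers) | needs_read:
        granted = servers.get(server, {}).get(role, set())
        if server in needs_read and "Server.Read" not in granted:
            # The steps rely on Server.Read so that ACLs are created on the target.
            findings.append((server, "missing Server.Read"))
        for auth in sorted(granted - {"Server.Read"}):
            # Anything beyond Read (Server.Browse in particular) widens access.
            findings.append((server, "unexpected " + auth))
    return sorted(findings)


# Constructed sample data; role, component and server names are hypothetical.
ROLE = "AppSupport"
FULL = {"Component.Read", "Component.Browse"}
COMPONENTS = {
    "tomcat-conf (web01)": {"server": "web01", "acl": {ROLE: FULL}},
    "tomcat-conf (web02)": {"server": "web02", "acl": {ROLE: FULL}},
    "tomcat-conf (web03)": {"server": "web03", "acl": {ROLE: {"Component.Read"}}},
}
SERVERS = {
    "web01": {ROLE: {"Server.Read"}},
    "web02": {ROLE: {"Server.Read", "Server.Browse"}},
    "web03": {"OpsAdmin": {"Server.Read", "Server.Browse"}},
}

if __name__ == "__main__":
    for obj, finding in audit_limited_role(ROLE, COMPONENTS, SERVERS):
        print(f"{obj}: {finding}")
```

An empty result means the role holds exactly the grants the procedure calls for; a Server.Browse finding is the one to act on first, because it lets the role browse the server directly instead of only through the component.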