Common issues while using permissions

BMC Server Automation provides a flexible system of access permissions. However, subtle dependencies exist between some permissions.

The following are common issues users encounter when assigning permissions to system objects:

  • Any authorization that allows you to take an action on an object must be accompanied by an authorization that lets you read that object. If you cannot read the object, you cannot see the object in BMC Server Automation. For example, to execute a job, you must also be able to read the job. Thus, when granting a permission such as DeployJob.Execute, you must also grant DeployJob.Read. The same sort of dependency exists when modifying the access control lists (ACLs) of an object: to modify an object's ACL, you must be able to read the object. For example, when granting BLPackage.ModifyACL, you must also grant BLPackage.Read.
  • To deploy a BLPackage, you must have permissions for both the Deploy Job (DeployJob.Execute and DeployJob.Read) and the BLPackage (BLPackage.Read).
  • A role cannot execute a Batch Job containing Deploy Jobs unless the role has both Read and Execute authorizations on those underlying Deploy Jobs (DeployJob.Read and DeployJob.Execute).
  • To cancel any job, a role must be granted both Read and Cancel permissions for that type of job. For example, to cancel a Deploy Job, you must be granted DeployJob.Cancel and DeployJob.Read.
  • A role with Read authorization for a server can see all server activity, snapshot activity, and audit activity on that server. However, the role cannot open any jobs or view any snapshot or audit results on that server without Read authorization for those jobs.
  • A role with Read authorization for a server can see all components on the server, but the role cannot see properties of a component without Read authorization for components (Component.Read).
  • Browsing a server is controlled by the Server.Browse authorization. Browsing a component is controlled by the Component.Browse authorization.
  • Browsing the contents of a component requires a combination of permissions that vary depending on your context:

  • An uninstall is accomplished using Read and Create authorizations for the software being uninstalled and Read and Execute authorizations for the uninstall job. (Remember that an uninstall job is really a Deploy Job that uninstalls rather than installs a software package.) For example, to uninstall an RPM, you must have LinuxSoftware.Read and LinuxSoftware.Create authorizations for the RPM you want to uninstall. Also, you must have DeployJob.Read and DeployJob.Execute to run the Deploy Job that uninstalls the RPM.

Any authorization granted at the object level must also be granted at the role level. For example, to deploy a BLPackage, you must have DeployJob.Read, DeployJob.Execute, and BLPackage.Read at both the object level and the role level. For more information about the multiple levels of authorization needed to perform actions in BMC Server Automation, see Authorization overview.
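
The dependencies above can be checked mechanically before a role is handed out. The following is an added example, not BMC code or a BMC API: the function names, the task labels, and the sample grant sets are hypothetical and constructed, and object-level grants are simplified to one set covering all objects involved in the task.

```python
# Added example: audit a role's grants against the dependencies listed above.
# Names and data are hypothetical; this does not call any BMC interface.

# Authorizations each task needs, taken from the list on this page.
TASK_REQUIREMENTS = {
    "deploy_blpackage": {"DeployJob.Read", "DeployJob.Execute", "BLPackage.Read"},
    "cancel_deploy_job": {"DeployJob.Read", "DeployJob.Cancel"},
    "uninstall_rpm": {"LinuxSoftware.Read", "LinuxSoftware.Create",
                      "DeployJob.Read", "DeployJob.Execute"},
}

# Constructed sample: a role that can act on Deploy Jobs but cannot read them.
SAMPLE_ROLE = {"DeployJob.Execute", "DeployJob.Cancel",
               "BLPackage.Read", "BLPackage.ModifyACL"}
# Constructed sample: what the role holds in the ACLs of the objects involved.
SAMPLE_OBJECT = {"DeployJob.Read", "DeployJob.Execute", "BLPackage.Read"}


def missing_read(grants):
    """Return the Read authorizations that other grants depend on but that are absent."""
    needed = set()
    for auth in grants:
        obj_type, _, action = auth.partition(".")
        if action and action != "Read":
            needed.add(f"{obj_type}.Read")
    return sorted(needed - set(grants))


def task_gaps(task, role_grants, object_grants):
    """Return missing authorizations per level; an empty dict means none are missing."""
    required = TASK_REQUIREMENTS[task]
    gaps = {}
    # The same authorizations must be present at both the role and object level.
    for level, grants in (("role", role_grants), ("object", object_grants)):
        missing = sorted(required - set(grants))
        if missing:
            gaps[level] = missing
    return gaps


if __name__ == "__main__":
    print("Read grants missing from role:", missing_read(SAMPLE_ROLE))
    for task in TASK_REQUIREMENTS:
        print(task, "->", task_gaps(task, SAMPLE_ROLE, SAMPLE_OBJECT) or "ok")
```
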
