Walkthrough: Restricting permissions for a patching administrator
This topic walks you through the process of setting up a patching administrator and limiting permissions so that the administrator cannot perform other types of actions in BMC Server Automation. Although this process is not essential for patch management, BMC always recommends that you grant users the minimum set of permissions needed to perform actions. If you do not set up a patching administrator with a limited set of permissions, a superuser such as the BLAdmins role must perform patch management.
This topic is intended for system administrators who manage data center authorizations and access to physical assets such as servers. The goal of this topic is to grant the minimum set of permissions to the role and user who perform patch management, and to grant the minimum level of access to any servers where you will be setting up patching infrastructure.
What are roles and users?
BMC Server Automation (BSA) manages data center access through a system of role-based access controls (RBAC). Each role defines a set of permissions. Typically roles correspond to jobs performed in an organization, such as QA testers or application developers. A user can be assigned to one or more roles, but a user can only assume one role at a time.
What does this walkthrough show?
This walkthrough shows how to:
- Create an authorization profile, which is a collection of authorizations to perform certain tasks, in this case patch management.
- Create a role for a patching administrator.
- Create a patching user who is assigned to the patching administrator role and thus is granted the permissions available to the patching administrator.
- Grant the patching administrator access to the server that is used as a patch repository. This requires you to set permissions for the server within the BSA console and also to push an access control list (ACL) to the server. The ACL controls access at the server level.
What do I need to do before I get started?
- For this walkthrough, you need to log in as the RBAC administrator for BSA (typically RBACAdmin or a user with equivalent permissions).
- Later in the walkthrough you have to log in as BLAdmin, the superuser, or a user with equivalent permissions.
- You must also know which server you want to use as a patch repository so you can restrict access to it.
How to restrict permissions for a patching administrator
Create an authorization profile for patching. An authorization profile is a collection of all authorizations needed to perform all patching tasks.
Still logged on as the RBAC administrator, create a role for patch administration. Assign the authorization profile you just created to the role.
Still logged on as the RBAC administrator, create a patching user. Assign this user to the role you just created.
Wrapping it up
Congratulations. You have set up a role for patching administrators, created a patching user, and granted that user access to the patch repository server.
Where to go from here
Now that you have restricted the patching administrator's access, you can set up patch catalogs. See Walkthrough: Setting up and managing a patch catalog for Windows and Walkthrough: Setting up and managing a patch catalog for Linux.