A role defines a set of authorizations and other information that reflects the capabilities of an organizational entity.
For example, you can create a role for QA testers, web administrators, or application developers. Each of these roles has a different set of permissions. When users are assigned to a role, they are granted the permissions defined for that role. Users can be assigned to multiple roles, but a user can assume only one role at a time.
Roles let you tailor permissions to the tasks a group usually performs. Even though a user may function in one context where he or she needs a full set of permissions, in other contexts that same user may not need such sweeping privileges. In such a situation, the user can easily switch roles, so he or she always operates with the appropriate level of authorization.
When defining authorizations for a role, you specify authorizations that apply throughout BMC Server Automation whenever that role performs a particular type of action. For example, if you grant a role the DeployJob.Read authorization, that role is always capable of reading Deploy Jobs — assuming the role is also granted permission to read an individual Deploy Job object. (For more information about the interactions between authorizations, see Authorization overview.)
When defining a role, you can specify an access control list (ACL) template that functions as an object permissions template. When a role creates an object, any permissions defined in the object permissions template are automatically applied to the object being created. For example, if the ACL template grants a role DeployJob.* (that is, full authority to do anything with Deploy Jobs), that role is granted DeployJob.* whenever the role creates a Deploy Job object. For more information about ACL templates, see Creating an ACL template.
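The interaction described above between role-level authorizations, object-level permissions, and the ACL template can be sketched as a small Python model. This is an added illustration, not BMC Server Automation code or its API; the class and function names, and the DeployJob.Create and DeployJob.Execute authorization names, are assumptions made for the example.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


def grants(granted, wanted):
    """True if any granted entry (wildcards such as DeployJob.* allowed) covers `wanted`."""
    return any(fnmatchcase(wanted, g) for g in granted)


@dataclass
class Role:
    name: str
    authorizations: set                               # role-level, e.g. {"DeployJob.Read"}
    acl_template: dict = field(default_factory=dict)  # role name -> permissions stamped on new objects


@dataclass
class DeployJob:
    name: str
    acl: dict = field(default_factory=dict)           # role name -> object-level permissions


def create_job(role, name):
    """Creation needs the role-level authorization (assumed name: DeployJob.Create);
    the creating role's ACL template is then copied onto the new object."""
    if not grants(role.authorizations, "DeployJob.Create"):
        raise PermissionError(f"{role.name} lacks DeployJob.Create")
    return DeployJob(name, {r: set(p) for r, p in role.acl_template.items()})


def is_allowed(role, job, action):
    """An action succeeds only when BOTH the role and the object's ACL grant it."""
    return grants(role.authorizations, action) and grants(job.acl.get(role.name, ()), action)


def demo():
    # Constructed sample roles and job, not taken from a real installation.
    dev = Role("Developers", {"DeployJob.*"}, {"Developers": {"DeployJob.*"}})
    qa = Role("QATesters", {"DeployJob.Read"})
    job = create_job(dev, "patch-web-tier")
    before = is_allowed(qa, job, "DeployJob.Read")      # role authorized, object ACL silent
    job.acl["QATesters"] = {"DeployJob.Read"}           # object-level read granted to QA
    after = is_allowed(qa, job, "DeployJob.Read")
    execute = is_allowed(qa, job, "DeployJob.Execute")  # not among the role's authorizations
    return before, after, execute


if __name__ == "__main__":
    print(demo())
```

The model shows why a review of effective access has to consider both layers: the QA role's DeployJob.Read authorization has no effect on a given job until that job's own permissions also name the role.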
When you add users to a role, delete users, or change settings on the Agent ACL panel of a role, you should run an ACL Push Job for all servers to which that role has been granted access. The ACL Push Job uses information from the role definition to translate the ACL for each server into a users configuration file on that server. For more information about pushing ACLs, see Controlling server access with agent ACLs.
Use the following procedure to create a role. Alternatively, you can copy and paste an existing role and then modify the properties of the copied role. See Modifying Roles for information about modifying an existing role.
To create a role
- In the RBAC Manager folder, select Roles.
- Create a new role by right-clicking and selecting New > Role from the pop-up menu. The Role Creation wizard appears.
- Provide information for different aspects of the role, as described in the following topics:
- Click Finish at any time to close the wizard and save your changes.