Walkthrough: Restricting permissions for a Compliance officer

This topic walks you through the process of setting up a Compliance officer, who is in charge of performing compliance analyses, and limiting permissions so that this user cannot perform other types of actions in BMC BladeLogic Server Automation (BSA). Although this process is not essential for compliance analysis, BMC always recommends that you grant users the minimum set of permissions needed to perform actions. If you do not set up a Compliance officer with a limited set of permissions, a superuser such as the BLAdmins role must perform compliance analysis.

This topic includes the following sections:

Introduction

This topic is intended for system administrators who manage data center authorizations. The goal of this topic is to grant the minimum set of permissions to the role and user who performs compliance analysis.

What are roles and users?

BSA manages data center access through a system of role-based access controls (RBAC). Each role defines a set of permissions. Typically roles correspond to jobs performed in an organization, such as QA testers or application developers. A user can be assigned to one or more roles, but a user can only assume one role at a time.

What does this walkthrough show?

This walkthrough shows how to:

  • Create an authorization profile, which is a collection of authorizations to perform certain tasks — in this case to perform compliance analysis.
  • Create a role for a Compliance officer.
  • Create a Compliance user who is assigned to the Compliance officer role and thus is granted the permissions available to the Compliance officer.

What do I need to do before I get started?

For this walkthrough, you need to log in as the RBAC administrator for BSA (typically RBACAdmin or a user with equivalent permissions)

How to restrict permissions for a Compliance officer

 StepExample screen
1

Create an authorization profile for compliance analysis. An authorization profile is a collection of all authorizations needed to perform all compliance analysis tasks.

  1. Log on to BSA as the RBAC administrator (typically RBACAdmin or a user with equivalent permissions).
  2. Expand the RBAC Manager folder.
  3. Right-click Authorization Profiles and select New > Authorization Profile.
    The Authorization Profile Creation wizard opens. 
  4. For Name, enter a name, such as Manage Compliance Job.
  5. In the list of authorizations, move the following authorizations to the list at right:

    Note

    The recommended list of required authorizations for a Compliance officer are broader than those recommended for a simple Compliance user running a basic Compliance Job (as listed in Creating Compliance Jobs).

    • AuditJob.*
    • BLPackage.*
    • Component.*
    • ComponentGroup.*
    • ComponentTemplate.*
    • ComponentTemplateFolder.*
    • ConfigFile.* or at least ConfigFile.Read
    • ConfigurationObjectClass.* or at least ConfigurationObjectClass.Read
    • DepotFolder.*
    • DepotGroup.*
    • DiscoveryJob.*
    • ExtendedObject.* or at least ExtendedObject.Read
    • JobFolder.*
    • JobGroup.*
    • PropertyClass.*
    • PropertyInstance.*
    • Server.*
      Or, if you prefer a less extensive set of Server authorizations:
      Server.Audit, Server.Browse, Server.Deploy, Server.Discover, Server.ModifyProperties, Server.Read, Server.Snapshot
    • ServerGroup.*
    • (If planning to run remediation) DeployJob.Create, DeployJob.Execute, DeployJob.Modify, DeployJob.ModifySchedule, DeployJob.Read
  6. Click Finish.

2

Still logged on as the RBAC administrator, create a role for Compliance management. Assign the authorization profile you just created to the role.

  1. In the RBAC Manager folder, right-click Roles and select New > Role.
    The Role Creation wizard opens. 
  2. For Name, enter a name, such as ComplianceRole.
  3. Make sure the Profile tab is selected at bottom. Then, in the list of authorization profiles, select Manage Compliance Job and move it to the right.
  4. Click Finish.
3

Still logged on as the RBAC administrator, create a Compliance user. Assign this user to the role you just created.

  1. In the RBAC Manager folder, right-click Users and select New > User.
    The User Creation wizard opens. 
  2. For Name, enter a name, such as ComplianceUser.
  3. For SRP Authentication Options, enter a password and then confirm the password by typing it again.
    This option is only necessary if your organization uses SRP authentication, the default approach for BSA. 
  4. Click Next.
  5. In the list of roles, select ComplianceUser and move it to the right.
  6. Click Finish.

4

Grant the new role (that you created in step 2) permissions to read various global configuration files, global extended objects, and server objects that your component templates will test for compliance. (For example, many rules in the Compliance Content component templates check the compliance of global configuration files and global extended objects.)

  1. Select Configuration > Config Object Dictionary View.

  2. In the Configuration Object Dictionary, browse through the list of configuration files and identify those that are involved in compliance analyses.

  3. For each relevant entry in the list of configuration files, click the entry and then click the Permissions tab on the right.

  4. If the ConfigFile.Read authorization is not already granted to Everyone, grant it either to Everyone or to the role that you created for the Compliance officer.
    1. Click Add Entry .
    2. In the Add New Entry dialog box, select either Everyone or the Compliance officer's role (in this case, ComplianceRole).
    3. Use the arrow button to select the ConfigFile.Read authorization.
    4. Click OK.
  5. Repeat steps 3–4 for any other relevant configuration files.
    Alternatively, to perform this task on multiple configuration files (all at once), select all the configuration files whose permissions you want to update, right-click, and select Update Permissions. Then continue with the sub-steps in step 4 above, or as described in Updating permissions for one or more system objects.
  6. Repeat steps 2–5 for relevant extended objects, granting them the ExtendedObject.Read authorization.
  7. Repeat steps 2–5 for relevant server objects, granting them the ConfigurationObjectClass.Read authorization.

Wrapping it up

Congratulations. You have set up a role for Compliance officers and created a Compliance user.

Where to go from here

Was this page helpful? Yes No Submitting... Thank you

Comments