Walkthrough: Creating an ACL based time window to restrict users from running jobs

This walkthrough is mainly intended for security administrators and patch administrators. It demonstrates how you can use the ACL policy time window to allow patching users to run deploy jobs only on weekends. Restricting deploy jobs to weekends can help prevent your servers from being overutilized.

What is an ACL policy time window?

While creating an ACL policy, you can create a time window, during which a role is assigned one or more additional authorizations. The role is assigned the additional authorizations only during that time window. For example, in the context of Patching, you might want to allow Patching users to run catalog update jobs or analysis jobs at any time, but restrict them to executing remediation jobs only on weekends.

The ACL policy time window is a complex feature and requires background knowledge of users, roles, authorizations and BSA objects. For information about these concepts, see Managing access.

Before you begin

To simplify the task of assigning ACL policies to a large number of servers, you can prepare server groups or server smart groups based on criteria that are relevant to your business needs.

Refer to the following pages for information about creating server groups or server smart groups:

  • Server groups: For information about creating a static group of servers, see Assigning servers to server groups.

  • Server smart groups: For a step-by-step example on creating a dynamic group of servers, see Walkthrough: Dynamically organizing assets with smart groups.

    Note

    A server smart group is a dynamic collection of servers that might change with time. However, while enabling maintenance windows on a server smart group, only the servers that are part of the server smart group at that particular time are enabled for the maintenance window feature.

How to use an ACL policy time window to allow a specific set of users to run deploy jobs

Log on to the Console using your RBAC Admin credentials.

Perform the following steps:

  1. In the RBAC Manager folder, right-click ACL Policy.
  2. Create a new ACL policy by selecting New > ACL Policy from the pop-up menu.

The Create New ACL Policy wizard appears.

Use the General panel to provide a name and an optional description for the access control list (ACL) policy.

Click Next.

Assign the ACL permissions that you want the role to perform at all times. The role will be assigned these permissions even outside the ACL policy time window.

Perform the following steps:

  1. Click the  icon. The Add New Entry window opens.
  2. From Role, select the Patching User role to which you want to grant permissions.
  3. Ensure that the Profiles tab is selected and use the buttons to move the required patch analysis-related authorizations to the box on the right.
  4. Click OK.

Adding a time window to the ACL policy enables you to specify time intervals during which a role is assigned one or more additional authorizations. The role is assigned the additional authorizations only during that time window.

Click to add an ACL policy time window. The Time Window dialog box appears. In this walkthrough we have defined the time window to run weekly, for a period of 24 hours, every Saturday and Sunday.

  Define the time window as follows:
  1. Enter the name you want to assign to the access control list (ACL) policy time window. In this walkthrough, we have used the name Weekend time window for patching for the ACL policy time window.
  2. Enter optional descriptive text.
  3. (optional) Select the start and end dates within which you want your time window to be enabled.
    Note: The end date is not inclusive. If you define an ACL-based time window for a target server, the system does not grant access to that target server on the end date, even if the ACL-based window begins on an earlier date and extends into the end date.
  4. Select the start time and the duration (in hours) for the time window.
  5. Select how often the ACL-based window is open. Select one of the following options:
    • Once (specify the date)
    • Daily
    • Weekly (specify which days of the week)
    • Monthly (specify which days of the month) - for example, entering 1,15,30 sets the window for the first, fifteenth, and thirtieth of the month
  6. Select your time zone from the drop-down list.

Click the Permissions tab.

From the Permissions tab, assign to the Patching User role the required System or Profile authorizations that will be applicable during the time window.

  1. Click the  icon. The Add New Entry window opens.
  2. From Role, select the Patching User role to which you want to grant permissions.
  3. Ensure that the Profiles tab is selected and use the buttons to move the Manage Patching Job Authorization profile to the box on the right.
  4. Click OK.

Click Finish to create the ACL policy.

Ensure that the Patching User role is assigned to all users who must honor the ACL policy and time window.

  To check whether the role is assigned to your user:
  1. Expand Users, right-click the user, and click Open.

  2. Click the Role Selection tab.

    Ensure that the Patching User role appears in the box on the right. If it does not appear in the box on the right, use the  button to move the Patching User role to the box on the right.

After creating the ACL policy and the time window, update the permissions of all the BSA objects that are used in the patching operation, such as Patching jobs, job folders, servers, and so on.

For example, see the steps below for updating permissions on a patching job. 

  1. In the Jobs folder, navigate to the Patching jobs that you want the ACL policy to apply to.
  2. Right-click the Patching job and select Update Permissions. The Update Permissions dialog box opens.

  3. In the ACL Policies section, click to assign an ACL policy.
  4. Select the ACL policy that you created in this walkthrough.
  5. Click OK.
  6. Click OK to update the permissions for the patching job.
  7. You will receive a confirmation message as shown in the following screenshot.

The users who are assigned the Patching User role can now run patch analysis jobs at any time, but are restricted to executing the remediation or deploy jobs only on weekends.
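To review job history against the window configured in this walkthrough, the following added example (not BSA code and not part of the original page) models a weekly time window with its time zone and non-inclusive end date, and lists deploy runs that fall outside it. The class and function names, the UTC-5 offset, the end date and the job names are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta, timezone, tzinfo
from typing import Optional

@dataclass(frozen=True)
class WeeklyWindow:
    """Simplified model of a weekly time window; not BSA's internal representation."""
    weekdays: frozenset                 # Monday=0 ... Sunday=6
    start: time                         # local start time of each occurrence
    hours: int                          # duration in hours
    tz: tzinfo                          # time zone selected for the window
    start_date: Optional[date] = None
    end_date: Optional[date] = None     # exclusive, per the note in step 3

def window_open(w: WeeklyWindow, moment: datetime) -> bool:
    """True if the timezone-aware moment falls inside an occurrence of w."""
    if moment.tzinfo is None:
        raise ValueError("moment must be timezone-aware")
    local = moment.astimezone(w.tz)
    # No access on or after the end date, even if an occurrence began earlier.
    if w.end_date is not None and local.date() >= w.end_date:
        return False
    # Look back far enough to catch an occurrence that began on an earlier day.
    for back in range(w.hours // 24 + 2):
        day = local.date() - timedelta(days=back)
        if day.weekday() not in w.weekdays:
            continue
        if w.start_date is not None and day < w.start_date:
            continue
        begin = datetime.combine(day, w.start, tzinfo=w.tz)
        if begin <= local < begin + timedelta(hours=w.hours):
            return True
    return False

def runs_outside_window(w, runs):
    """Return the (job, timestamp) pairs that ran while the window was closed."""
    return [(job, ts) for job, ts in runs if not window_open(w, ts)]

# Constructed sample data: UTC-5 offset, end date and job names are invented.
LOCAL = timezone(timedelta(hours=-5))
WEEKEND = WeeklyWindow(frozenset({5, 6}), time(0, 0), 24, LOCAL,
                       end_date=date(2024, 6, 9))
RUNS = [
    ("deploy-a", datetime(2024, 6, 1, 10, 0, tzinfo=LOCAL)),         # Saturday
    ("deploy-b", datetime(2024, 6, 3, 3, 0, tzinfo=timezone.utc)),   # Sunday 22:00 local
    ("deploy-c", datetime(2024, 6, 3, 10, 0, tzinfo=LOCAL)),         # Monday
    ("deploy-d", datetime(2024, 6, 9, 12, 0, tzinfo=LOCAL)),         # Sunday, on the end date
]
```

Timestamps are converted to the window's time zone before the weekday is evaluated, so a run logged in UTC on Monday can still belong to Sunday's window.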
