Role - General

The General panel lets you provide a name and description for the role, choose an object permissions template, and assign system authorizations, command authorizations, and authorization profiles to the role.

You can grant varying levels of system authorizations to a role. For example, Server.* authorizes a user to perform all possible actions relating to servers. AuditJob.* authorizes a user to perform all possible actions relating to Audit Jobs. You can also choose to authorize more specific classes of actions. For example, AuditJob.Read lets a user view Audit Jobs. For a full listing of all possible system authorizations, see System authorizations.

Similarly, you can grant authorizations to perform specific Network Shell and nexec commands. If you do not authorize specific commands, a role faces no restrictions when using commands. In other words, a user who assumes that role can perform any command. If you do assign commands to a role, users who assume that role are restricted to those commands.

In addition to granting individual authorizations for system authorizations and commands, you can assign one or more authorization profiles to a role. An authorization profile is a collection of system and command authorizations. For more information about creating authorization profiles, see Creating an authorization profile.

Note

If you change authorizations for a role while a user is active, the console may give the appearance of that user being incorrectly authorized or not authorized for certain actions. The console does not correctly display all changed user options until the user exits and logs on again. Although the console may give the appearance of incorrectly displaying some options, the correct authorizations are always in effect at the Application Server. Thus the user can never perform an action for which he or she is not authorized.

Field definitions

Field

Description

Name

Identifying name.

Note

Try to avoid the inclusion of space characters in role names. If you must include a space character in the role name, associate a Windows automation principal with this role through the Agent ACL panel of this wizard. Using an automation principal for Windows user mapping ensures that this role will be able to access target Windows servers. 

Description

Optional descriptive text.

Object Permissions Template

Click Browse to select an access control list (ACL) template to use to define permissions that are automatically granted to objects created by this role.
If you do not specify an object permissions template, the role is granted full permission to any object that the role creates. For example, when creating a BLPackage, the role is granted BLPackage.*. For more information about defining an ACL template, see Creating an ACL template.

Available Authorizations >

Profiles/ System / Commands

Under Available Authorizations, do any of the following:

  • To assign authorization profiles to the role, click the Profiles tab at the bottom of the Available Authorizations list. Then, select the authorization profiles that you want to assign to the role.
  • To grant the role individual system authorizations, click the System tab at the bottom of the Available Authorizations list. Then, select the system authorizations that you want to make available to the role.
  • To grant the role individual command authorizations, click the Commands tab at the bottom of the Available Authorizations list. Then, select the commands that you want to make available to the role.

Use Shift-click or Control-click to select multiple items. Click the right arrow to move your selections to the Selected Authorizations list.

Where to go from here

Role - Agent ACL

Was this page helpful? Yes No Submitting... Thank you

Comments