Walkthrough: Restricting permissions for a Compliance officer

This topic walks you through the process of setting up a Compliance officer, who is in charge of performing compliance analyses, and limiting permissions so that this user cannot perform other types of actions in BMC BladeLogic Server Automation (BSA). Although this process is not essential for compliance analysis, BMC always recommends that you grant users the minimum set of permissions needed to perform actions. If you do not set up a Compliance officer with a limited set of permissions, a superuser such as the BLAdmins role must perform compliance analysis.


Introduction

This topic is intended for system administrators who manage data center authorizations. The goal of this topic is to grant the minimum set of permissions to the role and user who performs compliance analysis.

What are roles and users?

BSA manages data center access through a system of role-based access controls (RBAC). Each role defines a set of permissions. Typically roles correspond to jobs performed in an organization, such as QA testers or application developers. A user can be assigned to one or more roles, but a user can only assume one role at a time.

What does this walkthrough show?

This walkthrough shows how to:

  • Create an authorization profile, which is a collection of authorizations to perform certain tasks — in this case to perform compliance analysis.
  • Create a role for a Compliance officer.
  • Create a Compliance user who is assigned to the Compliance officer role and thus is granted the permissions available to the Compliance officer.

What do I need to do before I get started?

For this walkthrough, you need to log in as the RBAC administrator for BSA (typically RBACAdmin or a user with equivalent permissions).

How to restrict permissions for a Compliance officer

Step 1

Create an authorization profile for compliance analysis. An authorization profile is a collection of all authorizations needed to perform all compliance analysis tasks.

  1. Log on to BSA as the RBAC administrator (typically RBACAdmin or a user with equivalent permissions).
  2. Expand the RBAC Manager folder.
  3. Right-click Authorization Profiles and select New > Authorization Profile.
    The Authorization Profile Creation wizard opens. 
  4. For Name, enter a name, such as Manage Compliance Job.
  5. In the list of authorizations, move the following authorizations to the list at right:

    Note

    The recommended list of required authorizations for a Compliance officer is broader than the list recommended for a simple Compliance user who only runs a basic Compliance Job (as listed in Creating Compliance Jobs).

    • AuditJob.*
    • BLPackage.*
    • Component.*
    • ComponentGroup.*
    • ComponentTemplate.*
    • ComponentTemplateFolder.*
    • ConfigFile.* or at least ConfigFile.Read
    • ConfigurationObjectClass.* or at least ConfigurationObjectClass.Read
    • DepotFolder.*
    • DepotGroup.*
    • DiscoveryJob.*
    • ExtendedObject.* or at least ExtendedObject.Read
    • JobFolder.*
    • JobGroup.*
    • PropertyClass.*
    • PropertyInstance.*
    • Server.*
      Or, preferably, because it is the narrower grant and matches the least-privilege goal of this topic, only the Server authorizations that compliance analysis uses:
      Server.Audit, Server.Browse, Server.Deploy, Server.Discover, Server.ModifyProperties, Server.Read, Server.Snapshot
    • ServerGroup.*
    • (If planning to run remediation) DeployJob.Create, DeployJob.Execute, DeployJob.Modify, DeployJob.ModifySchedule, DeployJob.Read
  6. Click Finish.

Step 2

Still logged on as the RBAC administrator, create a role for Compliance management. Assign the authorization profile you just created to the role.

  1. In the RBAC Manager folder, right-click Roles and select New > Role.
    The Role Creation wizard opens. 
  2. For Name, enter a name, such as ComplianceRole.
  3. Make sure the Profile tab is selected at bottom. Then, in the list of authorization profiles, select Manage Compliance Job and move it to the right.
  4. Click Finish.
Step 3

Still logged on as the RBAC administrator, create a Compliance user. Assign this user to the role you just created.

  1. In the RBAC Manager folder, right-click Users and select New > User.
    The User Creation wizard opens. 
  2. For Name, enter a name, such as ComplianceUser.
  3. For SRP Authentication Options, enter a password and then confirm the password by typing it again.
    This option is only necessary if your organization uses SRP authentication, the default approach for BSA. 
  4. Click Next.
  5. In the list of roles, select the role you created in step 2 (in this case, ComplianceRole) and move it to the right.
  6. Click Finish.

Step 4

Grant the new role (that you created in step 2) permissions to read various global configuration files, global extended objects, and server objects that your component templates will test for compliance. (For example, many rules in the Compliance Content component templates check the compliance of global configuration files and global extended objects.)

  1. Select Configuration > Config Object Dictionary View.

  2. In the Configuration Object Dictionary, browse through the list of configuration files and identify those that are involved in compliance analyses.

  3. For each relevant entry in the list of configuration files, click the entry and then click the Permissions tab on the right.

  4. If the ConfigFile.Read authorization is not already granted to Everyone, grant it either to Everyone or to the role that you created for the Compliance officer. Granting it only to the Compliance officer's role is the narrower choice and is consistent with the least-privilege goal of this topic.
    1. Click Add Entry .
    2. In the Add New Entry dialog box, select either Everyone or the Compliance officer's role (in this case, ComplianceRole).
    3. Use the arrow button to select the ConfigFile.Read authorization.
    4. Click OK.
  5. Repeat steps 3–4 for any other relevant configuration files.
    Alternatively, to perform this task on multiple configuration files (all at once), select all the configuration files whose permissions you want to update, right-click, and select Update Permissions. Then continue with the sub-steps in step 4 above, or as described in Updating permissions for one or more system objects.
  6. Repeat steps 2–5 for relevant extended objects, granting them the ExtendedObject.Read authorization.
  7. Repeat steps 2–5 for relevant server objects, granting them the ConfigurationObjectClass.Read authorization.
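The following script is an added example and is not BMC code or part of the original page. It checks the two things the procedure above sets up: that an authorization profile matches the recommended minimum from step 1 (flagging missing entries, "Type.*" wildcards where the page calls for only specific operations, and grants that serve no compliance purpose at all), and that each Configuration Object Dictionary object grants the read authorization from step 4 to Everyone or to the Compliance officer's role. The profile contents and the object ACLs are constructed inputs; in practice you would fill them from your own BSA instance. The wildcard rule that "Type.*" covers every operation on that type is assumed.

```python
"""Least-privilege audit of a Compliance officer authorization profile.

Added example, not BMC or BSA code. REQUIRED and REMEDIATION are copied
from step 1 of the walkthrough; the profile and ACL inputs below are
constructed for illustration. Authorization names follow the BSA
"Type.Operation" form, and "Type.*" is assumed to cover every operation.
"""
from __future__ import annotations

REQUIRED = {
    "AuditJob.*", "BLPackage.*", "Component.*", "ComponentGroup.*",
    "ComponentTemplate.*", "ComponentTemplateFolder.*",
    "ConfigFile.Read", "ConfigurationObjectClass.Read", "DepotFolder.*",
    "DepotGroup.*", "DiscoveryJob.*", "ExtendedObject.Read", "JobFolder.*",
    "JobGroup.*", "PropertyClass.*", "PropertyInstance.*", "ServerGroup.*",
    "Server.Audit", "Server.Browse", "Server.Deploy", "Server.Discover",
    "Server.ModifyProperties", "Server.Read", "Server.Snapshot",
}
# Only needed if the role will also run remediation (Deploy Jobs).
REMEDIATION = {
    "DeployJob.Create", "DeployJob.Execute", "DeployJob.Modify",
    "DeployJob.ModifySchedule", "DeployJob.Read",
}


def covers(granted: str, needed: str) -> bool:
    """True if one granted authorization satisfies one needed authorization.

    A specific grant never satisfies a wildcard requirement.
    """
    g_type, g_op = granted.split(".", 1)
    n_type, n_op = needed.split(".", 1)
    return g_type == n_type and g_op in ("*", n_op)


def audit_profile(granted: set[str], remediation_planned: bool = False) -> dict[str, list[str]]:
    """Compare a profile's grants with the recommended minimum.

    missing    - required authorizations that no grant covers
    over_broad - "Type.*" grants on types where only specific operations are needed
    excess     - grants that satisfy no required authorization at all
    """
    required = REQUIRED | (REMEDIATION if remediation_planned else set())
    # Types for which the page lists specific operations rather than "Type.*"
    narrow = {n.split(".", 1)[0] for n in required if not n.endswith(".*")}
    missing = sorted(n for n in required if not any(covers(g, n) for g in granted))
    over_broad = sorted(g for g in granted
                        if g.endswith(".*") and g.split(".", 1)[0] in narrow)
    excess = sorted(g for g in granted if not any(covers(g, n) for n in required))
    return {"missing": missing, "over_broad": over_broad, "excess": excess}


def objects_missing_read(acls: dict[str, set[tuple[str, str]]],
                         role: str, read_auth: str) -> list[str]:
    """Dictionary objects whose ACL grants read_auth to neither Everyone nor role.

    These are the objects step 4 of the walkthrough tells you to update.
    """
    return sorted(
        name for name, entries in acls.items()
        if not any(who in ("Everyone", role) and covers(auth, read_auth)
                   for who, auth in entries)
    )


# Constructed profile contents (not exported from a real BSA instance).
PROFILE_TIGHT = set(REQUIRED)
PROFILE_LOOSE = (
    {a for a in REQUIRED
     if a.split(".", 1)[0] not in ("ConfigFile", "ExtendedObject", "Server", "DiscoveryJob")}
    | {"ConfigFile.*", "ExtendedObject.*", "Server.*", "DeployJob.Execute"}
)

# Constructed Configuration Object Dictionary ACLs: (principal, authorization).
CONFIG_OBJECT_ACLS = {
    "Windows Registry": {("Everyone", "ConfigFile.Read")},
    "sshd_config": {("BLAdmins", "ConfigFile.*")},
    "passwd": {("ComplianceRole", "ConfigFile.Read"), ("BLAdmins", "ConfigFile.*")},
}

if __name__ == "__main__":
    for label, profile in (("tight", PROFILE_TIGHT), ("loose", PROFILE_LOOSE)):
        print(label, audit_profile(profile))
    print("objects to fix:",
          objects_missing_read(CONFIG_OBJECT_ACLS, "ComplianceRole", "ConfigFile.Read"))
```

Run it before and after editing a profile in the RBAC Manager: the "loose" profile reports the three wildcards that should be narrowed to .Read, the DeployJob grant that does not belong unless remediation is planned, and the one object in the constructed dictionary that the Compliance officer's role still cannot read.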

Wrapping it up

Congratulations. You have set up a role for Compliance officers and created a Compliance user.


Comments

  1. Yechezkel Schatz

    Sandeep Das, I modified the list of minimum authorizations based on your comment. Let me know if this looks OK. Thanks for the great feedback!

    Jun 19, 2016 09:11
  2. Sandeep Das

    A Compliance Officer will need ConfigFile.Read permission to open any Red Hat CIS template. (E.g. CIS - Red Hat Enterprise Linux 6). 

    The CIS component templates are part of the product and the permissions listed here should allow a user to work with BMC provided templates.


    Can you please test whether the permissions listed on this page will allow a Compliance Officer to work with all the component templates that are shipped with BMC Compliance Content Installer? 

    BMC recommends not using the BLAdmin role for everyday tasks, but I've found way too many instances of permissions for specialized roles not being documented properly.


    Jul 19, 2016 07:59
    1. Yechezkel Schatz

      Hi, Sandeep. I added ConfigFile.Read with a parenthetical remark to indicate that it's commonly needed when using Compliance Content templates. I added a similar parenthetical remark to a couple of other bullets, as well. As always, thanks for the great feedback!

      Jul 20, 2016 08:03
      1. Sandeep Das

        Thanks Yechezkel.

        Jul 21, 2016 01:05
        1. Yechezkel Schatz

          Hi Sandeep,

          I made more changes on the page. I modified the list in step 1 some more. More importantly, we identified a gap in the procedure here and I added another task (step 4) for granting the role read permissions on objects in the Configuration Object Dictionary.

          Thanks!


          Jul 27, 2016 08:54
          1. Sandeep Das

            Thanks Yechezkel. It looks like only the Windows Configuration Objects have the Everyone > ConfigFile.Read permission by default. Configuration Objects for other OS do not have this permission and updating them one by one is tedious as there are over 100 objects. It is possible to update the permissions in bulk and the steps here should mention that. Set filters to "Configuration Objects" and "All Operating Systems". Select all objects, right click and select Update Permissions.

            Repeat for Extended Objects and Server Objects. Although, ideally all objects should have the Everyone.Read permission by default just like the Windows configuration objects. Is it possible to get the development team to update the default permissions and remove the need for the post install configuration?

            And you've added ConfigFile.Read, ExtendedObjects.Read and ConfigurationObjectClass.Read permissions to the actual objects. Yet, the permission list for the compliance officer role has ConfigFile.*, ExtendedObjects.* and ConfigurationObjectClass.* permissions. The role should only have the minimum permissions required to perform the job.


            Jul 31, 2016 07:31
            1. Yechezkel Schatz

              Hi Sandeep,

              To address the three points in your last comment:

              • I added some text for bulk Update Permissions in step 5 of task 4.
              • In task 1, I added "or at least authorization.Read" for those 3 entries.
              • I passed on the request for everyone to have Read permissions by default to the Dev team. I would also suggest that you submit an RFE for this.

              Thanks so much for all the feedback!

              Regards,

              Yechezkel

              Aug 02, 2016 10:00