Minimum permissions for patching

This topic was edited by a BMC Contributor and has not been approved.

There are four main patching operations in a BMC Server Automation (BSA) environment. The table below lists each patching operation, the activities that a role must perform for it, and the role that typically performs it.

| Patching operation | Activities the role performs | Typically performed by |
|---|---|---|
| Patch catalog management | Creates and updates both offline and online patch catalogs. Patches are added to the catalog as depot objects according to filters defined for the catalog. | The BLAdmin or patch administrator |
| Patch analysis | Analyzes the configuration of target servers and determines the patches required to remediate them. | The patch administrator |
| Patch remediation | Downloads the payload from vendor sites and stores it in a patch repository, then packages the payload as a BLPackage. | The patch administrator |
| Patch deployment | Creates a Deploy Job to apply the patches. | The system administrator |

This topic lists the minimum permissions required by the role to perform the various patching operations. Some object-level permissions must also be granted to the role performing the patching operations.

You might want to create different roles to perform each of the patching operations or a combination of patching operations. If you want to create one role with all responsibilities for patch analysis and remediation, refer to the consolidated list of permissions. A consolidated list of object-level permissions accompanies the consolidated list of permissions.

Important: If the Application Server is configured with an NSH proxy server, ensure that the user performing patching is also assigned the NSH_Proxy.Connect permission in addition to the permissions listed below. The NSH_Proxy.Connect permission allows the user to acquire the NSH proxy credentials that patching requires. For more information, see Setting up a Network Shell client to run in proxy mode.

Patch catalog management

| Permission | Description |
|---|---|
| ACLPolicy.* or ACLPolicy.Read | Optional: Create access control list (ACL) policies to grant permissions to other roles that download patch objects. If the ACL policies already exist, only ACLPolicy.Read is necessary. |
| ACLTemplate.* | Create an ACL template for other roles that download patch objects. |
| AIXPatchSoftware.* | AIX only: Manage AIX depot software. |
| AIXSoftware.* | AIX only: Create depot objects for patches during downloads that occur during Catalog Update Jobs. |
| DepotFile.* | Optional: Manage offline patch catalog metadata content. |
| DepotFolder.Read, DepotFolder.Write | Create the patch catalog in a depot folder. |
| LinuxSoftware.* | Linux only: Create depot objects for patches during downloads that occur during Catalog Update Jobs. |
| PatchCatalog.* | Create and manage a patch catalog. |
| PatchDownloadJob.* | Run a job that downloads patches manually, rather than downloading them along with patch metadata. |
| PatchGlobalConfig.Modify | Optional: Manage global patch settings. |
| PatchSmartGroup.* | Create smart groups in the patch catalog. |
| Server.Browse, Server.Read | Create a patch repository on a helper server. |
| ServerGroup.Read | Optional: Allow the user to browse to the helper server when selecting it. |
| SolarisSoftware.* | Solaris only: Create depot objects for patches during downloads that occur during Catalog Update Jobs. |
| WindowsSoftware.* | Windows only: Create depot objects for patches during downloads that occur during Catalog Update Jobs. |

Object level permissions for patch catalog management

| Object | Permissions | Description |
|---|---|---|
| Depot folders | DepotFolder.Read, DepotFolder.Write, DepotGroup.Read, DepotGroup.Write | Grant these permissions to the catalog management role on the depot folder where you create a patch catalog and on all depot folders and groups that are parents of the patch catalog folder. |
| Server functioning as a patch repository | Server.Read, Server.Browse | Grant these permissions to the catalog management role on the server that functions as a patch repository. |

Patch analysis

| Permission | Description |
|---|---|
| AIXSoftware.Read | AIX only: Read the relevant type of software. |
| DepotFolder.Read | Read the patch catalog, which is stored in the Depot. |
| JobFolder.Read, JobFolder.Write | Create Patch Analysis jobs in a job folder and browse any parent folders. |
| JobGroup.Read, JobGroup.Write | Create Patch Analysis jobs and remediation jobs in a folder or navigate to them in a group. |
| LinuxSoftware.Read | Linux only: Read required software. |
| PatchCatalog.Read, PatchCatalog.Modify | Access patch catalogs. PatchCatalog.Modify is only needed for Solaris and AIX. |
| Server.Read | Read contents of target servers. |
| ServerGroup.Read | Browse groups of target servers. |
| SolarisSoftware.Read, SolarisSoftware.Modify | Solaris only: Read and interpret required software. |
| WindowsSoftware.Read, WindowsSoftware.Modify | Windows only: Read and interpret required software. |
| PatchSmartGroup.Read | Allow the user to open patch smart groups. |
| PatchSmartGroup.Write | Allow the user to add new objects to patch smart groups. |

Object level permissions for patch analysis

| Object | Permissions | Description |
|---|---|---|
| Target servers | Server.Read | Grant this permission to the patch analysis role on the target servers. |
| Target server groups | ServerGroup.Read | Grant this permission to the patch analysis role on any target server groups that hold the target servers. |
| Job folder containing the Patching Job | JobGroup.Read, JobGroup.Write, JobFolder.Read, JobFolder.Write | Grant these permissions to the patch analysis role on the job folder where you create a Patching Job and on all parent job folders or groups. |
| Patching jobs | PatchingJob.Execute | Grant this permission on any Patching Jobs. |

Patch remediation

| Permission | Description |
|---|---|
| ACLPolicy.* | Manage ACL policies. |
| ACLTemplate.* | Manage ACL templates. |
| AIXPatchSoftware.Read | AIX only: Read required software. |
| AIXSoftware.Read | AIX only: Read required software. |
| BatchJob.* | Create and execute Batch Jobs that run concatenated Deploy Jobs. |
| BLPackage.* | Create remediation packages. |
| CustomSoftware.* | Linux and Windows only: Create Linux and Windows remediation jobs. |
| DeployJob.* | Create Deploy Jobs for remediation purposes. |
| DepotFolder.Read, DepotFolder.Write | Create packages in the depot and browse any parent groups. |
| DepotGroup.Read, DepotGroup.Write | Navigate to the patch catalog or remediation objects in a depot group. |
| JobFolder.Read, JobFolder.Write | Create remediation jobs in job folders and browse any parent groups or folders. |
| JobGroup.Read, JobGroup.Write | Create Patch Analysis jobs and remediation jobs in a folder or navigate to them in a group. |
| LinuxSoftware.Read | Linux only: Read required software. |
| PatchCatalog.Read | Read the patch catalog. |
| PatchDownloadJob.* | Manage patch download jobs. |
| PatchingJob.Read | Read contents of Patching Jobs. |
| PatchRemediationJob.* | Manage patch remediation jobs. |
| PatchSmartGroup.Read | Read smart groups containing patch catalogs. |
| Server.Browse, Server.Deploy, Server.Read | Read the contents of the patch repository. |
| ServerGroup.Read | Find servers. |
| SolarisSoftware.Read, SolarisSoftware.Modify | Solaris only: Read and interpret required software. |
| WindowsSoftware.Read, WindowsSoftware.Modify | Windows only: Read and interpret required software. |

Object level permissions for patch remediation

| Object | Permissions | Description |
|---|---|---|
| Patching jobs | PatchingJob.Read | Grant this permission to the patch remediation role on any Patching Jobs used for remediation purposes. |
| Server functioning as a patch repository | Server.Browse, Server.Read | Grant these permissions to the patch remediation role on the server used as a patch repository. |
| Job folder containing the Patching Job | JobGroup.Read, JobGroup.Write, JobFolder.Read, JobFolder.Write | Grant these permissions to the patch remediation role on the job folder where you create a remediation Job and on all parent job folders or groups. |
| Depot groups where packages are created in the depot | DepotFolder.Read, DepotFolder.Write, DepotGroup.Read, DepotGroup.Write | Grant these permissions to the patch remediation role on the depot folder where you create a remediation package and on all parent depot folders and groups. |

Patch deployment

| Permission | Description |
|---|---|
| BLPackage.Read | Read remediation packages. |
| CustomSoftware.Read | Linux only: Read Linux remediation jobs. |
| BatchJob.Execute, BatchJob.Read | Read and execute Batch Jobs that run concatenated Deploy Jobs. |
| DeployJob.Execute, DeployJob.Read | Read and execute jobs that deploy patch packages. |
| Server.Deploy, Server.Read | Deploy patches to target servers. |
| ServerGroup.Read | Browse groups of target servers to which patches are deployed. |

Object level permissions for patch deployment

| Object | Permissions | Description |
|---|---|---|
| Target servers | Server.Deploy, Server.Read | Grant these permissions to the patch deployment role on any target servers where patches are deployed. |
| Target server groups | ServerGroup.Read | Grant this permission to the patch deployment role on any groups of target servers. |

Consolidated list of minimum permissions for patching

| Permission | Description |
|---|---|
| ACLPolicy.* | Create ACL policies to grant permissions to other roles that download patch objects. |
| ACLTemplate.* | Create ACL templates to grant permissions to other roles that download patch objects. |
| AIXPatchSoftware.* | AIX only: Create and read patch software. |
| AIXSoftware.* | AIX only: Create and read software. |
| BatchJob.* | Create and execute Batch Jobs that run concatenated Deploy Jobs. |
| BLPackage.* | Create remediation packages and read their contents. |
| CustomSoftware.* | Linux and Windows only: Create Linux remediation jobs and read their contents. |
| DeployJob.* | Read and execute jobs that deploy patch packages. |
| DepotFile.* | Optional: Manage offline patch catalog metadata content. |
| DepotFolder.Read, DepotFolder.Write | Create the patch catalog in a depot folder or create remediation objects in a depot folder. |
| DepotGroup.Read, DepotGroup.Write | Navigate to the patch catalog or remediation objects in a depot group. |
| JobFolder.Read, JobFolder.Write | Create Patch Analysis jobs and remediation jobs in a folder or navigate to them in a group. |
| JobGroup.Read, JobGroup.Write | Create Patch Analysis jobs and remediation jobs in a folder or navigate to them in a group. |
| LinuxSoftware.* | Linux only: Create and read software. |
| PatchCatalog.* | Create and manage a patch catalog. |
| PatchDownloadJob.* | Manage patch downloads. |
| PatchGlobalConfig.Modify | Optional: Manage global patch settings. |
| PatchingJob.Read | Read the jobs used as the basis of remediation. |
| PatchRemediationJob.* | Manage patch remediation jobs. |
| PatchSmartGroup.* | Create smart groups in the patch catalog. |
| Server.Browse, Server.Deploy, Server.Read, Server.Write | Create a patch repository on a helper server, read the contents of the repository, read contents of target servers, and deploy patches to target servers. |
| ServerGroup.Read | Allow the user to browse to the helper server when selecting it and to browse to target servers. |
| SolarisSoftware.* | Solaris only: Create and read software. |
| WindowsSoftware.* | Windows only: Create and read software. |
| PatchSmartGroup.Read | Allow the user to open patch smart groups. |
| PatchSmartGroup.Write | Allow the user to add new objects to patch smart groups. |
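As an added example (my own code, not BMC's and not a BSA API), the Python script below audits a role's granted authorizations against the minimum sets from the per-operation tables above, so that a role created for one operation, or for several, can be checked both for authorizations it lacks and for authorizations it carries but does not need. It assumes that the page's `Class.*` notation means every action of that authorization class, treats the "ACLPolicy.* or ACLPolicy.Read" entry as alternatives, skips entries the tables mark Optional, and adds NSH_Proxy.Connect when the Application Server uses an NSH proxy, as the note above requires. The names MINIMUM, OPTIONAL, audit_role and ANALYSIS_ROLE are mine, and ANALYSIS_ROLE is a constructed sample role, not one taken from any BSA installation.

```python
"""Least-privilege audit of a BSA RBAC role against the minimum authorizations
for each patching operation.  Added example, not BMC code or a BSA API: the
authorization names are transcribed from the tables on this page and the role
definition at the bottom is constructed sample input."""
from fnmatch import fnmatchcase

# Minimum authorizations per operation.  A tuple lists alternatives, of which
# any one satisfies the requirement ("ACLPolicy.* or ACLPolicy.Read").
MINIMUM = {
    "catalog_management": {
        ("ACLPolicy.*", "ACLPolicy.Read"), "ACLTemplate.*", "AIXPatchSoftware.*",
        "AIXSoftware.*", "DepotFile.*", "DepotFolder.Read", "DepotFolder.Write",
        "LinuxSoftware.*", "PatchCatalog.*", "PatchDownloadJob.*",
        "PatchGlobalConfig.Modify", "PatchSmartGroup.*", "Server.Browse",
        "Server.Read", "ServerGroup.Read", "SolarisSoftware.*", "WindowsSoftware.*",
    },
    "analysis": {
        "AIXSoftware.Read", "DepotFolder.Read", "JobFolder.Read", "JobFolder.Write",
        "JobGroup.Read", "JobGroup.Write", "LinuxSoftware.Read", "PatchCatalog.Read",
        "PatchCatalog.Modify", "Server.Read", "ServerGroup.Read",
        "SolarisSoftware.Read", "SolarisSoftware.Modify", "WindowsSoftware.Read",
        "WindowsSoftware.Modify", "PatchSmartGroup.Read", "PatchSmartGroup.Write",
    },
    "remediation": {
        "ACLPolicy.*", "ACLTemplate.*", "AIXPatchSoftware.Read", "AIXSoftware.Read",
        "BatchJob.*", "BLPackage.*", "CustomSoftware.*", "DeployJob.*",
        "DepotFolder.Read", "DepotFolder.Write", "DepotGroup.Read", "DepotGroup.Write",
        "JobFolder.Read", "JobFolder.Write", "JobGroup.Read", "JobGroup.Write",
        "LinuxSoftware.Read", "PatchCatalog.Read", "PatchDownloadJob.*",
        "PatchingJob.Read", "PatchRemediationJob.*", "PatchSmartGroup.Read",
        "Server.Browse", "Server.Deploy", "Server.Read", "ServerGroup.Read",
        "SolarisSoftware.Read", "SolarisSoftware.Modify", "WindowsSoftware.Read",
        "WindowsSoftware.Modify",
    },
    "deployment": {
        "BLPackage.Read", "CustomSoftware.Read", "BatchJob.Execute", "BatchJob.Read",
        "DeployJob.Execute", "DeployJob.Read", "Server.Deploy", "Server.Read",
        "ServerGroup.Read",
    },
}
# Entries the tables mark "Optional" for an operation; their absence is not a finding.
OPTIONAL = {
    "catalog_management": {("ACLPolicy.*", "ACLPolicy.Read"), "DepotFile.*",
                           "PatchGlobalConfig.Modify", "ServerGroup.Read"},
}


def _alternatives(entry):
    """Normalise a table entry to the tuple of authorizations that can satisfy it."""
    return entry if isinstance(entry, tuple) else (entry,)


def covers(granted, auth):
    """True if `auth` is granted directly or through a wildcard such as 'Server.*'."""
    return any(fnmatchcase(auth, g) for g in granted)


def audit_role(granted, operations, nsh_proxy=False):
    """Compare a role's granted authorizations with the minimum for `operations`.
    Returns three sorted lists:
      missing - required authorizations the role lacks
      excess  - granted authorizations that serve none of the operations
      broader - granted wildcards where the tables ask only for specific actions"""
    granted = set(granted)
    needed, missing = set(), set()
    for op in operations:
        for entry in MINIMUM[op]:
            needed.update(_alternatives(entry))
            if entry in OPTIONAL.get(op, set()):
                continue
            if not any(covers(granted, a) for a in _alternatives(entry)):
                missing.add(" or ".join(_alternatives(entry)))
    if nsh_proxy:  # Application Server behind an NSH proxy (see the note above)
        needed.add("NSH_Proxy.Connect")
        if not covers(granted, "NSH_Proxy.Connect"):
            missing.add("NSH_Proxy.Connect")
    # A grant is excess when it neither covers nor is covered by anything needed.
    excess = {g for g in granted
              if not any(fnmatchcase(n, g) or fnmatchcase(g, n) for n in needed)}
    broader = {g for g in granted - excess if g.endswith(".*") and g not in needed}
    return {"missing": sorted(missing), "excess": sorted(excess),
            "broader": sorted(broader)}


# Constructed sample: a "patch analysis" role that has drifted from the minimum.
ANALYSIS_ROLE = {
    "AIXSoftware.Read", "DepotFolder.Read", "JobFolder.Read", "JobFolder.Write",
    "JobGroup.Read", "JobGroup.Write", "LinuxSoftware.Read", "PatchCatalog.Read",
    "PatchCatalog.Modify", "Server.*", "ServerGroup.Read", "SolarisSoftware.Read",
    "SolarisSoftware.Modify", "WindowsSoftware.Read", "WindowsSoftware.Modify",
    "PatchSmartGroup.Read", "DeployJob.*",
}

if __name__ == "__main__":
    for key, items in audit_role(ANALYSIS_ROLE, ["analysis"], nsh_proxy=True).items():
        print(f"{key}: {', '.join(items) or '-'}")
```

Run against the sample analysis role with the NSH proxy flag set, the report lists PatchSmartGroup.Write and NSH_Proxy.Connect as missing, DeployJob.* as excess (it serves none of the analysis activities and is a candidate for removal), and Server.* as broader than the Server.Read the analysis table asks for. Passing several operations, for example ["analysis", "remediation"], audits a combined role the same way.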

Consolidated list of object level permissions for patching

| Object | Permissions | Description |
|---|---|---|
| Depot folders | DepotFolder.Read, DepotFolder.Write, DepotGroup.Read, DepotGroup.Write | Grant these permissions on the depot folder where you create a patch catalog and on all depot folders that are parents of the patch catalog folder. Also grant them on the depot folder where you create any remediation packages and on all parent folders or groups. |
| Server functioning as a patch repository | Server.Read, Server.Browse | Grant these permissions on the server used as a patch repository. |
| Target servers | Server.Deploy, Server.Read | Grant these permissions on target servers. |
| Target server groups | ServerGroup.Read | Grant this permission on any target server groups that hold the target servers. |
| Job folder containing Patching and remediation jobs | JobGroup.Read, JobGroup.Write, JobFolder.Read, JobFolder.Write | Grant these permissions on the job folder where you create a Patching Job and on all parent job folders or groups. Also grant them on the job folder where you create any remediation jobs and on all parent job folders or groups. |
| Patching jobs | PatchingJob.Read, PatchingJob.Execute | Grant these permissions on any Patching Jobs. |

Comments

  1. Pedro jose Barbero iglesias

    Hi there,

    I regret to tell you that when creating a Role with the minimum permissions listed here for Patching analysis purposes only, this doesn't work.

    When the patch analysis job wizard starts this can't conclude the creation task because the finish button doesn't make any effect.

    Even using the consolidated list, but with the same result.

    Regards.

    Sep 16, 2016 05:50
    1. Moiz Nalwalla

      Hi Pedro,

      As Srikanth has pointed out below, the authorizations required for the patch analysis operation only allow the role to execute the patch analysis job and read the results. It does not allow the role to create deploy jobs. For doing this, the role would require the minimum authorizations for the other patching operations too.

      I modified the content on this page to provide explanations about each patching operation and the authorizations that must be assigned to the role to successfully perform that operation. Hope this helps.

      Feb 17, 2017 12:23
  2. Parag Desai

    I am able to reproduce the issue Pedro is facing. I even added PatchingJob.Create/*, which I think is anyway missing, but it did not help. Clicking the Finish button does not create the job and the wizard stays on the same page.

    Sep 29, 2016 04:54
  3. Moiz Nalwalla

    Thanks for that information Parag Desai.

    Pedro jose Barbero iglesias, Parag has raised a defect (Id: QM002133314) to fix this issue. We will keep you informed about its progress.

    Thanks again for bringing this up.

    Sep 30, 2016 04:22