Starting version 8.9.03, BMC Server Automation is renamed to TrueSight Server Automation. This space contains information about BMC Server Automation 8.9.02 and previous versions. For TrueSight Server Automation 8.9.03 and later releases, see TrueSight Server Automation 8.9.

Walkthrough: Restricting permissions for a patching administrator

This topic walks you through the process of setting up a patching administrator and limiting permissions so that administrator cannot perform other types of actions in BMC Server Automation. Although this process is not essential for patch management, BMC always recommends that you grant users the minimum set of permissions needed to perform actions. If you do not set up a patching administrator with a limited set of permissions, a superuser such as the BLAdmins role must perform patch management.

This topic includes the following sections:


This topic is intended for system administrators who manage data center authorizations and access to physical assets such as servers. The goal of this topic is to grant the minimum set of permissions to the role and user who perform patch management, as well as granting the minimum level of access to any servers where you will be setting up patching infrastructure.

What are roles and users?

BMC Server Automation (BSA) manages data center access through a system of role-based access controls (RBAC). Each role defines a set of permissions. Typically roles correspond to jobs performed in an organization, such as QA testers or application developers. A user can be assigned to one or more roles, but a user can only assume one role at a time.

What does this walkthrough show?

This walkthrough shows how to:

  • Create an authorization profile, which is a collection of authorizations to perform certain tasks–in this case to perform patch management.
  • Create a role for a patching administrator
  • Create a patching user who is assigned to the patching administrator role and thus is granted the permissions available to the patching administrator.
  • Grant the patching administrator access to the server that is used as a patch repository.  This requires you to set permissions for server within the BSA console and also to push an access control list (ACL) to the server. The ACL controls access at the server level.

What do I need to do before I get started?

  • For this walkthrough, you need to log in as the RBAC administrator for BSA (typically RBACAdmin or a user with equivalent permissions)
  • Later in the walkthrough you have to log in as BLAdmin, the superuser, or a user with equivalent permissions.
  • You must also know which server you want to use as a patch repository so you can restrict access to it. The server you select must have ample free space. For the latest sizing and scalability recommendations, refer to the BMC Server Automation Sizing Guide in BMC Communities. 

How to restrict permissions for a patching administrator

StepExample screen

Create an authorization profile for patching. An authorization profile is a collection of all authorizations needed to perform all patching tasks.

  1. Log on to BSA as the RBAC administrator (typically RBACAdmin or a user with equivalent permissions).
  2. Expand the RBAC Manager folder.
  3. Right-click Authorization Profiles and select New > Authorization Profile.
    The Authorization Profile Creation wizard opens. 
  4. For Name, enter a name, such as Manage Patching Job.
    Note: This name must be unique.
  5. In the list of authorizations, move the following authorizations to the list at right:
    CustomSoftware.* (for Linux only)

    Tip: You can also type a character string in the Type to filter field to quickly locate an authorization, and you can press Ctrl-click to select multiple authorizations.

  6. Click Finish.

Still logged on as the RBAC administrator, create a role for patch administration. Assign the authorization profile you just created to the role.

  1. In the RBAC Manager folder, right-click Roles and select New > Role.
    The Role Creation wizard opens. 
  2. For Name, enter a name, such as PatchingUser.
    Note: This name must be unique.
  3. In the list of authorization profiles, select the name of the Authorization Profile that you set in Step 1.4 (for example, Manage Patching Job) and move it to the right.
  4. Make sure the Profile tab is selected at bottom. Then, in the list of authorization profiles, select Manage Patching Job and move it to the right.
  1. Click Next.
    The Agent ACLs page opens.
  2. For User Map, select Map to and enter root. 
    You need to map to a user that has authorizations to make changes to the repository where you will be storing patching information. For a UNIX server, this user is often root. 
  3. Click the Windows tab. Select Map to and enter Administrator.
  4. Click Finish.

Still logged on as the RBAC administrator, create a patching user. Assign this user to the role you just created.

  1. In the RBAC Manager folder, right-click Users and select New > User.
    The User Creation wizard opens.
  2. For Name, enter a name, such as PatchingUser.
    Note: This name must be unique.
  3. Leave the Description field blank, and leave default check boxes unchanged.
  4. For SRP Authentication Options, enter a password and then confirm the password by typing it again.
    This option is only necessary if your organization uses SRP authentication, the default approach for BSA. 
  5. Click Next.
  6. In the list of roles, select PatchingUser and move it to the right.
  7. Click Finish.

  1. In the Servers folder, navigate to the server you have selected for use as the patch repository.
  2. Select the server and in the Properties, Permissions, and Audit Trail view, select the Permissions tab.

  1. Click Add one or more ACL entries .
    The Permissions dialog box opens.
  2. For Role, select PatchingUser, the role we created earlier. 
  3. Under Available Permissions, select Server.* and move it to the list at right.
  4. Click OK.
  1. In the Jobs folder, navigate to a subfolder where the PatchingUser can create a job. Using the procedure described in the previous steps, grant the PatchingUser role the JobFolder.* permission. This action gives PatchingUser the ability to create and modify the contents of this folder.
  2. Repeat the same process for any higher level subfolders in the Jobs folder hierarchy. In other words, if the PatchingUser should be working in the Workspace/Automation Academy subfolder within the Jobs folder hierarchy, you must grant permissions to both the Workspace folder and the Automation Academy folder.

  1. Log off as the RBAC administrator and log in as the BLAdmin superuser or a user with equivalent permissions.
  2. Right-click the server you want to use as a patch repository and select Administration Task > Agent ACLs.
    The Agent ACL Preview dialog box opens.
  3. Click Push to push the revised ACLs to the server you have selected. 
    The system prompts you for a confirmation.
    The ACLs you are pushing include the new patching user who now should have access to the server. 
  4. Click OK

Wrapping it up

Congratulations. You have set up a role for patching administrators, created a patching user, and granted that user access to the patch repository server.

Where to go from here

Now that you have restricted access to the patching administrator, you can now set up patch catalogs. See Walkthrough: Setting up and managing an online patch catalog for Windows and Walkthrough: Setting up and managing a patch catalog for Linux.

Was this page helpful? Yes No Submitting... Thank you