BMC TrueSight Operations Management 11.0 Planning

Role-based access

Role-based access (RBAC) to the features and components comprised in TrueSight Operations Management is enabled by persona-based authorization profiles. Each authorization profile is associated with one or more BMC Remedy Single Sign-On realms and comprises user groups, roles and permissions, and objects. Collectively, the authorization profile components determine the features and objects that users can access and monitor. You can use each default authorization profile as is, you can modify its attributes, or you can create your own authorization profiles.


This topic provides an overview of authorization profiles and the components that compose them.

Overview of the RBAC process

To configure access control, you must complete the following steps:

Step Task Resource
1 Set up users and user groups in Remedy Single Sign-On.

Managing users and user groups
2 Create or modify the components that compose an authorization profile. You can create or modify these components in any order.

Managing roles

Specifying objects

Creating, editing, and deleting PATROL Agent ACLs
3 Modify the default authorization profiles or create new ones. Managing authorization profiles

Realms and tenants

Tenants or realms segment users in Remedy Single Sign-On and enable multitenancy support. In TrueSight Operations Management, each realm represents a tenant.

The * tenant (realm), with default user groups and users , is created in Remedy Single Sign-On when you install the TrueSight Presentation Server component.

For information about supported versions of BMC Remedy Single Sign-On, see System requirements for Presentation Server.

Authorization profile structure

The following diagram illustrates the basic structure of an authorization profile. Each profile is associated with one or more realms and comprises user groups, roles and permissions, and objects. You can use each default authorization profile as is, you can modify any of its elements, or you can create your own authorization profiles. 

The Superadmin in the * tenant (realm) can create and modify authorization profiles and apply them to multiple tenants. Authorization profiles created by tenant administrators apply to users of that tenant. For more information about tenant user administration, see  Access control for SaaS administrators .

Authorization Profile components
When creating an authorization profile, you must already know the user groups, roles, and objects required for the new profile. You cannot create or modify components during the creation of the authorization profile. 

See the following topics for more information about modifying and creating the required elements:

  • Managing roles
  • Managing users and user groups
  • Specifying objects

Default authorization profiles

During the installation of TrueSight Presentation Server, the following persona-based authorization profiles are created in the TrueSight Presentation Server for the * tenant (realm):

  • API-Only User
  • Application Specialist–Applications
  • Application Specialist–Services
  • Capacity Administration
  • Capacity View
  • Executive
  • IT Operations User
  • Service Manager
  • Solution Administrator
  • Technology Specialist
Solution Administrator profile
By default, users in the Solution Administrator profile are associated with the roles, permissions, and objects that enable those users to access all features in the products, including the ability to modify and create authorization profiles. 

The Solution Administrator profile has unrestricted access to all realms and all features and objects in the TrueSight Operations Management solution. The following table shows the user groups, roles and permissions, and objects the compose the Solution Administrator authorization profile. However, you must note the following restrictions:

  • The Solution Administrator profile has unrestricted access to all realms, all features, and all objects in the TrueSight Operations Management solution.
  • A non-Solution Administrator user belonging to the * (default) realm do not have an unrestricted access to objects in other realms.
Solution Administrator
* tenant (realm)
User Groups Roles and Permissions Objects
Administrators



 Super Admin



 All Permissions Assigned



 Category Types Sources Objects
TrueSight Presentation

Monitoring Policy Configuration Types

PATROL Solutions

PATROL Agent ACLs

Devices

Event Groups

Groups

Applications

Services

 TrueSight Presentation Server All Object Access
TrueSight Infrastructure

Views

Monitor Groups

CIs

Component Folders

Event Folders

 Not applicable All Object Access

Predefined user groups and users

When you install TrueSight Presentation Server, the following default user groups and users are created in your Remedy Single Sign-On (SSO) server for the default * tenant. Not all default user groups contain default users. 

Default user groups Default users Description
Administrators admin  Default administrator user
bppmws_internal 

Internal user that supports:

  • Distributed Service Models
  • Cloud Lifecycle Management integration
  • BMC Service Resolution integration
csm_user

Internal user that supports:

  • Cloud Lifecycle Management integration
  • BMC Change Management integration
  • BMC Service Resolution integration
API Group apiuser

Internal user that supports TrueSight Capacity Optimization Integration

  • TrueSight Operations Management 10.1 Extractor in Capacity Optimization 10.5
  • Generic Extractor in Capacity Optimization 10.5
Capacity_Administration None

Users in this group can perform all administrative activities, and have access to the Administration section in both the consoles:

  • TrueSight console, hosted on the Presentation Server
  • TrueSight Capacity Optimization console, hosted on the Application Server
Capacity_View None

Users in this group can view the Capacity section (includes Views and Investigate) in the TrueSight console, and Reports section in the TrueSight Capacity Optimization console. 

The users cannot perform administrative activities such as creating custom views.
Capacity_Planning None

Users in this group can perform all capacity planning related activities. The users have access to the Capacity section (includes Views and Investigate) in the TrueSight console, and to all sections in the TrueSight Capacity Optimization console, except the Administration section.

The users can create and edit views, and view and edit Investigate studies. The users cannot perform administrative activities in the TrueSight Capacity Optimization console.
Cloud_Cost_Control None Users in this group can access and use the Cloud Cost Control section in the TrueSight console.
Central Monitoring Administrators None NA
Model Administrators service_admin

Default service model administration user for the TrueSight Presentation Server and TrueSight Infrastructure Management
Monitoring Administrators event_admin

Default event administration user for the TrueSight Presentation Server and TrueSight Infrastructure Management
Operators oper

Default operator user for the TrueSight Presentation Server and TrueSight Infrastructure Management
Supervisors user

Default supervisor user for the TrueSight Presentation Server and TrueSight Infrastructure Management
Viewers None NA
WS Full Access None NA

After you register an App Visibility portal in the TrueSight console, a new user, App_Visibility_Internal_<tspsHostID>, is automatically added to Remedy Single Sign-On. This is an internal user with a randomly generated password and should not be changed.

For more information about default users and passwords, see  Default users and user groups .

Default authorization profiles and menu access

The following table lists the default authorization profiles and the default  user groups  and roles that compose them. To help you determine whether the default authorization profiles meet the access requirements of your organization, the last column in the table shows the menu options available to users in each default authorization profile. 

Profile User groups Roles Menu access
Solutions Administrator Administrators Super Admin

Dashboards

Monitoring

  • Applications
  • Devices
  • Events
  • Groups
  • Services

Configuration

  • Applications
  • Application Discovery
  • Global Thresholds
  • Groups
  • Integration Service Clusters
  • Managed Devices
  • Policies
  • Synthetic Scripts
  • Time Frames

Administration

  • Remedy SSO
  • Authorization Profiles
  • Components
  • Integrations
  • PATROL Agent ACLs
  • Repository
  • Roles
  • User Accounts
  • App Visibility Agents
  • App Visibility Agent Policies

TrueSight Smart Reporting

Application Specialist–Services

Central Monitoring Administrators

Monitoring Administrators 

Service Model Administrators

Supervisors 

WS Full Access 

Blackout Administrator 

Data Collection Administrator

Deployment Administrator 

Event Administrator 

Event Supervisor 

Monitoring Administrator

Service Administrator 

Service Supervisor 

Web Services Access 

Dashboards

Monitoring

  • Applications
  • Devices
  • Events
  • Groups
  • Services

Configuration

  • Applications
  • Application Discovery
  • Global Thresholds
  • Groups
  • Integration Service Clusters
  • Managed Devices
  • Policies
  • Synthetic Scripts
  • Time Frames

Administration

  • Components
  • App Visibility Agents
  • App Visibility Agent Policies
  • Repository

TrueSight Smart Reporting

Application Specialist–Applications

Central Monitoring Administrators

Monitoring Administrators 

Service Model Administrators  

Supervisors  

WS Full Access  

Application Operator 

Application Supervisor 

Blackout Administrator 

Data Collection Administrator

Deployment Administrator 

Event Administrator 

Event Supervisor  

Monitoring Administrator

Service Administrator 

Service Supervisor  

Web Services Access  

 

Dashboards

Monitoring

  • Applications
  • Devices
  • Events
  • Groups
  • Services

Configuration

  • Applications
  • Application Discovery
  • Global Thresholds
  • Groups
  • Integration Service Clusters
  • Managed Devices
  • Policies
  • Synthetic Scripts
  • Time Frames

Administration

  • Components
  • App Visibility Agents
  • App Visibility Agent Policies
  • Repository

TrueSight Smart Reporting
Technology Specialist

Central Monitoring Administrators

Monitoring Administrators 

Supervisors 

WS Full Access 

Blackout Administrator 

Data Collection Administrator

Deployment Administrator 

Event Administrator 

Event Supervisor 

Monitoring Administrator

Service Supervisor 

Web Services Access 

Dashboards

Monitoring

  • Applications
  • Devices
  • Events
  • Groups
  • Services

Configuration

  • Applications
  • Application Discovery
  • Global Thresholds
  • Groups
  • Integration Service Clusters
  • Managed Devices
  • Policies
  • Synthetic Scripts
  • Time Frames

Administration

  • Components
  • App Visibility Agents
  • App Visibility Agent Policies
  • Repository

TrueSight Smart Reporting
IT Operations User Operators

Application Operator

Data Collection Operator 

Event Operator 

Service Operator

Dashboards

Monitoring

  • Devices
  • Events
  • Groups
  • Services
Service Manager

Central Monitoring Administrators

Model Administrators

Monitoring Administrators 

Supervisors 

WS Full Access 

Event Administrator 

Service Administrator 

Event Supervisor 

Service Supervisor 

Data Collection Administrator 

Web Services Access 

Blackout Administrator 

Deployment Administrator 

Monitoring Administrator

Dashboards

Monitoring

  • Applications
  • Devices
  • Events
  • Groups
  • Services

Configuration

  • Applications
  • Application Discovery
  • Global Thresholds
  • Groups
  • Integration Service Clusters
  • Managed Devices
  • Policies
  • Synthetic Scripts
  • Time Frames

Administration

  • Components
  • App Visibility Agents
  • App Visibility Agent Policies
  • Repository

TrueSight Smart Reporting
Executive Viewers Read Only

Dashboards

Monitoring

  • Applications
  • Devices
  • Events
  • Groups
  • Services
Capacity Administration Capacity_Administration Capacity Administrator

Dashboards

Administration

  • Remedy SSO
  • Components
  • Capacity Views
  • User Accounts
Capacity View Capacity_View Capacity Operator

Dashboards

Capacity Views

Related topics

Default users and user groups

PATROL Agent ACLs

Security planning for Presentation Server

Updating the configuration of Remedy SSO for the Presentation Server authentication

Was this page helpful? Yes No Submitting... Thank you
Last modified by Harihara Subramanian on May 29, 2018
requirements planning concept security authorization access_control atrium_sso tsps remedy_sso sso

Comments

Security considerations for TrueSight Operations Management
Network ports
© Copyright 2015-2018 BMC Software, Inc. © Copyright 2013-2018 BladeLogic, Inc.
Legal notices

Powered by Atlassian Confluence and Scroll Viewport