Role-based access

Role-based access (RBAC) to the features and components comprised in TrueSight Operations Management is enabled by persona-based authorization profiles. Each authorization profile is associated with one or more BMC Remedy Single Sign-On realms and comprises user groups, roles and permissions, and objects. Collectively, the authorization profile components determine the features and objects that users can access and monitor. You can use each default authorization profile as is, you can modify its attributes, or you can create your own authorization profiles.

This topic provides an overview of authorization profiles and the components that compose them.

Overview of the RBAC process

To configure access control, you must complete the following steps:

Step

Task

Resource

1

Set up users and user groups in Remedy Single Sign-On.

Managing users and user groups

2

Create or modify the components that compose an authorization profile. You can create or modify these components in any order.

Managing roles

Specifying objects

Creating, editing, and deleting PATROL Agent ACLs

3

Modify the default authorization profiles or create new ones.

Managing authorization profiles

Realms and tenants

Tenants or realms segment users in Remedy Single Sign-On and enable multitenancy support. In TrueSight Operations Management, each realm represents a tenant.

The * tenant (realm), with default user groups and users , is created in Remedy Single Sign-On when you install the TrueSight Presentation Server component.

For information about supported versions of BMC Remedy Single Sign-On, see System requirements for Presentation Server.

Authorization profile structure

The following diagram illustrates the basic structure of an authorization profile. Each profile is associated with one or more realms and comprises user groups, roles and permissions, and objects. You can use each default authorization profile as is, you can modify any of its elements, or you can create your own authorization profiles.

The Superadmin in the * tenant (realm) can create and modify authorization profiles and apply them to multiple tenants. Authorization profiles created by tenant administrators apply to users of that tenant. For more information about tenant user administration, see Access control for SaaS administrators .

Authorization Profile components

When creating an authorization profile,

you must already know the user groups, roles, and objects required for the new profile. You cannot create or modify components during the creation of the authorization profile.

See the following topics for more information about modifying and creating the required elements:

Default authorization profiles

The following persona-based authorization profiles are created in the TrueSight Presentation Server for the * tenant (realm) during the installation of the TrueSight Presentation Server component:

API-Only User
Application Specialist–Applications
Application Specialist–Services
Capacity Administration
Capacity Planning
Capacity View
Cloud Cost Control
Cloud Cost Control Consumer
Executive
IT Operations User
Service Manager
Solution Administrator
Technology Specialist

Solution Administrator profile

By default, users in the Solution Administrator profile are associated with the roles, permissions, and objects that enable those users to access all features in the products, including the ability to modify and create authorization profiles.

The following table shows the user groups, roles and permissions, and objects the compose the Solution Administrator authorization profile. However, you must note the following restrictions:

The Solution Administrator profile has unrestricted access to all realms, all features, and all objects in the TrueSight Operations Management solution.
A non-Solution Administrator user belonging to the * (default) realm do not have an unrestricted access to objects in other realms.

Solution Administrator
* tenant (realm)
User Groups	Roles and Permissions		Objects
Administrators	Super Admin	All Permissions Assigned	Category	Types	Sources	Objects
			TrueSight Presentation	Monitoring Policy Configuration Types PATROL Solutions PATROL Agent ACLs Devices Event Groups Groups Applications Services Shared Dashboards (available from version 11.3.03)	TrueSight Presentation Server	All Object Access
			TrueSight Infrastructure	Views Monitor Groups CIs Component Folders Event Folders	Not applicable	All Object Access

Predefined user groups and users

When you install TrueSight Presentation Server, the following out-of-the-box user groups and users are created in your Remedy Single Sign-On (SSO) server for the default * tenant. Not all out-of-the-box user groups contain out-of-the-box users. The out-of-the-box user groups have default permissions. You can enable the out-of-the-box user group and provide an out-of-the-box user group name to it. After checking the authorization profile associated with the user group, you will be permitted to login.You can enable the out-of-the-box user group and give it a name using the tssh CLI command. For more information see tssh commands.

Out-of-the-box user groups	Out-of-the-box users	Description
Administrators	admin	Out-of-the-box administrator user
	bppmws_internal	Internal user that supports: Distributed Service Models Cloud Lifecycle Management integration BMC Service Resolution integration
	csm_user	Internal user that supports: Cloud Lifecycle Management integration BMC Change Management integration BMC Service Resolution integration
API Group	apiuser	Internal user that supports TrueSight Capacity Optimization Integration BMC - TrueSight Operations Management 10.1/10.5/10.7/11.0/11.3 Extractor BMC - TrueSight Operations Management 10.1/10.5/10.7/11.0/11.3 Generic Extractor
Capacity_Administration	None	Users in this group have access to the Administration, Capacity, and Cloud Cost Control sections in the TrueSight console. The users can perform all administrative activities and have access to the Administration section in the TrueSight Capacity Optimization console as well.
Capacity_View	None	Users in this group can view the Capacity section (Views and Investigate) in the TrueSight console, and Reports section in the TrueSight Capacity Optimization console. The users cannot perform administrative activities such as creating custom views.
Capacity_Planning	None	Users in this group can perform all capacity planning related activities. The users have access to the Capacity section (Views and Investigate) in the TrueSight console, and to all sections in the TrueSight Capacity Optimization console, except the Administration section. The users can create and edit views, and view and edit Investigate studies. The users cannot perform administrative activities in the TrueSight Capacity Optimization console.
Cloud_Cost_Control	None	Users in this group can view and analyze cloud costs across all dimensions such as cloud provider, cloud service, and so on. The users have access to all pages in the Cloud Cost Control section. Also, the users can access all the entities (such as business services, cost pools, resources). The users cannot perform administrative activities in the TrueSight Capacity Optimization console.
Cloud_Cost_Control_Consumer	None	Users in this group can perform limited functions and access only the following pages in the Cloud Cost Control section in the TrueSight console: Budget Business Services Cost Pools Servers Cost Optimization The users cannot perform administrative activities. The administrative user needs to configure access groups in the TrueSight Capacity Optimization console to allow the users access to the required entities such as domains, cost pools, and resources.
Central Monitoring Administrators	None	NA
Model Administrators	service_admin	Default service model administration user for the TrueSight Presentation Server and TrueSight Infrastructure Management
Monitoring Administrators	event_admin	Default event administration user for the TrueSight Presentation Server and TrueSight Infrastructure Management
Operators	oper	Default operator user for the TrueSight Presentation Server and TrueSight Infrastructure Management
Supervisors	user	Default supervisor user for the TrueSight Presentation Server and TrueSight Infrastructure Management
Viewers	None	NA
WS Full Access	None	NA

After you register an App Visibility portal in the TrueSight console, a new user, App_Visibility_Internal_<tspsHostID>, is automatically added to Remedy Single Sign-On. This is an internal user with a randomly generated password and should not be changed.

For more information about default users and passwords, see Default users and user groups .

Default authorization profiles and menu access

The following table lists the default authorization profiles and the default user groups and roles that compose them. To help you determine whether the default authorization profiles meet the access requirements of your organization, the last column in the table shows the menu options available to users in each default authorization profile.

Profile	User groups	Roles	Menu access
Solutions Administrator	Administrators	Super Admin	Dashboards Monitoring Applications Devices Events Groups Services Configuration Applications Application Discovery Global Thresholds Groups Integration Service Clusters Managed Devices Policies Synthetic Scripts Time Frames Administration Remedy SSO Authorization Profiles Components Integrations PATROL Agent ACLs Repository Roles User Accounts App Visibility Agents App Visibility Agent Policies TrueSight Smart Reporting
Application Specialist–Services	Central Monitoring Administrators Monitoring Administrators Service Model Administrators Supervisors WS Full Access	Blackout Administrator Data Collection Administrator Deployment Administrator Event Administrator Event Supervisor Monitoring Administrator Service Administrator Service Supervisor Web Services Access	Dashboards Monitoring Applications Devices Events Groups Services Configuration Applications Application Discovery Global Thresholds Groups Integration Service Clusters Managed Devices Policies Synthetic Scripts Time Frames Administration Components App Visibility Agents App Visibility Agent Policies Repository TrueSight Smart Reporting
Application Specialist–Applications	Central Monitoring Administrators Monitoring Administrators Service Model Administrators Supervisors WS Full Access	Application Operator Application Supervisor Blackout Administrator Data Collection Administrator Deployment Administrator Event Administrator Event Supervisor Monitoring Administrator Service Administrator Service Supervisor Web Services Access	Dashboards Monitoring Applications Devices Events Groups Services Configuration Applications Application Discovery Global Thresholds Groups Integration Service Clusters Managed Devices Policies Synthetic Scripts Time Frames Administration Components App Visibility Agents App Visibility Agent Policies Repository TrueSight Smart Reporting
Technology Specialist	Central Monitoring Administrators Monitoring Administrators Supervisors WS Full Access	Blackout Administrator Data Collection Administrator Deployment Administrator Event Administrator Event Supervisor Monitoring Administrator Service Supervisor Web Services Access	Dashboards Monitoring Applications Devices Events Groups Services Configuration Applications Application Discovery Global Thresholds Groups Integration Service Clusters Managed Devices Policies Synthetic Scripts Time Frames Administration Components App Visibility Agents App Visibility Agent Policies Repository TrueSight Smart Reporting
IT Operations User	Operators	Application Operator Data Collection Operator Event Operator Service Operator	Dashboards Monitoring Devices Events Groups Services
Service Manager	Central Monitoring Administrators Model Administrators Monitoring Administrators Supervisors WS Full Access	Event Administrator Service Administrator Event Supervisor Service Supervisor Data Collection Administrator Web Services Access Blackout Administrator Deployment Administrator Monitoring Administrator	Dashboards Monitoring Applications Devices Events Groups Services Configuration Applications Application Discovery Global Thresholds Groups Integration Service Clusters Managed Devices Policies Synthetic Scripts Time Frames Administration Components App Visibility Agents App Visibility Agent Policies Repository TrueSight Smart Reporting
Executive	Viewers	Read Only	Dashboards Monitoring Applications Devices Events Groups Services
Capacity Administration	Capacity_Administration	Capacity Administrator	Dashboards Administration Remedy SSO Components Capacity Views User Accounts
Capacity View	Capacity_View	Capacity Operator	Dashboards Capacity Views Views Investigate
Capacity Planning	Capacity_Planning	Capacity Planner	Dashboards Capacity Views Views Investigate
Cloud Cost Control	Cloud_Cost_Control	Cloud Planner	Dashboards Cloud Cost Control
Cloud Cost Control Consumer	Cloud_Cost_Control_Consumer	Cloud Consumer	Dashboards Cloud Cost Control

Role-based access

Overview of the RBAC process

Authorization profile structure

Default authorization profiles

Predefined user groups and users

Default authorization profiles and menu access

Related topics

Comments