This documentation supports the 9.1 to 9.1 Service Pack 3 version and its patches of BMC Atrium Core. The documentation for version 9.1.04 and its patches is available here.


Roles, instance permissions, and row-level access in BMC Atrium Core

This section discusses roles, instance permission, and row-level access for BMC Atrium Core.


The CMDB Data View and CMDB Data Change roles do not completely control access to instances in BMC Atrium CMDB. They control access to the contents of instances in general. But to view or modify a specific instance, you must also have row-level access to that instance. A class attribute controls row-level security and another one controls write security. These attributes and the CMDB Data View and CMDB Data Change roles work together:

  • CMDBRowLevelSecurity — Users who are members of a group with row-level access have permission to view the instance if they also have the CMDB Data View or CMDB Data Change role.
  • CMDBWriteSecurity — Users who are members of a group with write access have permission to modify the instance if they also have row-level access and the CMDB Data View role. This permission is useful for giving someone write access to a specific instance without giving write access to all instances with one of the CMDB Data Change roles.

If you have row-level access to an instance but not the CMDB Data View role, you cannot view the instance. If you have the CMDB Data Change role but not row-level access to an instance, you cannot view or modify the instance. The CMDB Data View All and CMDB Data Change All roles have row-level access to all instances and do not depend on the CMDBRowLevelSecurity attribute.

For example, suppose a service provider has created groups named SolarisGroup and WindowsGroup. The service provider wants the SolarisGroup to have write access to certain CIs, and the WindowsGroup to have read access to those CIs. The service provider assigns both groups to the CMDB Data View role, and then adds both groups to the CMDBRowLevelSecurity attribute value for each CI, giving everyone in those groups read access to those CIs. The service provider then adds the SolarisGroup to the CMDBWriteSecurity attribute for the CIs that its members should be able to modify.

The following table shows another example. Joe is a member of the Service Desk group and has the CMDB Data View role, and Jane is a member of the Change Team group and has the CMDB Data Change role. They are both members of the All Hands group.

Example instance permissions using roles and security attributes

InstanceId | CMDBRowLevelSecurity attribute | CMDBWriteSecurity attribute | Joe can read | Joe can write | Jane can read | Jane can write
1          | NULL                           | NULL                        |              |               |               |
2          | NULL                           | Service Desk                |              |               |               |
3          | Service Desk                   | NULL                        | Yes          |               |               |
4          | Service Desk                   | Service Desk                | Yes          | Yes           |               |
5          | Change Team                    | NULL                        |              |               | Yes           | Yes
6          | All Hands                      | NULL                        | Yes          |               | Yes           | Yes
7          | All Hands                      | Service Desk                | Yes          | Yes           | Yes           | Yes
Neither user can read or write to instances 1 and 2, which have no group specified for row-level security. Neither write security nor the CMDB Data View and CMDB Data Change permission roles have any effect without row-level security.
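The read/write decision described above, as an added example that is not BMC code: the role and attribute names are the page's, while the users, groups and instances are constructed here to mirror the example table (None stands for NULL).

```python
# Added example (not BMC code): a model of the read/write decision described
# on this page. Role and attribute names are the page's; users, groups and
# instances below are constructed to mirror the example table.
VIEW, CHANGE = "CMDB Data View", "CMDB Data Change"
VIEW_ALL, CHANGE_ALL = "CMDB Data View All", "CMDB Data Change All"

def has_row_access(user_groups, row_level_security):
    """Row-level access: CMDBRowLevelSecurity names a group the user is in.
    NULL (None) means no group is listed, so nobody has row-level access."""
    if not row_level_security:
        return False
    return bool(set(user_groups) & set(row_level_security))

def can_read(user_roles, user_groups, instance):
    # The "All" roles have row-level access to every instance; otherwise a
    # View/Change role AND row-level access are both required.
    if VIEW_ALL in user_roles or CHANGE_ALL in user_roles:
        return True
    if not (VIEW in user_roles or CHANGE in user_roles):
        return False
    return has_row_access(user_groups, instance["CMDBRowLevelSecurity"])

def can_write(user_roles, user_groups, instance):
    if CHANGE_ALL in user_roles:
        return True
    # Nothing in CMDBWriteSecurity matters unless the instance is readable.
    if not can_read(user_roles, user_groups, instance):
        return False
    if CHANGE in user_roles:
        return True
    # CMDB Data View users write only via a CMDBWriteSecurity group.
    write_groups = instance["CMDBWriteSecurity"] or []
    return VIEW in user_roles and bool(set(user_groups) & set(write_groups))

# Constructed users and instances mirroring the table (None stands for NULL).
JOE = (["CMDB Data View"], ["Service Desk", "All Hands"])
JANE = (["CMDB Data Change"], ["Change Team", "All Hands"])
INSTANCES = {
    1: (None, None), 2: (None, ["Service Desk"]),
    3: (["Service Desk"], None), 4: (["Service Desk"], ["Service Desk"]),
    5: (["Change Team"], None), 6: (["All Hands"], None),
    7: (["All Hands"], ["Service Desk"]),
}

def permission_table():
    """Return {InstanceId: (Joe read, Joe write, Jane read, Jane write)}."""
    out = {}
    for iid, (rls, ws) in INSTANCES.items():
        inst = {"CMDBRowLevelSecurity": rls, "CMDBWriteSecurity": ws}
        out[iid] = (can_read(*JOE, inst), can_write(*JOE, inst),
                    can_read(*JANE, inst), can_write(*JANE, inst))
    return out
```

Running permission_table() reproduces the Yes cells of the table row by row, and also shows why rows 1 and 2 stay empty: with a NULL CMDBRowLevelSecurity, neither the roles nor CMDBWriteSecurity grant anything.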

Recommendations

You can automatically configure row-level security at the instance level using the Normalization Engine. The Normalization Engine includes rules that set the row-level and attribute-level permissions on CIs as you define them. For more information, see Normalization and instance permissions.

If BMC Atrium CMDB represents just one organization, use the CMDB Data View All and CMDB Data Change All roles for users. If you are using BMC Atrium CMDB for a multitenancy environment, use the CMDB Data View and CMDB Data Change roles with the CMDBRowLevelSecurity and CMDBWriteSecurity attributes.

Note

BMC Remedy IT Service Management (ITSM) uses instance permissions by means of the Company field. If you are planning to use BMC Remedy ITSM, see multi-tenancy before implementing instance permissions.
