This documentation supports the 9.1 to 9.1 Service Pack 3 version and its patches of BMC Atrium Core. The documentation for version 9.1.04 and its patches is available here.


Understanding instance permissions

Multitenancy enables you to control which records and configuration data are exposed to a user, based on the user's membership in a company, business unit, or other group. To support multitenancy, Drift Management offers a flexible permissions model that lets you grant read permission to instances of drift data in the Drift Console.

Within BMC Atrium CMDB, multitenancy means that one BMC Atrium CMDB holds data about the IT environments of multiple companies, usually in the case of an IT service provider, and each company has access only to its own data. Each company's data is represented in the BMC Atrium CMDB as an account.

For each class in each account, you can specify default read and write permissions to be applied to newly created instances. You can also specify default permissions to be applied to all classes that do not have specific permissions defined. You can override these default permissions for a particular instance by specifying permissions for the instance.

Important

Drift Management inherits the instance access as currently defined within BMC Atrium CMDB. Drift Management does not make any changes to this level of access.

To have read or write access to drift components, users must belong to the appropriate base groups (Drift Master, Drift Admin, or Drift Viewer) and belong to at least one of the groups identified by the Drift Master when the component is being created or modified.

Drift Management provides the ability to control who can view and modify the following Drift Management components:

  • Drift Reports
  • Snapshot or comparison jobs
  • Authoring components: baselines, targets, qualification sets, include sets and exclude sets

The Drift Master defines instance access to the Drift Management components when the components are created, by using the Accessible To field. This field is on all Drift Management wizards, authoring components, and job components.

Defining instance permissions

In the Accessible To field, the Drift Master selects the groups that can have access to that data. More than one group can have permission to view instances in Drift Management components.

To define instance permissions

  1. As a Drift Master, open one of the Drift Management wizards, authoring components, or job components.
  2. Use the Accessible To field to select the groups that can have access permission.
  3. Continue defining the Drift Management components.

Important

Be careful when deleting groups from the Accessible To field for a comparison job, because you might lose permissions to the underlying baselines and targets.

Examples of Drift Management instance permissions

Access to specific Drift Management components is defined when the Drift Master creates a new job, baseline, or target. This section provides examples of how Drift Management roles work in conjunction with instance permissions. The examples use the users and group memberships shown in the following table.

 Example Drift Management permission groups

| User | Belongs to these groups |
|---|---|
| Frank Field | Drift Master, Cisco, Juniper |
| Tom Target | Drift Master, AMD, Intel, IT |
| Betty Baseline | Drift Master, Cisco |
| Johnny Job | Drift Admin, Cisco |
| Colin Column | Drift Admin, Juniper |
| Jennifer Java | Drift Viewer, Cisco |
| Cheryl Change-Request | Juniper, Intel, Cisco, IT, AMD |
| Jessica | Drift Admin, AMD |

Example 1

When creating a baseline, Drift Master Frank Field grants the Cisco and Juniper groups data access to the baseline.

Question: From the list of users, who can view and modify the baseline?

Answer: Frank and Betty. Tom has Drift Master permission, but no permission to Cisco and Juniper. Betty has Drift Master and Cisco permission. Johnny Job has Cisco permission, but belongs to the Drift Admin (not Drift Master) group.

Example 2

When creating a target, Tom provides access to the AMD group.

Question: Who can view and modify the target?

Answer: Tom, Cheryl, and Jessica.

Example 3

Frank and Betty want to create a comparison job.

Question: When using the Comparison Job Wizard, will they see the target listed in the target library that Tom created?

Answer: No. Although Frank and Betty are Drift Masters, Frank and Betty do not belong to the same groups as Tom. They do not have AMD, Intel, or IT permissions.

Example 4

Frank and Betty create a job and select Cisco as the access group.

Question: Who can execute the job?

Answer: Frank, Betty, and Johnny.

Question: Who can view the Drift Reports created by the job?

Answer: Frank, Betty, Johnny, and Jennifer.

Example 5

Tom creates a job and selects AMD as the Accessible To group.

Question: Who can execute the job?

Answer: Only Tom and Jessica can execute the job.

Question: Who can view the Drift Reports created by the job?

Answer: Only Tom and Jessica can view the Drift Reports. Cheryl only has access to the Drift Dashboard.
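The two-part check described on this page (an appropriate base group plus at least one group from the Accessible To field) can be modeled for an access review as follows. This is an added illustration, not BMC code: the `ACTION_ROLES` mapping and all function names are assumptions, inferred from Examples 1, 4, and 5 because the page gives no role matrix.

```python
# Added illustration, not BMC code: base group AND Accessible To group.
BASE_GROUPS = {"Drift Master", "Drift Admin", "Drift Viewer"}

# Assumption inferred from Examples 1, 4 and 5: base groups per action.
ACTION_ROLES = {
    "modify_authoring": {"Drift Master"},
    "execute_job": {"Drift Master", "Drift Admin"},
    "view_report": {"Drift Master", "Drift Admin", "Drift Viewer"},
}

# Users and memberships from the page's example table.
USERS = {
    "Frank": {"Drift Master", "Cisco", "Juniper"},
    "Tom": {"Drift Master", "AMD", "Intel", "IT"},
    "Betty": {"Drift Master", "Cisco"},
    "Johnny": {"Drift Admin", "Cisco"},
    "Colin": {"Drift Admin", "Juniper"},
    "Jennifer": {"Drift Viewer", "Cisco"},
    "Cheryl": {"Juniper", "Intel", "Cisco", "IT", "AMD"},
    "Jessica": {"Drift Admin", "AMD"},
}


def checks(user, action, accessible_to):
    """Return (has qualifying base group, shares an Accessible To group)."""
    groups = USERS[user]
    # Base groups are roles, not data groups, so exclude them from the match.
    data_groups = groups - BASE_GROUPS
    return (bool(groups & ACTION_ROLES[action]),
            bool(data_groups & set(accessible_to)))


def who_can(action, accessible_to):
    """Users who pass both halves of the check, sorted by name."""
    return sorted(u for u in USERS if all(checks(u, action, accessible_to)))


def explain_denials(action, accessible_to):
    """For an access review: which half of the check each denied user fails."""
    labels = ("base group", "Accessible To group")
    denied = {}
    for user in USERS:
        result = checks(user, action, accessible_to)
        if not all(result):
            denied[user] = [name for name, ok in zip(labels, result) if not ok]
    return denied
```

`explain_denials` shows why a user is excluded: in Example 5, Cheryl is in AMD but fails the base-group half, while in Example 1 Tom is a Drift Master but fails the Accessible To half.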
