Managing dataset permissions
For fresh installations and upgrades, all users have read and write access to the data in the datasets. All users, provided they have appropriate permissions, can perform create, read, update, and delete operations on the data. However, you can restrict certain users from making changes to the data. You can do this using the dataset level permissions, which ensures data security at the dataset level.
Dataset level permissions can be configured only for user groups or user roles and cannot be configured for individual users. When user groups or user roles are assigned permissions for a particular dataset, the users of that groups or roles get read and write access for the assigned dataset. All other user groups or roles continue to have only read access to the particular dataset.
Remedy Application Service (RAS) is a user account used by Remedy applications for integration with other Remedy applications. This account and the accounts used by Installers, Distributed Servers and Escalation are treated as special accounts. They are excluded from dataset permissions.
ADDMGroup and OtherGroup have access to BMC.ADDM dataset. By default, all users belonging to these user groups have permissions to create, read, update, and delete data. Consider that ADDM administrator does not want other users to modify the data in the BMC.ADDM dataset. The administrator configures dataset permissions for BMC.ADDM dataset and selects the ADDMGroup, thereby allowing users of ADDMGroup to create, read, update, delete data in BMC.ADDM dataset. However, the users of OtherGroup will continue to have read access to data in BMC.ADDM dataset.
Controlling client write access to datasets
By default, all BMC CMDB clients can create, modify, and delete instances in a dataset. However, you can choose to restrict this write access to one or more specific clients: BMC Impact Solutions Publishing Server, BMC Impact Model Designer, and the Reconciliation Engine. When you do this, BMC CMDB users cannot write to the dataset with a browser. You can also set a dataset to have no write access whatsoever.
Consider restricting write access to your production dataset. By allowing only the Reconciliation Engine to write to your production dataset, you prevent unauthorized changes to your single source of reference. Changes then must be made to other datasets and then reconciled to the production dataset.
To assign permissions to a dataset
The following steps explain how to assign dataset permissions:
- In the Atrium Core Console, open the Dataset Configuration application.
- Select the desired dataset. In the Permissions list, select the desired group and roles.
- Click Save.