Security permissions required for operations
The following list shows which capability and access types are needed for which basic operation. The capabilities and access rights listed are the minimum requirements to execute these operations; the administrator can, of course, have more extensive permissions than those. For example, where Write Access Deny is specified, this means that no write access is necessary to execute the operation, but the administrator can still be assigned write access to these objects.
Groups are divided into two different types: those with and those without the capability populate. User and device groups have the additional capability populate. The capabilities for administrator groups are the same as for administrators, so they do not have the capability populate. Administrator groups are treated not as groups but as folders; to learn about their basic operating principles, see the explanations concerning folders in the following paragraphs.
Also be aware that, to be able to assign or modify access rights for other administrators, you must also be assigned the capability Manage Security.
To create or delete an object in a folder
When you want to create an object within a folder or delete one from a folder you need the following capabilities and access rights:
- View and manage capabilities of the object type,
- Write access on the object under which the new one is created.
By default the administrator creating the new object has read/write/assign access on this new object.
Example
To create a new operational rule under a folder called Your Operational Rules, or to delete it, you need:
Capabilities | Access Rights |
---|---|
View Operational Rules | Read Allow, Write Deny on the Operational Rules top node, |
Manage Operational Rules | Read Allow and Write Allow on the folder Your Operational Rules. |
To create or delete an object in/from a group
To create an object within a group or to delete it from there you need the following capabilities and access rights:
- View and populate capabilities on the group.
- Write access on the object itself and its parent.
Example
To delete a device called Your Device from the group called AllYourDevices you need:
Capabilities | Access Rights |
---|---|
View Devices and Device Groups | Read Allow, Write Deny on the Device Groups top node, |
Manage Devices | Read Allow and Write Allow on the group AllYourDevices and the device called Your Device. |
Populate Device Groups | |
To modify an object
To modify the attributes of an object you need the following capabilities and access rights:
- View and manage capabilities of the object type,
- Read and write access on the object.
To export an object
To export an object from the console you need the following capabilities and access rights:
- View capability of the object type,
- Read access on the object to be exported.
To import an object
When you want to import an object you need the following capabilities and access rights:
- View and manage capabilities of the object type,
- Write access on the object under which the new one is imported (created).
By default the administrator importing the object has read/write/assign access on this new object.
To manage access rights (security) of an object
To be able to modify the security profile of an object you need the following capabilities and access rights:
- View and manage Security Profile capabilities,
- View capability on administrators,
- View capability on the object type,
- Write access on the object for which the access rights are to be modified.
Example
To modify the access rights that administrator France has on a specific device, the Master Server, you need the following permissions:
Capabilities | Access Rights |
---|---|
View and Manage Security Profile | Read Allow, Write Deny on the Device Groups top node, |
View Administrators | Read Allow and Write Allow on the group AllYourDevices and the device called Master Server. |
View Devices | |
To add or remove an object to/from a folder
To add an object to or remove an object from a folder you need the following capabilities and access rights:
- View and manage capabilities on the object type,
- Read and write access on the parent object to/from which the child object is to be added/removed, and read access on the child.
Example
To add a query All Devices to an existing folder, General Queries, you need:
Capabilities | Access Rights |
---|---|
View Queries | Read Allow, Write Deny on the Queries top node, |
Manage Queries | Read Allow and Write Allow on the folder General Queries and Read Allow on the query All Devices. |
To add or remove an object to/from a group
To add an object to or remove it from a group you need the following capabilities and access rights:
- View and populate capabilities on the group (parent object type), and view capability on the member (child object type),
- Read and write access on the group (parent object) to/from which the member (child object) is to be added, and read access on the child.
Example
To add a device Your Device to an existing device group, Your Device Group, you need:
Capabilities | Access Rights |
---|---|
View Device Groups | Read Allow, Write Deny on the Device Groups top node, |
Populate Device Groups | Read Allow and Write Allow on the device group Your Device Group and |
View Devices | Read Allow on the device Your Device. |
To move (cutting and pasting) an object
The cut and paste operation on an object is divided into two different actions, the cut action and the paste action, because cut objects, depending on their type, can be pasted under more than one parent object. For this you need:
- View and manage or populate (for device and user groups) capabilities on the object type,
- Read and write access on the old and new parent object, and read access on the object to be cut and pasted.
Example
In this example we will cut the Your Operational Rule object from its current parent, the Your Operational Rules folder, and paste it under a new folder called Test Rules:
Capabilities | Access Rights |
---|---|
View Operational Rules | Read Allow, Write Deny on the Operational Rules top node, |
Manage Operational Rules | Read Allow and Write Allow on the objects Your Operational Rules and Test Rules, as well as Read Allow on the object Your Operational Rule. |
To duplicate (copy and paste) an object
Similar to the cut and paste operation, the copy and paste operation is also split into two operations. Only administrators, devices, users, and device and user groups can be copied from one location to another (be duplicated), as they can be members of more than one group. You can also duplicate members of folders, but in this case the pasted member must be given a new name. For this you need:
- View and manage or populate (for device and user groups) capabilities of the object type,
- Read and write access on both the old and the new parent object, and read access on the object to be copied.
Duplicating an object requires exactly the same capabilities and access rights as the copy and paste operation.
Example
For the following example we want to copy a device which belongs to a group called HQ Devices to another group called Servers:
Capabilities | Access Rights |
---|---|
View Device Groups | Read Allow, Write Deny on the Device Groups top node, |
Populate Device Groups | Read Allow and Write Allow on the groups HQ Devices and Servers, |
View Devices | as well as Read Allow on the device. |
To synchronize with a directory server
All groups, including the administrator groups, can be synchronized with a directory server in Client Management. For this, the administrator needs the following capabilities and access rights:
- View, manage and populate capabilities on device/user groups (parent), or view and manage capabilities on administrators (parent),
- View capability on devices/users,
- View and manage capability on directory servers (child),
- Read and Write access on the device/user group (parent), or Read and Assign access on the administrator group (parent),
- Read access on the administrators/devices/users, and
- Read and Write access on the directory server (child) if it populates a device or user group, or Read and Assign access if it populates an administrator group.
Example 1
For the following example we synchronize our new device group called MyNewGroup with an existing directory server, called for example AllLabClients:
Capabilities | Access Rights |
---|---|
View Device Groups | Read Allow, Write Deny on the Device Groups top node, |
Manage Device Groups | Read Allow and Write Allow on the group MyNewGroup, |
Populate Device Groups | Read Allow and Write Allow on the directory server AllLabClients, |
View Devices | Read Allow on (some) clients of the directory server. |
View Directory Servers | |
Manage Directory Servers | |
The Manage capability and Write access to the group are necessary because the group name changes to the name of the directory server group as soon as it is synchronized with the server. The Manage capability for the devices is not required, because it is the system that creates the new objects added to the group. For the same reason, you will not be able to see these new group members if you do not have at least Read access to the children of the synchronized group.
Example 2
For the following example we synchronize an administrator group called MyNewAdmins with an existing directory server, called for example AllLabAdmins:
Capabilities | Access Rights |
---|---|
View Administrators | Read Allow and Write Allow on the administrator group MyNewAdmins, |
Manage Administrators | Read Allow and Write Allow on the directory server AllLabAdmins, |
View Directory Servers | Read Allow on (some) administrators of the directory server. |
Manage Directory Servers | |
The Manage capability and Write access to the group are necessary because the group name changes to the name of the directory server group as soon as it is synchronized with the server.
To manage assignments
The following table recapitulates the required capabilities and access rights to manage assignments between the different non-modifying database objects with the understanding that the view capability as well as read access is always required on both the parent and child object:
Parent | Child | Child Capabilities | Parent Access | Child Access |
---|---|---|---|---|
Custom Compliance Rule | Report | Assign Report | Assign | Read |
Device | Custom Compliance Rule | Assign Compliance Rule | Assign | Read |
Device | Inventory Filter | Assign Filters | Assign | Read |
Device | Managed Application | Manage Managed Applications | Assign | Read |
Device | Application List | Assign Application Lists | Assign | Read |
Device | Licensed Software | Assign Licensed Software | Assign | Read |
Device | Operational Rule | Assign Operational Rules | Assign | Read |
Device | Package | Assign Packages | Assign | Read |
Device | Patch Group | Assign Patch Groups | Assign | Read |
Device | Patch Job | Assign Patch Jobs | Assign | Read |
Device | Rollout | Assign Rollout | Assign | Read |
Device | SCAP Job | Assign Compliance Rule | Assign | Read |
Device | Task | Assign Task | Assign | Read |
Device | Transfer Window | Assign Transfer Windows | Assign | Read |
Device Group * | Custom Compliance Rule * | Assign Compliance Rule | Assign | Read |
Device Group | Inventory Filter | Assign Filters | Assign | Read |
Device Group | Managed Application | Manage Managed Applications | Assign | Read |
Device Group | Licensed Software | Assign Licensed Software | Assign | Read |
Device Group | Application List | Assign Application Lists | Assign | Read |
Device Group | Operational Rule | Assign Operational Rules | Assign | Read |
Device Group | Package | Assign Packages | Assign | Read |
Device Group | Patch Group | Assign Patch Groups | Assign | Read |
Device Group | Patch Job | Assign Patch Jobs | Assign | Read |
Device Group | Report | Assign Reports | Assign | Read |
Device Group | Rollout | Assign Rollout | Assign | Read |
Device Group | SCAP Job | Assign Compliance Rule | Assign | Read |
Device Group | Task | Assign Task | Assign | Read |
Device Group | Transfer Window | Assign Transfer Windows | Assign | Read |
Monitored Applications | Schedule Template | Manage Schedule Templates | Assign | Read |
Operational Rule | Task | Assign Task | Assign | Read |
Package | Operational Rule | Manage Operational Rules | Write | Write |
Patch Group | Package | Manage Patch Groups | Write | Write |
Patch Group | Task | Assign Task | Assign | Read |
Prohibited Applications | Schedule Template | Manage Schedule Templates | Assign | Read |
Query | Sub-Report | Manage Reports | Write | Write |
Rollout | Task | Assign Task | Assign | Read |
Rollout | User Account | Populate Rollout | Assign | Read |
Scan Configuration | Scan | Assign Scan | Assign | Read |
Scanner | Scan | Assign Scan | Assign | Read |
SCAP Job | SCAP Package | Manage Compliance Rules | Write | Read |
Target List | Scan | Assign Scan | Assign | Read |
User | Operational Rule | Manage Operational Rules | Assign | Read |
User Group | Operational Rule | Manage Operational Rules | Assign | Read |
\* The assignment of a compliance rule to a device group in this case is used by the compliance rule to check the group members for their compliance.
To populate database objects
The following table recapitulates the required capabilities and access rights to manage assignments between the different database objects concerning their population. Same as with the preceding table, the view capability as well as read access is always required on both the parent and child object:
Parent | Child | Parent Capabilities | Parent Access | Child Access |
---|---|---|---|---|
Administrator Group | Directory Server | Manage Administrators | Write | Read |
Device Group * | Custom Compliance Rule * | Populate Device Groups | Write | Read |
Device Group | Directory Server | Populate Device Groups | Write | Read |
Device Group | Query | Populate Device Groups | Write | Read |
Rollout | Device Group | Populate Rollouts | Write | Read |
Rollout | Target | Populate Rollouts | Write | Read |
User Group | Directory Server | Populate User Groups | Write | Read |
User Group | Query | Populate User Groups | Write | Read |
\* The assignment of a compliance rule to a device group here actually populates the device group with the result of its compliance check, that is, the group will contain all compliant devices, all non-compliant devices or those which could not be evaluated.
To schedule scans and rollouts
The following table recapitulates the required capabilities and access rights to schedule the execution of the different database objects. Same as with the preceding table, the view capability as well as read access is always required on the object:
Object | Capabilities | Access |
---|---|---|
Asset Discovery Scan | Schedule Scans | Write |
SCAP Compliance Scan | Schedule Compliance Rules | Write |
Operational Rule | Schedule Operational Rules | Write |
Rollout | Schedule Rollout | Write |
To configure BMC Helix Client Management
The following table recapitulates the required capabilities and access rights to define the basic configuration of CM functionalities:
Functionality | Capabilities | Access |
---|---|---|
Compliance Management | Configure Compliance Management | Write |
Operating System Deployment | Configure Operating System Deployment | Write |
Patch Group | Configure Patch Groups | Write |
Patch Job | Configure Patch Jobs | Write |
Task Management | Configure Task Management | Write |
To assign or unassign an object to or from a group
To assign an object to a group, or unassign it from one, where the assignment modifies the group's content (queries, directory servers and compliance rules), you need the following capabilities and access rights. Be aware that administrator groups are, as usual, handled like folders (see below), not like groups.
- View and populate capabilities for the group (parent),
- If the directory server is to be synchronized as well, not only assigned, you also need the manage capability,
- View capability on the object to be assigned (child),
- Read and write access on the parent and read access on the child.
Example
To assign a query All Servers to the device group All Servers France you need the following permissions:
Capabilities | Access Rights |
---|---|
View Device Groups | Read Allow, Write Deny on the Device Groups top node, |
Populate Device Groups | Read Allow and Write Allow on the group All Servers France, |
View Queries | and Read Allow on the query All Servers. |
To assign or unassign an object to or from another object
To assign/unassign an object to/from another object, such as operational rules, packages, transfer windows, and so on, you need the following capabilities and access rights:
- View and assign capabilities on the target object (parent),
- View and assign capabilities on the object to be assigned (child),
- Read access on the parent and read and assign access on the child.
Example
To assign a transfer window High Speed Downstream to the device Server France you need the following permissions:
Capabilities | Access Rights |
---|---|
View Devices | Read Allow, Write Deny on the Transfer Windows top node, |
Assign Devices | Read Allow and Assign Allow on the device Server France, |
View Transfer Windows | and Read Allow on the transfer window High Speed Downstream. |
Assign Transfer Windows | |
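The minimum-permission checks from the worked examples above (creating an object in a folder, adding a member to a group, and assigning an object to another object) can be encoded and audited mechanically, which is how a least-privilege review of administrator profiles would be done. The following Python is an added example, not code from BMC or from this documentation; the administrator, its Allow/Deny entries and the ACL layout are constructed, and the encoded requirements follow the page's example tables (Assign access on the device, Read access on the transfer window).

```python
from dataclasses import dataclass

@dataclass
class Requirement:
    """Minimum permissions for one operation: capability names plus, per named
    object, the access types ("Read", "Write", "Assign") that must be Allow."""
    capabilities: frozenset
    access: dict

@dataclass
class Administrator:
    name: str
    capabilities: set
    acl: dict  # (object name, access type) -> "Allow"/"Deny"; absent counts as Deny

def missing_permissions(admin: Administrator, req: Requirement) -> list:
    """List every requirement the admin fails; empty means the operation is permitted.
    Only the required rights are checked, so more extensive permissions never hurt."""
    missing = [f"capability {c}" for c in sorted(req.capabilities - admin.capabilities)]
    for obj, types in req.access.items():
        for access_type in sorted(types):
            if admin.acl.get((obj, access_type)) != "Allow":
                missing.append(f"{access_type} access on {obj}")
    return missing

# Requirements transcribed from the page's worked examples (parent object first).
CREATE_OP_RULE = Requirement(
    frozenset({"View Operational Rules", "Manage Operational Rules"}),
    {"Your Operational Rules": {"Read", "Write"}})
ADD_DEVICE_TO_GROUP = Requirement(
    frozenset({"View Device Groups", "Populate Device Groups", "View Devices"}),
    {"Your Device Group": {"Read", "Write"}, "Your Device": {"Read"}})
ASSIGN_TRANSFER_WINDOW = Requirement(
    frozenset({"View Devices", "Assign Devices", "View Transfer Windows", "Assign Transfer Windows"}),
    {"Server France": {"Read", "Assign"}, "High Speed Downstream": {"Read"}})

# Constructed administrator: every capability above, but Assign on Server France is Deny,
# so the transfer-window assignment must be refused while the other two operations pass.
AUDIT_ADMIN = Administrator(
    name="ops-admin (constructed)",
    capabilities={"View Operational Rules", "Manage Operational Rules", "View Device Groups",
                  "Populate Device Groups", "View Devices", "Assign Devices",
                  "View Transfer Windows", "Assign Transfer Windows"},
    acl={("Your Operational Rules", "Read"): "Allow", ("Your Operational Rules", "Write"): "Allow",
         ("Your Device Group", "Read"): "Allow", ("Your Device Group", "Write"): "Allow",
         ("Your Device", "Read"): "Allow", ("High Speed Downstream", "Read"): "Allow",
         ("Server France", "Read"): "Allow", ("Server France", "Assign"): "Deny"})

if __name__ == "__main__":
    for label, req in [("create rule", CREATE_OP_RULE), ("add device", ADD_DEVICE_TO_GROUP),
                       ("assign window", ASSIGN_TRANSFER_WINDOW)]:
        gaps = missing_permissions(AUDIT_ADMIN, req)
        print(f"{label}: {'permitted' if not gaps else 'missing ' + ', '.join(gaps)}")
```

Because only the required entries are checked, a Write Deny on a top node (as in the example tables) never blocks an operation; only a missing Allow on a required object or a missing capability does.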
To publish a package to master
To publish a package, an administrator needs the following capabilities and access rights:
- Read and Manage Package capability
- Read Device capability
- Write access on the package
To publish on the master:
- Read access on the master for an on-premises environment. On SaaS, this access is not required.
To publish on a relay:
- Read access on the relay