Managing predefined administrator groups

The predefined objects also contain a number of further administrator groups for the following specific security scenarios:

  • Application Administrators
  • Compliance Administrators
  • Helpdesk Administrators
  • Inventory Administrators
  • Patch Administrators
  • Reporting Portal
  • Super Administrators
  • Software Distributors
  • Software Packagers

However, these objects only provide the initial profile for these types of administrators. To be operable, they still need to be assigned their static and dynamic objects with the respective access rights, as well as their members. The following topics guide you through the steps that are necessary to adapt some of these profiles to the policies of your company and your IT environment and to populate them.

To configure the Super Administrator group

Before starting this procedure make sure your directory server is properly configured in CM. You will find information about how to do so in the section dedicated to Directory Servers.

This super administrator profile is an almost exact copy of the predefined admin administrator, with the only difference that it can be edited and modified. This new super administrator thus has full read and write access to all already existing objects as well as any objects that will be created in the BCM database.

  1. Log on to the console with a super administrator or the admin login.
  2. Then go to the Global Settings and the Administrator Groups node.
  3. Select the group called Super Administrators.
  4. Go to the Static Objects tab.
  5. Click the Edit > Add Object menu item.
    The Select Static Objects pop-up window appears.
  6. Select all Top Nodes in the left box.
  7. Click Add.
    The Properties pop-up window appears.
  8. Leave all selections as they are, that is Read, Write and Assign access Allowed and click OK.
  9. Click OK to confirm the selected static objects.
  10. Go to the Dynamic Objects tab.
  11. Click the Edit > Add Results of Query menu item.
    The Select Dynamic Objects pop-up window appears displaying queries that currently exist in the BCM database.
  12. Open the folder BMC Client Management database and select all the queries it contains.

    These queries ensure that the super administrator will be able to see all existing objects of any type as well as those that will be created in the future by any other administrator.

  13. Click OK.
    The Properties pop-up window appears.
  14. Leave the Read, Write and Assign access as they are, that is Allowed, and modify the Direct Access Acknowledgement and Remote Control Acknowledgement access to Not Required.
  15. Click OK to confirm the access rights for the selected queries.

The administrator group, that is, the specific profile for this type of administrator, is now defined and can be populated.

To populate the Super Administrator group from Active Directory

This super administrator profile is an almost exact copy of the predefined admin administrator, with the only difference that it can be edited and modified. This new super administrator thus has full read and write access to all already existing objects as well as any objects that will be created in the BCM database.

  1. Select the subnode Dynamic Population of the Super Administrators in the left window pane.
  2. Select the subnode Directory Server in the left window pane.
  3. Select Edit > Assign Server.
    The Select a Directory Server dialog box appears on the screen. The dialog box lists all available directory servers with their organizational units depending on the base object, that is, in this case it will only display all available user groups.
  4. Select an entry from the list.

    You can either select the directory server itself or one of its children.

  5. Click OK to confirm.
    The Properties dialog box appears on the screen. Here you can specify if all administrators are to be synchronized or you can synchronize with a specific user group by selecting it from the Users sub-node of the directory server.
  6. Select the respective option from the list.
  7. Click OK to confirm.
    A confirmation window appears.
  8. Click OK to synchronize now.
    The connection with the directory server is established and all members of the selected entry are added to your current group. The Directory Server Synchronisation window appears as a confirmation, listing all objects that were added with their status, which in this case will be either New Object or Error. If more than 3000 elements are synchronized, this window is replaced by a simple confirmation message.
  9. Click OK to close this window.

The name of your group is changed to the name of the directory server entry followed by the full name of the server in dotted notation. In this case, if you synchronized it with an organizational unit called Relay Servers, the group name is changed from Super Administrators to Relay Servers.Full.Directory.Name. If the selected group has subunits, these are also synchronized and added to the group as subunit.group.server name. The elements are added to this group in a flat list, ignoring any hierarchy they might have been located in on the directory server.

To configure and populate the Helpdesk Administrators group

This administrator requires access to all devices, either via the device groups or the device topology.

  1. Log on to the console with a super administrator or the admin login.
  2. Then go to the Global Settings and the Administrator Groups node.
  3. Select the group called Helpdesk Administrators.
  4. Go to the Static Objects tab.
  5. Click the Edit > Add Object menu item.
    The Select Static Objects pop-up window appears.
  6. Under the Top Nodes select the Device Groups entry.
  7. Click Add.
    The Properties pop-up window appears.
  8. Leave all selections as they are, that is Read access Allowed, and Write and Assign access Denied, and click OK.
  9. Click OK to confirm the selected static objects.
  10. Go to the Dynamic Objects tab.
  11. Click the Edit > Add Results of Query menu item.
    The Select Dynamic Objects pop-up window appears displaying queries that currently exist in the BCM database.
  12. Open the folder BMC Client Management database and select the queries All Devices and All Device Groups.
    These queries ensure that the administrator will be able to see all existing devices and device groups as well as those that will be created in the future by any other administrator.

  13. Click OK.
    The Properties pop-up window appears.
  14. Leave the Read, Write and Assign access as they are, that is Allowed.
  15. For the Direct Access Acknowledgement and Remote Control Acknowledgement you have the following possibilities. Make your selections according to your company policies:
    1. Direct Access Acknowledgement
      • Required
        Select this radio button if system credentials must be provided to access the remote devices.
      • Not Required
        Select this radio button if no system credentials are required to access the remote devices.
      • Respect Windows permissions when accessing files and the Registry
        Check this box if the access rights to the local files and the Windows Registry are to be restricted to those of the local account.
    2. Remote Control Acknowledgement
      • Required
        Select this radio button if system credentials must be provided to access the remote devices in any case.
      • Not Required
        Select this radio button if no credentials are required and then define for which case this selection is applicable: If User Absent, If Session is Closed, or both.

        The Inherited option is only of interest if you are defining this profile for an individual administrator instead of a group. In this case you can select this radio button if the access rights are to be inherited from the administrator group(s) the administrator belongs to. As long as the administrator is not a member of a group this option is interpreted as Deny.

  16. Click OK to confirm the access rights for the selected queries.
  17. The administrator group, that is, the specific profile for this type of administrator, is now defined and can be used. It now only remains to add the administrators that are to be equipped with these types of rights.
  18. Click Add Administrator.

    Note

    If no administrators have been created yet, you can also create them directly here by clicking Create Administrator instead.

    The Select an Administrator pop-up window appears.

  19. Select the administrator(s) to add to the group.

    Note

    Be aware that if this administrator is also a member of a group with more extensive access rights, he will ONLY have the rights of this more restrictive group, because the denied right always overwrites the allowed right.

  20. Click OK.
    The administrator is now added to the group, is assigned all capabilities and rights accorded to the group, and is displayed in its Members tab.

You can now log off the console and log on again with the administrator login that is a member of this Helpdesk Administrators group and execute the required operations.
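
The note in step 19 and the description of the Inherited option can be checked on paper before you add members. The following Python model is an added example, not BMC Client Management code or its API: it resolves the rights an administrator inherits on Device Groups from the two group profiles configured above and lists the rights that a more restrictive group takes away. The administrator logins and the data layout are constructed for illustration.

```python
from enum import Enum

class Access(Enum):
    ALLOWED = "Allowed"
    DENIED = "Denied"

RIGHTS = ("Read", "Write", "Assign")

# Group profiles for the static object "Device Groups", using the values the
# procedures above leave in the Properties window.
GROUPS = {
    "Super Administrators": {"Device Groups": dict.fromkeys(RIGHTS, Access.ALLOWED)},
    "Helpdesk Administrators": {"Device Groups": {
        "Read": Access.ALLOWED, "Write": Access.DENIED, "Assign": Access.DENIED}},
}

# Constructed sample administrators (hypothetical logins) and their groups.
MEMBERSHIPS = {
    "alice": ["Super Administrators", "Helpdesk Administrators"],
    "bob": ["Helpdesk Administrators"],
    "carol": [],  # Inherited profile, member of no group
}

def group_values(admin, obj, right):
    """Values each of the administrator's groups sets for one right on one object."""
    return [GROUPS[g][obj][right] for g in MEMBERSHIPS[admin] if obj in GROUPS[g]]

def effective_rights(admin, obj):
    """Inherited rights of an administrator: Denied overrides Allowed."""
    rights = {}
    for right in RIGHTS:
        values = group_values(admin, obj, right)
        # No group at all is interpreted as Deny; treating "no group covers
        # this object" the same way is an assumption of this model.
        allowed = bool(values) and Access.DENIED not in values
        rights[right] = Access.ALLOWED if allowed else Access.DENIED
    return rights

def overridden_rights(admin, obj):
    """Rights that one group allows but another group's Denied takes away."""
    return [r for r in RIGHTS
            if Access.ALLOWED in group_values(admin, obj, r)
            and effective_rights(admin, obj)[r] is Access.DENIED]

if __name__ == "__main__":
    for admin in MEMBERSHIPS:
        eff = {r: a.value for r, a in effective_rights(admin, "Device Groups").items()}
        print(admin, eff, "overridden:", overridden_rights(admin, "Device Groups"))
```

A non-empty overridden list for an administrator means that adding them to the Helpdesk Administrators group reduces rights they hold through another group.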
