Security permissions required for operations

The following list shows which capability and access types are needed for which basic operation. The capabilities and access rights listed are the minimum requirements to execute these operations, but, of course the administrator can have more extensive permissions than those. For example, when specified Write Access Deny, this means that no write access is necessary to execute this operation, but of course the administrator can be assigned write access to these objects anyway.

Groups are divided in two different types: those with and those without the capability populate. User and device groups have the additional capability populate. The capabilities for administrator groups are the same as for administrators, thus they do not have the capability populate. Administrator groups are treated not as groups but as folders, to learn about their basic operating principles see the explanations concerning folders in the following paragraphs.

Also, be aware, that to be able to assign or modify access rights for other administrators you also must be assigned the capability Manage Security.

To create or delete an object in a folder

When you want to create an object within a folder or delete one from a folder you need the following capabilities and access rights:

  • View and manage capabilities of the object type,
  • Write access on the object under which the new one is created.
    By default the administrator creating the new object has read/write/assign access on this new object.

Example

To create a new operational rule under a folder called Your Operational Rules or to delete it you need:

Capabilities

Access Rights

View Operational Rules

Read Allow, Write Deny on the Operational Rules top node,

Manage Operational Rules

Read Allow and Write Allow on the folder Your Operational Rules.

To create or delete an object in/from a group

To create an object within a group or to delete it from there you need the following capabilities and access rights:

  • View and populate capabilities on the group.
  • Write access on the object itself and its parent.

Example

To delete a device called Your Device from the group called AllYourDevices you need:

Capabilities

Access Rights

View Devices and Device Groups

Read Allow, Write Deny on the Device Groups top node,

Manage Devices

Read Allow and Write Allow on the group AllYourDevices and the device called Your Device.

Populate Device Groups

To modify an object

To modify the attributes of an object you need the following capabilities and access rights:

  • View and manage capabilities of the object type,
  • Read and write access on the object.

To export an object

To export an object from the console you need the following capabilities and access rights:

  • View capability of the object type,
  • Read access on the object to be exported.

To import an object

When you want to import an object you need the following capabilities and access rights:

  • View and manage capabilities of the object type,
  • Write access on the object under which the new one is imported (created).
    By default the administrator importing the object has read/write/assign access on this new object.

To manage access rights (security) of an object

To be able to modify the security profile of an object you need the following capabilities and access rights:

  • View and manage Security Profile capabilities,
  • View capability on administrators,
  • View capability on the object type,
  • Write access on the object for which the access rights are to be modified.

Example

To modify the access rights administrator France has on a specific device, the Master Server you need the following permissions:

Capabilities

Access Rights

View and Mange Security Profile

Read Allow, Write Deny on the Device Groups top node,

View Administrators

Read Allow and Write Allow on the group AllYourDevices and the device called Master Server.

View Devices

To add or remove an object to/from a folder

To add an object to or remove an object from a folder you need the following capabilities and access rights:

  • View and manage capabilities on the object type,
  • Read and write access on the parent object to/from which the child object is to be added/removed and Read access on the child

Example

To add a query All Devices to an existing folder, General Queries you need:

Capabilities

Access Rights

View Queries

Read Allow, Write Deny on the Queries top node,

Manage Queries

Read Allow and Write Allow on the folder General Queries and Read Allow on the query All Devices.

To add or remove an object to/from a group

To add an object to or remove it from a group you need the following capabilities and access rights:

  • View and populate capabilities on the group (parent object type), and view capability on the member (child object type),
  • Read and write access on the group (parent object) to/from which the member (child object) is to be added, and read access on the child.

Example

To add a device Your Device to an existing device group, Your Device Group you need:

Capabilities

Access Rights

View Device Groups

Read Allow, Write Deny on the Device Groups top node,

Populate Device Groups

Read Allow and Write Allow on the device group Your Device Group and

View Devices

Read Allow on the device Your Device.

To move (cutting and pasting) an object

The cut and paste operation on an object is divided into two different actions: the cut action and the paste action, as cut objects, depending on their type, can be pasted under more than one parent object.

  • View and manage or populate (for device and user groups) capabilities on the object type
  • Read and write access on the old and new parent object, read access on the object to be cut and pasted.

Example

In this example we will cut the Your Operational Rule object from its current parent, the Your Operational Rules folder and paste it under a new folder called Test Rules :

Capabilities

Access Rights

View Operational Rules

Read Allow, Write Deny on the Operational Rules top node,

Manage Operational Rules

Read Allow and Write Allow on the objects Your Operational Rules and Test Rules, as well as Read Allow on the object Your Operational Rule.

To duplicate (copy and paste) an object

Similar to the cut and paste operation the copy and paste also is split in two operations. Only administrators, devices, users and device and user groups can be copied from one location to another (be duplicated), as they can be members of more than one group. You can also duplicate members of folders, but in this case the pasted member must be given a new name.

  • View and manage or populate (for device and user groups) capabilities of the object type,
  • Read and write access on both, the old and new, and read access on the object to be copied,

A duplicating operation on an object requires the exact same permissions regarding capabilities and access rights as the copy and paste operation.

Example

For the following example we want to copy a device, which belongs to a group called HQ Devices to another group called Servers :

Capabilities

Access Rights

View Device Groups

Read Allow, Write Deny on the Device Groups top node,

Populate Device Groups

Read Allow and Write Allow on the groups HQ Devices and Servers,

View Devices

as well as Read Allow on the device.

To synchronize with a directory server

All groups, including the administrator groups can be synchronized with a directory server in Client Management. For this administrator needs the following capabilities and access rights:

  • View, manage and populate capabilities on device/user groups (parent), or view and manage capabilities on administrators (parent),
  • View capability on devices/users,
  • View and manage capability on directory servers (child)
  • Read and Write access on the device/user group (parent), or Read and Assign access on the administrator group (parent)
  • Read access on the administrators/device/users and
  • Read and Write access on the directory server (child), if it populates a device or user group or Read and Assign access, if it populates an administrator group.

Example 1

For the following example we synchronize our new device group called MyNewGroup with an existing directory server, for example called AllLabClients :

Capabilities

Access Rights

View Device Groups

Read Allow, Write Deny on the Device Groups top node,

Manage Device Groups

Read Allow and Write Allow on the group MyNewGroup,

Populate Device Groups

Read Allow and Write Allow on the directory server AllLabClients,

View Devices

Read Allow on (some) clients of the directory server.

View Directory Servers

Manage Directory Servers

The Manage capability and Write access to the group are necessary, because the group name changes to the name of the directory server group as soon as it is synchronized with the server. The Manage capability for the devices is not required, because it is the system which will create the new objects that are added to the group. Therefore you will also not be able to see these new group members, if you do not have at least Read access to the children of the synchronized group.

Example 2

For the following example we synchronize an administrator group called MyNewAdmins with an existing directory server, for example called AllLabAdmins :

Capabilities

Access Rights

View Administrators

Read Allow and Write Allow on the administrator group MyNewAdmins,

Manage Administrators

Read Allow and Write Allow on the directory server AllLabAdmins,

View Directory Servers

Read Allow on (some) administrators of the directory server.

Manage Directory Servers

The Manage capability and Write access to the group are necessary, because the group name changes to the name of the directory server group as soon as it is synchronized with the server.

To manage assignments

The following table recapitulates the required capabilities and access rights to manage assignments between the different non-modifying database objects with the understanding that the view capability as well as read access is always required on both the parent and child object:

Parent

Child

Child Capabilities

Parent Access

Child Access

Custom Compliance Rule

Report

Assign Report

Assign

Read

Device

Custom Compliance Rule

Assign Compliance Rule

Assign

Read

Device

Inventory Filter

Assign Filters

Assign

Read

Device

Managed Application

Manage Managed Applications

Assign

Read

Device

Application List

Assign Application Lists

Assign

Read

Device

Licensed Software

Assign Licensed Software

Assign

Read

Device

Operational Rule

Assign Operational Rules

Assign

Read

Device

Package

Assign Packages

Assign

Read

Device

Patch Group

Assign Patch Groups

Assign

Read

Device

Patch Job

Assign Patch Jobs

Assign

Read

Device

Rollout

Assign Rollout

Assign

Read

Device

SCAP Job

Assign Compliance Rule

Assign

Read

Device

Task

Assign Task

Assign

Read

Device

Transfer Window

Assign Transfer Windows

Assign

Read

Device Group *

Custom Compliance Rule *

Assign Compliance Rule

Assign

Read

Device Group

Inventory Filter

Assign Filters

Assign

Read

Device Group

Managed Application

Manage Managed Applications

Assign

Read

Device Group

Licensed Software

Assign Licensed Software

Assign

Read

Device Group

Application List

Assign Application Lists

Assign

Read

Device Group

Operational Rule

Assign Operational Rules

Assign

Read

Device Group

Package

Assign Packages

Assign

Read

Device Group

Patch Group

Assign Patch Groups

Assign

Read

Device Group

Patch Job

Assign Patch Jobs

Assign

Read

Device Group

Report

Assign Reports

Assign

Read

Device Group

Rollout

Assign Rollout

Assign

Read

Device Group

SCAP Job

Assign Compliance Rule

Assign

Read

Device Group

Task

Assign Task

Assign

Read

Device Group

Transfer Window

Assign Transfer Windows

Assign

Read

Monitored Applications

Schedule Template

Manage Schedule Templates

Assign

Read

Operational Rule

Task

Assign Task

Assign

Read

Package

Operational Rule

Manage Operational Rules

Write

Write

Patch Group

Package

Manage Patch Groups

Write

Write

Patch Group

Task

Assign Task

Assign

Read

Prohibited Applications

Schedule Template

Manage Schedule Templates

Assign

Read

Query

Sub-Report

Manage Reports

Write

Write

Rollout

Task

Assign Task

Assign

Read

Rollout

User Account

Populate Rollout

Assign

Read

Scan Configuration

Scan

Assign Scan

Assign

Read

Scanner

Scan

Assign Scan

Assign

Read

SCAP Job

SCAP Package

Manage Compliance Rules

Write

Read

Target List

Scan

Assign Scan

Assign

Read

User

Operational Rule

Manage Operational Rules

Assign

Read

User Group

Operational Rule

Manage Operational Rules

Assign

Read

  • The assignment of a compliance rule to a device group in this case is used by the compliance rule to check the group members for their compliance.

To populate database objects

The following table recapitulates the required capabilities and access rights to manage assignments between the different database objects concerning their population. Same as with the preceding table, the view capability as well as read access is always required on both the parent and child object:

Parent

Child

Parent Capabilities

Parent Access

Child Access

Administrator Group

Directory Server

Manage Administrators

Write

Read

Device Group *

Custom Compliance Rule *

Populate Device Groups

Write

Read

Device Group

Directory Server

Populate Device Groups

Write

Read

Device Group

Query

Populate Device Groups

Write

Read

Rollout

Device Group

Populate Rollouts

Write

Read

Rollout

Target

Populate Rollouts

Write

Read

User Group

Directory Server

Populate User Groups

Write

Read

User Group

Query

Populate User Groups

Write

Read

  • The assignment of a compliance rule to a device group here actually populates the device group with the result of its compliance check, that is, the group will contain all compliant devices, all non-compliant devices or those which could not be evaluated.

To schedule scans and rollouts

The following table recapitulates the required capabilities and access rights to schedule the execution of the different database objects. Same as with the preceding table, the view capability as well as read access is always required on the object:

Object

Capabilities

Access

Asset Discovery Scan

Schedule Scans

Write

SCAP Compliance Scan

Schedule Compliance Rules

Write

Operational Rule

Schedule Operational Rules

Write

Rollout

Schedule Rollout

Write

To configure BMC Helix Client Management

The following table recapitulates the required capabilities and access rights to define the basic configuration of CM functionalities:

Functionality

Capabilities

Access

Compliance Management

Configure Compliance Management

Write

Operating System Deployment

Configure Operating System Deployment

Write

Patch Group

Configure Patch Groups

Write

Patch Job

Configure Patch Jobs

Write

Task Management

Configure Task Management

Write

To assign or unassign an object to or from a group

To assign/unassign an object to a group that modifies its content (queries, directory servers and compliance rules) you need the following capabilities and access rights. Be aware that administrator groups are handled as usual like folders (see below), not like groups. It causes the contents of the group to change.

  • View and populate capabilities for group (parent)
    • if the directory server is to be synchronized as well, not only to be assigned you also need the manage capability
  • View capability on the object to be assigned (child),
  • Read and write access on the parent and read access on the child.

Example

To assign a query All Servers to device group All Servers France you need the following permissions:

Capabilities

Access Rights

View Device Groups

Read Allow, Write Deny on the Device Groups top node,

Populate Device Groups

Read Allow and Write Allow on the group All Servers France ,

View Queries

and Read Allow on query All Servers .

To assign or unassign an object to or from another object

To assign/unassign an object to/from another object, such as operational rules, packages, transfer windows, and so on, you need the following capabilities and access rights:

  • View and assign capabilities on the target object (parent),
  • View and assign capabilities on the object to be assigned (child),
  • Read access on the parent and read and assign access on the child.

Example

To assign a transfer window High Speed Downstream to device Server France you need the following permissions:

Capabilities

Access Rights

View Devices

Read Allow, Write Deny on the Transfer Windows top node,

Assign Devices

Read Allow and Assign Allow on the device Server France

View Transfer Windows

and Read Allow on transfer window High Speed Downstream .

Assign Transfer Windows

To publish a package to master

You need following capabilities and access rights to publish a specific package:

To publish a package, an administrator should have:

  • Read and Manage Package Capability
  • Read Device Capability
  • Write Access on the package

To publish on the master:

  • Read Access on the master for on-premises environment. On SaaS, this access is not required.

To publish on a Relay:

  • Read Access on the relay
Was this page helpful? Yes No Submitting... Thank you

Comments