Assigning capabilities to a security profile
To assign a capability to an administrator or administrator group, proceed as follows:
- Select the administrator or administrator group to which one or more capabilities are to be assigned, either as the node in the left window pane or as the entry in the table in the right window pane, and then select the Capabilities tab of the Security Profile node.
- Click Edit > Properties.
The Properties dialog box appears. It has the following tabs for the capabilities, which are grouped by their functionality type:
In this tab you can add capabilities to or remove them from the selected administrator or administrator group. To do so, check or clear the boxes next to the respective capability. Capabilities that are inherited via an administrator's group are dimmed; a capability that was already assigned via a group does not need to be added again. To assign all capabilities to this administrator, click the Select All Capabilities button at the bottom of the list.
This tab is only available for administrators and displays the list of all capabilities the administrators inherited through their group membership. This tab is for information only; you cannot make any modifications in it.
- Click OK to assign the selected capabilities to the administrators and to close the window.
The Capabilities tab provides the list of available capabilities in the right window pane, grouped by their functionality type. These capabilities define which of the CM functionalities administrators and administrator groups can access in the console. A granted access is indicated by symbol, denied access by symbol, and a granted access that is inherited by an administrator from the administrator group by symbol. Be aware that when an administrator is assigned a capability twice, once directly and once via a group, the group capability "overwrites" the individual one and is also displayed as such.
The fields in this column display all BMC Client Management parts and object types with their symbol and their name for which capabilities can be assigned.
This access type is the most restrictive of all and provides administrators with the general access to a specific object type, such as reports or devices. If the View capability is not assigned, the main node of the object type will not appear among the nodes in the left console window and no operations of any type can be executed on it. For example, if you do not provide an administrator with the capability to View Device Groups, the Device Groups node will not be displayed and thus the administrator cannot manage or populate any device groups, because he cannot see them.
This capability allows administrators to create new objects of the specified type or modify and delete existing ones. For example, the capability Manage Operational Rules allows you to create any number of operational rules under the main Operational Rules node. You can also delete any existing operational rules or modify them. It also allows for the creation of links between objects (which are not a device or a device group) such as adding and defining the query for a report. However, this capability does not allow you to assign the operational rule to a software distribution for a client device or a user or a group.
This capability permits administrators to create the relations between database objects of the specified type and devices/users or device groups/user groups. You only need the assign capability for the object being assigned; for example, when assigning an operational rule to a device group you only need the Assign Operational Rules capability. Creating links between objects of any type that are not a device or device group, such as adding a package to an operational rule, falls under the manage capability.
This capability is necessary for all operations which might influence the content of the object type, such as assigning a directory server or a query to manage the contents as a dynamic group or finding the targets of a rollout.
If an administrator is to be able to actually schedule objects of the respective type, that is, operational rules, rollouts and asset discover scans, this capability must be assigned. If the administrator is to schedule packages and patch packages, this operational rule capability also must be assigned, because the execution/installation of packages and patch packages is based on the execution of operational rules.
If an administrator is to be able to configure a functionality such as Patch Management or Operating System Deployment, this capability must be assigned. If an administrator does not have this capability for these functionalities, the respective Configuration node will not be accessible for these features.
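The inheritance and View rules described above can be checked during a least-privilege review with a small model. This is an added example, not BMC Client Management code or its data format: the function names, the `(access type, object type)` tuples and the sample assignments are all constructed, and requiring View in `can_assign` is an assumption drawn from the View description.

```python
# Added illustration: a toy model of the rules on this page, not product code.
# All names and sample data below are constructed.

def effective_capabilities(direct, group_caps):
    """Map each granted capability to how the console would show it.

    A capability held both directly and via a group is reported as
    "inherited", because the group assignment overrides the individual one.
    """
    shown = {cap: "direct" for cap in direct}
    shown.update({cap: "inherited" for cap in group_caps})
    return shown

def redundant_direct(direct, group_caps):
    """Direct grants that the group already provides and need not be added."""
    return sorted(set(direct) & set(group_caps))

def unusable_without_view(shown):
    """Grants on an object type whose View capability is missing.

    Without View the object's main node is not displayed, so no operation
    of any type can be executed on it.
    """
    viewable = {obj for (access, obj) in shown if access == "View"}
    return sorted(c for c in shown if c[0] != "View" and c[1] not in viewable)

def can_assign(shown, obj):
    """Only the Assign capability of the object being assigned is needed,
    plus View so that the object is reachable at all (model assumption)."""
    return ("View", obj) in shown and ("Assign", obj) in shown

# Constructed sample: one administrator and the capabilities of their group.
GROUP = {("View", "Operational Rules"), ("Manage", "Operational Rules")}
DIRECT = {("Manage", "Operational Rules"), ("Assign", "Operational Rules"),
          ("Manage", "Device Groups")}

if __name__ == "__main__":
    shown = effective_capabilities(DIRECT, GROUP)
    for cap, state in sorted(shown.items()):
        print(f"{cap[0]:7} {cap[1]:18} {state}")
    print("redundant direct grants:", redundant_direct(DIRECT, GROUP))
    print("unusable without View:  ", unusable_without_view(shown))
    print("can assign operational rules:", can_assign(shown, "Operational Rules"))
```

In the sample, the direct Manage Device Groups grant is flagged because View Device Groups is missing, and the direct Manage Operational Rules grant is flagged as redundant with the group.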