Capabilities and access rights
Capabilities define the general access types which can be assigned to an administrator or an administrator group to access a specific object type and execute operations on it. They can be assigned to an administrator directly and via an administrator group of which he is a member.
After you select a capability node in the left window pane, information about it is displayed in the following tabs:
- Administrator: The Administrator tab concerns administrators to which this capability is assigned.
- Group: The Group tab concerns administrator groups to which this capability is assigned.
The Access Rights to the individual objects of a specific type, such as an individual operational rule or a report, are defined through the Security tab.
The Capabilities node lists the capabilities in the right window pane in accordance with the purchased licenses. The node provides the following information:
This column displays the name of the individual capability. Capabilities on almost all BCM database object types are divided up into the following basic access types:
This access type is the most restrictive of all and provides administrators with the general access to a specific object type, such as reports or devices. If the View capability is not assigned, the main node of the object type will not appear among the nodes in the left console window and no operations of any type may be executed on it. For example, if you do not provide an administrator with the capability to View Device Groups, the Device Groups node will not be displayed on the left console window and thus the administrator cannot manage or populate any device groups, because he cannot see them.
This capability allows administrators to create new objects of the specified type, for example, the capability Manage Operational Rules allows you to create any number of operational rules under the main Operational Rules node. It also allows you to delete any existing operational rules or modify them. It also allows for the creation of links between objects (which are not a device or a device group) such as adding and defining the query for a report. However, this capability does not allow you to assign the operational rule to a software distribution for a client device or group.
Permits administrators to create the relations between database objects of the specified types. You only need to have the assign capability for the object being assigned, for example, when assigning an operational rule to a device group you only need the Assign Operational Rules capability. Creating links between any type of objects that do not have the assign capability falls under the manage capability. With the exception of operational rules and rollouts, this capability also includes the possibility to define the schedule for the object relation.
This capability allows the administrator to access the Configuration node of the following CM modules to define their configuration parameters: Compliance Management, OS Deployment, Patch Management, Task Management and Software License Management.
The special capabilities are the following:
Populate Device Groups
This capability is necessary for all operations which might influence the content of a device group, such as assigning a directory server to manage the contents of the dynamic group.
Populate User Groups
This capability is necessary for all operations which might influence the content of a user group, such as assigning a directory server to manage the contents of the dynamic group.
Schedule Operational Rules
This capability is required if an administrator is to be able to actually schedule operational rules. Since the execution/installation of packages and patch packages is based on the execution of operational rules, an administrator will also need this capability if he is to schedule packages and patch packages.
This capability is required if an administrator is to be able to actually schedule rollouts. It also allows him to cancel a rollout. If you are upgrading from an earlier version without this capability, any administrator assigned the assign rollout capability will be automatically assigned this capability as well.
Manage Rollout User Accounts
This capability allows the administrator to manage, that is, add or remove, the user accounts for the rollout. If you are upgrading from an earlier version without this capability, any administrator assigned the manage rollout capability will be automatically assigned this capability as well.
This capability is required if an administrator is to use the file transfer functionality of the direct access function.
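The following added example (not part of the product or its documentation) shows a least-privilege review of the rules above: it resolves each administrator's effective capabilities from direct and group assignments, then lists what the upgrade would grant automatically. The capability labels, the data layout and the choice to apply the upgrade rule to group-inherited capabilities are assumptions; the sample data is constructed.

```python
# Added example: labels and sample data are constructed, not exported from BCM.
# Upgrade rule described above: holders of the first capability are
# automatically given the second. "Schedule Rollouts" is an assumed label.
UPGRADE_IMPLIES = {
    "Assign Rollouts": "Schedule Rollouts",
    "Manage Rollouts": "Manage Rollout User Accounts",
}

def effective_capabilities(admin, direct, group_caps, memberships):
    """Union of capabilities assigned directly and via every group of the admin."""
    caps = set(direct.get(admin, ()))
    for group in memberships.get(admin, ()):
        caps |= set(group_caps.get(group, ()))
    return caps

def upgrade_grants(caps):
    """Capabilities the upgrade would add to this capability set."""
    return {new for old, new in UPGRADE_IMPLIES.items()
            if old in caps and new not in caps}

def review_upgrade(direct, group_caps, memberships):
    """Map each affected administrator to the capabilities gained on upgrade."""
    report = {}
    for admin in sorted(set(direct) | set(memberships)):
        caps = effective_capabilities(admin, direct, group_caps, memberships)
        gained = upgrade_grants(caps)
        if gained:
            report[admin] = sorted(gained)
    return report

# Constructed sample assignments.
DIRECT = {
    "alice": {"View Rollouts", "Assign Rollouts"},
    "bob": {"View Rollouts"},
    "carol": {"View Device Groups"},
}
GROUP_CAPS = {"rollout-ops": {"Manage Rollouts"}}
MEMBERSHIPS = {"bob": {"rollout-ops"}}

if __name__ == "__main__":
    for admin, gained in review_upgrade(DIRECT, GROUP_CAPS, MEMBERSHIPS).items():
        print(f"{admin}: gains {', '.join(gained)} on upgrade")
```

Administrators who appear in the report should be checked after the upgrade, and the automatically assigned capability removed where scheduling rollouts or managing rollout user accounts is not part of their role.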