Managing security settings

From the Security tab of the Global Settings > System Variables page, you can define the following default security settings of your system:

Parameter

Description

Create Default System Administrator

The value in this field defines whether system authentication is used for logon. If the value is set to Yes, your general system login can be used. This means that every attempted login that is authenticated by the system causes a matching login to be created in the database. For security reasons, however, no capabilities are assigned to these logins. All of these automatically created administrator logins have the System Password check box in their Properties window checked. If the value is set to No, a specific user login must be created for each administrator to log on to the BMC CM console. The default value for this attribute is No. For more information about how to create administrator logins, refer to the What you have to know about Administrators topic.

Account Locking Attempts

The value in this field defines the number of failed sign-in attempts that will lock an administrator account. You can choose a value between 1 and 20.

Account Automatically Unlocked (min)

The value in this field defines the time in minutes beyond which an administrator account will be unlocked without any manual intervention. You can choose a value between 1 and 60.

Display Hidden Devices in the Topology Graph

This parameter defines whether users without read access rights to the master or relays can view their devices in the topology graph. By default this option is set to No, that is, they cannot. If the option is activated, the administrator can see the part of the topology that includes the devices on which he has access rights, but all devices on which he does not have at least read access, that is, master and relays, appear dimmed and are not accessible. All other devices on which he has no access rights do not appear in the view.

Maintain Administrators at Directory Server Synchronization

This parameter defines whether administrators are also removed from synchronized groups during resynchronization. Normally, if an administrator is removed from his AD group, he is also removed from his CM group during the next synchronization. However, if the capabilities or access rights of this administrator are transferred via the administrator group, this might cause a number of problems. For example, if the administrator in question is assigned as a populator for groups, the groups "depopulate", and if operational rules are assigned to such a group, they are unassigned from the devices of the group.

Disable all administrators that are not a member of any group at a directory server synchronization

Because administrators might have functionalities that are to be transferred to other administrators when they are deleted, such as being a populator, it is not possible to automatically delete administrators if they no longer belong to any group. This option does, however, allow you to disable the administrators that are not a member of any administrator group, to distinguish them. By default this option is deactivated.

Allow Object Assignments to Unknown Device

If this option is activated, devices unknown to the BCM database can be assigned to the available objects, that is, operational rules, transfer windows, and so on. In this case the unknown device displays the Assigned Objects node in addition to the Inventory and Events nodes. After the device becomes known to the database, it synchronizes all assigned objects and thus becomes operational automatically. By default this option is not activated.

Block Access to MyApps

This option deactivates access to the MyApps application kiosk of the browser agent interface. If it is activated, neither users nor administrators can access this page.

Authorize Deprecation of Relays

Check this box to allow the deprecation of a relay even though it is still the parent of other devices. In this case the relay is moved to Lost and Found, from where it can be deleted. Its former children are removed from the Topology view, but they can still be displayed via their device groups.

Request System Credentials for Windows Remote Access

Check this box to force the use of credentials when directly accessing Windows devices. In this case you are required to enter your credentials when accessing the target device via the Direct Access or Remote Control functionality.

Request System Credentials for Linux Remote Access

Check this box to force the use of credentials when directly accessing Linux devices. In this case you are required to enter your credentials when accessing the target device via the Direct Access or Remote Control functionality.

Request System Credentials for Mac OS Remote Access

Check this box to force the use of credentials when directly accessing Mac OS devices. In this case you are required to enter your credentials when accessing the target device via the Direct Access or Remote Control functionality.

Remote Access Acknowledgement Timeout (sec)

This parameter defines the timeout in seconds within which the remote user can allow an administrator's remote access request. If the timeout is reached, the administrator is informed that the remote user did not respond within the time allowed for the direct access or remote control request. If the value is set to zero, the timeout functionality is disabled.

Lock the new installed agent services

Check this box to lock the newly installed agent services.

Service Unlock Password

Enter the service unlock password.

Security Level

Defines the security level used by the BCM agents. The following options are available:

Starting from BCM version 12.7 and later — Activates AES encryption instead of the legacy bespoke cryptography, which is no longer considered safe. When this setting is changed for existing deployments, asset discovery scans and SCAP jobs will not be compatible with BCM agents earlier than version 12.7.

Before BCM version 12.7 — Use the legacy bespoke cryptography.
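
The following Python code is an added example, not part of the BMC documentation or product. It audits a snapshot of the settings described above against the value ranges stated on this page and an assumed hardened baseline. The dictionary snapshot format, the function name `audit` and the baseline choices are assumptions; the keys reuse the parameter names from this page.

```python
# Added example, not BMC code. Keys reuse the parameter names on this page;
# the dict snapshot format and the baseline choices are assumptions.
AES_LEVEL = "Starting from BCM version 12.7 and later"
RANGES = {  # inclusive ranges stated on this page
    "Account Locking Attempts": (1, 20),
    "Account Automatically Unlocked (min)": (1, 60),
}
CREDENTIAL_PROMPTS = [
    "Request System Credentials for Windows Remote Access",
    "Request System Credentials for Linux Remote Access",
    "Request System Credentials for Mac OS Remote Access",
]
TIMEOUT = "Remote Access Acknowledgement Timeout (sec)"

def audit(settings):
    """Return sorted (parameter, finding) tuples for a settings snapshot."""
    findings = []
    for name, (low, high) in RANGES.items():
        value = settings.get(name)
        # bool is a subclass of int in Python, so reject it explicitly
        if type(value) is not int or not low <= value <= high:
            findings.append((name, f"expected integer {low}-{high}, got {value!r}"))
    for name in CREDENTIAL_PROMPTS:
        if settings.get(name) is not True:
            findings.append((name, "credentials are not forced for remote access"))
    if settings.get(TIMEOUT) == 0:
        findings.append((TIMEOUT, "zero disables the acknowledgement timeout"))
    if settings.get("Security Level") != AES_LEVEL:
        findings.append(("Security Level", "legacy bespoke cryptography selected"))
    if settings.get("Create Default System Administrator") == "Yes":
        findings.append(("Create Default System Administrator",
                         "system-authenticated logins are created automatically"))
    return sorted(findings)

# Constructed snapshot for illustration only
SAMPLE = {
    "Account Locking Attempts": 25,
    "Account Automatically Unlocked (min)": 30,
    "Request System Credentials for Windows Remote Access": True,
    "Request System Credentials for Linux Remote Access": False,
    "Request System Credentials for Mac OS Remote Access": True,
    TIMEOUT: 0,
    "Security Level": "Before BCM version 12.7",
    "Create Default System Administrator": "No",
}

if __name__ == "__main__":
    for parameter, finding in audit(SAMPLE):
        print(f"{parameter}: {finding}")
```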
