×
 
 
  •  
$helper.renderConfluenceMacro('{bmc-global-announcement:$space.key}')

Space banner

   

This version of the product has reached end of support. The documentation is available for your convenience. However, you must be logged in to access it. You will not be able to leave comments.
BMC Client Management 12.8 ... Administering Managing security Managing administrator access through security profiles

Managing static objects of a security profile

Static objects define existing database object types and objects. The Static Objects tab enables defining which of all existing database object types and objects an administrator is to be able to access and in which way. To access an individual object the administrator must be assigned at least read access to the respective top node. For example, the administrator must have at least read access to the Reports top node, to access a specific report. 

By default, the Static Objects tab, will always contain one entry which is the respective administrator. When administrators are created they will automatically be added here so that they can check their access rights. The default access defined at creation time is Read Access; any other access denied.

The following sections are provided:

The Static Objects tab displays the following information about the objects the administrator is given access to:

Parameter

Description

Name

Displays the name of the object for which the right is assigned, for example, Hardware Inventory Report or All Devices for a query.

Object Type

Displays the object type of the selected object, such as Query or Report .

Via Administrator Group

Shows whether the access to the object is directly assigned to the administrator or is inherited through a group membership. The field is empty if it is directly assigned or it will contain the name of the group or groups from which the administrator inherits.

Read Access

Contains one of the following options:

  • Allow to grant read access.
  • Deny to prevent access, in which case the administrator cannot see the object nor any of its children in the console .

Write Access

Contains one of the following options:

  • Allow to grant write access.
  • Deny to prevent access.

The administrator must have read access granted on the respective object to be able to be assigned write access.

Assign Access

Contains one of the following options:

  • Allow to grant assign access.
  • Deny to prevent access.

This type of access is only important for objects that also have Assign Access capability. If the object does not have Assign Access, the user will not have Assign Access either, regardless of this setting.

The database objects affected by this parameter are operational rules, packages, and transfer windows.

Direct Access Acknowledgement

Defines whether an acknowledgment by the end user is required when the end user is trying to access a device remotely via the Direct Access functionality. Possible values are:

  • Required: Acknowledgement is needed to access.
  • Not Required: Acknowledgement is not required.
  • Respect Windows permissions: Access rights to the local files and the Windows Registry are restricted to those of the local account.

Remote Control Acknowledgement

Defines whether an acknowledgment by the end user is required when the end user is trying to access a device remotely via the Remote Control functionality. Possible values are:

  • Required: Acknowledgement is needed to access.
  • Not Required: Acknowledgement is not required with the specification on when they are not required, for an absent user, a closed session, or both.
Remote Control Session

Contains one of the following options:

  • Allow to provide access.
  • Deny to prevent access to a specific device of a group even if administrator has access to all other group members.
  • Inherit to provide access through group membership.
  • Required is the default access and applies only to devices.

Real User Rights

Shows whether the administrator is accessing the local files and Windows Registry of a device with the access rights to a system account or only those of the local account.

  • Yes limits access to a local account.
  • Empty or blank indicates access to the complete system.

This parameter applies only to devices.

Adding a static object

When you add objects to the security profile, always include the complete hierarchy to the target object including the object's top node; otherwise, the administrators might still not be able to access the object.

  1. Click Edit > Add Object .
    The Select Static Objects dialog box opens.

  2. In the Object Type list, select the type of the database object to add. 
    This list is filtered according to your licenses.

    Note

    The Top Nodes object type option displays the complete list of all top nodes available in the console, so they can be added directly.

  3. You have the option to change the view of the objects displayed. From the left panel select a method to display static object:
    • Click Hierarchy to see the objects in a hierarchy.
    • Click All to see all objects available to you.
    • Click Search to search for a specific object.
    • (Only for devices and groups) Click Topology to view a topological view of the objects. 
    The object list display will change depending on the option you select.
  4. Select one or more objects from this window, or search for specific objects through the Search tab.
  5. Click Add  to move the selected objects to the Selected Objects box.
    The Properties dialog box appears to define the type of access for the selected objects.

  6. Select the respective options and then click OK.

    Note

    If the access rights to the local files and the Windows Registry are to be restricted to those those of the local account, check the option Respect Windows permissions when accessing files and the Registry in the Direct Access Acknowledgement panel. This option is only applicable to devices.

    The objects will be added to the Selected Objects box in which they will be listed with their name and their type.

  7. (Optional) To add objects of another type repeat the preceding steps.
  8. Click OK to add all selected objects to the list of security objects for the security profile.

Modifying access rights of a static object

Objects to which access is assigned via a group cannot be modified. To restrict the access further than that assigned through the group, the object must be assigned individually a second time with new settings.

  1. Select the object for which the access is to be modified in the table in the right window pane.
  2. Select Edit > Properties.
    The Properties dialog box appears.
  3. Select the options for the desired type of access.
  4. Click OK to confirm the modifications and close the window.

Removing an object

When you remove a parent object, you also remove all of its children and the administrators cannot access the children. 

  1. Select the object to be removed from the list of security objects in the right window pane.
  2. Select Edit  > Remove Object .
    A confirmation window appears.
  3. Click OK to confirm the removal.
Was this page helpful? Yes No Submitting... Thank you
Last modified by Darshana Bhangare on Jun 01, 2021

Comments

Log in or register to comment.

Assigning capabilities to a security profile
Managing access dynamically
© Copyright 2013 - 2021 BMC Software, Inc.
Legal notices

Powered by Atlassian Confluence and Scroll Viewport

© Copyright 2005-2024 BMC Software, Inc. Use of this site signifies your acceptance of BMC’s Terms of Use . BMC, the BMC logo, and other BMC marks are assets of BMC Software, Inc. These trademarks are registered and may be registered in the U.S. and in other countries.