Recommendations for adopting BladeLogic Portal
This topic contains the following sections, which provide recommendations for adopting BladeLogic Portal:
BladeLogic Portal provides two approaches for controlling access to the user interface and its underlying objects and operations. Depending on your situation and security requirements, you can choose to secure access to the portal by using existing RBAC controls in BMC Server Automation, or you can opt for a more lightweight solution and adopt a thin layer of control at the portal level.
Existing organizations with RBAC implementations
Organizations that have developed RBAC controls in BMC Server Automation can continue to use those controls. RBAC defines users and roles and the access they have to managed objects (known as "targets" in the portal). RBAC defines what actions users can perform on targets.
For organizations in this situation, BMC recommends creating a portal security group for each role that requires access to BladeLogic Portal. If you have users that understand the roles to which they are assigned and the actions those roles can perform, you can assign a name to each portal security group that aligns with its corresponding role in BMC Server Automation.
Using portal security groups, you can also optionally set portal-level restrictions. These restrictions prevent members of a group from accessing certain portal functions altogether. For example, you can prevent members of a group from having the capability to perform patch analysis by removing that option inside the portal user interface itself. If you have RBAC controls in place that already prevent a role from performing certain actions, it is not necessary to set any portal-level restrictions, because those restrictions are carried over from BMC Server Automation.
Organizations with limited RBAC requirements
In some cases, organizations that have less rigid security requirements and have not yet implemented RBAC in BMC Server Automation can use basic portal-level restrictions to control user access.
In this situation, BMC recommends setting up a few roles in BMC Server Automation with mostly unrestricted access to the product. Then, you can set up portal security groups that map to those roles. Portal-level restrictions defined for the portal security groups can be used to restrict access to certain portal features and functions.
This approach is not as secure as a full RBAC implementation. For example, there is little control over the underlying targets. However, it may be suitable for some implementations.
Portal operations and the capabilities of your operators
As you adopt BladeLogic Portal, take some time to discover exactly how functionality is exposed to end users and consider whether it may be beneficial to review your current working practices. BladeLogic Portal provides a simple user interface that allows operators to create operations in various ways:
- From existing jobs in BMC Server Automation that have already defined all job properties and targets
- From existing jobs in BMC Server Automation that allow some job properties and targets to be modified
- From certain types of content (such as compliance rules or BLPackages) that can be used as the basis of an operation but which still require users to set targets and job properties. See Creating or modifying an operation for a list of content types that can be used to define operations.
Some organizations take a very controlled approach to exposing BMC Server Automation jobs to end users. Everything is predefined. Operators can only execute a job and see its results. However, BladeLogic Portal provides a much simpler, more prescriptive user interface that enables BMC Server Automation administrators to put more responsibility safely in the hands of end users, freeing up the administrator's time to add value to the solution and at the same time promoting better adoption of the tool .
Of course, you can use portal and continue to use your existing methods if you prefer.
Simplifying the operator's job
Administrators can take the following actions to simplify the end-user experience in BladeLogic Portal.
Naming for underlying content and jobs
Although it is possible for portal operators to use the portal interface to investigate what a job or piece of content does, it is easier for the operator if the description of the job or content makes the purpose clear. When naming content and the folder structures that hold content in BMC Server Automation, adopt descriptive naming schemes and conventions that make it easy for your operators to search for and identify what they need.
Setting default folders for portal operators
Operators typically have a task to perform and do not want to be confused by unnecessary steps or terminology. Administrators can shield end users from some complexity by setting up default folders and directories where the portal creates content inside BMC Server Automation (for example, new jobs or depot items that are created as a result of portal operations). You can set default folders at two levels:
- Site level—While connected to a particular site, all generated content is stored in default folders. See Managing sites.
- Portal security group level—Generated content is stored in default folders that are defined for each portal security group. See Managing portal security groups.
Creating job templates
BMC Server Automation provides numerous options when executing jobs. Often it is very important to get these settings correct if a job is to execute as intended.
Instead of expecting portal operators to understand all these settings, BMC Server Automation administrators can set up job templates inside of BMC Server Automation. Job templates define the required job execution settings for certain job types (for example, patching jobs). Administration can then let portal operators select from these templates.
When operators create new operations inside of the portal, they can select a job template. In doing so, the job execution settings described by the template are copied to the new operation. This mechanism ensures that the power of BMC Server Automation is available to portal operators, but avoids the confusion of myriad options that they might select incorrectly and that might impact the successful execution of an operation.
Specifying preferred content
BMC Server Automation administrators can flag an item as preferred content by setting the item's IS_HIGHLIGHTED property to True. This act makes the content visible in a Preferred Content tab inside of the portal. When operators start creating new operations, they can immediately select the preferred content instead of having to search for content by using the standard search mechanisms.