Managing portal security groups for BMC Server Automation

A portal security group (PSG) is a group of users that inherit a set of restrictions and permissions. A portal security group has a one-to-one mapping to a BMC Server Automation role. After a PSG is created in the portal and mapped to a role in BMC Server Automation, all users that are assigned to that role in BMC Server Automation can log on to the portal with their BMC Server Automation credentials.

This topic includes the following sections:

Predefined PSGs

The installation procedure automatically creates a portal security group for portal administration. This group, known as the portal administrator group, is mapped to the BLAdmins role in BMC Server Automation (or to any other role granted the same permissions as BLAdmins). Users assigned to the BLAdmins role in BMC Server Automation can log on to the portal and manage the portal environment.

Another PSG is created automatically when you add an additional site . This PSG is the site administrator group. Currently, the site administrator must belong to the same role as the portal administrator. Essentially, a site administrator group has authorizations to administer its own site, while the portal administrator group has authorizations to administer all sites. The following table explains the different capabilities of the portal administrator and the site administrator.

Portal-level restrictions

Restrictions set at the portal level provide a thin layer of control that prevents members of portal security groups from accessing certain features and functions of the portal environment.

Portal-level restrictions are optional and do not supersede the underlying RBAC controls set up in your BMC Server Automation environment. For example, if a new portal security group maps to a role that does not have RBAC rights to create patch operations, selecting patch authorizations at the portal level when you define the security group would not mean that operators who are members of this security group would now be able to create patch operations.

The intent of portal-level restrictions is to provide a very simple security mechanism for those organizations who have not implemented or do not require the sophisticated RBAC controls available in BMC Server Automation.

Default values for portal security groups

To make it easier to create operations in the portal, you can define values for:

• Default depot and job paths—When members of a portal security group perform an action that creates job or depot items, the items are placed in these default depot and job locations. Default values defined at the portal security group level take precedence over default locations defined at the site level in a portal. Setting default values for jobs and depot items means portal operators do not have to manually select a folder when they create operations, thus shielding them from some complexity. Advanced operators can be given the ability to override folder locations when they create new operations.
• Deploy templates—When members of a portal security group set up a deploy operation or a patching or compliance operation (which automatically generate Deploy jobs for remediation purposes), the deploy operation can use the settings in a Deploy template. By specifying Deploy templates for a security group, you can provide a limited number of recommended Deploy templates that group members can choose from when they are defining an operation. When you run a remediation operation for a patching operation, you can use a Deploy template based on an advanced Deploy job, which enables you to schedule the Simulate, Stage, and Commit phases of the job individually. 

Importing BSA roles to function as portal security groups

Before creating new portal security groups, the portal administrator must import roles and their associated users from BMC Server Automation. When you import a role, it is automatically converted into a portal security group in the portal.

When you import a role to create a portal security group, the security group is assigned a unique name. This automatic naming occurs for all portal sites except the primary site. At the primary site, the portal security group is given the same name as the role being imported. At all sites except the primary site, names are assigned by using this format:

ImportedRole@SiteName

where ImportedRole is the name of a role being imported and SiteName is the name of the site to which you are currently connected. 

After performing this procedure, you can still add new portal security groups in the future. You can also repeat this procedure to allow additional roles to use the portal.

If you want to create a set of roles with minimum permissions to perform actions in the portal, you can first import predefined roles into BMC Server Automation. Then you can import those roles into the portal.

To import portal security groups

1. At top right, click the drop-down menu by your user name. Then, select Administration.
   The portal displays the Administration page.
2. Click the Security Groups tab, if it is not already selected.
   A list of portal security groups opens.

3. Click Import security groups  .
   The Import Security Groups page opens.

   

   
   
   

4. For BSA Site , select the BMC Server Automation instance from which you want to import role and user information.

5. Select Override Permissions if you want to overwrite the settings for existing portal security groups with names that match the names of the roles you are importing. If you select this option, the authorizations for the existing portal security groups will match the authorizations of the roles you are importing. 
   
   Existing portal security groups are not affected if their names do not match the names of the roles you are importing.
6. Using the list of BMC Server Automation roles, check the roles you want to import. 
   Click select all to select all roles in the list, or click clear to deselect all roles. 
   To search for roles by name, enter a text string in the search box and click Filter the role names  . The portal lists only roles with names that include the string you entered.
7. Click Import.
   The selected roles are imported into the portal and mapped to a portal security group with the same name. Users of BMC Server Automation who are assigned to a role that you have imported are now able to log on to the portal by using their BMC Server Automation credentials.

Adding new portal security groups

In addition to importing portal security groups, you can also create new groups.

Currently, only one portal security group can be mapped to a role in BMC Server Automation.

To add a new portal security group

1. At top right, click the drop-down menu by your user name. Then, select Administration. 
   The portal displays the Administration page.
2. Click the Security Groups tab, if it is not already selected.
   A list of portal security groups opens.
3. Select the Add a new security group icon .
   The Create Group page opens.
   

4. Enter the following information.

   Option	Description
   Group Name	Name of the portal security group.
   Group Description	Optional descriptive text for the portal security group.
   BSA Site	The BSA Site or or BNA Site option specifies the Application Server in either BMC Server Automation or BMC Network Automation to which this portal security group has access.  See Managing sites for more information.
   BSA Role Name	Specifies the role in BMC Server Automation that determines which user authorizations are assigned to this portal security group.
   Portal Level Permission	The Portal Level Permissions option specifies the types of operations this portal security group can perform. The authorizations that are selected reflect the authorizations granted to the role specified in the BSA Role Name field. Removing an authorization at the portal level takes precedence over permissions granted to a role in BMC Server Automation. In other words, if a role is granted an authorization in BMC Server Automation but the corresponding check box is not selected here at the portal level, the role cannot perform that operation in the portal. Requirements for auto-selection When you select a role in the BSA Role Name field, the portal examines the permissions granted to that role in BMC Server Automation. If the role has been granted a minimum set of permissions needed to perform a type of operation in the portal, such as Compliance operations, the check box for that type of operation is selected automatically.   Click here to see lists of the minimum permissions required. The following lists shows the minimum BMC Server Automation permissions that must be granted to a role for a check box to be selected automatically. Be forewarned that these lists are long! Batch checkbox BatchJob.Read  BatchJob.Create  BatchJob.Modify  BatchJob.ModifySchedule  BatchJob.ModifyTargets  BatchJob.Execute BLPackage.Read  BLPackage.Write  BLPackage.Modify  BLPackage.ModifyProperties ApplicationDiscoveryJob.* AuditJob.Read  AuditJob.Create  AuditJob.Modify  AuditJob.ModifySchedule  AuditJob.ModifyTargets  AuditJob.Execute DeployJob.Read  DeployJob.Create  DeployJob.Modify  DeployJob.ModifySchedule  DeployJob.ModifyProperties  DeployJob.ModifyTargets  DeployJob.Execute PatchingJob.Read  PatchingJob.Create  PatchingJob.Modify  PatchingJob.ModifySchedule  PatchingJob.ModifyTargets  PatchingJob.Execute PatchRemediationJob.Read  PatchRemediationJob.Create  PatchRemediationJob.Modify  PatchRemediationJob.ModifySchedule  PatchRemediationJob.ModifyTargets  PatchRemediationJob.Execute PatchDownloadJob.Read  PatchDownloadJob.Create  PatchDownloadJob.Modify  PatchDownloadJob.ModifySchedule  PatchDownloadJob.ModifyTargets  PatchDownloadJob.Execute NSHScriptJob.Read NSHScriptJob.Create  NSHScriptJob.Modify  NSHScriptJob.ModifySchedule  NSHScriptJob.ModifyTargets  NSHScriptJob.Execute DiscoveryJob.Read  DiscoveryJob.Modify  DiscoveryJob.Modify  DiscoveryJob.ModifyTargets  DiscoveryJob.Execute  DiscoveryJob.Delete JobFolder.Read  JobFolder.Write JobGroup.Read  JobGroup.Write DepotFolder.Read  DepotFolder.Write ComponentTemplateFolder.Read ComponentTemplateGroup.Read ComponentGroup.Read DepotFolder.Read  DepotFolder.Write  DepotFolder.Modify DepotGroup.Read  DepotGroup.Write  DepotGroup.Modify ComponentTemplate.Read Component.Read DepotFile.* ConfigFile.* ConfigurationObjectClass.* DeregisterConfigurationObjects.* DistributeConfigurationObjects.* ExecutionTask.* NSHScript.* PropertyClass.* PropertyInstance.* Repeater.* Server.Read  Server.Discover ServerGroup.* DiscoveryJob.* CustomCommand.Read  CustomCommand.Create  CustomCommand.Modify CustomSoftware.Read  CustomSoftware.Create  CustomSoftware.Modify HPUXSoftware.Read  HPUXSoftware.Create  HPUXSoftware.Modify LinuxSoftware.Read  LinuxSoftware.Create  LinuxSoftware.Modify AIXSoftware.Read  AIXSoftware.Create  AIXSoftware.Modify AIXPatchSoftware.Read  AIXPatchSoftware.Create  AIXPatchSoftware.Modify SolarisSoftware.Read SolarisSoftware.Create  SolarisSoftware.Modify WindowsSoftware.Read  WindowsSoftware.Create  WindowsSoftware.Modify  Compliance checkbox AuditJob.Read  AuditJob.Create  AuditJob.Modify  AuditJob.ModifySchedule  AuditJob.ModifyTargets  AuditJob.Execute DiscoveryJob.Read  DiscoveryJob.Modify  DiscoveryJob.Modify  DiscoveryJob.ModifyTargets  DiscoveryJob.Execute  DiscoveryJob.Delete Component.Read  Component.Audit  Component.Create  Component.ModifyExceptions ComponentGroup.Read  ComponentGroup.Write  ComponentGroup.Modify ComponentTemplate.Read ComponentTemplateFolder.Read  ComponentTemplateFolder.Write ComponentTemplateGroup.Read  ComponentTemplateGroup.Write DepotFolder.Read  DepotFolder.Write  DepotFolder.Modify DeployJob.Read  DeployJob.Create  DeployJob.Modify  DeployJob.ModifySchedule  DeployJob.ModifyProperties  DeployJob.ModifyTargets  DeployJob.Execute JobFolder.Read  JobFolder.Write JobGroup.Read  JobGroup.Write Server.Read  Server.Discover ServerGroup.Read Deploy checkbox DeployJob.Read  DeployJob.Create  DeployJob.Modify  DeployJob.ModifySchedule  DeployJob.ModifyProperties  DeployJob.ModifyTargets  DeployJob.Execute BLPackage.Read  BLPackage.Write  BLPackage.Modify  BLPackage.ModifyProperties ApplicationDiscoveryJob.* JobFolder.Read  JobFolder.Write JobGroup.Read  JobGroup.Write DepotFolder.Read  DepotFolder.Write ComponentTemplateFolder.Read ComponentTemplateGroup.Read ComponentGroup.Read DepotFolder.Read  DepotFolder.Write  DepotFolder.Modify DepotGroup.Read  DepotGroup.Write  DepotGroup.Modify ComponentTemplate.Read Component.Read DepotFile.* ConfigFile.* ConfigurationObjectClass.* DeregisterConfigurationObjects.* DistributeConfigurationObjects.* ExecutionTask.* NSHScript.* PropertyClass PropertyInstance.* Repeater.* Server.Read ServerGroup.* DiscoveryJob.* CustomCommand.Read  CustomCommand.Create  CustomCommand.Modify CustomSoftware.Read  CustomSoftware.Create  CustomSoftware.Modify HPUXSoftware.Read  HPUXSoftware.Create  HPUXSoftware.Modify LinuxSoftware.Read  LinuxSoftware.Create  LinuxSoftware.Modify AIXSoftware.Read  AIXSoftware.Create  AIXSoftware.Modify AIXPatchSoftware.Read  AIXPatchSoftware.Create  AIXPatchSoftware.Modify SolarisSoftware.Read  SolarisSoftware.Create  SolarisSoftware.Modify WindowsSoftware.Read  WindowsSoftware.Create  WindowsSoftware.Modify NSH Script checkbox NSHScriptJob.Read  NSHScriptJob.Create  NSHScriptJob.Modify  NSHScriptJob.ModifySchedule  NSHScriptJob.ModifyTargets  NSHScriptJob.Execute BLPackage.Read  BLPackage.Write  BLPackage.Modify  BLPackage.ModifyProperties ApplicationDiscoveryJob.* JobFolder.Read  JobFolder.Write JobGroup.Read  JobGroup.Write DepotFolder.Read  DepotFolder.Write ComponentTemplateFolder.Read ComponentTemplateGroup.Read ComponentGroup.Read DepotFolder.Read  DepotFolder.Write  DepotFolder.Modify DepotGroup.Read  DepotGroup.Write  DepotGroup.Modify ComponentTemplate.Read Component.Read DepotFile.* ConfigFile.* ConfigurationObjectClass.* DeregisterConfigurationObjects.* DistributeConfigurationObjects.* ExecutionTask.* NSHScript.* PropertyClass.* PropertyInstance.* Repeater.* Server.Read ServerGroup.* DiscoveryJob.* CustomCommand.Read  CustomCommand.Create  CustomCommand.Modify CustomSoftware.Read  CustomSoftware.Create  CustomSoftware.Modify HPUXSoftware.Read  HPUXSoftware.Create  HPUXSoftware.Modify LinuxSoftware.Read  LinuxSoftware.Create  LinuxSoftware.Modify AIXSoftware.Read  AIXSoftware.Create  AIXSoftware.Modify AIXPatchSoftware.Read  AIXPatchSoftware.Create  AIXPatchSoftware.Modify SolarisSoftware.Read  SolarisSoftware.Create  SolarisSoftware.Modify WindowsSoftware.Read  WindowsSoftware.Create  WindowsSoftware.Modify Patch checkbox PatchingJob.Read  PatchingJob.Create  PatchingJob.Modify  PatchingJob.ModifySchedule  PatchingJob.ModifyTargets  PatchingJob.Execute PatchRemediationJob.Read  PatchRemediationJob.Create  PatchRemediationJob.Modify  PatchRemediationJob.ModifySchedule  PatchRemediationJob.ModifyTargets  PatchRemediationJob.Execute PatchDownloadJob.Read  PatchDownloadJob.Create  PatchDownloadJob.Modify  PatchDownloadJob.ModifySchedule  PatchDownloadJob.ModifyTargets  PatchDownloadJob.Execute PatchCatalog.Read  PatchCatalog.Write PatchSmartGroup.Read ComponentTemplate.Read ComponentTemplateGroup.Read Component.Read ComponentGroup.Read Server.Read DeployJob.* BatchJob.* ACLTemplate.* BLPackage.Read  BLPackage.Write  BLPackage.Modify JobFolder.Read  JobFolder.Write DepotFolder.Read  DepotFolder.Write  DepotFolder.Modify DepotGroup.Read  DepotGroup.Write  DepotGroup.Modify JobFolder.Read  JobFolder.Write JobGroup.Read  JobGroup.Write ServerGroup.Read  ServerGroup.Write CustomSoftware.Read  CustomSoftware.Create  CustomSoftware.Modify LinuxSoftware.Read  LinuxSoftware.Create  LinuxSoftware.Modify AIXPatchSoftware.Read  AIXPatchSoftware.Create  AIXPatchSoftware.Modify SolarisSoftware.Read  SolarisSoftware.Create  SolarisSoftware.Modify WindowsSoftware.Read  WindowsSoftware.Create  WindowsSoftware.Modify Partial permissions If a checkbox is not automatically selected, the role you have designated in the BSA Role Name field does not have all the permissions necessary to perform all the capabilities associated with a particular type of operation. You can still select the check box to grant this security group permission to perform the operation, but the security group will be limited by the permissions granted in BMC Server Automation.  For example, you may specify a role that has permissions to run Compliance jobs in BMC Server Automation but does not have permissions to run remediation operations when a compliance failure is detected. In this situation, the check box for Compliance is not selected automatically. You should select the check box to grant this portal security group the same set of compliance functionality available in BMC Server Automation. If you do not select the check box, this portal security group cannot run any Compliance operations in the portal. You can view a spreadsheet that lists recommended minimum BMC Server Automation permissions needed to perform certain types of actions, such as Compliance job execution or patch remediation. The list of permissions are recommendations only. You may discover situations that require additional permissions. Vulnerability Manager permission The Vulnerability Manager permission lets users perform actions using the tools available in the Vulnerability Manager menu. Vulnerability Manager is a portal-level activity only. There are no corresponding permissions in BMC Server Automation. Threat Director permission The Threat Director permission lets users perform actions using the tools available in the Threat Director menu. Many of the actions that you can perform require servers to be licensed for Threat Director. Threat Director is a portal-level activity only. There are no corresponding permissions in BMC Server Automation.
   Asset Groups	The Asset Groups option lets you grant this portal security group access to asset groups that are defined in a vulnerability management system.  If you do not grant access to any asset groups, the portal security group is granted access to all assets. To make options available in the Asset Groups option, you must import an asset group file using Vulnerability Manager > Import or Threat Director > Import. Click here for a description of the full process for assigning asset groups to portal security groups.
   Default Depot Path	The Default Depot Path option specifies the location in BMC Server Automation where the portal stores depot items it creates automatically. When any portal user who belongs to this portal security group performs an operation that generates a depot item, the item is stored by default in this location. To specify a depot folder, click Browse and use the folder graphic to navigate to a location. Then click OK.
   Default Job Path	The Default Job Path option specifies a location in BMC Server Automation where the portal stores jobs it creates automatically. When any portal user who belongs to this portal security group performs an operation that generates a job, the job is stored in this location by default. To specify a job folder, click Browse and use the folder graphic to navigate to a location. Then click OK.
   Deploy Templates	The Deploy Templates options specifies Deploy jobs in BMC Server Automation that can be used to define settings for any Deploy jobs that the portal creates, including Deploy Jobs that are automatically created as part of auto-remediation for Patch Analysis jobs. To choose a template, click Add and browse to a job. Select it and click OK .  Ctrl-click to select multiple jobs and then click OK . If you want to create Deploy operations that run advanced Deploy jobs in BMC Server Automation, use a deploy template that references an existing advanced Deploy job. See Adding a deploy template for instructions describing how to set up a deploy template.

5. Click Create Group .
   The portal security group is created. Users of BMC Server Automation who are assigned to the role to which this group is mapped are now able to log on to the portal by using their BMC Server Automation credentials.
   For some settings to take affect, you must log out and then log back into the portal.

Modifying portal security groups

1. At top right, click the drop-down menu by your user name. Then, select Administration. 
   The portal displays the Administration page.
2. Click the Security Groups tab, if it is not already selected.
   A list of portal security groups opens.
3. Select a portal security group and click Edit the current security group  .
   The Update Group page opens.
4. Modify the settings for the portal security group by changing any of the following options:
   

   Option	Description
   Group Name	Name of the portal security group.
   Group Description	Optional descriptive text for the portal security group.
   BSA Site	The BSA Site or or BNA Site option specifies the Application Server in either BMC Server Automation or BMC Network Automation to which this portal security group has access.  See Managing sites for more information.
   BSA Role Name	Specifies the role in BMC Server Automation that determines which user authorizations are assigned to this portal security group.
   Portal Level Permission	The Portal Level Permissions option specifies the types of operations this portal security group can perform. The authorizations that are selected reflect the authorizations granted to the role specified in the BSA Role Name field. Removing an authorization at the portal level takes precedence over permissions granted to a role in BMC Server Automation. In other words, if a role is granted an authorization in BMC Server Automation but the corresponding check box is not selected here at the portal level, the role cannot perform that operation in the portal. Requirements for auto-selection When you select a role in the BSA Role Name field, the portal examines the permissions granted to that role in BMC Server Automation. If the role has been granted a minimum set of permissions needed to perform a type of operation in the portal, such as Compliance operations, the check box for that type of operation is selected automatically.   Click here to see lists of the minimum permissions required. The following lists shows the minimum BMC Server Automation permissions that must be granted to a role for a check box to be selected automatically. Be forewarned that these lists are long! Batch checkbox BatchJob.Read  BatchJob.Create  BatchJob.Modify  BatchJob.ModifySchedule  BatchJob.ModifyTargets  BatchJob.Execute BLPackage.Read  BLPackage.Write  BLPackage.Modify  BLPackage.ModifyProperties ApplicationDiscoveryJob.* AuditJob.Read  AuditJob.Create  AuditJob.Modify  AuditJob.ModifySchedule  AuditJob.ModifyTargets  AuditJob.Execute DeployJob.Read  DeployJob.Create  DeployJob.Modify  DeployJob.ModifySchedule  DeployJob.ModifyProperties  DeployJob.ModifyTargets  DeployJob.Execute PatchingJob.Read  PatchingJob.Create  PatchingJob.Modify  PatchingJob.ModifySchedule  PatchingJob.ModifyTargets  PatchingJob.Execute PatchRemediationJob.Read  PatchRemediationJob.Create  PatchRemediationJob.Modify  PatchRemediationJob.ModifySchedule  PatchRemediationJob.ModifyTargets  PatchRemediationJob.Execute PatchDownloadJob.Read  PatchDownloadJob.Create  PatchDownloadJob.Modify  PatchDownloadJob.ModifySchedule  PatchDownloadJob.ModifyTargets  PatchDownloadJob.Execute NSHScriptJob.Read NSHScriptJob.Create  NSHScriptJob.Modify  NSHScriptJob.ModifySchedule  NSHScriptJob.ModifyTargets  NSHScriptJob.Execute DiscoveryJob.Read  DiscoveryJob.Modify  DiscoveryJob.Modify  DiscoveryJob.ModifyTargets  DiscoveryJob.Execute  DiscoveryJob.Delete JobFolder.Read  JobFolder.Write JobGroup.Read  JobGroup.Write DepotFolder.Read  DepotFolder.Write ComponentTemplateFolder.Read ComponentTemplateGroup.Read ComponentGroup.Read DepotFolder.Read  DepotFolder.Write  DepotFolder.Modify DepotGroup.Read  DepotGroup.Write  DepotGroup.Modify ComponentTemplate.Read Component.Read DepotFile.* ConfigFile.* ConfigurationObjectClass.* DeregisterConfigurationObjects.* DistributeConfigurationObjects.* ExecutionTask.* NSHScript.* PropertyClass.* PropertyInstance.* Repeater.* Server.Read  Server.Discover ServerGroup.* DiscoveryJob.* CustomCommand.Read  CustomCommand.Create  CustomCommand.Modify CustomSoftware.Read  CustomSoftware.Create  CustomSoftware.Modify HPUXSoftware.Read  HPUXSoftware.Create  HPUXSoftware.Modify LinuxSoftware.Read  LinuxSoftware.Create  LinuxSoftware.Modify AIXSoftware.Read  AIXSoftware.Create  AIXSoftware.Modify AIXPatchSoftware.Read  AIXPatchSoftware.Create  AIXPatchSoftware.Modify SolarisSoftware.Read SolarisSoftware.Create  SolarisSoftware.Modify WindowsSoftware.Read  WindowsSoftware.Create  WindowsSoftware.Modify  Compliance checkbox AuditJob.Read  AuditJob.Create  AuditJob.Modify  AuditJob.ModifySchedule  AuditJob.ModifyTargets  AuditJob.Execute DiscoveryJob.Read  DiscoveryJob.Modify  DiscoveryJob.Modify  DiscoveryJob.ModifyTargets  DiscoveryJob.Execute  DiscoveryJob.Delete Component.Read  Component.Audit  Component.Create  Component.ModifyExceptions ComponentGroup.Read  ComponentGroup.Write  ComponentGroup.Modify ComponentTemplate.Read ComponentTemplateFolder.Read  ComponentTemplateFolder.Write ComponentTemplateGroup.Read  ComponentTemplateGroup.Write DepotFolder.Read  DepotFolder.Write  DepotFolder.Modify DeployJob.Read  DeployJob.Create  DeployJob.Modify  DeployJob.ModifySchedule  DeployJob.ModifyProperties  DeployJob.ModifyTargets  DeployJob.Execute JobFolder.Read  JobFolder.Write JobGroup.Read  JobGroup.Write Server.Read  Server.Discover ServerGroup.Read Deploy checkbox DeployJob.Read  DeployJob.Create  DeployJob.Modify  DeployJob.ModifySchedule  DeployJob.ModifyProperties  DeployJob.ModifyTargets  DeployJob.Execute BLPackage.Read  BLPackage.Write  BLPackage.Modify  BLPackage.ModifyProperties ApplicationDiscoveryJob.* JobFolder.Read  JobFolder.Write JobGroup.Read  JobGroup.Write DepotFolder.Read  DepotFolder.Write ComponentTemplateFolder.Read ComponentTemplateGroup.Read ComponentGroup.Read DepotFolder.Read  DepotFolder.Write  DepotFolder.Modify DepotGroup.Read  DepotGroup.Write  DepotGroup.Modify ComponentTemplate.Read Component.Read DepotFile.* ConfigFile.* ConfigurationObjectClass.* DeregisterConfigurationObjects.* DistributeConfigurationObjects.* ExecutionTask.* NSHScript.* PropertyClass PropertyInstance.* Repeater.* Server.Read ServerGroup.* DiscoveryJob.* CustomCommand.Read  CustomCommand.Create  CustomCommand.Modify CustomSoftware.Read  CustomSoftware.Create  CustomSoftware.Modify HPUXSoftware.Read  HPUXSoftware.Create  HPUXSoftware.Modify LinuxSoftware.Read  LinuxSoftware.Create  LinuxSoftware.Modify AIXSoftware.Read  AIXSoftware.Create  AIXSoftware.Modify AIXPatchSoftware.Read  AIXPatchSoftware.Create  AIXPatchSoftware.Modify SolarisSoftware.Read  SolarisSoftware.Create  SolarisSoftware.Modify WindowsSoftware.Read  WindowsSoftware.Create  WindowsSoftware.Modify NSH Script checkbox NSHScriptJob.Read  NSHScriptJob.Create  NSHScriptJob.Modify  NSHScriptJob.ModifySchedule  NSHScriptJob.ModifyTargets  NSHScriptJob.Execute BLPackage.Read  BLPackage.Write  BLPackage.Modify  BLPackage.ModifyProperties ApplicationDiscoveryJob.* JobFolder.Read  JobFolder.Write JobGroup.Read  JobGroup.Write DepotFolder.Read  DepotFolder.Write ComponentTemplateFolder.Read ComponentTemplateGroup.Read ComponentGroup.Read DepotFolder.Read  DepotFolder.Write  DepotFolder.Modify DepotGroup.Read  DepotGroup.Write  DepotGroup.Modify ComponentTemplate.Read Component.Read DepotFile.* ConfigFile.* ConfigurationObjectClass.* DeregisterConfigurationObjects.* DistributeConfigurationObjects.* ExecutionTask.* NSHScript.* PropertyClass.* PropertyInstance.* Repeater.* Server.Read ServerGroup.* DiscoveryJob.* CustomCommand.Read  CustomCommand.Create  CustomCommand.Modify CustomSoftware.Read  CustomSoftware.Create  CustomSoftware.Modify HPUXSoftware.Read  HPUXSoftware.Create  HPUXSoftware.Modify LinuxSoftware.Read  LinuxSoftware.Create  LinuxSoftware.Modify AIXSoftware.Read  AIXSoftware.Create  AIXSoftware.Modify AIXPatchSoftware.Read  AIXPatchSoftware.Create  AIXPatchSoftware.Modify SolarisSoftware.Read  SolarisSoftware.Create  SolarisSoftware.Modify WindowsSoftware.Read  WindowsSoftware.Create  WindowsSoftware.Modify Patch checkbox PatchingJob.Read  PatchingJob.Create  PatchingJob.Modify  PatchingJob.ModifySchedule  PatchingJob.ModifyTargets  PatchingJob.Execute PatchRemediationJob.Read  PatchRemediationJob.Create  PatchRemediationJob.Modify  PatchRemediationJob.ModifySchedule  PatchRemediationJob.ModifyTargets  PatchRemediationJob.Execute PatchDownloadJob.Read  PatchDownloadJob.Create  PatchDownloadJob.Modify  PatchDownloadJob.ModifySchedule  PatchDownloadJob.ModifyTargets  PatchDownloadJob.Execute PatchCatalog.Read  PatchCatalog.Write PatchSmartGroup.Read ComponentTemplate.Read ComponentTemplateGroup.Read Component.Read ComponentGroup.Read Server.Read DeployJob.* BatchJob.* ACLTemplate.* BLPackage.Read  BLPackage.Write  BLPackage.Modify JobFolder.Read  JobFolder.Write DepotFolder.Read  DepotFolder.Write  DepotFolder.Modify DepotGroup.Read  DepotGroup.Write  DepotGroup.Modify JobFolder.Read  JobFolder.Write JobGroup.Read  JobGroup.Write ServerGroup.Read  ServerGroup.Write CustomSoftware.Read  CustomSoftware.Create  CustomSoftware.Modify LinuxSoftware.Read  LinuxSoftware.Create  LinuxSoftware.Modify AIXPatchSoftware.Read  AIXPatchSoftware.Create  AIXPatchSoftware.Modify SolarisSoftware.Read  SolarisSoftware.Create  SolarisSoftware.Modify WindowsSoftware.Read  WindowsSoftware.Create  WindowsSoftware.Modify Partial permissions If a checkbox is not automatically selected, the role you have designated in the BSA Role Name field does not have all the permissions necessary to perform all the capabilities associated with a particular type of operation. You can still select the check box to grant this security group permission to perform the operation, but the security group will be limited by the permissions granted in BMC Server Automation.  For example, you may specify a role that has permissions to run Compliance jobs in BMC Server Automation but does not have permissions to run remediation operations when a compliance failure is detected. In this situation, the check box for Compliance is not selected automatically. You should select the check box to grant this portal security group the same set of compliance functionality available in BMC Server Automation. If you do not select the check box, this portal security group cannot run any Compliance operations in the portal. You can view a spreadsheet that lists recommended minimum BMC Server Automation permissions needed to perform certain types of actions, such as Compliance job execution or patch remediation. The list of permissions are recommendations only. You may discover situations that require additional permissions. Vulnerability Manager permission The Vulnerability Manager permission lets users perform actions using the tools available in the Vulnerability Manager menu. Vulnerability Manager is a portal-level activity only. There are no corresponding permissions in BMC Server Automation. Threat Director permission The Threat Director permission lets users perform actions using the tools available in the Threat Director menu. Many of the actions that you can perform require servers to be licensed for Threat Director. Threat Director is a portal-level activity only. There are no corresponding permissions in BMC Server Automation.
   Asset Groups	The Asset Groups option lets you grant this portal security group access to asset groups that are defined in a vulnerability management system.  If you do not grant access to any asset groups, the portal security group is granted access to all assets. To make options available in the Asset Groups option, you must import an asset group file using Vulnerability Manager > Import or Threat Director > Import. Click here for a description of the full process for assigning asset groups to portal security groups.
   Default Depot Path	The Default Depot Path option specifies the location in BMC Server Automation where the portal stores depot items it creates automatically. When any portal user who belongs to this portal security group performs an operation that generates a depot item, the item is stored by default in this location. To specify a depot folder, click Browse and use the folder graphic to navigate to a location. Then click OK.
   Default Job Path	The Default Job Path option specifies a location in BMC Server Automation where the portal stores jobs it creates automatically. When any portal user who belongs to this portal security group performs an operation that generates a job, the job is stored in this location by default. To specify a job folder, click Browse and use the folder graphic to navigate to a location. Then click OK.
   Deploy Templates	The Deploy Templates options specifies Deploy jobs in BMC Server Automation that can be used to define settings for any Deploy jobs that the portal creates, including Deploy Jobs that are automatically created as part of auto-remediation for Patch Analysis jobs. To choose a template, click Add and browse to a job. Select it and click OK .  Ctrl-click to select multiple jobs and then click OK . If you want to create Deploy operations that run advanced Deploy jobs in BMC Server Automation, use a deploy template that references an existing advanced Deploy job. See Adding a deploy template for instructions describing how to set up a deploy template.

5. Click Update Group.
   For some settings to take affect, you must log out and then log back into the portal. 

Deleting portal security groups

1. At top right, click the drop-down menu by your user name. Then, select Administration. 
   The portal displays the Administration page.
2. Click the Security Groups tab, if it is not already selected.
   A list of portal security groups opens.
3. Select a portal security group and click Delete the current security group  .
   A dialog box asks you to confirm the deletion.

Importing predefined roles into BMC Server Automation

You can import predefined roles into BMC Server Automation. Each of these roles has a minimum set of permissions to perform actions. For example, the Compliance role has a minimum set of permissions to run Compliance Jobs.

After importing these roles into BMC Server Automation, you can create security groups based on those roles. Each security group has the minimum permissions for performing a certain type of action. You can view a  spreadsheet that lists the minimum BMC Server Automation permissions  granted to the roles you are importing, such as Compliance job execution or patch remediation. The list of permissions are BMC recommendations only. You may discover situations that require additional permissions.

To import predefined roles

1. Copy the attached JSON file to the server where the BMC Server Automation Application Server is installed. Note the location where you store the JSON file.
2. Ensure that the BMC Server Automation Application Server is started.
3. On the server where the BMC Server Automation Application Server is installed, open a command line.
4. Cd to one of the following locations:
   • (Windows): C:\Program Files\BMC Software\BladeLogic\NSH\bin
   • (UNIX): /opt/bmc/bladelogic/NSH/bin
5. Enter one of the following commands:
   • (Windows): blcontent READ_JSON "<location_of_json_file>\portal_roles.json"
   • (UNIX): ./blcontent READ_JSON "<location_of_json_file>/portal_roles.json" 
     
     The blcontent utility imports predefined roles from the JSON file. You can now import those roles into BladeLogic Portal to create security groups with minimum permissions for performing certain actions.