Managing portal security groups for BMC Server Automation

A portal security group (PSG) is a group of users that inherit a set of restrictions and permissions. A portal security group has a one-to-one mapping to a BMC Server Automation role. After a PSG is created in the portal and mapped to a role in BMC Server Automation, all users that are assigned to that role in BMC Server Automation can log on to the portal with their BMC Server Automation credentials.

Predefined PSGs

The installation procedure automatically creates a portal security group for portal administration. This group, known as the portal administrator group, is mapped to the BLAdmins role in BMC Server Automation (or to any other role granted the same permissions as BLAdmins). Users assigned to the BLAdmins role in BMC Server Automation can log on to the portal and manage the portal environment.

Another PSG is created automatically when you add an additional site. This PSG is the site administrator group. Currently, the site administrator must belong to the same role as the portal administrator. Essentially, a site administrator group has authorizations to administer its own site, while the portal administrator group has authorizations to administer all sites. The following table explains the different capabilities of the portal administrator and the site administrator.

| Type of administrative action | Portal administrator group | Site administrator group |
| --- | --- | --- |
| Sites | Able to add, edit, or delete all sites, except deleting the primary site | Able to edit only their own site |
| Portal security groups | Able to edit or delete any PSG except the portal administrator's PSG. Portal administrators can only add PSGs for the primary site. | Able to add, edit, and delete PSGs for their own site except their own site administrator PSG. |
| Operations | Authorized to perform all types of operations. Portal administrators can only see, edit, or delete operations created by a user that belongs to their own PSG. | Authorized to perform all types of operations. Can only see, edit, or delete operations created by a user that belongs to their own PSG. |

Portal-level restrictions

Restrictions set at the portal level provide a thin layer of control that prevents members of portal security groups from accessing certain features and functions of the portal environment.

Portal-level restrictions are optional and do not supersede the underlying RBAC controls set up in your BMC Server Automation environment. For example, if a new portal security group maps to a role that does not have RBAC rights to create patch operations, selecting patch authorizations at the portal level when you define the security group would not mean that operators who are members of this security group would now be able to create patch operations.

The intent of portal-level restrictions is to provide a very simple security mechanism for those organizations who have not implemented or do not require the sophisticated RBAC controls available in BMC Server Automation.

Default values for portal security groups

To make it easier to create operations in the portal, you can define values for:

  • Default depot and job paths—When members of a portal security group perform an action that creates job or depot items, the items are placed in these default depot and job locations. Default values defined at the portal security group level take precedence over default locations defined at the site level in a portal. Setting default values for jobs and depot items means portal operators do not have to manually select a folder when they create operations, thus shielding them from some complexity. Advanced operators can be given the ability to override folder locations when they create new operations.
  • Deploy templates—When members of a portal security group set up a deploy operation or a patching or compliance operation (which automatically generate Deploy jobs for remediation purposes), the deploy operation can use the settings in a Deploy template. By specifying Deploy templates for a security group, you can provide a limited number of recommended Deploy templates that group members can choose from when they are defining an operation. When you run a remediation operation for a patching operation, you can use a Deploy template based on an advanced Deploy job, which enables you to schedule the Simulate, Stage, and Commit phases of the job individually. 

 

Note

When specifying a Deploy template, select a Deploy Job based on a BLPackage. You cannot use a Deploy Job based on an executable software package or a File Deploy Job.

BMC recommends using a job specifically designed to define deployment options. If you choose to use a live Deploy Job as a Deploy template, scheduling for that job could be changed inadvertently in BMC Server Automation, which could cause operations in the portal to use incorrect scheduling.

Importing BSA roles to function as portal security groups

Before creating new portal security groups, the portal administrator must import roles and their associated users from BMC Server Automation. When you import a role, it is automatically converted into a portal security group in the portal.

When you import a role to create a portal security group, the security group is assigned a unique name. This automatic naming occurs for all portal sites except the primary site. At the primary site, the portal security group is given the same name as the role being imported. At all sites except the primary site, names are assigned by using this format:

ImportedRole@SiteName

where ImportedRole is the name of a role being imported and SiteName is the name of the site to which you are currently connected. 

After performing this procedure, you can still add new portal security groups in the future. You can also repeat this procedure to allow additional roles to use the portal.

If you want to create a set of roles with minimum permissions to perform actions in the portal, you can first import predefined roles into BMC Server Automation. Then you can import those roles into the portal.

To import portal security groups

  1. At top right, click the drop-down menu by your user name. Then, select Administration.
    The portal displays the Administration page.
  2. Click the Security Groups tab, if it is not already selected.
    A list of portal security groups opens.
  3. Click Import security groups.
    The Import Security Groups page opens.



  4. For BSA Site, select the BMC Server Automation instance from which you want to import role and user information.

  5. Select Override Permissions if you want to overwrite the settings for existing portal security groups with names that match the names of the roles you are importing. If you select this option, the authorizations for the existing portal security groups will match the authorizations of the roles you are importing. 

    Existing portal security groups are not affected if their names do not match the names of the roles you are importing.
  6. Using the list of BMC Server Automation roles, check the roles you want to import. 
    Click select all to select all roles in the list, or click clear to deselect all roles. 
    To search for roles by name, enter a text string in the search box and click Filter the role names. The portal lists only roles with names that include the string you entered.
  7. Click Import.
    The selected roles are imported into the portal and mapped to a portal security group with the same name. Users of BMC Server Automation who are assigned to a role that you have imported are now able to log on to the portal by using their BMC Server Automation credentials.

Adding new portal security groups

In addition to importing portal security groups, you can also create new groups.

Currently, only one portal security group can be mapped to a role in BMC Server Automation.

To add a new portal security group

  1. At top right, click the drop-down menu by your user name. Then, select Administration.
    The portal displays the Administration page.
  2. Click the Security Groups tab, if it is not already selected.
    A list of portal security groups opens.
  3. Select the Add a new security group icon.
    The Create Group page opens.
  4. Enter the following information.

    Group Name

    Name of the portal security group.

    Group Description

    Optional descriptive text for the portal security group.

    BSA Site

    The BSA Site or BNA Site option specifies the Application Server in either BMC Server Automation or BMC Network Automation to which this portal security group has access.

    See Managing sites for more information.

    BSA Role Name

    Specifies the role in BMC Server Automation that determines which user authorizations are assigned to this portal security group.

    Portal Level Permission

    The Portal Level Permissions option specifies the types of operations this portal security group can perform. The authorizations that are selected reflect the authorizations granted to the role specified in the BSA Role Name field.

    Removing an authorization at the portal level takes precedence over permissions granted to a role in BMC Server Automation. In other words, if a role is granted an authorization in BMC Server Automation but the corresponding check box is not selected here at the portal level, the role cannot perform that operation in the portal.

    Requirements for auto-selection

    When you select a role in the BSA Role Name field, the portal examines the permissions granted to that role in BMC Server Automation. If the role has been granted a minimum set of permissions needed to perform a type of operation in the portal, such as Compliance operations, the check box for that type of operation is selected automatically. 

    The following lists show the minimum BMC Server Automation permissions that must be granted to a role for a check box to be selected automatically. Be forewarned that these lists are long!

    Batch checkbox
    BatchJob.Read 
    BatchJob.Create 
    BatchJob.Modify 
    BatchJob.ModifySchedule 
    BatchJob.ModifyTargets 
    BatchJob.Execute
    BLPackage.Read 
    BLPackage.Write 
    BLPackage.Modify 
    BLPackage.ModifyProperties
    ApplicationDiscoveryJob.*
    AuditJob.Read 
    AuditJob.Create 
    AuditJob.Modify 
    AuditJob.ModifySchedule 
    AuditJob.ModifyTargets 
    AuditJob.Execute
    DeployJob.Read 
    DeployJob.Create 
    DeployJob.Modify 
    DeployJob.ModifySchedule 
    DeployJob.ModifyProperties 
    DeployJob.ModifyTargets 
    DeployJob.Execute
    PatchingJob.Read 
    PatchingJob.Create 
    PatchingJob.Modify 
    PatchingJob.ModifySchedule 
    PatchingJob.ModifyTargets 
    PatchingJob.Execute
    PatchRemediationJob.Read 
    PatchRemediationJob.Create 
    PatchRemediationJob.Modify 
    PatchRemediationJob.ModifySchedule 
    PatchRemediationJob.ModifyTargets 
    PatchRemediationJob.Execute
    PatchDownloadJob.Read 
    PatchDownloadJob.Create 
    PatchDownloadJob.Modify 
    PatchDownloadJob.ModifySchedule 
    PatchDownloadJob.ModifyTargets 
    PatchDownloadJob.Execute
    NSHScriptJob.Read
    NSHScriptJob.Create 
    NSHScriptJob.Modify 
    NSHScriptJob.ModifySchedule 
    NSHScriptJob.ModifyTargets 
    NSHScriptJob.Execute
    DiscoveryJob.Read 
    DiscoveryJob.Modify 
    DiscoveryJob.Modify 
    DiscoveryJob.ModifyTargets 
    DiscoveryJob.Execute 
    DiscoveryJob.Delete
    JobFolder.Read 
    JobFolder.Write
    JobGroup.Read 
    JobGroup.Write
    DepotFolder.Read 
    DepotFolder.Write
    ComponentTemplateFolder.Read
    ComponentTemplateGroup.Read
    ComponentGroup.Read
    DepotFolder.Read 
    DepotFolder.Write 
    DepotFolder.Modify
    DepotGroup.Read 
    DepotGroup.Write 
    DepotGroup.Modify
    ComponentTemplate.Read
    Component.Read
    DepotFile.*
    ConfigFile.*
    ConfigurationObjectClass.*
    DeregisterConfigurationObjects.*
    DistributeConfigurationObjects.*
    ExecutionTask.*
    NSHScript.*
    PropertyClass.*
    PropertyInstance.*
    Repeater.*
    Server.Read 
    Server.Discover
    ServerGroup.*
    DiscoveryJob.*
    CustomCommand.Read 
    CustomCommand.Create 
    CustomCommand.Modify
    CustomSoftware.Read 
    CustomSoftware.Create 
    CustomSoftware.Modify
    HPUXSoftware.Read 
    HPUXSoftware.Create 
    HPUXSoftware.Modify
    LinuxSoftware.Read 
    LinuxSoftware.Create 
    LinuxSoftware.Modify
    AIXSoftware.Read 
    AIXSoftware.Create 
    AIXSoftware.Modify
    AIXPatchSoftware.Read 
    AIXPatchSoftware.Create 
    AIXPatchSoftware.Modify
    SolarisSoftware.Read
    SolarisSoftware.Create 
    SolarisSoftware.Modify
    WindowsSoftware.Read 
    WindowsSoftware.Create 
    WindowsSoftware.Modify


     Compliance checkbox
    AuditJob.Read 
    AuditJob.Create 
    AuditJob.Modify 
    AuditJob.ModifySchedule 
    AuditJob.ModifyTargets 
    AuditJob.Execute
    DiscoveryJob.Read 
    DiscoveryJob.Modify 
    DiscoveryJob.Modify 
    DiscoveryJob.ModifyTargets 
    DiscoveryJob.Execute 
    DiscoveryJob.Delete
    Component.Read 
    Component.Audit 
    Component.Create 
    Component.ModifyExceptions
    ComponentGroup.Read 
    ComponentGroup.Write 
    ComponentGroup.Modify
    ComponentTemplate.Read
    ComponentTemplateFolder.Read 
    ComponentTemplateFolder.Write
    ComponentTemplateGroup.Read 
    ComponentTemplateGroup.Write
    DepotFolder.Read 
    DepotFolder.Write 
    DepotFolder.Modify
    DeployJob.Read 
    DeployJob.Create 
    DeployJob.Modify 
    DeployJob.ModifySchedule 
    DeployJob.ModifyProperties 
    DeployJob.ModifyTargets 
    DeployJob.Execute
    JobFolder.Read 
    JobFolder.Write
    JobGroup.Read 
    JobGroup.Write
    Server.Read 
    Server.Discover
    ServerGroup.Read




    Deploy checkbox
    DeployJob.Read 
    DeployJob.Create 
    DeployJob.Modify 
    DeployJob.ModifySchedule 
    DeployJob.ModifyProperties 
    DeployJob.ModifyTargets 
    DeployJob.Execute
    BLPackage.Read 
    BLPackage.Write 
    BLPackage.Modify 
    BLPackage.ModifyProperties
    ApplicationDiscoveryJob.*
    JobFolder.Read 
    JobFolder.Write
    JobGroup.Read 
    JobGroup.Write
    DepotFolder.Read 
    DepotFolder.Write
    ComponentTemplateFolder.Read
    ComponentTemplateGroup.Read
    ComponentGroup.Read
    DepotFolder.Read 
    DepotFolder.Write 
    DepotFolder.Modify
    DepotGroup.Read 
    DepotGroup.Write 
    DepotGroup.Modify
    ComponentTemplate.Read
    Component.Read
    DepotFile.*
    ConfigFile.*
    ConfigurationObjectClass.*
    DeregisterConfigurationObjects.*
    DistributeConfigurationObjects.*
    ExecutionTask.*
    NSHScript.*
    PropertyClass
    PropertyInstance.*
    Repeater.*
    Server.Read
    ServerGroup.*
    DiscoveryJob.*
    CustomCommand.Read 
    CustomCommand.Create 
    CustomCommand.Modify
    CustomSoftware.Read 
    CustomSoftware.Create 
    CustomSoftware.Modify
    HPUXSoftware.Read 
    HPUXSoftware.Create 
    HPUXSoftware.Modify
    LinuxSoftware.Read 
    LinuxSoftware.Create 
    LinuxSoftware.Modify
    AIXSoftware.Read 
    AIXSoftware.Create 
    AIXSoftware.Modify
    AIXPatchSoftware.Read 
    AIXPatchSoftware.Create 
    AIXPatchSoftware.Modify
    SolarisSoftware.Read 
    SolarisSoftware.Create 
    SolarisSoftware.Modify
    WindowsSoftware.Read 
    WindowsSoftware.Create 
    WindowsSoftware.Modify




    NSH Script checkbox
    NSHScriptJob.Read 
    NSHScriptJob.Create 
    NSHScriptJob.Modify 
    NSHScriptJob.ModifySchedule 
    NSHScriptJob.ModifyTargets 
    NSHScriptJob.Execute
    BLPackage.Read 
    BLPackage.Write 
    BLPackage.Modify 
    BLPackage.ModifyProperties
    ApplicationDiscoveryJob.*
    JobFolder.Read 
    JobFolder.Write
    JobGroup.Read 
    JobGroup.Write
    DepotFolder.Read 
    DepotFolder.Write
    ComponentTemplateFolder.Read
    ComponentTemplateGroup.Read
    ComponentGroup.Read
    DepotFolder.Read 
    DepotFolder.Write 
    DepotFolder.Modify
    DepotGroup.Read 
    DepotGroup.Write 
    DepotGroup.Modify
    ComponentTemplate.Read
    Component.Read
    DepotFile.*
    ConfigFile.*
    ConfigurationObjectClass.*
    DeregisterConfigurationObjects.*
    DistributeConfigurationObjects.*
    ExecutionTask.*
    NSHScript.*
    PropertyClass.*
    PropertyInstance.*
    Repeater.*
    Server.Read
    ServerGroup.*
    DiscoveryJob.*
    CustomCommand.Read 
    CustomCommand.Create 
    CustomCommand.Modify
    CustomSoftware.Read 
    CustomSoftware.Create 
    CustomSoftware.Modify
    HPUXSoftware.Read 
    HPUXSoftware.Create 
    HPUXSoftware.Modify
    LinuxSoftware.Read 
    LinuxSoftware.Create 
    LinuxSoftware.Modify
    AIXSoftware.Read 
    AIXSoftware.Create 
    AIXSoftware.Modify
    AIXPatchSoftware.Read 
    AIXPatchSoftware.Create 
    AIXPatchSoftware.Modify
    SolarisSoftware.Read 
    SolarisSoftware.Create 
    SolarisSoftware.Modify
    WindowsSoftware.Read 
    WindowsSoftware.Create 
    WindowsSoftware.Modify




    Patch checkbox
    PatchingJob.Read 
    PatchingJob.Create 
    PatchingJob.Modify 
    PatchingJob.ModifySchedule 
    PatchingJob.ModifyTargets 
    PatchingJob.Execute
    PatchRemediationJob.Read 
    PatchRemediationJob.Create 
    PatchRemediationJob.Modify 
    PatchRemediationJob.ModifySchedule 
    PatchRemediationJob.ModifyTargets 
    PatchRemediationJob.Execute
    PatchDownloadJob.Read 
    PatchDownloadJob.Create 
    PatchDownloadJob.Modify 
    PatchDownloadJob.ModifySchedule 
    PatchDownloadJob.ModifyTargets 
    PatchDownloadJob.Execute
    PatchCatalog.Read 
    PatchCatalog.Write
    PatchSmartGroup.Read
    ComponentTemplate.Read
    ComponentTemplateGroup.Read
    Component.Read
    ComponentGroup.Read
    Server.Read
    DeployJob.*
    BatchJob.*
    ACLTemplate.*
    BLPackage.Read 
    BLPackage.Write 
    BLPackage.Modify
    JobFolder.Read 
    JobFolder.Write
    DepotFolder.Read 
    DepotFolder.Write 
    DepotFolder.Modify
    DepotGroup.Read 
    DepotGroup.Write 
    DepotGroup.Modify
    JobFolder.Read 
    JobFolder.Write
    JobGroup.Read 
    JobGroup.Write
    ServerGroup.Read 
    ServerGroup.Write
    CustomSoftware.Read 
    CustomSoftware.Create 
    CustomSoftware.Modify
    LinuxSoftware.Read 
    LinuxSoftware.Create 
    LinuxSoftware.Modify
    AIXPatchSoftware.Read 
    AIXPatchSoftware.Create 
    AIXPatchSoftware.Modify
    SolarisSoftware.Read 
    SolarisSoftware.Create 
    SolarisSoftware.Modify
    WindowsSoftware.Read 
    WindowsSoftware.Create 
    WindowsSoftware.Modify


    Partial permissions

    If a checkbox is not automatically selected, the role you have designated in the BSA Role Name field does not have all the permissions necessary to perform all the capabilities associated with a particular type of operation. You can still select the check box to grant this security group permission to perform the operation, but the security group will be limited by the permissions granted in BMC Server Automation. 

    For example, you may specify a role that has permissions to run Compliance jobs in BMC Server Automation but does not have permissions to run remediation operations when a compliance failure is detected. In this situation, the check box for Compliance is not selected automatically. You should select the check box to grant this portal security group the same set of compliance functionality available in BMC Server Automation. If you do not select the check box, this portal security group cannot run any Compliance operations in the portal.

    You can view a spreadsheet that lists recommended minimum BMC Server Automation permissions needed to perform certain types of actions, such as Compliance job execution or patch remediation. The listed permissions are recommendations only. You may discover situations that require additional permissions.

    Vulnerability Manager permission

    The Vulnerability Manager permission lets users perform actions using the tools available in the Vulnerability Manager menu. Vulnerability Manager is a portal-level activity only. There are no corresponding permissions in BMC Server Automation.

    Threat Director permission

    The Threat Director permission lets users perform actions using the tools available in the Threat Director menu. Many of the actions that you can perform require servers to be licensed for Threat Director.

    Threat Director is a portal-level activity only. There are no corresponding permissions in BMC Server Automation.


    Asset Groups

    The Asset Groups option lets you grant this portal security group access to asset groups that are defined in a vulnerability management system. 

    If you do not grant access to any asset groups, the portal security group is granted access to all assets.

    To make options available in the Asset Groups option, you must import an asset group file using Vulnerability Manager > Import or Threat Director > Import.

    Default Depot Path

    The Default Depot Path option specifies the location in BMC Server Automation where the portal stores depot items it creates automatically. When any portal user who belongs to this portal security group performs an operation that generates a depot item, the item is stored by default in this location. To specify a depot folder, click Browse and use the folder graphic to navigate to a location. Then click OK.

    Default Job Path

    The Default Job Path option specifies a location in BMC Server Automation where the portal stores jobs it creates automatically. When any portal user who belongs to this portal security group performs an operation that generates a job, the job is stored in this location by default. To specify a job folder, click Browse and use the folder graphic to navigate to a location. Then click OK.

    Deploy Templates

    The Deploy Templates option specifies Deploy jobs in BMC Server Automation that can be used to define settings for any Deploy jobs that the portal creates, including Deploy Jobs that are automatically created as part of auto-remediation for Patch Analysis jobs. To choose a template, click Add and browse to a job. Select it and click OK. Ctrl-click to select multiple jobs and then click OK.

    If you want to create Deploy operations that run advanced Deploy jobs in BMC Server Automation, use a deploy template that references an existing advanced Deploy job.

    See Adding a deploy template for instructions describing how to set up a deploy template.

  5. Click Create Group.
    The portal security group is created. Users of BMC Server Automation who are assigned to the role to which this group is mapped are now able to log on to the portal by using their BMC Server Automation credentials.

    For some settings to take effect, you must log out and then log back in to the portal.
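
The auto-selection rule and the partial-permissions case described in step 4 above, as an added example (not BMC code): a Python check that compares a role's authorizations with the Compliance and Patch minimum lists from this page and reports what is missing. The role listing format, the function names, and the treatment of `Object.*` (a wildcard grant covers any action on that object; a wildcard requirement needs the wildcard grant itself) are assumptions.

```python
"""Audit a role's authorizations against the documented check-box minimums.
Added example; the listing format and the wildcard handling are assumptions."""

# Minimum sets taken from the "Compliance checkbox" and "Patch checkbox" lists
# on this page, grouped by object type (entries repeated on the page collapsed).
_JOB = "Read Create Modify ModifySchedule ModifyTargets Execute"
_SW = "Read Create Modify"
MINIMUMS = {
    "Compliance": {
        "AuditJob": _JOB,
        "DiscoveryJob": "Read Modify ModifyTargets Execute Delete",
        "Component": "Read Audit Create ModifyExceptions",
        "ComponentGroup": "Read Write Modify",
        "ComponentTemplate": "Read",
        "ComponentTemplateFolder": "Read Write",
        "ComponentTemplateGroup": "Read Write",
        "DepotFolder": "Read Write Modify",
        "DeployJob": _JOB + " ModifyProperties",
        "JobFolder": "Read Write",
        "JobGroup": "Read Write",
        "Server": "Read Discover",
        "ServerGroup": "Read",
    },
    "Patch": {
        "PatchingJob": _JOB, "PatchRemediationJob": _JOB, "PatchDownloadJob": _JOB,
        "PatchCatalog": "Read Write", "PatchSmartGroup": "Read",
        "ComponentTemplate": "Read", "ComponentTemplateGroup": "Read",
        "Component": "Read", "ComponentGroup": "Read", "Server": "Read",
        "DeployJob": "*", "BatchJob": "*", "ACLTemplate": "*",
        "BLPackage": "Read Write Modify",
        "JobFolder": "Read Write", "JobGroup": "Read Write",
        "DepotFolder": "Read Write Modify", "DepotGroup": "Read Write Modify",
        "ServerGroup": "Read Write",
        "CustomSoftware": _SW, "LinuxSoftware": _SW, "AIXPatchSoftware": _SW,
        "SolarisSoftware": _SW, "WindowsSoftware": _SW,
    },
}

# Constructed sample listing (assumed format: whitespace-separated authorizations,
# '#' starts a comment). The role can audit but holds no DeployJob rights, which
# is the "Compliance without remediation" case from the Partial permissions text.
SAMPLE_ROLE = """
# role: ComplianceAuditors (hypothetical)
AuditJob.* DiscoveryJob.* Component.* ComponentGroup.* ComponentTemplate.Read
ComponentTemplateFolder.* ComponentTemplateGroup.* DepotFolder.* JobFolder.*
JobGroup.* Server.* ServerGroup.Read
"""


def parse_grants(text):
    """Return the set of authorizations named in a role listing."""
    grants = set()
    for line in text.splitlines():
        grants.update(line.split("#", 1)[0].split())
    return grants


def required(checkbox):
    """Expand the compact table into 'Object.Action' strings."""
    table = MINIMUMS[checkbox]
    return {f"{obj}.{act}" for obj, acts in table.items() for act in acts.split()}


def is_granted(auth, grants):
    """True if the role holds `auth` exactly or through an 'Object.*' grant."""
    obj = auth.split(".", 1)[0]
    return auth in grants or f"{obj}.*" in grants


def missing(checkbox, grants):
    """Authorizations the role still needs before the box is auto-selected."""
    return sorted(a for a in required(checkbox) if not is_granted(a, grants))


def auto_selected(checkbox, grants):
    """The page's rule: the box is pre-selected only when nothing is missing."""
    return not missing(checkbox, grants)


def portal_outcome(checkbox, grants, checked):
    """Combine the portal check box with the role's RBAC rights.

    'blocked' : box cleared, so the operation type is unavailable in the portal
    'full'    : box selected and the role meets the documented minimum
    'partial' : box selected by hand; the role's RBAC rights still limit it
    """
    if not checked:
        return "blocked"
    return "full" if auto_selected(checkbox, grants) else "partial"


if __name__ == "__main__":
    role = parse_grants(SAMPLE_ROLE)
    for box in MINIMUMS:
        gap = missing(box, role)
        state = "auto-selected" if not gap else f"not auto-selected, {len(gap)} missing"
        print(f"{box}: {state}")
        for auth in gap:
            print(f"  - {auth}")
```

Running the same check over every role before importing it shows which check boxes would need manual selection and which authorizations account for the gap.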

Modifying portal security groups

  1. At top right, click the drop-down menu by your user name. Then, select Administration.
    The portal displays the Administration page.
  2. Click the Security Groups tab, if it is not already selected.
    A list of portal security groups opens.
  3. Select a portal security group and click Edit the current security group.
    The Update Group page opens.
  4. Modify the settings for the portal security group by changing any of the following options:
    Group Name

    Name of the portal security group.

    Group Description

    Optional descriptive text for the portal security group.

    BSA Site

    The BSA Site or BNA Site option specifies the Application Server in either BMC Server Automation or BMC Network Automation to which this portal security group has access.

    See Managing sites for more information.

    BSA Role Name

    Specifies the role in BMC Server Automation that determines which user authorizations are assigned to this portal security group.

    Portal Level Permission

    The Portal Level Permissions option specifies the types of operations this portal security group can perform. The authorizations that are selected reflect the authorizations granted to the role specified in the BSA Role Name field.

    Removing an authorization at the portal level takes precedence over permissions granted to a role in BMC Server Automation. In other words, if a role is granted an authorization in BMC Server Automation but the corresponding check box is not selected here at the portal level, the role cannot perform that operation in the portal.

    Requirements for auto-selection

    When you select a role in the BSA Role Name field, the portal examines the permissions granted to that role in BMC Server Automation. If the role has been granted a minimum set of permissions needed to perform a type of operation in the portal, such as Compliance operations, the check box for that type of operation is selected automatically. 

    The following lists show the minimum BMC Server Automation permissions that must be granted to a role for a check box to be selected automatically. Be forewarned that these lists are long!

    Batch checkbox
    BatchJob.Read 
    BatchJob.Create 
    BatchJob.Modify 
    BatchJob.ModifySchedule 
    BatchJob.ModifyTargets 
    BatchJob.Execute
    BLPackage.Read 
    BLPackage.Write 
    BLPackage.Modify 
    BLPackage.ModifyProperties
    ApplicationDiscoveryJob.*
    AuditJob.Read 
    AuditJob.Create 
    AuditJob.Modify 
    AuditJob.ModifySchedule 
    AuditJob.ModifyTargets 
    AuditJob.Execute
    DeployJob.Read 
    DeployJob.Create 
    DeployJob.Modify 
    DeployJob.ModifySchedule 
    DeployJob.ModifyProperties 
    DeployJob.ModifyTargets 
    DeployJob.Execute
    PatchingJob.Read 
    PatchingJob.Create 
    PatchingJob.Modify 
    PatchingJob.ModifySchedule 
    PatchingJob.ModifyTargets 
    PatchingJob.Execute
    PatchRemediationJob.Read 
    PatchRemediationJob.Create 
    PatchRemediationJob.Modify 
    PatchRemediationJob.ModifySchedule 
    PatchRemediationJob.ModifyTargets 
    PatchRemediationJob.Execute
    PatchDownloadJob.Read 
    PatchDownloadJob.Create 
    PatchDownloadJob.Modify 
    PatchDownloadJob.ModifySchedule 
    PatchDownloadJob.ModifyTargets 
    PatchDownloadJob.Execute
    NSHScriptJob.Read
    NSHScriptJob.Create 
    NSHScriptJob.Modify 
    NSHScriptJob.ModifySchedule 
    NSHScriptJob.ModifyTargets 
    NSHScriptJob.Execute
    DiscoveryJob.Read 
    DiscoveryJob.Modify 
    DiscoveryJob.Modify 
    DiscoveryJob.ModifyTargets 
    DiscoveryJob.Execute 
    DiscoveryJob.Delete
    JobFolder.Read 
    JobFolder.Write
    JobGroup.Read 
    JobGroup.Write
    DepotFolder.Read 
    DepotFolder.Write
    ComponentTemplateFolder.Read
    ComponentTemplateGroup.Read
    ComponentGroup.Read
    DepotFolder.Read 
    DepotFolder.Write 
    DepotFolder.Modify
    DepotGroup.Read 
    DepotGroup.Write 
    DepotGroup.Modify
    ComponentTemplate.Read
    Component.Read
    DepotFile.*
    ConfigFile.*
    ConfigurationObjectClass.*
    DeregisterConfigurationObjects.*
    DistributeConfigurationObjects.*
    ExecutionTask.*
    NSHScript.*
    PropertyClass.*
    PropertyInstance.*
    Repeater.*
    Server.Read 
    Server.Discover
    ServerGroup.*
    DiscoveryJob.*
    CustomCommand.Read 
    CustomCommand.Create 
    CustomCommand.Modify
    CustomSoftware.Read 
    CustomSoftware.Create 
    CustomSoftware.Modify
    HPUXSoftware.Read 
    HPUXSoftware.Create 
    HPUXSoftware.Modify
    LinuxSoftware.Read 
    LinuxSoftware.Create 
    LinuxSoftware.Modify
    AIXSoftware.Read 
    AIXSoftware.Create 
    AIXSoftware.Modify
    AIXPatchSoftware.Read 
    AIXPatchSoftware.Create 
    AIXPatchSoftware.Modify
    SolarisSoftware.Read
    SolarisSoftware.Create 
    SolarisSoftware.Modify
    WindowsSoftware.Read 
    WindowsSoftware.Create 
    WindowsSoftware.Modify


     Compliance checkbox
    AuditJob.Read 
    AuditJob.Create 
    AuditJob.Modify 
    AuditJob.ModifySchedule 
    AuditJob.ModifyTargets 
    AuditJob.Execute
    DiscoveryJob.Read 
    DiscoveryJob.Modify 
    DiscoveryJob.Modify 
    DiscoveryJob.ModifyTargets 
    DiscoveryJob.Execute 
    DiscoveryJob.Delete
    Component.Read 
    Component.Audit 
    Component.Create 
    Component.ModifyExceptions
    ComponentGroup.Read 
    ComponentGroup.Write 
    ComponentGroup.Modify
    ComponentTemplate.Read
    ComponentTemplateFolder.Read 
    ComponentTemplateFolder.Write
    ComponentTemplateGroup.Read 
    ComponentTemplateGroup.Write
    DepotFolder.Read 
    DepotFolder.Write 
    DepotFolder.Modify
    DeployJob.Read 
    DeployJob.Create 
    DeployJob.Modify 
    DeployJob.ModifySchedule 
    DeployJob.ModifyProperties 
    DeployJob.ModifyTargets 
    DeployJob.Execute
    JobFolder.Read 
    JobFolder.Write
    JobGroup.Read 
    JobGroup.Write
    Server.Read 
    Server.Discover
    ServerGroup.Read




    Deploy checkbox
    DeployJob.Read 
    DeployJob.Create 
    DeployJob.Modify 
    DeployJob.ModifySchedule 
    DeployJob.ModifyProperties 
    DeployJob.ModifyTargets 
    DeployJob.Execute
    BLPackage.Read 
    BLPackage.Write 
    BLPackage.Modify 
    BLPackage.ModifyProperties
    ApplicationDiscoveryJob.*
    JobFolder.Read 
    JobFolder.Write
    JobGroup.Read 
    JobGroup.Write
    DepotFolder.Read 
    DepotFolder.Write
    ComponentTemplateFolder.Read
    ComponentTemplateGroup.Read
    ComponentGroup.Read
    DepotFolder.Read 
    DepotFolder.Write 
    DepotFolder.Modify
    DepotGroup.Read 
    DepotGroup.Write 
    DepotGroup.Modify
    ComponentTemplate.Read
    Component.Read
    DepotFile.*
    ConfigFile.*
    ConfigurationObjectClass.*
    DeregisterConfigurationObjects.*
    DistributeConfigurationObjects.*
    ExecutionTask.*
    NSHScript.*
    PropertyClass
    PropertyInstance.*
    Repeater.*
    Server.Read
    ServerGroup.*
    DiscoveryJob.*
    CustomCommand.Read 
    CustomCommand.Create 
    CustomCommand.Modify
    CustomSoftware.Read 
    CustomSoftware.Create 
    CustomSoftware.Modify
    HPUXSoftware.Read 
    HPUXSoftware.Create 
    HPUXSoftware.Modify
    LinuxSoftware.Read 
    LinuxSoftware.Create 
    LinuxSoftware.Modify
    AIXSoftware.Read 
    AIXSoftware.Create 
    AIXSoftware.Modify
    AIXPatchSoftware.Read 
    AIXPatchSoftware.Create 
    AIXPatchSoftware.Modify
    SolarisSoftware.Read 
    SolarisSoftware.Create 
    SolarisSoftware.Modify
    WindowsSoftware.Read 
    WindowsSoftware.Create 
    WindowsSoftware.Modify




    NSH Script checkbox
    NSHScriptJob.Read 
    NSHScriptJob.Create 
    NSHScriptJob.Modify 
    NSHScriptJob.ModifySchedule 
    NSHScriptJob.ModifyTargets 
    NSHScriptJob.Execute
    BLPackage.Read 
    BLPackage.Write 
    BLPackage.Modify 
    BLPackage.ModifyProperties
    ApplicationDiscoveryJob.*
    JobFolder.Read 
    JobFolder.Write
    JobGroup.Read 
    JobGroup.Write
    DepotFolder.Read 
    DepotFolder.Write
    ComponentTemplateFolder.Read
    ComponentTemplateGroup.Read
    ComponentGroup.Read
    DepotFolder.Read 
    DepotFolder.Write 
    DepotFolder.Modify
    DepotGroup.Read 
    DepotGroup.Write 
    DepotGroup.Modify
    ComponentTemplate.Read
    Component.Read
    DepotFile.*
    ConfigFile.*
    ConfigurationObjectClass.*
    DeregisterConfigurationObjects.*
    DistributeConfigurationObjects.*
    ExecutionTask.*
    NSHScript.*
    PropertyClass.*
    PropertyInstance.*
    Repeater.*
    Server.Read
    ServerGroup.*
    DiscoveryJob.*
    CustomCommand.Read 
    CustomCommand.Create 
    CustomCommand.Modify
    CustomSoftware.Read 
    CustomSoftware.Create 
    CustomSoftware.Modify
    HPUXSoftware.Read 
    HPUXSoftware.Create 
    HPUXSoftware.Modify
    LinuxSoftware.Read 
    LinuxSoftware.Create 
    LinuxSoftware.Modify
    AIXSoftware.Read 
    AIXSoftware.Create 
    AIXSoftware.Modify
    AIXPatchSoftware.Read 
    AIXPatchSoftware.Create 
    AIXPatchSoftware.Modify
    SolarisSoftware.Read 
    SolarisSoftware.Create 
    SolarisSoftware.Modify
    WindowsSoftware.Read 
    WindowsSoftware.Create 
    WindowsSoftware.Modify




    Patch checkbox
    PatchingJob.Read 
    PatchingJob.Create 
    PatchingJob.Modify 
    PatchingJob.ModifySchedule 
    PatchingJob.ModifyTargets 
    PatchingJob.Execute
    PatchRemediationJob.Read 
    PatchRemediationJob.Create 
    PatchRemediationJob.Modify 
    PatchRemediationJob.ModifySchedule 
    PatchRemediationJob.ModifyTargets 
    PatchRemediationJob.Execute
    PatchDownloadJob.Read 
    PatchDownloadJob.Create 
    PatchDownloadJob.Modify 
    PatchDownloadJob.ModifySchedule 
    PatchDownloadJob.ModifyTargets 
    PatchDownloadJob.Execute
    PatchCatalog.Read 
    PatchCatalog.Write
    PatchSmartGroup.Read
    ComponentTemplate.Read
    ComponentTemplateGroup.Read
    Component.Read
    ComponentGroup.Read
    Server.Read
    DeployJob.*
    BatchJob.*
    ACLTemplate.*
    BLPackage.Read 
    BLPackage.Write 
    BLPackage.Modify
    JobFolder.Read 
    JobFolder.Write
    DepotFolder.Read 
    DepotFolder.Write 
    DepotFolder.Modify
    DepotGroup.Read 
    DepotGroup.Write 
    DepotGroup.Modify
    JobFolder.Read 
    JobFolder.Write
    JobGroup.Read 
    JobGroup.Write
    ServerGroup.Read 
    ServerGroup.Write
    CustomSoftware.Read 
    CustomSoftware.Create 
    CustomSoftware.Modify
    LinuxSoftware.Read 
    LinuxSoftware.Create 
    LinuxSoftware.Modify
    AIXPatchSoftware.Read 
    AIXPatchSoftware.Create 
    AIXPatchSoftware.Modify
    SolarisSoftware.Read 
    SolarisSoftware.Create 
    SolarisSoftware.Modify
    WindowsSoftware.Read 
    WindowsSoftware.Create 
    WindowsSoftware.Modify


    Partial permissions

    If a check box is not automatically selected, the role you have designated in the BSA Role Name field does not have all the permissions necessary to perform all the capabilities associated with a particular type of operation. You can still select the check box to grant this security group permission to perform the operation, but the security group will be limited by the permissions granted in BMC Server Automation.

    For example, you may specify a role that has permissions to run Compliance jobs in BMC Server Automation but does not have permissions to run remediation operations when a compliance failure is detected. In this situation, the check box for Compliance is not selected automatically. You should select the check box to grant this portal security group the same set of compliance functionality available in BMC Server Automation. If you do not select the check box, this portal security group cannot run any Compliance operations in the portal.

    You can view a spreadsheet that lists recommended minimum BMC Server Automation permissions needed to perform certain types of actions, such as Compliance job execution or patch remediation. The listed permissions are recommendations only. You may discover situations that require additional permissions.

    Vulnerability Manager permission

    The Vulnerability Manager permission lets users perform actions using the tools available in the Vulnerability Manager menu. Vulnerability Manager is a portal-level activity only. There are no corresponding permissions in BMC Server Automation.

    Threat Director permission

    The Threat Director permission lets users perform actions using the tools available in the Threat Director menu. Many of the actions that you can perform require servers to be licensed for Threat Director.

    Threat Director is a portal-level activity only. There are no corresponding permissions in BMC Server Automation.


    Asset Groups

    The Asset Groups option lets you grant this portal security group access to asset groups that are defined in a vulnerability management system. 

    If you do not grant access to any asset groups, the portal security group is granted access to all assets.

    To make options available in the Asset Groups option, you must import an asset group file using Vulnerability Manager > Import or Threat Director > Import.

    Click here for a description of the full process for assigning asset groups to portal security groups.

    Default Depot Path

    The Default Depot Path option specifies the location in BMC Server Automation where the portal stores depot items it creates automatically. When any portal user who belongs to this portal security group performs an operation that generates a depot item, the item is stored by default in this location. To specify a depot folder, click Browse and use the folder graphic to navigate to a location. Then click OK.

    Default Job Path

    The Default Job Path option specifies a location in BMC Server Automation where the portal stores jobs it creates automatically. When any portal user who belongs to this portal security group performs an operation that generates a job, the job is stored in this location by default. To specify a job folder, click Browse and use the folder graphic to navigate to a location. Then click OK.

    Deploy Templates

    The Deploy Templates option specifies Deploy jobs in BMC Server Automation that can be used to define settings for any Deploy jobs that the portal creates, including Deploy jobs that are automatically created as part of auto-remediation for Patch Analysis jobs. To choose a template, click Add and browse to a job. Select it and click OK, or Ctrl-click to select multiple jobs and then click OK.

    If you want to create Deploy operations that run advanced Deploy jobs in BMC Server Automation, use a deploy template that references an existing advanced Deploy job.

    See Adding a deploy template for instructions describing how to set up a deploy template.

  5. Click Update Group.
    For some settings to take effect, you must log out and then log back in to the portal.
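
The gap described under Partial permissions can be checked before a role is mapped to a portal security group. The following is an added example, not BMC code: it assumes the role's authorizations are available as a plain list (one per line) and that `Type.*` covers every action on that type; both sample lists are constructed, the first as a subset of the Patch list above.

```python
# Constructed subset of the "Patch checkbox" list on this page.
PATCH_REQUIRED = """
PatchingJob.Read
PatchingJob.Execute
PatchCatalog.Read
PatchCatalog.Write
Server.Read
DeployJob.*
BLPackage.Read
"""

# Constructed sample: authorizations held by a hypothetical BSA role.
ROLE_GRANTED = """
PatchingJob.*
PatchCatalog.Read
Server.Read
DeployJob.Read
DeployJob.Execute
BLPackage.*
NSHScriptJob.Execute
"""

def parse(text):
    """Return the set of 'Type.Action' entries, ignoring blanks and stray spaces."""
    return {line.strip() for line in text.splitlines() if line.strip()}

def covers(granted, needed):
    """True if one granted authorization satisfies one required authorization.
    Assumption: 'Type.*' grants every action on Type. A required 'Type.*' is
    satisfied only by a granted 'Type.*', since the page does not enumerate
    every action of a type."""
    if granted == needed:
        return True
    g_type, _, g_action = granted.partition(".")
    return g_action == "*" and g_type == needed.partition(".")[0]

def audit(required_text, granted_text):
    """Return (missing, unrelated): required entries the role lacks, and granted
    entries on object types this operation type never references."""
    required, granted = parse(required_text), parse(granted_text)
    needed_types = {n.partition(".")[0] for n in required}
    missing = sorted(n for n in required if not any(covers(g, n) for g in granted))
    unrelated = sorted(g for g in granted if g.partition(".")[0] not in needed_types)
    return missing, unrelated

if __name__ == "__main__":
    print(audit(PATCH_REQUIRED, ROLE_GRANTED))
```

A non-empty `missing` list corresponds to the case where the role lacks some of the permissions for that operation type; the `unrelated` list is a starting point for a least-privilege review of the role.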

Deleting portal security groups

  1. At top right, click the drop-down menu by your user name. Then select Administration.
    The portal displays the Administration page.
  2. Click the Security Groups tab, if it is not already selected.
    A list of portal security groups opens.
  3. Select a portal security group and click Delete the current security group.
    A dialog box asks you to confirm the deletion.

Importing predefined roles into BMC Server Automation

You can import predefined roles into BMC Server Automation. Each of these roles has a minimum set of permissions to perform actions. For example, the Compliance role has a minimum set of permissions to run Compliance Jobs.

After importing these roles into BMC Server Automation, you can create security groups based on those roles. Each security group has the minimum permissions for performing a certain type of action. You can view a spreadsheet that lists the minimum BMC Server Automation permissions granted to the roles you are importing, such as Compliance job execution or patch remediation. The listed permissions are BMC recommendations only. You may discover situations that require additional permissions.

To import predefined roles

  1. Copy the attached JSON file to the server where the BMC Server Automation Application Server is installed. Note the location where you store the JSON file.
  2. Ensure that the BMC Server Automation Application Server is started.
  3. On the server where the BMC Server Automation Application Server is installed, open a command line.
  4. Change directory (cd) to one of the following locations:
    • (Windows): C:\Program Files\BMC Software\BladeLogic\NSH\bin
    • (UNIX): /opt/bmc/bladelogic/NSH/bin
  5. Enter one of the following commands:
    • (Windows): blcontent READ_JSON "<location_of_json_file>\portal_roles.json"
    • (UNIX): ./blcontent READ_JSON "<location_of_json_file>/portal_roles.json" 

      The blcontent utility imports predefined roles from the JSON file. You can now import those roles into BladeLogic Portal to create security groups with minimum permissions for performing certain actions.

