Unsupported content

 

This version of the documentation is no longer supported. However, the documentation is available for your convenience. You will not be able to leave comments.

Role Based Access Control (RBAC) domain

The RBAC domain provides information about role-level authorizations, object-level authorizations, assigned roles for users, and audit trails for changes to system objects.

You can use this information to build your own custom RBAC reports using your own reporting tool.

RBAC domain entity-relationship diagram (ERD)

The following figure provides the ERD for the RBAC domain. It shows the relationships between the dimension, fact, bridge, and generic tables.

To view the detailed expressions that allow you to join tables, you can download the RBAC BDSSA BI Reporting Model Schema Definition.html file.

Tables in the RBAC domain

The following tables comprise the RBAC domain:

  • Dimension tables - Describe the properties of an object that are subject to change. These tables are prefixed with D_, for example, D_JOB.
  • Fact tables - Contain factual information that remains constant and is required for reporting. These tables are prefixed with F_, for example, F_JOB_RUN.

Dimension tables

Table Name/Description | ERD

D_BL_ACL_POLICY

Contains information about ACL policies such as name, description, and the dates on which the policy, user, and role were created or modified.

Note: D_BLUSER is also referenced in the ERD as ACL_POLICY_CREATED_USER.

D_BL_AUTH_PROFILE

Contains information about authentication profiles such as name, description, and the dates on which the policy, user, and role were created or modified.

Note: D_BLUSER is also referenced in the ERD as ACL_POLICY_CREATED_USER, PROFILE_MODIFIER_USER.

Note: BL_SITE is also referenced in the ERD as AUTH_PROFILE_BL_SITE.

D_BLGROUP

Contains information about the folder group where the job is stored, such as the group name, the group type (Server, Job, Depot), the fully qualified path to the group, and the parent group details.

Note: D_BLGROUP is referenced in the ERD as D_SMART_BLGROUP.

D_BLROLE

Contains information about roles such as name, description, whether the role is enabled or not, and the dates on which the policy, user, and role were created or modified.

Note: D_BLUSER is also referenced in the ERD as BL_ROLE_USER.

D_BLUSER

Contains information about users such as name, description, encrypted password, number of failed logins, whether the user is enabled or not, and the dates on which the policy, user, and role were created or modified.

D_CUSTOM_COMMAND

Contains information about custom commands such as display name, command and its type, run time arguments, and the dates on which the policy, user, and role were created or modified.

D_DEPOT_OBJECT

Contains information about the depot objects for each object type, such as name, description, date (created, modified), object type (Patch, Audit, Compliance...), and the dates on which the object was created or modified.

Note: OBJECT_TYPE is also referenced in the ERD as BLPKG_NSH_OBJECT_TYPE.

D_JOB

Contains job details such as the name, description, and type of job, as well as the dates on which the jobs were created or modified.

D_SERVER

Contains device details for the job, such as the name and description of a server, and the OS release/version.

D_TEMPLATE

Contains template details, such as the name and description of a template, type (Audit, Snapshot, Compliance), and the dates on which it was created or modified.

Fact tables

Table Name/Description | ERD

F_AUDIT_TRAIL

Contains details for the audit trail related to user/role changes for any object. It contains the user name, role name, object name, message, and whether the action succeeded.

Note:

B_ROLE_USER is also referenced in the ERD as BL_ROLE_USER.

BLAUTH is also referenced in the ERD as AUDIT_TRAIL_BL_AUTH.

F_BLPACKAGE_AUTH

Contains details for package authentication such as name, object type, RBAC method, and date and time.

Note: B_ROLE_USER is also referenced in the ERD as BL_ROLE_USER.


F_CONFIG_FILE_AUTH

Contains details for the configuration file authentication such as name, object type, role ID, RBAC method, and date and time.


F_CUSTOM_COMMAND_AUTH

Contains details for the custom command authentication such as custom command ID, object type, role ID, RBAC method, and date and time.

F_GROUP_AUTH

Contains details for the group authentication such as group name, group type, object type, role ID, RBAC method, and date and time.

F_JOB_AUTH

Contains details for the job authentication such as job type, object type, role ID, RBAC method, and date and time.

F_SERVER_AUTH

Contains details for the server (device) authentication such as server ID, object type, role ID, RBAC method, and date and time.

F_TEMPLATE_AUTH

Contains details for the template authentication such as template ID, object type, role ID, RBAC method, and date and time.

Built-in RBAC views 

BMC Decision Support for Server Automation provides the following built-in views.

Recommendation

BMC recommends that you apply appropriate filters (such as date duration or bl_site_id) while querying the views. You can also apply other filters based on your requirements. Filtering the data improves performance by decreasing the amount of data being fetched, thereby minimizing the time required to process the views.

View Name/Description | Columns in the view | Example

VO_AUDIT_TRAIL_DETAILS

Provides the audit trails for the changes related to authorizations that happened to the system objects over a selected time period.

  • BL_SITE_ID
  • ROLE_HIST_ID
  • USER_HIST_ID
  • BL_AUTH_ID
  • LOG_DATE
  • ROLE_NAME
  • USER_NAME
  • OBJECT_AUTHORIZATION
  • OBJECT_TYPE
  • OBJECT_NAME
  • AUTHORIZATION_RESULT_MESSAGE

Select * from VO_AUDIT_TRAIL_DETAILS
where user_name='BLAdmin'
and object_authorization='BLPackage.Modify'
and object_type='BLPackage'
and bl_site_id=1

VO_OBJECT_AUTH_FOR_GROUP

Provides the object-level authorizations by group. This report also shows information about groups for a selected role.

Authorizations are grouped by authorization method. An authorization can be assigned through an ACL policy, directly, or through an authorization profile.

  • BL_SITE_ID
  • ROLE_HIST_ID
  • ROLE_NAME
  • OBJECT_AUTHORIZATION
  • GROUP_TYPE
  • GROUP_NAME
  • AUTHORIZATION_METHOD
  • PROFILE_NAME

Select * from VO_OBJECT_AUTH_FOR_GROUP
where object_authorization='JobFolder.*'
and group_type='Job Group'
and bl_site_id=2

VO_OBJECT_AUTH_FOR_JOB

Provides the object-level authorizations by job. This report also shows information about jobs for a selected role.

Authorizations are grouped by authorization method. An authorization can be assigned through an ACL policy, directly, or through an authorization profile.

  • BL_SITE_ID
  • ROLE_HIST_ID
  • ROLE_NAME
  • JOB_TYPE
  • JOB_NAME
  • OBJECT_AUTHORIZATION
  • AUTHORIZATION_METHOD
  • PROFILE_NAME

select * from vo_object_auth_for_job
where bl_site_id=1
and role_name = 'everyone'
and object_authorization='patchingjob.read'

VO_OBJECT_AUTH_FOR_SERVER

Provides the object-level authorizations by server. This report also shows information about servers for a selected role.

Authorizations are grouped by authorization method. An authorization can be assigned through an ACL policy, directly, or through an authorization profile.

  • BL_SITE_ID
  • ROLE_HIST_ID
  • ROLE_NAME
  • SERVER_HIST_ID
  • SERVER_NAME
  • OS_NAME
  • OS_RELEASE
  • OS_VERSION
  • OBJECT_AUTHORIZATION
  • AUTHORIZATION_METHOD
  • PROFILE_NAME

select * from vo_object_auth_for_server
where os_name = 'windows'
and os_version = '2012'
and bl_site_id=1;

VO_OBJECT_AUTH_FOR_TEMPLATE

Provides the object-level authorizations by template. This report also shows information about templates for a selected role.

Authorizations are grouped by authorization method. An authorization can be assigned through an ACL policy, directly, or through an authorization profile.

  • BL_SITE_ID
  • ROLE_HIST_ID
  • ROLE_NAME
  • OBJECT_NAME
  • OBJECT_AUTHORIZATION
  • AUTHORIZATION_METHOD
  • AUTH_PROFILE

select * from vo_object_auth_for_template
where bl_site_id=1
and object_authorization = 'componenttemplate.*';

VO_ROLE_AUTHORIZATION_SUMMARY

Lists the number of servers, jobs, templates, groups, BLPackages, commands, and configuration files that the role is authorized to view. It also lists the detailed authorizations for the role.

Authorizations are grouped by authorization method. An authorization can be assigned through an ACL policy, directly, or through an authorization profile.

  • BL_SITE_ID
  • ROLE_HIST_ID
  • ROLE_NAME
  • PROFILE_NAME
  • AUTHORIZATION_METHOD
  • ROLE_AUTHORIZATION

select * from vo_role_authorization_summary
where bl_site_id=1
and role_name='patchinguser';

VO_USER_SUMMARY

Displays the latest role assigned to a user, total number of roles, and roles assigned to each user.

  • BL_SITE_ID
  • USER_HIST_ID
  • USER_NAME
  • ROLE_HIST_ID
  • ROLE_NAME
  • NO_OF_ROLES

select * from vo_user_summary
where bl_site_id=1
and user_name = '<user_input_name>';
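
The recommendation above calls for filtering by date duration and bl_site_id, which none of the sample queries show together. The following is an added example, not part of the BMC documentation: it uses only view and column names listed on this page, the bind parameters :site_id, :start_date, and :end_date are hypothetical, and the join on ROLE_HIST_ID in the second query is an assumption about how the two views relate.

```sql
-- Added example, not from the BMC documentation.
-- :site_id, :start_date, :end_date are hypothetical bind parameters
-- (Oracle-style placeholders; use @name on SQL Server).

-- 1. Authorization changes per user for one site in a bounded time window.
--    The half-open range on LOG_DATE means consecutive reporting windows
--    never count a boundary row twice.
SELECT user_name,
       role_name,
       object_type,
       object_authorization,
       COUNT(*)      AS change_count,
       MIN(log_date) AS first_change,
       MAX(log_date) AS last_change
FROM   vo_audit_trail_details
WHERE  bl_site_id = :site_id
  AND  log_date  >= :start_date
  AND  log_date  <  :end_date
GROUP  BY user_name, role_name, object_type, object_authorization
ORDER  BY change_count DESC;

-- 2. Access review: for users holding more than one role, list each role's
--    authorizations and how they were granted (ACL policy, direct, profile).
--    Assumption: ROLE_HIST_ID and BL_SITE_ID identify the same role in both
--    views; verify against the schema definition before relying on it.
SELECT u.user_name,
       u.no_of_roles,
       r.role_name,
       r.role_authorization,
       r.authorization_method,
       r.profile_name
FROM   vo_user_summary u
JOIN   vo_role_authorization_summary r
  ON   r.bl_site_id   = u.bl_site_id
 AND   r.role_hist_id = u.role_hist_id
WHERE  u.bl_site_id  = :site_id
  AND  u.no_of_roles > 1
ORDER  BY u.no_of_roles DESC, u.user_name, r.role_name;
```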
