Managing groups
All users of the BMC Atrium Discovery system must be a member of one or more groups. Membership of groups defines the various BMC Atrium Discovery modules that a user is entitled to access. For example, users defined as members of the System group are able to create and edit user details, while members of the Public group cannot access these areas.
To log in, a user must be in a group that has the permissions security/user/passwd, appserver/login and appserver/module/home. Only four default groups have these permissions: readonly, public, system and admin. Every user must be a member of one of these four groups, or of a custom group that has at least these three permissions.
For example, a user who is only in the discovery group cannot log in. To give a user access to discovery commands, put that user into both the discovery and public groups.
The BMC Atrium Discovery Administrator is responsible for setting up details of all the user groups in the BMC Atrium Discovery system.
Each group is a collection of permissions. Permissions control granular access to BMC Atrium Discovery modules and are described in Group Permissions.
The default security groups
The default user groups and their security access rights are as follows:
- admin — These users have the highest level of customer access to the system.
- appmodel — These users can write and edit patterns, and create nodes to model business applications. They cannot view credentials but can run discovery (in order to test patterns).
- discovery — These users have access to all of the discovery-related data. They can start and stop discovery, add and remove credentials, and enable or disable audit logging.
- cmdb-export-administrator — These users have access to all of the export-related data. They can build, modify, delete and run Exporters.
- public — These users have read/write access to all of the system although they cannot access the discovery credentials.
- readonly — These users have read only access to the system. They cannot view the credentials for logging into target hosts.
- system — These users have full access to the system.
- unlocker — These users are able to unlock and unblock user accounts which have been locked or blocked after exceeding the number of permitted authentication failures. See Managing security policies for more information.
Listing all current groups
- Click Administration.
- From the Security section, click Groups.
The Groups page lists all the current groups and allows you to edit details, delete groups or create a new group.
To create a new group
- From the Groups page, click Add at the bottom of the page.
The Add Group page is displayed. The page is arranged into functional areas, and then subdivided into columns. The columns, from left to right, are:
- Wildcard: items which, when checked, select a number of permissions. When you mouse over a wildcard permission, it and the permissions it applies are highlighted.
- Read: read permissions relating to the functional area.
- Write: write permissions relating to the functional area.
- Misc: miscellaneous permissions relating to the functional area, such as appliance reboot.
- In Group name, enter a name for the new group.
- Select the check boxes that indicate the BMC Atrium Discovery modules that members of this user group are allowed to access. The * wildcard matches anything, so selecting this check box gives unrestricted access to everything in the system; only select it for groups that are intended to be full administrators.
- To save the changes, click OK.
Once the group is set up you can add users. See Managing system users.
To amend group details
You can change a group name and the modules that group members can access. The access defined by the group membership applies the next time users in this group log in; sessions that are already open keep the access they had at login.
- From the Groups page, click Edit next to the group.
The page is redisplayed showing editable fields.
- Amend or overwrite the Name field.
- Select one or more check boxes corresponding with the BMC Atrium Discovery modules that members of this group can access.
- To save the changes, click OK.
To delete a group
You can delete any group that you created. You cannot delete either the public or the system groups.
- From the Groups page, click Delete next to the group to be deleted.
The group is deleted immediately; the system does not ask for confirmation, so check that you have selected the correct group before clicking Delete.
Group permissions
The following table shows the permissions assigned by default to each group in BMC Atrium Discovery. The individual permissions are described in System Group Permissions by Category.
Group Name | Permissions |
---|---|
admin | |
appmodel | |
cmdb-export-administrator | |
discovery | |
maintenance | |
public | |
readonly | |
system | |
unlocker | |
System group permissions by category
The system group security permissions are shown by category in the following tables.
There are no permissions that restrict access to patterns. All logged-in users can view patterns.
Security permissions
The following table shows the current group permissions relating to the security operations.
Permission | Definition |
---|---|
| Enables the user to view and configure group membership for a user. |
| Enables the user to configure the HTTPS settings, which include: |
| Enables the user to view and configure the security options, which include accounts and passwords, login page, and UI security page. |
| Enables the user to unlock and re-activate accounts for other users from the Users page of the UI. To navigate to the page: |
| Enables the user to change their own BMC Atrium Discovery password from the UI. |
| Enables the user to view and configure the user security information related to system users, groups, security policies, HTTPS settings, LDAP, Web authentication settings, active sessions, appliance audit, and so on. |
| Enables viewing the discovery session log file. |
Credential vault permissions
BMC Atrium Discovery stores all passwords used to access customer devices in a credential vault which can be secured. The contents of the vault can be encrypted and secured using a passphrase.
The following table shows the current group permissions relating to the vault operations.
Permission | Definition |
---|---|
| Enables the user to open, close, and set the passphrase for the credential vault from the Vault Management page of the UI. To navigate to the page: |
| Enables the user to manage the following types of credentials, which are based on the system to be accessed: |
| Enables the user to view and manage credentials (for example, Windows proxies, vSphere credentials, and so on). |
Discovery permissions
The following table shows the current group permissions relating to the discovery operations.
Permission | Definition |
---|---|
| Enables the user to read the discovery options. These are separate from the main system settings. |
| Enables the user to test discovery credentials. For example, from the UI, you can test: |
| Enables the user to view and amend the platform discovery commands from the Discovery Platforms page. |
| Enables the user to query a host on the network. For more information, see Query Builder. |
| Enables the user to view and modify sensitive data filters from the Sensitive Data Filters page of the UI. To navigate to the page: |
| Enables the user to view and modify the Windows proxies. |
| Enables the user to configure the port settings that Discovery uses. |
Consolidation permissions
The following table shows the current group permissions relating to configuring consolidation and scanning appliances.
Permission | Definition |
---|---|
| Enables the user to change the configuration on the consolidation appliance (set as consolidation appliance and approve scanning appliances). |
| Enables the user to add new consolidation targets to a scanning appliance from the Discovery Consolidation page on the UI. |
| Enables the user to view the consolidation setup page from the Discovery Consolidation page on the UI. |
Datastore permissions
These permissions are a subsystem of the model. The following table shows the current group permissions relating to the datastore operations.
Permission | Definition |
---|---|
| Enables the user to read or write the datastore through the main user interface (UI). |
| Enables the user to read or write to any partition that supports user interaction. |
| Enables the user to read or write to the given partition. The name is one of: |
| An internal permission. Do not use this. |
Audit permissions
These permissions are a subsystem of the model. The following table shows the current group permissions relating to the audit operations.
Permission | Definition |
---|---|
| Enables the user to read or write to the audit log. Audit logs are stored in the datastore. You can view the audit logs in the log viewer from the UI. Logs can be downloaded from the appliance through the Support Services administration page. |
| Enables the user to write to the audit log. |
| Enables the user to purge the audit log. |
| Enables the user to administer the audit service. |
Reasoning permissions
These permissions are a subsystem of the model. The following table shows the current group permissions relating to the reasoning operations.
Permission | Definition |
---|---|
| Enables the user to start reasoning. |
| Enables the user to start and stop reasoning. |
| Enables the user to stop reasoning. |
| Enables the user to view the reasoning status information. |
reasoning/provider | An internal permission. Do not use this. |
| Enables the user to view the Discovery Status page. |
| Enables the user to cancel consolidations or local scans. |
| An internal permission. Do not use this. |
| An internal permission. Do not use this. |
| Enables the user to configure patterns. |
| Enables the user to execute patterns. |
| Enables the user to write patterns using pattern templates from the appliance. |
Search permissions
These permissions relate to listing and cancelling searches using the Search Management Page. To navigate to the Search Management page:
- Click Administration.
- From the Model section, click Search Management.
For more information on viewing and cancelling searches, see Using the Search service.
Permission | Definition |
---|---|
| Enables the user to view searches submitted by all users. |
| Enables the user to cancel searches submitted by all users. |
Taxonomy permissions
These permissions are a subsystem of the model. The following table shows the current group permissions relating to the taxonomy operations.
Permission | Definition |
---|---|
| Enables the user to read node kind information. |
| Enables the user to write node kind information. |
| Enables the user to read relationship kind information. |
| Enables the user to write relationship kind information. |
| Enables the user to read role kind information. |
| Enables the user to write role kind information. |
Application server permissions
The following table shows the current group permissions relating to the application server operations.
Permission | Definition |
---|---|
| Enables the user to log in to the appserver. |
| Enables the user to debug the appserver. |
| Enables the user to access the given module. The name is one of: |
| Enables the user to access any module. |
| Enables the user to view sessions. |
Specific UI permissions
The following table shows the current group permissions relating to specific user interface operations.
Permission | Definition |
---|---|
| Enables the user to administer the dashboard. |
| Enables the user to administer the datastore. |
| Enables the user to administer the taxonomy. |
| Enables the user to access the Generic Search Query page and enter search queries. To navigate to the Generic Search Query page: |
Appliance administration permissions
The following table shows the current group permissions relating to the appliance administration operations.
Permission | Definition |
---|---|
| Enables the user to create and modify categories from the Custom Categories page: |
Appliance admin operations | |
| Enables the user to view appliance information (identity, support information, read-only information about the appliance software and hardware configuration, and so on) from the Appliance Configuration page. |
| Enables the user to configure appliance information from the Appliance Configuration page. |
| Enables the user to put the appliance into maintenance mode from the Appliance Control page. To navigate to the Appliance Control page: |
| Enables the user to reboot the appliance from the Appliance Control page. To navigate to the Appliance Control page: |
| Enables the user to reset the report usage statistics. |
| Enables the user to restart the appliance from the Appliance Control page. To navigate to the Appliance Control page: |
| Enables the user to shut down the appliance from the Appliance Control page. To navigate to the Appliance Control page: |
Baseline | |
| Enables the user to change the baseline configuration (such as the recipients of automatic emails, and the messages to be included) from the Appliance Baseline page. To navigate to the Appliance Baseline page: |
| Enables the user to view the baseline configuration from the Appliance Baseline page. To navigate to the Appliance Baseline page: |
| Enables the user to update the baseline configuration after changes have been seen from the Appliance Baseline page. To navigate to the Appliance Baseline page: |
Cluster | |
| An internal permission. Do not use this. |
| Enables the user to use cluster management operations from the Cluster Management page. To navigate to the Cluster Management page: |
| An internal permission. Do not use this. |
Logging | |
| Enables the user to view log information. |
| Enables the user to read log files. |
| Enables the user to delete log files. |
| Enables the user to read the appliance log level from the Logs page. To navigate to the Logs page: |
| Enables the user to change the service log levels at runtime from the Logs page. To navigate to the Logs page: |
Import | |
| Enables the user to import data using the CiscoWorks importer. |
| Enables the user to import CSV data from the Import CSV Data page. To navigate to the Import CSV Data page: |
| Enables the user to import Hardware Reference Data (HRD) from the Import Hardware Reference Data page. To navigate to the Import Hardware Reference Data page: |
Interface | |
| Enables the user to view interface information from the Appliance Configuration page for network interfaces. To navigate to the Appliance Configuration page for network interfaces: |
| This permission is not used. |
Routing | |
| Obsolete permission. |
| Obsolete permission. |
DNS | |
| Enables the user to read DNS information. |
| Enables the user to write DNS information. |
Email Configuration | |
| Enables the user to view email configuration information from the Appliance Configuration page for mail settings. To navigate to the page: |
| Enables the user to configure the mail settings from the Appliance Configuration page for mail settings. To navigate to the page: |
System | |
| Enables the user to read system configuration from the command line utilities and from the UI. |
| Enables the user to write system configuration from the command line utilities and from the UI. |
| Enables the user to read system settings from the command line utilities and from the UI. |
| Enables the user to write system settings from the command line utilities and from the UI. |
The 'all' permission (*) allows the user to perform any task in BMC Atrium Discovery. Each user has a token assigned by the security system, and whenever a user requests a privilege, the security service checks the database to see whether that user holds the permission for that particular task.
However, the first check that BMC Atrium Discovery carries out is whether the user has the * permission. If the answer is yes, no further privilege checks are carried out. In practice this means that membership of any group that grants * makes a user a full administrator regardless of what the user's other groups allow or withhold, so custom groups should be audited for the * permission.
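As an added illustration of the two rules stated on this page (the three permissions required to log in, described under Managing groups, and the * check that short-circuits every other privilege check, described just above), the following Python models a user's effective permissions as the union of their groups and applies those rules. This is example code written for this page, not part of BMC Atrium Discovery. Only *, the permissions security/user/passwd, appserver/login and appserver/module/home, and the default group names are taken from the page; the contents of each group and every permission string prefixed example/ are constructed placeholders, and treating a trailing /* as a prefix wildcard is an assumption about how the UI's wildcard items expand, not documented behaviour.

```python
"""Model of the group-membership permission check described on this page.

Added example, not BMC's code.  Only "*" and the three login permissions
are taken from the page; every permission prefixed "example/" and the
contents of each group are constructed stand-ins for illustration.
"""

from fnmatch import fnmatchcase

# The three permissions a user must hold to log in (named on the page).
LOGIN_PERMISSIONS = frozenset({
    "security/user/passwd",
    "appserver/login",
    "appserver/module/home",
})

# Constructed group definitions.  The page says only readonly, public,
# system and admin grant login on their own; the other contents are
# hypothetical placeholders chosen to reproduce that statement.
GROUPS = {
    "admin": {"*"},
    "system": {"*"},
    "public": LOGIN_PERMISSIONS | {"example/model/read", "example/model/write"},
    "readonly": LOGIN_PERMISSIONS | {"example/model/read"},
    # Function-specific groups carry no login permissions, so a user who
    # is only in one of them cannot log in (the page's own warning).
    "discovery": {"example/discovery/*", "example/vault/manage"},
    "appmodel": {"example/pattern/write", "example/discovery/run"},
}


def effective_permissions(user_groups, groups=GROUPS):
    """Union of the permissions of every group the user belongs to."""
    perms = set()
    for name in user_groups:
        if name not in groups:
            raise ValueError(f"unknown group: {name!r}")
        perms |= groups[name]
    return perms


def has_permission(user_groups, permission, groups=GROUPS):
    """Check one privilege the way the page describes it.

    "*" is tested first and short-circuits everything else.  An exact
    name matches; a trailing "/*" glob matching a prefix is an assumption.
    """
    perms = effective_permissions(user_groups, groups)
    if "*" in perms:
        return True
    if permission in perms:
        return True
    return any(fnmatchcase(permission, p) for p in perms if "*" in p)


def missing_login_permissions(user_groups, groups=GROUPS):
    """The login permissions the user still lacks (empty means can log in)."""
    return {p for p in LOGIN_PERMISSIONS
            if not has_permission(user_groups, p, groups)}


def can_login(user_groups, groups=GROUPS):
    return not missing_login_permissions(user_groups, groups)


def groups_that_grant_login(groups=GROUPS):
    """Audit helper: groups that are sufficient on their own for login.

    Every user must be in at least one of these, or in a custom group
    with at least the same three permissions.
    """
    return sorted(name for name in groups if can_login([name], groups))


def overprivileged_groups(groups=GROUPS):
    """Audit helper: groups that carry the unrestricted "*" permission."""
    return sorted(name for name, perms in groups.items() if "*" in perms)


if __name__ == "__main__":
    print("groups sufficient for login:", groups_that_grant_login())
    print("groups granting '*':", overprivileged_groups())
    for membership in (["discovery"], ["discovery", "public"], ["admin"]):
        print(membership, "can log in:", can_login(membership),
              "missing:", sorted(missing_login_permissions(membership)))
```

Run as a script it prints which constructed groups are sufficient for login on their own, which ones grant *, and why a user who is only in discovery is refused while the same user with public added is allowed. The two audit helpers are the checks worth repeating against a real appliance's group definitions: every user needs at least one login-capable group, and any custom group that turns up in the * list is an administrator group whatever its name suggests.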