Outposts restricted by organizations

An enterprise can define multiple organizations in BMC Helix Portal, such as Sales, Marketing, and Customer Support. A BMC Helix Discovery user can be a member in none, one, or multiple organizations depending on their work profile. 

A BMC Helix Discovery administrator may want the IT infrastructure to be segmented by organizations. This way, only the members of an organization can perform actions related to their organization. The members can view and manage the Outposts and credentials of their organization and perform Snapshot and Scheduled scans by using only the Outpost linked to their organization.

Therefore, after a BMC Helix Discovery administrator registers an Outpost from an instance, the administrator can perform one of the following tasks:

  • Associate the Outpost with one or more organizations. This action makes the Outpost restricted, which means only those users belonging to an organization can use the linked Outpost for a discovery run.
  • Associate the Outpost with no organization. This action makes it an unrestricted Outpost because users belonging to all organizations can use the Outpost for a discovery scan.

For example, there are three organizations, Sales, HR, and Marketing. An administrator wants to restrict Outpost-1 to Sales, Outpost-2 to HR, and Outpost-3 to Marketing. User-A belongs to the Sales and Marketing organizations. When User-A logs in and tries to create a scan, User-A sees the available organizations as Sales and Marketing. Therefore, the Outposts available for scanning would be Outpost-1 and Outpost-3. Outpost-2 would not be available for scanning because User-A is not a member of the HR organization.

Important

By default, BMC Helix Discovery disables the ability to associate an Outpost with an organization. You must contact BMC Customer Support and request for activating the organization option for your instance. Thereafter, you can enable the setting from the Administration > Other Settings UI. For more information about enabling this setting, see Configuring discovery settings.

After you enable the setting, an additional field Restrict by Organization is displayed in the Add a New Run dialog box of a new discovery scan. You can select an organization and in the scope via field, associate its linked Outpost for a scan. 

 

The following video explains in brief the process for enabling the organization option and using it for a discovery scan.

Impact of Outpost restrictions

Before you configure an Outpost to be restricted to one or more organizations, be aware of the following impact of your selection:

  • A user of one organization cannot manage the Outposts, scan jobs, and credentials created by users of other organizations of which they are not a member.
  • The options available in the Restrict by Organization list are limited to the organizations of which the logged-in user is a member, plus the Unrestricted option.
  • If a user is not a member of any organization, only the Unrestricted option is available in the list.
  • In the scope via field, only those Outposts are listed that are linked to the selected organization.
  • In the scope via field, if you select Anything suitable, the Outposts used for scanning are filtered to only those associated with the organization.
  • If you select Unrestricted from the Restrict by Organization list, then in the scope via field, only unrestricted Outposts are available for selection.
  • Scheduled scans restricted to an organization can be edited only by a user belonging to that organization.
  • If an Unrestricted scheduled scan is configured, then any user who has permission to edit scheduled scans can edit the scan, including changing the scan to an organization that the user belongs to.

Important

After you enable the setting to restrict an Outpost to an organization and then apply the restrictions to an Outpost, if you want to revert to disabling this setting, you must first remove all restrictions on scans and Outposts and then disable the setting.

Examples

The following scenarios help you better understand how various combinations of organization memberships and Outpost restrictions impact a new snapshot or scheduled run.

Example 1

User's organizations:

UserMember of organization
User AOrg1, Org2, Org3

Outpost restrictions:

OutpostRestricted by organization
Outpost1Org1, Org2
Outpost2Org3
Outpost3Org4

In this scenario, when User A adds a new scan, the following options are available:

  • In the Restrict by Organization list, User A sees the options Org1, Org2, and Org3.
    • If User A selects Org1 (or Org2), the scope via Outpost list displays the options Outpost1 and Anything suitable.
    • If User A selects Org3, the scope via Outpost list displays the options Outpost2 and Anything suitable.
    • The scope via Outpost list does not display Outpost3 as an option because it is restricted to Org4 and User A is not a member of Org4.

Example 2

User's organizations:

UserMember of organization
User AOrg1, Org2, Org3, Org4, Org5, Org6

Outpost restrictions:

OutpostRestricted by organization
Outpost1Org1, Org2
Outpost2Org3
Outpost3Org4

In this scenario, when User A adds a new scan, the following options are available:

  • In the Restrict by Organization list, User A sees the options Org1, Org2, Org3, Org4, and Unrestricted.
  • Org5 and Org6 are unavailable as they are not associated with any Outpost.

Example 3

User's organizations:

UserMember of organization
User AOrg1, Org2, Org3

Outpost restrictions:

OutpostRestricted by organization
Outpost1Org1, Org2
Outpost2Org3
Outpost3Unrestricted

In this scenario, when User A adds a new scan, the following options are available:

  • In the Restrict by Organization list, the available options are Org1, Org2, Org3, and Unrestricted.
    • If User A selects Org1 or Org2, the scope via Outpost list displays Outpost1 and Anything suitable.
    • If User A selects Org3, the scope via Outpost list displays Outpost2 and Anything suitable.
    • If User A selects Unrestricted (Outpost3), the scope via Outpost list displays Anything suitable.

Example 4

User's organization:

UserMember of organization
User AOrg1

Outpost restrictions:

OutpostRestricted by organization
Outpost1Org2
Outpost2Org3

In this scenario, when User A adds a new scan, the following options are available:

  • The Restrict by Organizations list is not displayed as User A is a member of an organization that is not linked to any of the available Outposts.
  • The scope via Outpost list displays the option Anything suitable.
  • If an attempt is made to scan, it fails and the Recent Runs tab shows an error, Unrestricted . 


Was this page helpful? Yes No Submitting... Thank you

Comments