A standard BMC Server Automation installation provides the following built-in roles:

  • RBACAdmins
  • BLAdmins
  • GlobalReportAdmins
  • GlobalReportViewers

The RBACAdmins and BLAdmins roles are granted a combination of built-in and out-of-box authorizations. The GlobalReportAdmins and GlobalReportViewers roles are only granted out-of-box authorizations.

Built-in authorizations are intrinsic to a role. You cannot delete a built-in authorization. When you look at the definition of a role, you do not see built-in authorizations explicitly listed.

Out-of-box authorizations are permissions that are automatically assigned to roles when you initially perform a standard installation of BMC Server Automation. Unlike built-in authorizations, out-of-box authorizations are visible in RBAC. You can modify and delete out-of-box authorizations.

By default the built-in roles function as follows:

  • RBACAdmins — Built-in authorizations grant the RBACAdmins role Read and ModifyACL authorizations for all system objects in BMC Server Automation. This allows the RBACAdmins role to always have access to any system object in BMC Server Automation. Even if all roles that are granted access to a system object are deleted, the RBACAdmins role can still modify that object's authorizations so other roles can then access the object. In addition, out-of-box authorizations grant the RBACAdmins role authority to perform any actions in the RBAC Manager folder. For example, the RBACAdmins role can perform any action relating to roles, users, access control list (ACL) templates, and authorization profiles. The RBACAdmins role can be renamed but it cannot be deleted.
  • BLAdmins — Built-in authorizations grant the BLAdmins role Read permission for all system objects in BMC Server Automation. This allows the BLAdmins role to view all activity within BMC Server Automation. In addition, out-of-box authorizations grant the BLAdmins role full authority to perform any actions on any system object in BMC Server Automation except for roles, users, and authorization profiles. For these, the BLAdmins role is only granted Read authorization. This default set of authorizations lets the BLAdmins role view any system object in BMC Server Automation and modify any object except roles and authorization profiles. The BLAdmins role can be renamed but it cannot be deleted.
  • GlobalReportAdmins — Out-of-box authorizations grant the GlobalReportAdmins role authority to see and manage data for all reports in BMC BladeLogic Decision Support for Server Automation. Within BMC BladeLogic Decision Support for Server Automation, GlobalReportAdmins is granted additional authorizations that give the role full privileges for using and maintaining reports. The GlobalReportAdmins role can be renamed but it cannot be deleted. By default, no users are assigned to this role.
  • GlobalReportViewers — Out-of-box authorizations grant the GlobalReportViewers role authority to read all reports at all sites for an installation of BMC BladeLogic Decision Support for Server Automation. Within BMC BladeLogic Decision Support for Server Automation, GlobalReportViewers is granted additional authorizations that give the role full privileges for viewing reports. The GlobalReportViewers role can be renamed but it cannot be deleted. By default, no users are assigned to this role.

The following table summarizes the authorizations granted to the built-in roles:

| Default Role | Built-in Authorizations | Out-of-box Authorizations |
|---|---|---|
| RBACAdmins | Granted Read authorization on all objects in BMC Server Automation (for example, BLPackage.Read). Granted ModifyACL authorization on all objects in BMC Server Automation (for example, BLPackage.ModifyACL). The above authorizations are built-in and cannot be modified. | Granted * authorization for all system objects relating to RBAC (for example, Role.* and ACLTemplate.*). Granted Server.PushACL to push ACLs to servers. The above authorizations can be modified as necessary. |
| BLAdmins | Granted Read authorization on all system objects within BMC Server Automation. The Read authorization is built-in and cannot be modified. | Granted * authorization on all classes of system objects within BMC Server Automation except the following: Role.Read (grants read-only access to roles); AuthProfile.Read (grants read-only access to authorization profiles); PatchAnalysisConfig.Modify (used for modifying the download locations for Windows patch analysis configurations). The above authorizations can be modified as necessary. |
| GlobalReportAdmins | N/A | Granted all reports-related authorizations in RBAC, including Reports.Administration, which allows the role to manage BMC BladeLogic Decision Support for Server Automation. |
| GlobalReportViewers | N/A | Granted all reports-related authorizations in RBAC except Reports.Administration. |

BMC Server Automation provides built-in and out-of-box authorizations so you can manage access permissions with no further modifications. However, for a more granular system of permissions, you can modify the out-of-box authorizations granted to the built-in roles. You can create additional roles to develop sets of authorizations, and you can use object-based permissions to further restrict access throughout the BMC Server Automation system.
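
The following added example is not BMC code. It is a small Python model of the RBACAdmins row of the table, showing how built-in and out-of-box authorizations combine and how a reviewer might flag drift from the documented defaults after out-of-box authorizations have been edited. The `*.Read` notation for "Read on all objects", the function names, and the sample grants are assumptions of the example; the out-of-box baseline lists only the RBAC patterns the page names.

```python
from fnmatch import fnmatchcase

# Built-in grants are intrinsic to the role and cannot be removed.
# "*.Read" / "*.ModifyACL" is this example's notation for "on all objects".
BUILT_IN = {"RBACAdmins": {"*.Read", "*.ModifyACL"}}

# Out-of-box grants are editable. Baseline taken from the table above;
# Role.* and ACLTemplate.* are the two RBAC examples the page gives.
OUT_OF_BOX_BASELINE = {
    "RBACAdmins": {"Role.*", "ACLTemplate.*", "Server.PushACL"},
}


def covers(grant, auth):
    """True if a grant pattern (e.g. 'Role.*') covers an authorization."""
    return fnmatchcase(auth, grant)


def is_authorized(role, auth, out_of_box):
    """Effective access = built-in grants plus the current out-of-box set."""
    grants = BUILT_IN.get(role, set()) | set(out_of_box)
    return any(covers(g, auth) for g in grants)


def audit_drift(role, current_out_of_box):
    """Compare a role's current out-of-box grants with the documented default.

    'added' lists grants that neither the baseline nor the built-in set
    already covers (possible privilege creep); 'removed' lists defaults
    that are no longer present.
    """
    baseline = OUT_OF_BOX_BASELINE[role]
    reference = baseline | BUILT_IN.get(role, set())
    current = set(current_out_of_box)
    added = sorted(g for g in current
                   if not any(covers(r, g) for r in reference))
    removed = sorted(baseline - current)
    return {"added": added, "removed": removed}


if __name__ == "__main__":
    # Constructed sample: someone widened Server.PushACL to Server.*
    # and deleted the ACLTemplate.* grant.
    current = {"Role.*", "Server.PushACL", "Server.*", "BLPackage.Read"}
    print(audit_drift("RBACAdmins", current))
    # Built-in ModifyACL survives even with every out-of-box grant deleted.
    print(is_authorized("RBACAdmins", "BLPackage.ModifyACL", set()))
```
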

In addition to the built-in roles, BMC Server Automation provides two other roles that are used for special purposes:

  • Everyone — A role that is available when assigning object-based permissions. Granting permissions to the Everyone role is an easy way to make an object publicly available. For more information, see Defining permissions for a system object.
  • Current Role — A role that is available when creating an ACL template. This role grants permissions to the current role when that role creates an object. Using Current Role permissions in an ACL template is an easy way to give the creator of an object permission to use the object without having to revise an ACL template for each different role. For more information, see Creating an ACL template.