
This topic lists the minimum permissions needed for the four different roles that could be responsible for patching activities. For each of these roles, some object-level permissions must also be granted to perform patching activities. The roles are:

- Patch catalog management
- Patch analysis
- Patch remediation
- Patch deployment

In addition to these roles, this topic provides a consolidated list of permissions if you only want to create one role with all responsibilities for patch analysis and remediation. A consolidated list of object-level permissions accompanies the consolidated list of permissions.

Patch catalog management

| Permission | Description |
| --- | --- |
| ACLPolicy.* or ACLPolicy.Read | Optional: Create access control list (ACL) policies to grant permissions to other roles that download patch objects. If the ACL policies already exist, only ACLPolicy.Read is necessary. |
| ACLTemplate.* | Create an ACL template to grant permissions to other roles that download patch objects. |
| AIXPatchSoftware.*, AIXSoftware.* | AIX only: Create depot objects for patches during downloads that occur during Catalog Update Jobs. |
| DepotFile.* | Optional: Manage offline patch catalog metadata content. |
| DepotFolder.Read, DepotFolder.Write | Create the patch catalog in a depot folder. |
| LinuxSoftware.* | Linux only: Create depot objects for patches during downloads that occur during Catalog Update Jobs. |
| PatchCatalog.* | Create and manage a patch catalog. |
| PatchDownloadJob.* | Run a job that downloads patches manually, rather than downloading them along with patch metadata. |
| PatchingAnalysisConfig.Modify | Optional: Manage global patch settings. |
| PatchSmartGroup.* | Create smart groups in the patch catalog. |
| Server.Browse, Server.Read | Create a patch repository on a helper server. |
| ServerGroup.Read | Optional: Allow user to browse to the helper server when selecting it. |
| SolarisSoftware.* | Solaris only: Create depot objects for patches during downloads that occur during Catalog Update Jobs. |
| WindowsSoftware.* | Windows only: Create depot objects for patches during downloads that occur during Catalog Update Jobs. |

Object level permissions for patch catalog management

| Object | Permissions | Description |
| --- | --- | --- |
| Depot folders | DepotFolder.Read, DepotFolder.Write, DepotGroup.Read, DepotGroup.Write | Grant these permissions to the catalog management role on the depot folder where you create a patch catalog and to all depot folders and groups that are parents of the patch catalog folder. |
| Server functioning as a patch repository | Server.Read, Server.Browse | Grant these permissions to the catalog management role on the server that functions as a patch repository. |

Patch analysis

| Permission | Description |
| --- | --- |
| AIXSoftware.Read | AIX only: Read the relevant type of software. |
| DepotFolder.Read | Read the patch catalog, which is stored in the Depot. |
| JobFolder.Read, JobFolder.Write | Create Patch Analysis jobs in a job folder and browse any parent folders. |
| LinuxSoftware.Read | Linux only: Read required software. |
| PatchCatalog.Read, PatchCatalog.Modify | Access patch catalogs. PatchCatalog.Modify is only needed for Solaris and AIX. |
| Server.Read | Read contents of target servers. |
| ServerGroup.Read | Browse groups of target servers. |
| SolarisSoftware.Read, SolarisSoftware.Modify | Solaris only: Read and interpret required software. |
| WindowsSoftware.Read, WindowsSoftware.Modify | Windows only: Read and interpret required software. |

Object level permissions for patch analysis

| Object | Permissions | Description |
| --- | --- | --- |
| Target servers | Server.Read | Grant these permissions to the patch analysis role on the target servers. |
| Target server groups | ServerGroup.Read | Grant these permissions to the patch analysis role on any target server groups that hold the target server. |
| Job folder containing the Patching Job | JobGroup.Read, JobGroup.Write, JobFolder.Read, JobFolder.Write | Grant these permissions to the patch analysis role on the job folder where you create a Patching Job and to all parent job folders or groups. |

Patch remediation

| Permission | Description |
| --- | --- |
| ACLPolicy.* | |
| ACLTemplate.* | |
| AIXPatchSoftware.Read | |
| AIXSoftware.Read | AIX only: Read required software. |
| BatchJob.* | Create and execute Batch Jobs that run concatenated Deploy Jobs. |
| BLPackage.* | Create remediation packages. |
| CustomSoftware.* | Linux and Windows only: Create Linux and Windows remediation jobs. |
| DeployJob.* | Create Deploy Jobs for remediation purposes. |
| DepotFolder.Read, DepotFolder.Write | Create packages in the depot and browse any parent groups. |
| JobFolder.Read, JobFolder.Write | Create remediation jobs in job folders and browse any parent groups or folders. |
| LinuxSoftware.Read | Linux only: Read required software. |
| PatchCatalog.Read | Read the patch catalog. |
| PatchDownloadJob.* | Manage patch download jobs. |
| PatchingJob.Read | Read contents of Patching Jobs. |
| PatchRemedationJob.* | Manage patch remediation jobs. |
| PatchSmartGroup.Read | Read smart groups containing patch catalogs. |
| Server.Browse, Server.Deploy, Server.Read | Read the contents of the patch repository. |
| ServerGroup.Read | Find servers. |
| SolarisSoftware.Read, SolarisSoftware.Modify | Solaris only: Read and interpret required software. |
| WindowsSoftware.Read, WindowsSoftware.Modify | Windows only: Read and interpret required software. |

Object level permissions for patch remediation

| Object | Permissions | Description |
| --- | --- | --- |
| Patching jobs | PatchingJob.Read | Grant this permission to the patch remediation role on any Patching Jobs used for remediation purposes. |
| Server functioning as a patch repository | Server.Browse, Server.Read | Grant these permissions to the patch remediation role on the server used as a patch repository. |
| Job folder containing the Patching Job | JobGroup.Read, JobGroup.Write, JobFolder.Read, JobFolder.Write | Grant these permissions to the patch remediation role on the job folder where you create a remediation Job and to all parent job folders or groups. |
| Depot groups where packages are created in the depot. | DepotFolder.Read, DepotFolder.Write, DepotGroup.Read, DepotGroup.Write | Grant these permissions to the patch remediation role on the depot folder where you create a remediation package and to all parent depot folders and groups. |

Patch deployment

| Permission | Description |
| --- | --- |
| BLPackage.Read | Read remediation packages. |
| CustomSoftware.Read | Linux only: Read Linux remediation jobs. |
| BatchJob.Execute, BatchJob.Read | Read and execute Batch Jobs that run concatenated Deploy Jobs. |
| DeployJob.Execute, DeployJob.Read | Read and execute jobs that deploy patch packages. |
| Server.Deploy, Server.Read | Deploy patches to target servers. |
| ServerGroup.Read | Browse groups of target servers to which patches are deployed. |

Object level permissions for patch deployment

| Object | Permissions | Description |
| --- | --- | --- |
| Target servers | Server.Deploy, Server.Read | Grant this permission to the patch deployment role on any target servers where patches are deployed. |
| Target server groups | ServerGroup.Read | Grant these permissions to the patch deployment role on any groups of target servers. |
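
The role-level minimum for patch deployment can be checked mechanically against what a role actually holds, which is how over-broad grants such as a wildcard on Deploy Jobs get noticed. The following Python is an added example, not part of the original page or the product: the granted list is constructed sample data for a hypothetical role, and reading `Type.*` as covering every authorization on that object type is an assumption.

```python
# Minimum role-level authorizations for the patch deployment role (from the table above).
DEPLOYMENT_MINIMUM = frozenset({
    "BLPackage.Read", "CustomSoftware.Read",
    "BatchJob.Execute", "BatchJob.Read",
    "DeployJob.Execute", "DeployJob.Read",
    "Server.Deploy", "Server.Read", "ServerGroup.Read",
})

# Constructed sample: authorizations held by a hypothetical deployment operator role.
SAMPLE_GRANTS = [
    "BLPackage.Read", "CustomSoftware.Read", "BatchJob.Read",
    "DeployJob.*", "Server.Deploy", "Server.Read", "ServerGroup.Read",
    "PatchCatalog.*",
]


def covers(broad, narrow):
    """True if authorization `broad` includes `narrow`.

    Assumption: "Type.*" stands for every authorization on that object type.
    """
    b_type, _, b_action = broad.partition(".")
    n_type, _, n_action = narrow.partition(".")
    return b_type == n_type and b_action in ("*", n_action)


def audit_role(granted, minimum):
    """Return (missing, excess) for a role measured against a minimum set.

    missing: required authorizations that no grant covers.
    excess:  grants that go beyond the minimum (wider wildcard or unrelated type).
    """
    granted = {g.strip() for g in granted if g.strip()}
    missing = sorted(m for m in minimum if not any(covers(g, m) for g in granted))
    excess = sorted(g for g in granted if not any(covers(m, g) for m in minimum))
    return missing, excess


if __name__ == "__main__":
    missing, excess = audit_role(SAMPLE_GRANTS, DEPLOYMENT_MINIMUM)
    print("missing:", missing)
    print("excess: ", excess)
```

The same function works for the other three roles by swapping in the minimum set from the corresponding table.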

Consolidated list of minimum permissions for patching

| Permission | Description |
| --- | --- |
| ACLPolicy.* | Create ACL policies to grant permissions to other roles that download patch objects. |
| ACLTemplate.* | Create ACL templates to grant permissions to other roles that download patch objects. |
| AIXPatchSoftware.* | AIX only: Create and read patch software. |
| AIXSoftware.* | AIX only: Create and read software. |
| BatchJob.* | Create and execute Batch Jobs that run concatenated Deploy Jobs. |
| BLPackage.* | Create remediation packages and read their contents. |
| CustomSoftware.* | Linux and Windows only: Create Linux remediation jobs and read their contents. |
| DeployJob.* | Read and execute jobs that deploy patch packages. |
| DepotFile.* | Optional: Manage offline patch catalog metadata content. |
| DepotFolder.Read, DepotFolder.Write | Create the patch catalog in a depot folder or create remediation objects in a depot folder. |
| DepotGroup.Read, DepotGroup.Write | Navigate to the patch catalog or remediation objects in a depot group. |
| JobFolder.Read, JobFolder.Write | Create Patch Analysis jobs and remediation jobs in a folder or navigate to them in a group. |
| JobGroup.Read, JobGroup.Write | Create Patch Analysis jobs and remediation jobs in a folder or navigate to them in a group. |
| LinuxSoftware.* | Linux only: Create and read software. |
| PatchCatalog.* | Create and manage a patch catalog. |
| PatchDownloadJob.* | Manage patch downloads. |
| PatchingAnalysisConfig.Modify | Optional: Manage global patch settings. |
| PatchingJob.Read | Read the jobs used as the basis of remediation. |
| PatchRemedationJob.* | Manage patch remediation jobs. |
| PatchSmartGroup.* | Create smart groups in the patch catalog. |
| Server.Browse, Server.Deploy, Server.Read, Server.Write | Create a patch repository on a helper server, read the contents of the repository, read contents of target servers, deploy patches to target servers. |
| ServerGroup.Read | Allow user to browse to the helper server when selecting it and to browse to target servers. |
| SolarisSoftware.* | Solaris only: Create and read software. |
| WindowsSoftware.* | Windows only: Create and read software. |

Consolidated list of object level permissions for patching

| Object | Permissions | Description |
| --- | --- | --- |
| Depot folders | DepotFolder.Read, DepotFolder.Write, DepotGroup.Read, DepotGroup.Write | Grant these permissions on the depot folder where you create a patch catalog and to all depot folders that are parents of the patch catalog folder. Also grant these permissions on the depot folder where you create any remediation packages and to all parent job folders or groups. |
| Server functioning as a patch repository | Server.Read, Server.Browse | Grant these permissions to the server used as a patch repository. |
| Target servers | Server.Deploy, Server.Read | Grant these permissions on target servers. |
| Target server groups | ServerGroup.Read | Grant these permissions on any target server groups that hold the target server. |
| Job folder containing Patching and remediation jobs | JobGroup.Read, JobGroup.Write, JobFolder.Read, JobFolder.Write | Grant these permissions on the job folder where you create a Patching Job and to all parent job folders or groups. Also grant these permissions on the job folder where you create any remediation jobs and to all parent job folders or groups. |
| Patching jobs | PatchingJob.Read | Grant this permission on any Patching Jobs. |