
The General panel lets you provide a name and description for the role, choose an object permissions template, and assign system authorizations, command authorizations, and authorization profiles to the role.

You can grant varying levels of system authorizations to a role. For example, Server.* authorizes a user to perform all possible actions relating to servers. AuditJob.* authorizes a user to perform all possible actions relating to Audit Jobs. You can also choose to authorize more specific classes of actions. For example, AuditJob.Read lets a user view Audit Jobs. For a full listing of all possible system authorizations, see System authorizations.

Similarly, you can grant authorizations to perform specific Network Shell and nexec commands. If you do not authorize specific commands, a role faces no restrictions when using commands. In other words, a user who assumes that role can perform any command. If you do assign commands to a role, users who assume that role are restricted to those commands.

In addition to granting individual authorizations for system authorizations and commands, you can assign one or more authorization profiles to a role. An authorization profile is a collection of system and command authorizations. For more information about creating authorization profiles, see Creating an authorization profile.

Note

If you change authorizations for a role while a user is active, the console may give the appearance of that user being incorrectly authorized or not authorized for certain actions. The console does not correctly display all changed user options until the user exits and logs on again. Although the console may give the appearance of incorrectly displaying some options, the correct authorizations are always in effect at the Application Server. Thus the user can never perform an action for which he or she is not authorized.

Field definitions

Field

Description

Name

Identifying name.

Note

Try to avoid the inclusion of space characters in role names. If you must include a space character in the role name, associate a Windows automation principal with this role through the Agent ACL panel of this wizard. Using an automation principal for Windows user mapping ensures that this role will be able to access target Windows servers. 

Description

Optional descriptive text.

Object Permissions Template

Click Browse to select an access control list (ACL) template to use to define permissions that are automatically granted to objects created by this role.
If you do not specify an object permissions template, the role is granted full permission to any object that the role creates. For example, when creating a BLPackage, the role is granted BLPackage.*. For more information about defining an ACL template, see Creating an ACL template.

System Commands

Under Available Authorizations, do any of the following:

  • To grant the role individual system authorizations, click the System tab at the bottom of the Available Authorizations list. Then, select the system authorizations you want to make available to the role.
  • To grant the role individual command authorizations, click the Commands tab at the bottom of the Available Authorizations list. Then, select the commands you want to make available to the role.
  • To assign authorization profiles to the role, click the Profiles tab at the bottom of the Available Authorizations list. Then, select the authorization profiles you want to assign to the role.

    Use Shift-click or Control-click to select multiple items. Click the right arrow to move your selections to the Selected Authorizations list.
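
The defaults described on this page (wildcard system authorizations, unrestricted commands when none are assigned, and full permission on created objects when no object permissions template is set) can be checked with a short review script. The following is an added example, not code from the product or its documentation: the role and profile dictionaries are a hypothetical, constructed model rather than a product export format, and it assumes that commands inherited from an authorization profile restrict the role the same way as directly assigned commands.

```python
from fnmatch import fnmatchcase

# Constructed sample data: a hypothetical in-memory model of roles and
# authorization profiles, not a product export format.
PROFILES = {
    "AuditOperators": {"system": ["AuditJob.*"], "commands": ["ls", "cat"]},
}
ROLES = [
    {"name": "ServerAdmins", "system": ["Server.*"], "commands": [],
     "profiles": [], "acl_template": None},
    {"name": "Auditors", "system": ["AuditJob.Read"], "commands": [],
     "profiles": ["AuditOperators"], "acl_template": "AuditorsTemplate"},
]


def effective(role, profiles=PROFILES):
    """Merge a role's direct authorizations with those of its profiles.
    Assumption: commands that come from a profile restrict the role in the
    same way as commands assigned directly."""
    system, commands = set(role["system"]), set(role["commands"])
    for name in role["profiles"]:
        system.update(profiles[name]["system"])
        commands.update(profiles[name]["commands"])
    return system, commands


def system_allowed(role, action):
    """True if any granted authorization, wildcards included, covers action."""
    system, _ = effective(role)
    return any(fnmatchcase(action, granted) for granted in system)


def command_allowed(role, command):
    """An empty command set means unrestricted; otherwise only listed commands."""
    _, commands = effective(role)
    return not commands or command in commands


def audit(role):
    """Return least-privilege findings for one role."""
    system, commands = effective(role)
    findings = [f"wildcard system authorization {a}"
                for a in sorted(system) if a.endswith(".*")]
    if not commands:
        findings.append("no command authorizations: any command is permitted")
    if not role["acl_template"]:
        findings.append("no object permissions template: full permission on created objects")
    return findings
```

Calling `audit(role)` for each entry in `ROLES` lists the roles that rely on these permissive defaults.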

Where to go from here

Role - Agent ACL