Walkthrough: Restricting permissions for a Compliance officer


This topic walks you through the process of setting up a Compliance officer, who is in charge of performing compliance analyses, and limiting permissions so that this user cannot perform other types of actions in BMC BladeLogic Server Automation (BSA). Although this process is not essential for compliance analysis, BMC always recommends that you grant users the minimum set of permissions needed to perform actions. If you do not set up a Compliance officer with a limited set of permissions, a superuser such as the BLAdmins role must perform compliance analysis.

Introduction

This topic is intended for system administrators who manage data center authorizations. The goal of this topic is to grant the minimum set of permissions to the role and user who performs compliance analysis.

What are roles and users?

BSA manages data center access through a system of role-based access controls (RBAC). Each role defines a set of permissions. Typically roles correspond to jobs performed in an organization, such as QA testers or application developers. A user can be assigned to one or more roles, but a user can only assume one role at a time.

What does this walkthrough show?

This walkthrough shows how to:

  • Create an authorization profile, which is a collection of authorizations to perform certain tasks — in this case to perform compliance analysis.
  • Create a role for a Compliance officer.
  • Create a Compliance user who is assigned to the Compliance officer role and thus is granted the permissions available to the Compliance officer.

What do I need to do before I get started?

For this walkthrough, you need to log in as the RBAC administrator for BSA (typically RBACAdmin or a user with equivalent permissions).

How to restrict permissions for a Compliance officer

Step

Example screen

1

Create an authorization profile for compliance analysis. An authorization profile is a collection of all authorizations needed to perform all compliance analysis tasks.

  1. Log on to BSA as the RBAC administrator (typically RBACAdmin or a user with equivalent permissions).
  2. Expand the RBAC Manager folder.
  3. Right-click Authorization Profiles and select New > Authorization Profile.
    The Authorization Profile Creation wizard opens. 
  4. For Name, enter a name, such as Manage Compliance Job.
  5. In the list of authorizations, move the following authorizations to the list at right:

    Note

    The recommended list of required authorizations for a Compliance officer is broader than the list recommended for a simple Compliance user running a basic Compliance Job (as listed in Creating Compliance Jobs).

    • AuditJob.*
    • BLPackage.*
    • Component.*
    • ComponentGroup.*
    • ComponentTemplate.*
    • ComponentTemplateFolder.*
    • ConfigurationObjectClass.Read
    • DepotFolder.*
    • DepotGroup.*
    • DiscoveryJob.*
    • ExtendedObject.*
    • JobFolder.*
    • JobGroup.*
    • PropertyClass.*
    • PropertyInstance.*
    • Server.*
    • ServerGroup.*
    • (Depending on the parts in the component template) ExtendedObject.read
    • (Depending on the parts in the component template) ConfigurationObjectClass.read
  6. Click Finish.

ComplianceAuthProfile.png

2

Still logged on as the RBAC administrator, create a role for Compliance management. Assign the authorization profile you just created to the role.

  1. In the RBAC Manager folder, right-click Roles and select New > Role.
    The Role Creation wizard opens. 
  2. For Name, enter a name, such as ComplianceRole.
  3. Make sure the Profile tab is selected at bottom. Then, in the list of authorization profiles, select Manage Compliance Job and move it to the right.
  4. Click Finish.

CompliancRole.png

3

Still logged on as the RBAC administrator, create a Compliance user. Assign this user to the role you just created.

  1. In the RBAC Manager folder, right-click Users and select New > User.
    The User Creation wizard opens. 
  2. For Name, enter a name, such as ComplianceUser.
  3. For SRP Authentication Options, enter a password and then confirm the password by typing it again.
    This option is only necessary if your organization uses SRP authentication, the default approach for BSA. 
  4. Click Next.
  5. In the list of roles, select ComplianceRole and move it to the right.
  6. Click Finish.

ComplianceUser1.png

ComplianceUser2.png

Wrapping it up

Congratulations. You have set up a role for Compliance officers and created a Compliance user.
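
To confirm that a role carries no more than the profile from step 1, the following added example (not BMC code) compares the authorizations granted to a role against that list and reports anything outside it. It assumes the grants are available as plain text, one authorization per line; the sample grants are constructed, and the names audit_role and _covered are hypothetical.

```python
"""Least-privilege check for the Compliance officer role (added example)."""
from fnmatch import fnmatchcase

# Authorizations listed in step 1 for the "Manage Compliance Job" profile.
COMPLIANCE_PROFILE = [
    "AuditJob.*", "BLPackage.*", "Component.*", "ComponentGroup.*",
    "ComponentTemplate.*", "ComponentTemplateFolder.*",
    "ConfigurationObjectClass.Read", "DepotFolder.*", "DepotGroup.*",
    "DiscoveryJob.*", "ExtendedObject.*", "JobFolder.*", "JobGroup.*",
    "PropertyClass.*", "PropertyInstance.*", "Server.*", "ServerGroup.*",
]

# Constructed sample: grants held by a role, one per line (assumed format).
SAMPLE_GRANTS = """\
AuditJob.*
Component.Read
ComponentTemplate.*
ConfigurationObjectClass.read
ConfigurationObjectClass.*
DeployJob.Execute
Server.Read
"""


def _covered(grant, entry):
    # Match object type exactly and the action by wildcard, ignoring case
    # (the page writes both ".Read" and ".read"). A granted "Type.*" is only
    # covered by a profile entry that is itself "Type.*".
    g_type, _, g_action = grant.partition(".")
    e_type, _, e_action = entry.partition(".")
    return g_type == e_type and fnmatchcase(g_action.lower(), e_action.lower())


def audit_role(grants, profile=COMPLIANCE_PROFILE):
    """Return (excess, missing): grants outside the profile, and profile
    entries that have no matching grant."""
    grants = [g.strip() for g in grants if g.strip()]
    excess = sorted({g for g in grants if not any(_covered(g, e) for e in profile)})
    missing = [e for e in profile if not any(_covered(g, e) for g in grants)]
    return excess, missing


if __name__ == "__main__":
    excess, missing = audit_role(SAMPLE_GRANTS.splitlines())
    print("Grants outside the profile:", excess)
    print("Profile entries not granted:", missing)
```

A non-empty first list means the role holds more than the Compliance officer profile allows; a grant such as ConfigurationObjectClass.* is reported because the profile only permits the Read action on that type.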

Where to go from here
