• Spaces
  • People
  • Help
    • BMC Support Central BMC Communities BMC.com
    ×
    Server Automation Documentation

    Page tree
    Skip to end of metadata
    Go to start of metadata

    This topic walks you through the process of setting up a patching administrator and limiting permissions so that administrator cannot perform other types of actions in BMC Server Automation. Although this process is not essential for patch management, BMC always recommends that you grant users the minimum set of permissions needed to perform actions. If you do not set up a patching administrator with a limited set of permissions, a superuser such as the BLAdmins role must perform patch management.

    This topic includes the following sections:

    Introduction

    This topic is intended for system administrators who manage data center authorizations and access to physical assets such as servers. The goal of this topic is to grant the minimum set of permissions to the role and user who perform patch management, as well as granting the minimum level of access to any servers where you will be setting up patching infrastructure.

    What are roles and users?

    BMC Server Automation (BSA) manages data center access through a system of role-based access controls (RBAC). Each role defines a set of permissions. Typically roles correspond to jobs performed in an organization, such as QA testers or application developers. A user can be assigned to one or more roles, but a user can only assume one role at a time.

    What does this walkthrough show?

    This walkthrough shows how to:

    • Create an authorization profile, which is a collection of authorizations to perform certain tasks–in this case to perform patch management.
    • Create a role for a patching administrator
    • Create a patching user who is assigned to the patching administrator role and thus is granted the permissions available to the patching administrator.
    • Grant the patching administrator access to the server that is used as a patch repository.  This requires you to set permissions for server within the BSA console and also to push an access control list (ACL) to the server. The ACL controls access at the server level.

    What do I need to do before I get started?

    • For this walkthrough, you need you need to log in as the RBAC administrator for BSA (typically RBACAdmin or a user with equivalent permissions)
    • Later in the walkthrough you have to log in as BLAdmin, the superuser, or a user with equivalent permissions.
    • You must also know which server you want to use as a patch repository so you can restrict access to it.

    How to restrict permissions for a patching administrator

     StepExample screen
    1

    Create an authorization profile for patching. An authorization profile is a collection of all authorizations needed to perform all patching tasks.

    1. Log on to BSA as the RBAC administrator (typically RBACAdmin or a user with equivalent permissions).
    2. Expand the RBAC Manager folder.
    3. Right-click Authorization Profiles and select New > Authorization Profile.
      The Authorization Profile Creation wizard opens. 
    4. For Name, enter a name, such as Manage Patching Job.
    5. In the list of authorizations, move the following authorizations to the list at right:
      ACLPolicy.*
      AIXSoftware.*
      BatchJob.*
      BLPackage.*
      CustomSoftware.* (for Linux only)
      DeployJob.*
      DepotFile.*
      DepotFolder.*
      DepotGroup.*
      ExtendedObject.*
      JobFolder.*
      JobGroup.*
      LinuxSoftware.*
      PatchCatalog.*
      PatchDownloadJob.*
      PatchingJob.*
      PatchRemediationJob.*
      PatchSmartGroup.*
      Server.*
      ServerGroup.*
      SolarisSoftware.*
      WindowsSoftware.* 
    6. Click Finish.
    2

    Still logged on as the RBAC administrator, create a role for patch administration. Assign the authorization profile you just created to the role.

    1. In the RBAC Manager folder, right-click Roles and select New > Role.
      The Role Creation wizard opens. 
    2. For Name, enter a name, such as PatchingUser.
    3. Make sure the Profile tab is selected at bottom. Then, in the list of authorization profiles, select Manage Patching Job and move it to the right.
     
    1. Click Next.
      The Agent ACLs page opens.
    2. For User Map, select Map to and enter root
      You need to map to a user that has authorizations to make changes to the repository where you will be storing patching information. For a UNIX server, this user is often root. 
    3. Click the Windows tab. Select Map to and enter Administrator.
    4. Click Finish.
    3

    Still logged on as the RBAC administrator, create a patching user. Assign this user to the role you just created.

    1. In the RBAC Manager folder, right-click Users and select New > User.
      The User Creation wizard opens. 
    2. For Name, enter a name, such as PatchingUser.
    3. For SRP Authentication Options, enter a password and then confirm the password by typing it again.
      This option is only necessary if your organization uses SRP authentication, the default approach for BSA. 
    4. Click Next.
    5. In the list of roles, select PatchingUser and move it to the right.
    6. Click Finish.

    4
    1. In the Servers folder, navigate to the server you want to use as a patch repository.
    2. Select the server and in the Properties, Permissions, and Audit Trail view, select the Permissions tab.

     

    5
    1. Click Add one or more ACL entries .
      The Permissions dialog box opens.
    2. For Role, select PatchingUser, the role we created earlier. 
    3. Under Available Permissions, select Server.* and move it to the list at right.
    4. Click OK.
     
    1. In the Jobs folder, navigate to a subfolder where the PatchingUser can create a job. Using the procedure described in the previous steps, grant the PatchingUser role the JobFolder.* permission. This action gives PatchingUser the ability to create and modify the contents of this folder.
    2. Repeat the same process for any higher level subfolders in the Jobs folder hierarchy. In other words, if the PatchingUser should be working in the Workspace/Automation Academy subfolder within the Jobs folder hierarchy, you must grant permissions to both the Workspace folder and the Automation Academy folder.

     

    6
    1. Log off as the RBAC administrator and log in as the BLAdmin superuser or a user with equivalent permissions.
    2. Right-click the server you want to use as a patch repository and select Administration Task > Agent ACLs.
      The Agent ACL Preview dialog box opens.
    3. Click Push to push the revised ACLs to the server you have selected. 
      The system prompts you for a confirmation.
      The ACLs you are pushing include the new patching user who now should have access to the server. 
    4. Click OK

     

    Wrapping it up

    Congratulations. You have set up a role for patching administrators, created a patching user, and granted that user access to the patch repository server.

    Where to go from here

    Now that you have restricted access to the patching administrator, you can now set up patch catalogs. See Walkthrough: Setting up and managing an online patch catalog for Windows and Walkthrough: Setting up and managing an online patch catalog for Linux.

    © Copyright 2005-2019 BMC Software, Inc.