Page tree
    Skip to end of metadata
    Go to start of metadata
    Role-based access (RBAC) to the features and components comprised in TrueSight Operations Management is enabled by persona-based authorization profiles. Each authorization profile is associated with one or more BMC Atrium Single Sign-On realms and comprises user groups, roles and permissions, and objects. Collectively, the authorization profile components determine the features and objects that users can access and monitor. You can use each default authorization profile as is, you can modify its attributes, or you can create your own authorization profiles. 

    This topic provides an overview of authorization profiles and the components that compose them.

    Overview of the RBAC process

    To configure access control, you must complete the following steps:

    StepTaskResource
    1Set up users and user groups in BMC Atrium Single Sign-On.

    Managing users and user groups

    2Create or modify the components that compose an authorization profile. You can create or modify these components in any order.

    Managing roles

    Specifying objects

    Creating, editing, and deleting PATROL Agent ACLs

    3Modify the default authorization profiles or create new ones.Managing authorization profiles

    Realms and tenants

    Realms segment users in BMC Atrium Single Sign-On and enable multitenancy support. In Operations Management, each realm represents a tenant.

    The BmcRealm, with default user groups and users, is created in BMC Atrium Single Sign-On when you install the Presentation Server component.

    For information about supported versions of BMC Atrium Single Sign-On, see Presentation Server system requirements.

    Authorization profile structure

    The following diagram illustrates the basic structure of an authorization profile. Each profile is associated with one or more realms and comprises user groups, roles and permissions, and objects. You can use each default authorization profile as is, you can modify any of its elements, or you can create your own authorization profiles. 

    The Superadmin in the BmcRealm can create and modify authorization profiles and apply them to multiple tenants. Authorization profiles created by tenant administrators apply to users of that tenant, and users from one tenant cannot access data from another. For more information about tenant user administration, see Access control for SaaS administrators.

    Authorization Profile components
    When creating an authorization profile, you must already know the user groups, roles, and objects required for the new profile. You cannot create or modify components during the creation of the authorization profile. 

    See the following topics for more information about modifying and creating the required elements:

    Default authorization profiles

    The following persona-based authorization profiles are created in the Presentation Server for the BmcRealm during the installation of the TrueSight Presentation Server component:

    • Solution Administrator
    • Technology Specialist
    • Application Specialist–Applications
    • Application Specialist–Services
    • Service Manager
    • IT Operations User
    • Executive
    Solution Administrator profile
    By default, users in the Solution Administrator profile are associated with the roles, permissions, and objects that enable those users to access all features in the products, including the ability to modify and create authorization profiles. 

    The Solution Administrator profile has unrestricted access to all realms and all features and objects in the Operations Management solution. The following table shows the user groups, roles and permissions, and objects the compose the Solution Administrator authorization profile. 

    Solution Administrator
    BmcRealm
    User GroupsRoles and PermissionsObjects
    Administrators



    Super Admin



    All Permissions Assigned



    CategoryTypesSourcesObjects
    TrueSight Presentation

    Monitoring Policy Configuration Types

    PATROL Solutions

    PATROL Agent ACLs

    Devices

    Groups

    Applications

    TrueSight Presentation ServerAll Object Access
    TrueSight Infrastructure

    Views

    Monitor Groups

    CIs

    Component Folders

    Event Folders

    Not applicableAll Object Access

    Predefined user groups and users

    When you install BMC TrueSight Presentation Server, the following default user groups and users are created in your BMC Atrium SSO server for the default BmcRealm tenant. Not all default user groups contain default users. 

    Default user groupsDefault users
    Administratorsadmin 
    bppmws_internal 
    csm_user
    Central Monitoring AdministratorsNone
    Model Administratorsservice_admin
    Monitoring Administratorsevent_admin
    Operatorsoper
    Supervisorsuser
    ViewersNone
    WS Full AccessNone

    For more information about default users and passwords, see Default users and user groups.

    Default authorization profiles and menu access

    The following table lists the default authorization profiles and the default user groups and roles that compose them. To help you determine whether the default authorization profiles meet the access requirements of your organization, the last column in the table shows the menu options available to users in each default authorization profile. 

    ProfileUser groupsRolesMenu access
    Solutions AdministratorAdministratorsSuper Admin

    Dashboards

    Monitoring

    • Applications
    • Devices
    • Events
    • Groups

    Configuration

    • Applications
    • Groups
    • Synthetic Scripts
    • Application Discovery

    Administration

    • Components
    • Authorization Profiles
    • Integrations
    • PATROL Agent ACLs
    • Roles
    • User Accounts
    • App Visibility Agents
    • App Visibility Agent Policies

    Central Monitoring Administration

    Application Specialist–Services

    Central Monitoring Administrators

    Monitoring Administrators 

    Service Model Administrators

    Supervisors 

    WS Full Access 

    Blackout Administrator 

    Data Collection Administrator

    Deployment Administrator 

    Event Administrator 

    Event Supervisor 

    Monitoring Administrator

    Service Administrator 

    Service Supervisor 

    Web Services Access 


    Dashboards

    Monitoring

    • Applications
    • Devices
    • Events
    • Groups

    Configuration

    • Applications
    • Groups
    • Synthetic Scripts
    • Application Discovery

    Administration

    • Components
    • App Visibility Agents
    • App Visibility Agent Policies

    Central Monitoring Administration

    Application Specialist–Applications

    Central Monitoring Administrators

    Monitoring Administrators 

    Service Model Administrators  

    Supervisors  

    WS Full Access  

     

    Application Operator 

    Application Supervisor 

    Blackout Administrator 

    Data Collection Administrator

    Deployment Administrator 

    Event Administrator 

    Event Supervisor  

    Monitoring Administrator

    Service Administrator 

    Service Supervisor  

    Web Services Access  

     

     

    Dashboards

    Monitoring

    • Applications
    • Devices
    • Events
    • Groups

    Configuration

    • Applications
    • Groups
    • Synthetic Scripts
    • Application Discovery

    Administration

    • Components
    • App Visibility Agents
    • App Visibility Agent Policies

    Central Monitoring Administration

    Technology Specialist

    Central Monitoring Administrators

    Monitoring Administrators 

    Supervisors 

    WS Full Access 

    Blackout Administrator 

    Data Collection Administrator

    Deployment Administrator 

    Event Administrator 

    Event Supervisor 

    Monitoring Administrator

    Service Supervisor 

    Web Services Access 

     

    Dashboards

    Monitoring

    • Applications
    • Devices
    • Events
    • Groups

    Configuration

    • Applications
    • Groups
    • Synthetic Scripts
    • Application Discovery

    Administration

    • Components
    • App Visibility Agents
    • App Visibility Agent Policies

    Central Monitoring Administration

    IT Operations UserOperators

    Application Operator

    Data Collection Operator 

    Event Operator 

    Service Operator

    Dashboards

    Monitoring

    • Devices
    • Events
    • Groups
    Service Manager

    Central Monitoring Administrators

    Model Administrators

    Monitoring Administrators 

    Supervisors 

    WS Full Access 

     

    Event Administrator 

    Service Administrator 

    Event Supervisor 

    Service Supervisor 

    Data Collection Administrator 

    Web Services Access 

    Blackout Administrator 

    Deployment Administrator 

    Monitoring Administrator

    Dashboards

    Monitoring

    • Applications
    • Devices
    • Events
    • Groups

    Configuration

    • Applications
    • Groups
    • Synthetic Scripts
    • Application Discovery

    Administration

    • Components
    • App Visibility Agents
    • App Visibility Agent Policies

    Central Monitoring Administration

    ExecutiveViewersRead Only

    Dashboards

    Monitoring

    • Applications
    • Devices
    • Events
    • Groups