This section contains an overview of the configuration item (CI)-based access control mechanism. It also explains the concepts of roles and access control used in CI-based access control.

About CI-based access control

CI-based access control was introduced to help align access control with long-term Enterprise Services Management goals. CIs are entities that uniquely represent an asset in a computing infrastructure environment and typically reside in BMC Atrium CMDB.

CIs can be of different classes; for example, Computer System CI (CSCI), Business Service CI (BSCI), Application CI, and so on. Each CI represents a component in an infrastructure. CI-based access control leverages access control definitions made in BMC Atrium CMDB and helps drive the control from a centralized data store when Infrastructure Management is integrated with BMC Atrium CMDB. If Infrastructure Management is not integrated with BMC Atrium CMDB, CI-based access control can still be used in a standalone version of Infrastructure Management, but it must be set up explicitly in Infrastructure Management.

The CI-based access control mechanism consists of two parts:

  • Access control
  • Role

Access control

Access control defines access to a CI and its associated monitors as well as Infrastructure Management components such as Infrastructure Management reports, views, Service Level Objectives (SLOs), detailed diagnostics, and so on. Access control is specified through Access Control Lists (ACLs) defined in a CI. ACLs of a CI control which user groups have access to the CI.

An ACL comprises the WriteLevelSecurity (WLS) and ReadLevelSecurity (RLS) fields of BMC Atrium CMDB and Infrastructure Management. In BMC Atrium CMDB, these attributes are named CMDBReadLevelSecurity and CMDBWriteLevelSecurity. In effect, there are four attributes that define ACLs for a CI: two that can be defined in BMC Atrium CMDB, and two that can be defined in Infrastructure Management. These attributes define the two types of access: read and write.

The type of access granted to a user group determines the permissions that are enabled for that user group. Write access activates the permissions that are listed in the Permissions affected by access control section. Read access allows you to view CIs and related objects.

ACLs defined in Infrastructure Management for a CI may define access in addition to access defined in BMC Atrium CMDB. Monitors associated with a CI inherit access types from the CI. Access to other Infrastructure Management components such as reports, views, and so on is defined by access lists defined in the user group in Infrastructure Management.

Role

A role can be assigned to a user group and is a set of permissions that controls the operations that can be performed on accessible entities. Permissions may be classified into two types:

  • Permissions independent of access control
  • Permissions affected by access control

Permissions independent of access control

Permissions independent of access control include:

  • Access Operations Console/Service Level Objective (SLO) Console
  • Access Administration Console
  • Perform an operation on an event
  • View Other Cells drawer

Permissions affected by access control

Permissions affected by access control include:

  • Edit thresholds
  • Manage data collection
  • Edit manual status for component
  • Edit component in service tab
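
The following conceptual model shows how the two parts combine into one authorization decision: the four ACL attributes give a user group its access types on a CI, and the role decides which permissions can be exercised. It is an added example, not BMC code or a BMC API; the class names, function names, and group names are hypothetical, the sample data is constructed, and denying unknown permissions is an assumption.

```python
from dataclasses import dataclass, field

# Permission names copied from the two lists on this page.
INDEPENDENT = {"Access Operations Console/Service Level Objective (SLO) Console",
               "Access Administration Console",
               "Perform an operation on an event", "View Other Cells drawer"}
ACL_AFFECTED = {"Edit thresholds", "Manage data collection",
                "Edit manual status for component", "Edit component in service tab"}

@dataclass
class CI:
    name: str
    # The four ACL attributes; each holds user group names (hypothetical model).
    cmdb_rls: set = field(default_factory=set)  # CMDBReadLevelSecurity
    cmdb_wls: set = field(default_factory=set)  # CMDBWriteLevelSecurity
    im_rls: set = field(default_factory=set)    # ReadLevelSecurity (Infrastructure Management)
    im_wls: set = field(default_factory=set)    # WriteLevelSecurity (Infrastructure Management)

@dataclass
class Monitor:
    name: str
    ci: CI  # a monitor inherits access types from its CI

def access_types(group, entity):
    """Return the access types ('read', 'write') a user group has on a CI or monitor."""
    ci = entity.ci if isinstance(entity, Monitor) else entity
    types = set()
    # Infrastructure Management ACLs add to the CMDB ACLs, so take the union.
    if group in ci.cmdb_rls | ci.im_rls:
        types.add("read")
    if group in ci.cmdb_wls | ci.im_wls:
        types.add("write")
    return types

def is_allowed(group, role_permissions, permission, entity=None):
    """Decide whether a group with the given role may use a permission."""
    if permission not in role_permissions:
        return False                      # the role does not carry the permission
    if permission in INDEPENDENT:
        return True                       # not tied to any CI's ACL
    if permission in ACL_AFFECTED:        # activated only by write access to the CI
        return entity is not None and "write" in access_types(group, entity)
    return False                          # assumption: unknown permissions are denied

# Constructed sample data: group names and CI name are made up.
WEB01 = CI("web-01", cmdb_rls={"ops", "audit"}, cmdb_wls={"ops"}, im_wls={"dba"})
CPU_MONITOR = Monitor("cpu", WEB01)
OPS_ROLE = {"Edit thresholds", "Access Administration Console"}
```

In this model a group that holds "Edit thresholds" in its role but has only read access to the CI is refused, which is the case to check when reviewing why a user can see a CI but cannot change it.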