
    When creating or modifying authorization profiles, in addition to restricting access to specific features, you can also restrict access to specific PATROL Agents, Computer System Configuration Items (CSCI), devices, and other objects. You specify this granular level of access through the selection of objects on the Objects tab of the Profile Details page.


    Overview of the Objects tab

    The Objects tab is where you specify the object restrictions for the authorization profile, as shown in the following image and described in the table that follows.

    | Item | Description |
    |------|-------------|
    | 1 | Associated Objects: Action menu that enables you to provide unrestricted access to selected object types. When you specify unrestricted access to an object type, you cannot also specify restricted access. |
    | 2 | Categories: TrueSight Presentation (objects that you can access in the TrueSight Presentation Server, which includes Configuration Monitoring Administration) and TrueSight Infrastructure (objects that you can access in the BMC TrueSight Infrastructure Management product; the data providers registered with the Presentation Server determine the list of objects in this category). |
    | 3 | Types: Type of object available in the selected category. Selecting a type filters the list of available objects. |
    | 4 | Source: Host name of the Presentation Server or Infrastructure object. |
    | 5 | Objects: List of selected objects. |

    To select objects, select the Objects action menu, and select Edit.

    Object filtering

    The Objects tab always displays the available types of objects for each category. The data sources determine the objects that exist for a selected type. After you select a category, type, and source, you can specify the individual objects available to the user groups in the authorization profile. The following table lists the types, sources, and objects available for each category.

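    | Categories | Types | Source | Accessible objects |
    |------------|-------|--------|--------------------|
    | TrueSight Presentation | Applications | Host name or IP address of the Presentation Server | Applications |
    | TrueSight Presentation | Devices | Host name or IP address of the Presentation Server | Devices |
    | TrueSight Presentation | Event Groups | Host name or IP address of the Presentation Server | Event groups |
    | TrueSight Presentation | Groups | Host name or IP address of the Presentation Server | Groups |
    | TrueSight Presentation | Monitoring Policy Configuration Types | Host name or IP address of the Presentation Server | Any combination of the following monitoring policy configuration types: Agent Configuration, Configuration Variables, Solution Configuration |
    | TrueSight Presentation | PATROL Agent ACLs | Host name or IP address of the Presentation Server | PATROL Agents specified in a PATROL Agent ACL |
    | TrueSight Presentation | PATROL Solutions | Host name or IP address of the Presentation Server | Solutions that can be configured by creating Infrastructure Management policies |
    | TrueSight Infrastructure | CIs | Host name or IP address of Infrastructure Management servers | Computer System Configuration Items (CSCIs) |
    | TrueSight Infrastructure | Component Folders | Host name or IP address of Infrastructure Management servers | Component folders on the infrastructure device |
    | TrueSight Infrastructure | Event Folders | Host name or IP address of Infrastructure Management servers | Event folders on the infrastructure device |
    | TrueSight Infrastructure | Monitor Groups | Host name or IP address of Infrastructure Management servers | Groups in the TrueSight Infrastructure Management server |
    | TrueSight Infrastructure | Views | Host name or IP address of Infrastructure Management servers | Views in the TrueSight Infrastructure Management server |

    Groups: BMC recommends that when you, as a solution administrator, specify a group type object in an authorization profile, you include group objects belonging to the same tenant in the authorization profile. For example, there are two objects, device-A1 and device-A2, under tenant-A. As a solution administrator, if you want to create a group GA to include device-A1 and device-A2, ensure that the group GA belongs to tenant-A.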

    How object hierarchy affects monitoring permissions

    Providing access to an object enables access to objects that are subordinate to it, as detailed in the following table:

    | Object type | Subordinate objects |
    |-------------|---------------------|
    | Applications | Devices and groups in the application |
    | Devices | Monitor instances under the device |
    | Event Groups | Child event groups, and events in the event group and child event groups |
    | Groups | Sub-groups, devices, and monitor instances in the group |

    The following example illustrates how the event group hierarchy affects the monitoring permissions of the users in the authorization profile:

    Event group hierarchy:

    By_Location
        America
            North America
            South America
        Asia
            India
                Metro
                    Delhi
                    Mumbai
                Non Metro
                    Pune
                    Chandigarh
            China

    If America is the selected object, then users have access to America and its child event groups: North America and South America. If the selected object is China, which has no child event groups, then users have access to China only. When child event groups are added under China, users have access to them as well.

    Note

    You cannot specify monitor-level permission in authorization profiles. To provide access to a specific monitor instance under a device, you must create a group, add those monitor instances to the group, and add the group to the authorization profile. 

    To illustrate how the object hierarchy affects the monitoring permissions of the users in the authorization profile, observe how the objects listed under Selected objects map to the objects listed in Monitoring permissions, which lists the objects that users could access in the TrueSight console.

    Selected objects

    Devices
    • D1
    • D2
    • D3

    Groups
    • Group G1, which contains:
        • Device D1
        • Device D4
    • Group G2, which contains:
        • Device D5
        • Device D6
        • Monitoring instance M1 (from Device D8)
        • Monitoring instance M2 (from Device D9)

    Applications
    • Application A1, which contains:
        • Group G1
        • Device D5
    • Application A2, which contains:
        • Group G3, which contains:
            • Device D10
        • Device D7

    Monitoring permissions

    | Console page | Accessible objects |
    |--------------|--------------------|
    | Applications | Application A1 |
    | | Application A2 |
    | Devices | Device D1 (direct permission) |
    | | Device D2 (direct permission) |
    | | Device D3 (direct permission) |
    | | Device D4 (inherited from Group G1) |
    | | Device D5 (inherited from Group G2) |
    | | Device D6 (inherited from Group G2) |
    | | Device D7 (inherited from Application A2) |
    | | Device D10 (inherited from Group G3, which is part of Application A2) |
    | Events | Device D1 (direct permission) |
    | | Device D2 (direct permission) |
    | | Device D3 (direct permission) |
    | | Device D4 (inherited from Group G1) |
    | | Device D5 (inherited from Group G2) |
    | | Device D6 (inherited from Group G2) |
    | | Device D7 (inherited from Application A2) |
    | | Device D10 (inherited from Group G3, which is part of Application A2) |
    | | Monitor instance M1 (inherited from Group G2; cannot view other events from Device D8) |
    | | Monitor instance M2 (inherited from Group G2; cannot view other events from Device D9) |
    | Groups | Group G1 |
    | | Group G2 |
    | | Group G3 (inherited from Application A2) |
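
The inheritance rules above can be checked mechanically when reviewing a profile for least privilege. The following Python sketch is an added example, not BMC code and not a TrueSight API: it models the containment from the two worked examples on this page (the selected objects and the event group hierarchy) and resolves every object a selection exposes, with the path that grants it. The dictionary layout, the function names, and the event group "Shanghai" used in the test are assumptions made for illustration.

```python
from collections import deque

# Containment constructed from this page's examples: parent -> direct children.
CONTAINS = {
    "Application A1": ["Group G1", "Device D5"],
    "Application A2": ["Group G3", "Device D7"],
    "Group G1": ["Device D1", "Device D4"],
    "Group G2": ["Device D5", "Device D6",
                 "Monitor instance M1", "Monitor instance M2"],
    "Group G3": ["Device D10"],
    # Event group hierarchy from the page.
    "America": ["North America", "South America"],
    "Asia": ["India", "China"],
    "India": ["Metro", "Non Metro"],
    "Metro": ["Delhi", "Mumbai"],
    "Non Metro": ["Pune", "Chandigarh"],
}

# Objects selected on the Objects tab in the page's example.
SELECTED = ["Device D1", "Device D2", "Device D3", "Group G1", "Group G2",
            "Application A1", "Application A2"]

def effective_access(selected, contains=CONTAINS):
    """Map every reachable object to the path that grants access to it."""
    access = {obj: [obj] for obj in selected}      # direct permissions
    queue = deque(selected)
    while queue:
        parent = queue.popleft()
        for child in contains.get(parent, []):
            if child not in access:                # keep the first grant path found
                access[child] = access[parent] + [child]
                queue.append(child)
    return access

def unexpected_grants(selected, intended, contains=CONTAINS):
    """Objects the selection exposes that are outside the intended scope."""
    return sorted(set(effective_access(selected, contains)) - set(intended))

if __name__ == "__main__":
    for obj, path in sorted(effective_access(SELECTED).items()):
        kind = "direct" if len(path) == 1 else "via " + " > ".join(path[:-1])
        print(f"{obj}: {kind}")
```

Re-running `unexpected_grants` against a refreshed hierarchy shows access that appeared only because a child object was added under an already selected parent, which is the China case described above.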