Unsupported content: This version of the product has reached end of support. The documentation is available for your convenience.

Configuring a Change Automation profile


To configure a Change Automation profile, an endpoint administrator must provide some information on the Service Accounts tab of the Administration page. For some types of connectors, you may also be required to perform additional configuration within the application to which you are connecting. See the following sections for instructions on how to set up Change Automation profiles for different types of connectors:

Configuring a Change Automation profile for TrueSight Server Automation

To configure a Change Automation profile, you must identify at least one user and one or more roles that have all necessary permissions to read information from the TrueSight Server Automation application server.

When selecting the users and roles needed for the Change Automation profile, you can take two approaches:

  • Specify a superuser, such as BLAdmin, who has all the permissions assigned to the BLAdmins role. This approach gives the Change Automation profile access to all necessary information.
  • Many security-conscious organizations are reluctant to employ superuser capabilities. If that is true for you, specify one or more users and roles with restricted access to a minimum set of read-only permissions. One example of why organizations might need multiple users is to restrict one user's access to development data and another user to production data. When setting up users with restricted privileges, perform the entire procedure described in this section.

Minimum TrueSight Server Automation authorizations

Any role that is used to obtain information through the Change Automation profile requires the following minimum authorizations in TrueSight Server Automation:

  • Manage Patching Jobs
  • DeployJob.*
  • NSHScript.*

Setting up permissions in TrueSight Server Automation

The roles you create or modify in this procedure can only obtain information for objects that are created after the roles are created or modified. The roles cannot retroactively obtain information from existing objects, such as jobs and target servers.

To set up permissions in TrueSight Server Automation, ensure that the following conditions are met:

  • Grant permissions on the artefacts owned by Patch Administrators to the Change Automation users.
  • Grant permissions on the artefacts modified by the Change Automation user to Patch Administrators.

In the following procedure, sample users are created and assigned the permissions described in the above conditions. The procedure uses users with restricted access to a minimum set of read-only permissions. However, you can also use a superuser, for example, BLAdmin.

To set up permissions in TrueSight Server Automation

  1. In TrueSight Server Automation, use RBAC Manager to create a role, for example, ChangeAutomationRole.
  2. Assign the following authorizations to ChangeAutomationRole:

    Authorization            Type
    Manage Patching Jobs     AuthProfile
    DeployJob.*              Authorization
    NSHScript.*              Authorization

  3. Ensure that ChangeAutomationRole has access to the following objects:
    • All patch catalogs being used
    • All other objects, such as servers and job folders, that are required for patch administration.
  4. Using RBAC Manager, create a Patch Administrator role, for example, PatchAdminRole, if it does not exist.
  5. Assign the following authorizations to PatchAdminRole:

    Authorization            Type
    Manage Patching Jobs     AuthProfile
    DeployJob.*              Authorization
    NSHScript.*              Authorization

  6. Ensure that PatchAdminRole has access to the following objects:
    • All patch catalogs being used
    • All other objects, such as servers and job folders, that are required for patch administration.
  7. Use RBAC Manager to create a user, for example, ChangeAutomationUser, and assign the ChangeAutomationRole to this user.
    This user will be configured as the Change Automation user in TrueSight Vulnerability Management.
  8. Use RBAC Manager to create an ACL Policy, for example, ChangeAutomationToPatchACLPolicy.
    1. On page 2 of the wizard, when assigning authorizations to the Access Control List (ACL) Policy, for ChangeAutomationRole, select PatchAdmin role.
    2. Using the System tab, assign all permissions to the ACL Policy.

  9. Use RBAC Manager to create an ACL Template, for example, ChangeAutomationToPatchACLTemplate. While creating the template, on page 2 of the wizard, under ACL Policies, add the policy you created in a previous step (ChangeAutomationToPatchACLPolicy).
  10. Perform one of the following actions:
    • If you are assigning Change Automation account permissions to roles that do not have an ACL template assigned to them, use the following steps to assign the template you created in the previous step to every patch operator role in TrueSight Server Automation. 
      1. Using RBAC Manager, open a patch operator role.
      2. For Object Permissions Template, select the template you created in a previous step (ChangeAutomationToPatchACLTemplate), for example, for a role called WinPatchOperator.
      3. Save the changes to the role.
    • If you are assigning Change Automation account permissions to one or more existing patch operator roles and those roles already have an ACL template assigned to them, perform the following steps for each role. The permissions you add are appended to the permissions already assigned to the role.
      1. Using RBAC Manager, open a patch operator role and identify the ACL template that is assigned to the role.
      2. Navigate to that ACL template, right-click, and select Open.
      3. Click the Template Access Control List sub-tab.
      4. Click the Add Entry icon. A dialog opens.
      5. Under Available Authorizations, move the following authorizations to the Selected Authorizations list at right.
        1. Manage Patching Jobs
        2. DeployJob.*
        3. NSHScript.*
      6. Click OK to save the entries you have added to the Available Authorizations list.
      7. Save the changes to the role.
  11. Create a Patch Administrator user, PatchAdminUser, with the role PatchAdminRole. This user will create operations in TrueSight Vulnerability Management.
  12. Use RBAC Manager to create an ACL Policy, for example, PatchToChangeAutomationACLPolicy.

    1. On page 2 of the wizard, when assigning authorizations to the Access Control List Policy, for Role, select the role you created in a previous step (ChangeAutomationRole).
    2. Using the System tab, assign all permissions to the ACL Policy.


  13. Use RBAC Manager to create an ACL Template, for example, PatchToChangeAutomationACLTemplate. While creating the template, on page 2 of the wizard, under ACL Policies, add the policy you created in a previous step (PatchToChangeAutomationACLPolicy).
  14. Assign the template you created in the previous step (PatchToChangeAutomationACLTemplate) to ChangeAutomationRole:
    1. Using RBAC Manager, open ChangeAutomationRole.
    2. For Object Permissions Template, select PatchToChangeAutomationACLTemplate.
  15. Run an ACL Push Job on all the servers so that the policy is applied.
  16. Specify the users and roles needed to enable the Change Automation profile, as described below in Configuring Change Automation profiles for TrueSight Server Automation.

Configuring Change Automation profiles for TrueSight Server Automation

Endpoint administrators perform this procedure to specify the TrueSight Server Automation users and roles needed to obtain information for the Change Automation profile.

Note

  • You can configure only one Change Automation profile for one type of endpoint manager.
  • You can configure the same profile as the Data Refresh profile and the Change Automation profile.


  1. As an endpoint administrator, at top right, click the drop-down menu by your user name. Then, select Administration.
    The Administration page opens.
  2. Click the Service Accounts tab. 
  3. Take one of the following actions:
    • To create a new Change Automation profile, click Add the Service Account.
      The Create Service Account page opens.
    • To modify an existing Change Automation profile, select an existing connector and click Edit the Service Account.
      The Update Service Account page opens.
  4. From Connectors, select the TrueSight Server Automation application server for which the Change Automation profile is being configured.
  5. From Profile Type, select Change Automation or Data Refresh and Change Automation.

    Important

    If you want to configure a single profile as the Data Refresh as well as the Change Automation profile, the user in this profile must be granted authorizations for the Data Refresh profile as well as the Change Automation profile.

  6. (New in 3.1) In Refresh Interval, enter the time interval (in minutes) at which you want the data to be refreshed for a change ticket. Default is 60. Minimum value is 5 and maximum value is 1080.
  7. Enter the following user information for a connecting profile.
    The connecting profile identifies the user whose credentials are needed to obtain the latest information from TrueSight Server Automation.
    Options and their descriptions:
    • Profile Type: Type of profile you want to create:
      • Data Refresh: Watches the connectors that you specify and regularly updates their data as it appears in TrueSight Vulnerability Management.
      • Change Automation: Updates a job with schedule on the endpoint manager if the change record is approved by the change management system while executing the Change Automation use case.
      • Data Refresh and Change Automation: Watches the connectors as well as updates a job with schedule. If you choose this option, the same user account will be configured as the Data Refresh as well as the Change Automation profile.
    • Username: Name of a TrueSight Server Automation user with credentials that can be used for obtaining data from TrueSight Server Automation.
    • Password: Password for the user.
    • Roles: One or more roles with at least read-level access to TrueSight Server Automation. When entering multiple roles, use a comma-separated list.
    • Authentication Method: Method for authenticating the user with TrueSight Server Automation. Possible choices are Secure Remote Password, Domain Authentication, and LDAP Authentication. RSA SecurID is also supported if you are using a fixed passcode.

  8. To enter a connecting profile for another user, click Add and enter information for that user.
    When you click Add, a Remove button appears, which allows you to delete an existing set of credentials.
    If you specified a superuser in the previous step, you can skip this step; no additional connecting profiles are necessary. 
  9. When you have finished entering connecting profiles, click Create Service Account or Update Service Account.

Configuring Change Automation profile for TrueSight Network Automation

To enable a Change Automation account, you must identify at least one user and one or more roles that have all necessary permissions to read information from the TrueSight Network Automation application server. 

When selecting the users needed for the Change Automation profile, you can take two approaches:

  • Specify a superuser, such as sysadmin. This approach gives the Change Automation profile access to all necessary information. For this approach, set up one user with the appropriate privileges, as described below in Configuring Change Automation profiles for TrueSight Network Automation.
  • Many security-conscious organizations are reluctant to employ superuser capabilities. If that is true for you, specify one or more users with restricted access to a minimum set of read-only permissions. One example of why organizations might need multiple users is to restrict one user's access to development data and another user to production data. When setting up users with restricted privileges, perform all of the procedures described in this section.

Minimum TrueSight Network Automation authorizations

Any role that is used to obtain information through the Change Automation profile requires the following minimum authorizations in TrueSight Network Automation.

System Rights
     Access Admin Tab
     Access Network Tab
          Access Actions Menu
               Access Jobs
                    Edit Jobs
          Access Spans Menu
                Access Realms
     Login
          Login Using GUI
          Login Using Web Services

Network Rights
     Full Network Rights

Setting up permissions in TrueSight Network Automation

If the Change Automation profile obtains information from TrueSight Network Automation by means of a user with a restricted set of permissions, use TrueSight Network Automation to create a role with a limited set of permissions and then assign a user to the role.

Note

The roles you create or modify in this procedure can only obtain information for objects that are created after the roles are created or modified. The roles cannot retroactively obtain information from existing objects.

  1. In TrueSight Network Automation, open the Admin tab, select Roles, and click + Add.
    A window for defining a role opens.
  2. Assign a name to the role, such as CA_Role.
  3. Click the System Rights tab and assign, at minimum, the system rights listed in Minimum TrueSight Network Automation authorizations.
  4. Click the Network Rights tab and assign the network rights listed in Minimum TrueSight Network Automation authorizations.
  5. Click Save.
  6. Select Users and click + Add.
    A window for defining a user opens. 
  7. Provide a name for the user, such as CA_User, and provide all other information needed to create a user.
  8. Click the Roles tab. Find the role you created earlier and move it to the Selected Roles list.
  9. Click Save.
    If necessary you can repeat this process to create additional users.
  10. Specify the users needed to enable Change Automation account by configuring Change Automation profiles for each user. 

Configuring Change Automation profiles for TrueSight Network Automation

Endpoint administrators perform this procedure to specify one or more TrueSight Network Automation users who should obtain information for the Change Automation profile.

Note

  • You can configure only one Change Automation profile for one type of endpoint manager.
  • You can configure the same profile as the Data Refresh profile and the Change Automation profile.

  1. As an endpoint administrator, at top right, click the drop-down menu by your user name. Then, select Administration.
    The Administration page opens.
  2. Click the Service Accounts tab. 
  3. Take one of the following actions:
    • To create a new Change Automation profile, click Add the Service Account.
      The Create Service Account page opens.
    • To modify an existing Change Automation profile, select an existing connector and click Edit the Service Account.
      The Update Service Account page opens.
  4. From Connectors, select the TrueSight Network Automation application server for which the Change Automation profile is being configured.
  5. From Profile Type, select Change Automation or Data Refresh and Change Automation.

    Important

    If you want to configure a single profile as the Data Refresh as well as the Change Automation profile, the user in this profile must be granted authorizations for the Data Refresh profile as well as the Change Automation profile.

  6. (New in 3.1) In Refresh Interval, enter the time interval (in minutes) at which you want the data to be refreshed. Default is 60. Minimum value is 5 and maximum value is 1080.
  7. Enter the following user information for a connecting profile. 
    The connecting profile identifies the user whose credentials are needed to obtain the latest information from TrueSight Network Automation.
    Options and their descriptions:
    • Profile Type: Type of profile you want to create:
      • Data Refresh: Watches the connectors that you specify and regularly updates their data as it appears in TrueSight Vulnerability Management.
      • Change Automation: Updates a job with schedule on the endpoint manager if the change record is approved by the change management system while executing the Change Automation use case.
      • Data Refresh and Change Automation: Watches the connectors as well as updates a job with schedule. If you choose this option, the same user account will be configured as the Data Refresh as well as the Change Automation profile.
    • Username: Name of a TrueSight Network Automation user with credentials that can be used for obtaining data from TrueSight Network Automation.
    • Password: Password for the user.

  8. Click Create Service Account or Update Service Account.

Configuring a Change Automation profile for SCCM

To configure a Change Automation profile, you must identify at least one user and one or more roles that have all necessary permissions to read information from the TrueSight Server Automation application server.

When selecting the users and roles needed for the Change Automation profile, you can take two approaches:

  • Specify a superuser, such as Administrator. This approach gives the Change Automation profile access to all necessary information.
  • Many security-conscious organizations are reluctant to employ superuser capabilities. If that is true for you, specify one or more users and roles with restricted access to a minimum set of read-only permissions. One example of why organizations might need multiple users is to restrict one user's access to development data and another user to production data. When setting up users with restricted privileges, perform the entire procedure described in this section.

Minimum SCCM security roles

Any role that is used to obtain information through the Change Automation profile requires the following minimum security roles in TrueSight Server Automation:

Job type                          Security role
Software Update Deployment Job    Software Update Manager
Application Deployment Job        Application Administrator
Package Deployment Job            Application Administrator

Setting up security roles in SCCM

If the Change Automation profile obtains information from SCCM by means of a user with a restricted set of permissions, use SCCM to create a role with a limited set of permissions and then assign a user to the role.

Note

The roles you create or modify in this procedure can only obtain information for objects that are created after the roles are created or modified. The roles cannot retroactively obtain information from existing objects.

Create a user, for example, CA_User, and groups as described in Configuring SCCM for Active Directory. While adding the group to Administrative Users, add the security roles as described in Minimum SCCM security roles.

Configuring Change Automation profiles for SCCM

Endpoint administrators perform this procedure to specify one or more SCCM users who should obtain information for the Change Automation profile.

Note

  • You can configure only one Change Automation profile for one type of endpoint manager.
  • You can configure the same profile as the Data Refresh profile and the Change Automation profile.

  1. As an endpoint administrator, at top right, click the drop-down menu by your user name. Then, select Administration.
    The Administration page opens.
  2. Click the Service Accounts tab. 
  3. Take one of the following actions:
    • To create a new Change Automation profile, click Add the Service Account.
      The Create Service Account page opens.
    • To modify an existing Change Automation profile, select an existing connector and click Edit the Service Account.
      The Update Service Account page opens.
  4. From Connectors, select the SCCM server for which the Change Automation profile is being configured.
  5. From Profile Type, select Change Automation or Data Refresh and Change Automation.

    Important

    If you want to configure a single profile as the Data Refresh as well as the Change Automation profile, the user in this profile must be granted authorizations for the Data Refresh profile as well as the Change Automation profile.

  6. (New in 3.1) In Refresh Interval, enter the time interval (in minutes) at which you want the data to be refreshed. Default is 60. Minimum value is 5 and maximum value is 1080.
  7. Enter the following user information for a connecting profile. 
    The connecting profile identifies the user whose credentials are needed to obtain the latest information from TrueSight Network Automation.
    Options and their descriptions:
    • Profile Type: Type of profile you want to create:
      • Data Refresh: Watches the connectors that you specify and regularly updates their data as it appears in TrueSight Vulnerability Management.
      • Change Automation: Updates a job with schedule on the endpoint manager if the change record is approved by the change management system while executing the Change Automation use case.
      • Data Refresh and Change Automation: Watches the connectors as well as updates a job with schedule. If you choose this option, the same user account will be configured as the Data Refresh as well as the Change Automation profile.
    • Username: Name of a TrueSight Network Automation user with credentials that can be used for obtaining data from TrueSight Network Automation.
    • Password: Password for the user.

  8. Click Create Service Account or Update Service Account.
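
The rules that recur in the three connector sections above (allowed profile types, the 5 to 1080 minute refresh interval with its default of 60, one Change Automation profile per type of endpoint manager, the named superusers, and the minimum TrueSight Server Automation authorizations) can be checked against a planned set of service accounts before they are entered. The following Python check is an added example, not BMC code; the dictionary layout, the role export, and sample names such as WidePatchRole and Server.* are constructed assumptions.

```python
from collections import Counter

# Rules below are the ones stated on this page; the dict layout is an assumption.
PROFILE_TYPES = {"Data Refresh", "Change Automation",
                 "Data Refresh and Change Automation"}
REFRESH_MIN, REFRESH_MAX, REFRESH_DEFAULT = 5, 1080, 60
SUPERUSERS = {"TSSA": "BLAdmin", "TSNA": "sysadmin", "SCCM": "Administrator"}
TSSA_MINIMUM = {"Manage Patching Jobs", "DeployJob.*", "NSHScript.*"}


def parse_roles(field):
    """Split the comma-separated Roles field, ignoring blanks and spacing."""
    return [r.strip() for r in field.split(",") if r.strip()]


def review_profiles(profiles, tssa_role_auths):
    """Return (profile name, finding) tuples for every rule a profile breaks."""
    findings = []
    ca_seen = Counter()  # Change Automation profiles per endpoint manager type
    for p in profiles:
        name, kind, ptype = p["name"], p["connector_type"], p["profile_type"]
        if ptype not in PROFILE_TYPES:
            findings.append((name, f"unknown profile type: {ptype}"))
        elif "Change Automation" in ptype:
            ca_seen[kind] += 1
            if ca_seen[kind] > 1:
                findings.append((name, f"second Change Automation profile for {kind}"))
        interval = p.get("refresh_interval", REFRESH_DEFAULT)
        if not REFRESH_MIN <= interval <= REFRESH_MAX:
            findings.append((name, f"refresh interval {interval} outside {REFRESH_MIN}-{REFRESH_MAX}"))
        if p["username"].lower() == SUPERUSERS.get(kind, "").lower():
            findings.append((name, f"superuser account {p['username']} in use"))
        if kind != "TSSA":
            continue  # on this page only the TSSA form has a Roles field
        roles = parse_roles(p.get("roles", ""))
        if not roles:
            findings.append((name, "no role given"))
        for role in roles:
            granted = tssa_role_auths.get(role)
            if granted is None:
                findings.append((name, f"role {role} missing from export"))
                continue
            for auth in sorted(TSSA_MINIMUM - granted):
                findings.append((name, f"role {role} lacks {auth}"))
            for auth in sorted(granted - TSSA_MINIMUM):
                findings.append((name, f"role {role} exceeds minimum: {auth}"))
    return findings


# Constructed sample input (not real accounts; Server.* stands in for any extra grant).
SAMPLE_ROLE_AUTHS = {
    "ChangeAutomationRole": {"Manage Patching Jobs", "DeployJob.*", "NSHScript.*"},
    "WidePatchRole": {"Manage Patching Jobs", "DeployJob.*", "Server.*"},
}
SAMPLE_PROFILES = [
    {"name": "tssa-prod", "connector_type": "TSSA",
     "profile_type": "Change Automation", "username": "ChangeAutomationUser",
     "roles": "ChangeAutomationRole", "refresh_interval": 60},
    {"name": "tssa-dev", "connector_type": "TSSA",
     "profile_type": "Data Refresh and Change Automation", "username": "BLAdmin",
     "roles": "WidePatchRole, ", "refresh_interval": 2},
    {"name": "tsna-lab", "connector_type": "TSNA",
     "profile_type": "Change Automation", "username": "CA_User"},  # default interval
]

if __name__ == "__main__":
    for profile, finding in review_profiles(SAMPLE_PROFILES, SAMPLE_ROLE_AUTHS):
        print(f"{profile}: {finding}")
```
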

Deleting a Change Automation profile

  1. At top right, click the drop-down menu by your user name. Then, select Administration.
    The Administration page opens.
  2. Click the Service Accounts tab.
    A list shows the connectors for which Data Refresh or Change Automation profile has been configured.
  3. Take one of the following actions:
    1. To delete the Change Automation profile as well as the Data Refresh profiles for a connector, select the connector and click Delete the service account.
    2. To delete only the Change Automation profile for a connector:
      1. Select the connector and click Edit the Service Account.
      2. Click Remove against the Change Automation profile that you want to delete. 
  4. A confirmation dialog box appears. Click Yes to confirm the deletion.

 


TrueSight Vulnerability Management 3.1