Configuring a Data Refresh profile

To enable Data Refresh, an endpoint administrator must provide some information on the Service Accounts tab of the Administration page. For some types of connectors, you may also be required to perform additional configuration within the application to which you are connecting. See the following sections for instructions on how to set up Data Refresh for different types of connectors:

Configuring Data Refresh for TrueSight Server Automation

In TrueSight Server Automation, the Data Refresh capability watches jobs that can affect the status of vulnerabilities and regularly updates vulnerability data in TrueSight Vulnerability Management.

To enable Data Refresh, you must identify at least one user and one or more roles that have all necessary permissions to read information from the TrueSight Server Automation application server. 

When selecting the users and roles needed for Data Refresh, you can take two approaches:

  • Specify a superuser, such as BLAdmin. This approach gives Data Refresh access to all necessary information. For this approach, set up one user that belongs to one or more roles with the appropriate privileges, as described below in Configuring Data Refresh profiles for TrueSight Server Automation. No configuration of TrueSight Server Automation is necessary.
  • Many security-conscious organizations are reluctant to employ superuser capabilities. If that is true for you, specify one or more users and roles with restricted access to a minimum set of read-only permissions. One example of why organizations might need multiple users is to restrict one user's access to development data and another user to production data. When setting up users with restricted privileges, perform the entire procedure described in this section.

Minimum TrueSight Server Automation authorizations

Any role that is used to obtain information through Data Refresh requires the following minimum authorizations in TrueSight Server Automation.

BatchJob.Read
DeployJob.Read
JobFolder.Read
JobGroup.Read
NSHScriptJob.Read
PatchRemediationJob.Read
PatchWorkflowJob.Read 
PatchingJob.Read
Server.Read
ServerGroup.Read
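When a restricted role is built by hand it is easy to miss one of the read authorizations above, or to leave a write-level right on a role that is meant to be read-only. The following Python script is an added example (not BMC's code or a product feature) that compares the authorizations assigned to a role with the minimum set listed above, reporting what is missing and what goes beyond the minimum. The role's authorization list is a constructed sample, the only version rule it knows is the page's remark that PatchWorkflowJob.Read is not available in TrueSight Server Automation 8.7, and the name Server.Modify in the sample is an assumed illustration value, not one taken from the page.

```python
"""Least-privilege check for a TrueSight Server Automation role used by Data Refresh.

Added example; not part of the BMC documentation or product. It takes the
authorizations assigned to an RBAC role (here a constructed sample, as you
would read them off the role's ACL template in RBAC Manager) and compares
them with the minimum read-only set the page lists, reporting what is
missing and what goes beyond that minimum.
"""

# Minimum Data Refresh authorizations, exactly as listed on the page.
MINIMUM_AUTHORIZATIONS = frozenset({
    "BatchJob.Read",
    "DeployJob.Read",
    "JobFolder.Read",
    "JobGroup.Read",
    "NSHScriptJob.Read",
    "PatchRemediationJob.Read",
    "PatchWorkflowJob.Read",
    "PatchingJob.Read",
    "Server.Read",
    "ServerGroup.Read",
})

# The page notes that PatchWorkflowJob.Read does not exist in TrueSight
# Server Automation 8.7, so a role on that version is not flagged for lacking it.
UNAVAILABLE_BY_VERSION = {
    "8.7": frozenset({"PatchWorkflowJob.Read"}),
}


def parse_authorization_list(text):
    """Turn a pasted one-per-line authorization list into a set of names.

    Blank lines are skipped and a trailing parenthetical note (such as the
    page's own '(not available in ...)' remark) is dropped.
    """
    names = set()
    for line in text.splitlines():
        name = line.split("(")[0].strip()
        if name:
            names.add(name)
    return frozenset(names)


def required_for_version(version=None):
    """Minimum set, minus authorizations the given product version lacks."""
    return MINIMUM_AUTHORIZATIONS - UNAVAILABLE_BY_VERSION.get(version, frozenset())


def check_role(assigned, version=None):
    """Compare a role's authorizations with the Data Refresh minimum.

    Returns a dict:
      missing    - required read authorizations the role does not carry
      extra_read - *.Read authorizations beyond the minimum (unneeded, but
                   still read-only)
      privileged - anything that is not a *.Read authorization; a restricted
                   Data Refresh account should carry none of these
      compliant  - True when nothing is missing and nothing is privileged
    """
    assigned = frozenset(assigned)
    required = required_for_version(version)
    beyond = assigned - required
    missing = sorted(required - assigned)
    extra_read = sorted(a for a in beyond if a.endswith(".Read"))
    privileged = sorted(a for a in beyond if not a.endswith(".Read"))
    return {
        "missing": missing,
        "extra_read": extra_read,
        "privileged": privileged,
        "compliant": not missing and not privileged,
    }


# Constructed sample: a role from an 8.7 server that someone widened with a
# modify right. Server.Modify is an assumed sample name, not taken from the page.
SAMPLE_ROLE_8_7 = """
BatchJob.Read
DeployJob.Read
JobFolder.Read
JobGroup.Read
NSHScriptJob.Read
PatchRemediationJob.Read
PatchingJob.Read
Server.Read
Server.Modify
"""

if __name__ == "__main__":
    result = check_role(parse_authorization_list(SAMPLE_ROLE_8_7), version="8.7")
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against the sample, the check reports ServerGroup.Read as missing and Server.Modify as a privileged right that does not belong on a Data Refresh role, while not complaining about the absent PatchWorkflowJob.Read because the version is 8.7. Anything in `privileged` is the finding to act on: the page's approach of a dedicated read-only role only holds if no write-level authorization is appended to it later.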

Setting up permissions in TrueSight Server Automation

If Data Refresh obtains information from TrueSight Server Automation by means of a user with a restricted set of permissions, you must perform the following procedure to ensure that data can be obtained from TrueSight Server Automation.

Note

The roles you create or modify in this procedure can only obtain information for objects that are created after the roles are created or modified. The roles cannot retroactively obtain information from existing objects, such as jobs and target servers.

  1. In TrueSight Server Automation, use RBAC Manager to create a role with a name such as PortalDataRefresh_Role.
    No configuration is necessary for the role other than to assign it a name.
     
  2. Use RBAC Manager to create an ACL Template.
    1. On page 2 of the wizard, when assigning authorizations to the Template Access Control List, for Role, select the role you created in the previous step.
    2. Using the System tab, assign permissions to the template. The permissions are shown below and also listed above in Minimum TrueSight Server Automation authorizations.
  3. Take one of the following actions:
    • If you are assigning Data Refresh permissions to roles that do not have an ACL template assigned to them, use the following steps to assign the template you created in the previous step to every operator role in TrueSight Server Automation. 
      1. Using RBAC Manager, open an operator role.
      2. For Object Permissions Template, select the template you created in the previous step, as shown below for a role called WindowsAdmin.
      3. Save the changes to the role.
    • If you are assigning Data Refresh permissions to one or more existing operator roles and those roles already have an ACL template assigned to them, perform the following steps for each role. The permissions you add are appended to the permissions already assigned to the role.
      1. Using RBAC Manager, open an operator role and identify the ACL template that is assigned to the role.
      2. Navigate to that ACL template, right-click, and select Open.
      3. Click the Template Access Control List sub-tab.
      4. Click the Add Entry icon. A dialog opens.
      5. Under Available Authorizations, move the following authorizations to the Selected Authorizations list at right.
        BatchJob.Read
        DeployJob.Read
        JobFolder.Read
        JobGroup.Read
        NSHScriptJob.Read
        PatchRemediationJob.Read
        PatchWorkflowJob.Read (not available in TrueSight Server Automation 8.7)
        PatchingJob.Read
        Server.Read
        ServerGroup.Read
      6. Click OK to save the entries you have added to the Available Authorizations list.
      7. Save the changes to the role.
  4. In TrueSight Server Automation, update permissions on servers that are mapped to assets in TrueSight Vulnerability Management.
    1. Using the Servers node, right-click a server group that you want to update and select Update Permissions.
    2. Using the Update Permissions window, click the Use ACL Template icon. Then select the ACL template you created above. 
  5. In TrueSight Server Automation, update permissions for existing jobs that were created by running Remediation operations in TrueSight Vulnerability Management.
    If you are doing an initial configuration of your system and have not yet run any Remediation operations, this step is not applicable. However, if you have successfully run Remediation operations in TrueSight Vulnerability Management, the operation has created one or more jobs in TrueSight Server Automation. For Data Refresh to obtain information in the future from those jobs, you must perform the following steps:
    1. Using the Jobs node, navigate to a job that was created by a Remediation operation in TrueSight Vulnerability Management.  Right-click the job and select Update Permissions.
      You can also select a job folder to update permissions for all the jobs contained in that folder.
    2. Using the Update Permissions window, click the Use ACL Template icon. Then select the ACL template you created above.
  6. Specify the users and roles needed to enable Data Refresh, as described below in Configuring Data Refresh profiles for TrueSight Server Automation.

Configuring Data Refresh profiles for TrueSight Server Automation

Endpoint administrators perform this procedure to specify the TrueSight Server Automation users and roles needed to obtain information for Data Refresh.

  1. As an endpoint administrator, at top right, click the drop-down menu by your user name. Then, select Administration.
    The Administration page opens.
  2. Click the Service Accounts tab.
    A list shows the connectors for which a Data Refresh or Change Automation profile has been configured.
  3. Take one of the following actions:
    • To modify an existing Data Refresh profile, select an existing connector and click Edit the service account.
      The Update Service Account page opens.
    • To create a new Data Refresh profile, select the Add the service account icon.
      The Create Service Account page opens.
  4. From Connectors, select the TrueSight Server Automation application server for which Data Refresh is being configured.

  5. NEW IN 3.1 In Refresh Interval, enter the time interval (in minutes) at which you want the data to be refreshed. Default is 60. Minimum value is 5 and maximum value is 1080.

  6. Enter the following user information for a connecting profile.
    The connecting profile identifies the user whose credentials are needed to obtain the latest information from TrueSight Server Automation.
    Option / Description
    Profile Type
      Type of profile you want to create:
      • Data Refresh: Watches the connectors that you specify and regularly updates their data as it appears in TrueSight Vulnerability Management.
      • Change Automation: Updates the schedule of a job on the endpoint manager when the change management system approves the change record, as part of the Change Automation use case.
      • Data Refresh and Change Automation: Watches the connectors and also updates job schedules. If you choose this option, the same user account is configured as both the Data Refresh and the Change Automation profile.
    Username
      Name of a TrueSight Server Automation user with credentials that can be used for obtaining data from TrueSight Server Automation.
    Password
      Password for the user.
    Roles
      One or more roles with at least read-level access to TrueSight Server Automation. When entering multiple roles, use a comma-separated list.
    Authentication Method
      Method for authenticating the user with TrueSight Server Automation. Possible choices are Secure Remote Password, Domain Authentication, and LDAP Authentication. RSA SecurID is also supported if you are using a fixed passcode.

  7. To enter a connecting profile for another user, click Add and enter information for that user.
    When you click Add, a Remove button appears, which allows you to delete an existing set of credentials.
    If you specified a superuser in the previous step, you can skip this step; no additional connecting profiles are necessary.
  8. When you have finished entering connecting profiles, click Create Service Account or Update Service Account.

Configuring Data Refresh for TrueSight Network Automation

In TrueSight Network Automation, the Data Refresh capability watches jobs that can affect the status of vulnerabilities and regularly updates vulnerability data in TrueSight Vulnerability Management.

To enable Data Refresh, you must identify at least one user and one or more roles that have all necessary permissions to read information from the TrueSight Network Automation application server. 

When selecting the users needed for Data Refresh, you can take two approaches:

  • Specify a superuser, such as sysadmin. This approach gives Data Refresh access to all necessary information. For this approach, set up one user with the appropriate privileges, as described below in Configuring Data Refresh profiles for TrueSight Network Automation. No configuration of TrueSight Network Automation is necessary.
  • Many security-conscious organizations are reluctant to employ superuser capabilities. If that is true for you, specify one or more users with restricted access to a minimum set of read-only permissions. One example of why organizations might need multiple users is to restrict one user's access to development data and another user to production data. When setting up users with restricted privileges, perform all of the procedures described in this section.

Minimum TrueSight Network Automation authorizations

Any role that is used to obtain information through Data Refresh requires the following minimum authorizations in TrueSight Network Automation.

System Rights
     Access Network Tab
          Access Actions Menu
               Access Jobs
          Access Scripts Menu
               Access Rule Sets
               Access Templates
          Access Spans Menu
               Access Combo Groups
               Access Devices
               Access Groups
               Access Realms
     Login
          Login Using GUI
          Login Using Web Services 

Network Rights
     (assigned to every realm)
          Network Tab
               Actions Menu
                    Access Associated Jobs
                         Actions
                            Run Associated Remediate Actions 

               Spans Menu 
                    Access Associated Combo Groups 
                    Access Associated Devices
                    Access Associated Groups
                    Access Realm

Setting up permissions in TrueSight Network Automation

If Data Refresh obtains information from TrueSight Network Automation by means of a user with a restricted set of permissions, use TrueSight Network Automation to create a role with a limited set of permissions and then assign a user to the role. 

Note

The roles you create or modify in this procedure can only obtain information for objects that are created after the roles are created or modified. The roles cannot retroactively obtain information from existing objects.

  1. In TrueSight Network Automation, open the Admin tab, select Roles, and click + Add.
    A window for defining a role opens. 
  2. Assign a name to the role, such as ReadOnlyRole.
  3. Click the System Rights tab and assign, at minimum, the permissions shown below:
  4. Click the Network Rights tab.
  5. For Realm, select the first realm in the list and assign, at minimum, the permissions shown below:
  6. Using the Realm option, repeat the previous step for every realm that appears in the list.

    Note

    If a new realm is created in TrueSight Network Automation, the previous step must be repeated for the new realm.

  7. Click Save.
  8. Select Users and click + Add.
    A window for defining a user opens. 
  9. Provide a name for the user, such as ReadUser, and provide all other information needed to create a user.
  10. Click the Roles tab. Find the role you created earlier and move it to the Selected Roles list.
  11. Click Save.
    If necessary you can repeat this process to create additional users.
  12. Specify the users needed to enable Data Refresh by creating Data Refresh profiles for each user. 

Configuring Data Refresh profiles for TrueSight Network Automation

Endpoint administrators perform this procedure to specify one or more TrueSight Network Automation users who should obtain information for Data Refresh.

  1. As an endpoint administrator, at top right, click the drop-down menu by your user name. Then, select Administration.
    The Administration page opens.
  2. Click the Service Accounts tab. 
    A list shows the connectors for which a Data Refresh or Change Automation profile has been configured.
  3. Take one of the following actions:
    • To modify an existing Data Refresh profile, select an existing connector and click Edit the service account.
      The Update Service Account page opens.
    • To create a new Data Refresh profile, select the Add the service account icon.
      The Create Service Account page opens.
  4. From Connectors, select the TrueSight Network Automation server for which Data Refresh is being configured.

  5. NEW IN 3.1 In Refresh Interval, enter the time interval (in minutes) at which you want the data to be refreshed. Default is 60. Minimum value is 5 and maximum value is 1080.
  6. Enter the following user information for a connecting profile. 
    The connecting profile identifies the user whose credentials are needed to obtain the latest information from TrueSight Network Automation.
    Option / Description
    Profile Type
      Type of profile you want to create:
      • Data Refresh: Watches the connectors that you specify and regularly updates their data as it appears in TrueSight Vulnerability Management.
      • Change Automation: Updates the schedule of a job on the endpoint manager when the change management system approves the change record, as part of the Change Automation use case.
      • Data Refresh and Change Automation: Watches the connectors and also updates job schedules. If you choose this option, the same user account is configured as both the Data Refresh and the Change Automation profile.
    Username
      Name of a TrueSight Network Automation user with credentials that can be used for obtaining data from TrueSight Network Automation.
    Password
      Password for the user.

  7. Click Create Service Account or Update Service Account.

Configuring Data Refresh for SCCM

Endpoint administrators perform this procedure to specify the SCCM user who should obtain information for Data Refresh.

Note

If you do not want to specify a user with broad administrative permissions, identify a user who belongs to an Active Directory group that is associated with the Read-only Analyst security role. In SCCM, the Read-only Analyst role must have a security scope set to Default and a collection set to All Systems.

  1. As an endpoint administrator, at top right, click the drop-down menu by your user name. Then, select Administration.
    The Administration page opens.
  2. Click the Service Accounts tab.
    A list shows the connectors for which a Data Refresh or Change Automation profile has been configured.
  3. Take one of the following actions:
    • To create a new Data Refresh profile, select the Add the service account icon.
      The Create Service Account page opens.
    • To modify an existing Data Refresh profile, select an existing connector and click Edit the service account.
      The Update Service Account page opens.
  4. From Connectors, select the SCCM server for which Data Refresh is being configured.

  5. NEW IN 3.1 In Refresh Interval, enter the time interval (in minutes) at which you want the data to be refreshed. Default is 60. Minimum value is 5 and maximum value is 1080.
  6. Enter the following user information for a connecting profile. 
    The connecting profile identifies the user whose credentials are needed to obtain the latest information from SCCM.
    Option / Description
    Profile Type
      Type of profile you want to create:
      • Data Refresh: Watches the connectors that you specify and regularly updates their data as it appears in TrueSight Vulnerability Management.
      • Change Automation: Updates the schedule of a job on the endpoint manager when the change management system approves the change record, as part of the Change Automation use case.
      • Data Refresh and Change Automation: Watches the connectors and also updates job schedules. If you choose this option, the same user account is configured as both the Data Refresh and the Change Automation profile.
    Username
      Name of a user with credentials that can be used for obtaining data from SCCM. Although you can specify a user with broad administrative privileges in SCCM, at minimum, this user must belong to an Active Directory group that is associated with the Read-only Analyst security role.
    Password
      Password for the user.

  7. Click Create Service Account or Update Service Account.

Configuring Data Refresh for BMC Discovery

Endpoint administrators perform this procedure to specify a user who obtains the latest information from BMC Discovery.

  1. As an endpoint administrator, at top right, click the drop-down menu by your user name. Then, select Administration.
    The Administration page opens.
  2. Click the Service Accounts tab.
    A list shows the connectors for which a Data Refresh or Change Automation profile has been configured.
  3. Take one of the following actions:
    • To create a new Data Refresh profile, select the Add the service account icon.
      The Create Service Account page opens.
    • To modify an existing Data Refresh profile, select an existing connector and click Edit the service account.
      The Update Service Account page opens.
  4. From Connectors, select the Discovery server for which Data Refresh is being configured. 

  5. NEW IN 3.1 In Refresh Interval, enter the time interval (in minutes) at which you want the data to be refreshed. Default is 60. Minimum value is 5 and maximum value is 1080.
  6. Enter the following user information for a connecting profile. 
    The connecting profile identifies the user whose credentials are needed to obtain the latest information from BMC Discovery.
    Option / Description
    Profile Type
      Data Refresh: Watches the connectors that you specify and regularly updates their data as it appears in TrueSight Vulnerability Management.
    Username
      Name of the Discovery user required to connect to the Discovery instance.
    Password
      Password required to connect to the Discovery instance.

  7. Click Create Service Account or Update Service Account.

Deleting a Data Refresh profile

  1. At top right, click the drop-down menu by your user name. Then, select Administration.
    The Administration page opens.
  2. Click the Service Accounts tab.
    A list shows the connectors for which a Data Refresh or Change Automation profile has been configured.
  3. Take one of the following actions:
    • To delete all the Data Refresh profiles as well as the Change Automation profile for a connector, select the connector and click Delete the service account.
    • To delete only the Data Refresh profiles for a connector:
      1. Select the connector and click Edit the Service Account.
      2. Click Remove against the Data Refresh profile that you want to delete.
  4. A confirmation dialog box appears. Click Yes to confirm the deletion.