Configuring a Data Refresh profile
To enable Data Refresh, an endpoint administrator must provide connection details on the Service Accounts tab of the Administration page. For some connector types, you must also configure the application to which you are connecting so that the service account can read the data it needs. The following sections describe how to set up Data Refresh for each type of connector:
Configuring Data Refresh for TrueSight Server Automation
In TrueSight Server Automation, the Data Refresh capability watches jobs that can affect the status of vulnerabilities and regularly updates vulnerability data in TrueSight Vulnerability Management.
To enable Data Refresh, you must identify at least one user and one or more roles that have all necessary permissions to read information from the TrueSight Server Automation application server.
When selecting the users and roles needed for Data Refresh, you can take two approaches:
- Specify a superuser, such as BLAdmin. This approach gives Data Refresh access to all necessary information. For this approach, set up one user that belongs to one or more roles with the appropriate privileges, as described below in Configuring Data Refresh profiles for TrueSight Server Automation. No configuration of TrueSight Server Automation is necessary.
- Many security-conscious organizations are reluctant to give a service account superuser capabilities. If that is true for you, specify one or more users and roles that are restricted to the minimum set of read-only permissions listed below. Multiple users are useful, for example, when one user should see only development data and another only production data. When setting up users with restricted privileges, perform the entire procedure described in this section.
Minimum TrueSight Server Automation authorizations
Any role that is used to obtain information through Data Refresh requires the following minimum authorizations in TrueSight Server Automation.
BatchJob.Read
DeployJob.Read
JobFolder.Read
JobGroup.Read
NSHScriptJob.Read
PatchRemediationJob.Read
PatchWorkflowJob.Read
PatchingJob.Read
Server.Read
ServerGroup.Read
Setting up permissions in TrueSight Server Automation
If Data Refresh obtains information from TrueSight Server Automation by means of a user with a restricted set of permissions, you must perform the following procedure to ensure that data can be obtained from TrueSight Server Automation.
- In TrueSight Server Automation, use RBAC Manager to create a role with a name such as PortalDataRefresh_Role.
No configuration is necessary for the role other than to assign it a name.
- Use RBAC Manager to create an ACL Template.
- On page 2 of the wizard, when assigning authorizations to the Template Access Control List, for Role, select the role you created in the previous step.
- Using the System tab, assign to the template the authorizations listed above in Minimum TrueSight Server Automation authorizations.
- Take one of the following actions:
  - If the operator roles that should carry Data Refresh permissions do not yet have an ACL template assigned, assign the template you created in the previous step to every operator role in TrueSight Server Automation. A role's Object Permissions Template is applied to the objects that members of that role create, so jobs and servers created from now on automatically carry the read entries for the Data Refresh role. For each operator role:
    - Using RBAC Manager, open the operator role.
    - For Object Permissions Template, select the template you created in the previous step (for example, for a role called WindowsAdmin).
    - Save the changes to the role.
  - If those operator roles already have an ACL template assigned, add the Data Refresh entries to each role's existing template instead. The authorizations you add are appended to those already in the template. For each role:
    - Using RBAC Manager, open the operator role and note the ACL template that is assigned to it.
    - Navigate to that ACL template, right-click it, and select Open.
    - Click the Template Access Control List sub-tab.
    - Click the Add Entry icon. A dialog opens.
    - For Role, select the role you created in the first step, and under Available Authorizations move the following authorizations to the Selected Authorizations list at right:
      BatchJob.Read
      DeployJob.Read
      JobFolder.Read
      JobGroup.Read
      NSHScriptJob.Read
      PatchRemediationJob.Read
      PatchWorkflowJob.Read (not available in TrueSight Server Automation 8.7)
      PatchingJob.Read
      Server.Read
      ServerGroup.Read
    - Click OK to save the entries you have added to the Selected Authorizations list.
    - Save the changes to the template.
- In TrueSight Server Automation, update permissions on servers that are mapped to assets in TrueSight Vulnerability Management.
- Using the Servers node, right-click a server group that you want to update and select Update Permissions.
- Using the Update Permissions window, click the Use ACL Template icon. Then select the ACL template you created above.
- In TrueSight Server Automation, update permissions for existing jobs that were created by running Remediation operations in TrueSight Vulnerability Management.
  If you are doing an initial configuration of your system and have not yet run any Remediation operations, skip this step. Otherwise, each successful Remediation operation has created one or more jobs in TrueSight Server Automation, and for Data Refresh to read those jobs in the future you must perform the following steps:
  - Using the Jobs node, navigate to a job that was created by a Remediation operation in TrueSight Vulnerability Management. Right-click the job and select Update Permissions. You can also select a job folder to update permissions for all the jobs contained in that folder.
  - Using the Update Permissions window, click the Use ACL Template icon. Then select the ACL template you created above.
- Specify the users and roles needed to enable Data Refresh, as described below in Configuring Data Refresh profiles for TrueSight Server Automation.
Configuring Data Refresh profiles for TrueSight Server Automation
Endpoint administrators perform this procedure to specify the TrueSight Server Automation users and roles needed to obtain information for Data Refresh.
- As an endpoint administrator, at top right, click the drop-down menu by your user name. Then, select Administration.
  The Administration page opens.
- Click the Service Accounts tab.
  A list shows the connectors for which a Data Refresh or Change Automation profile has been configured.
- Take one of the following actions:
  - To modify an existing Data Refresh profile, select an existing connector and click the Edit the service account icon. The Update Service Account page opens.
  - To create a new Data Refresh profile, click the Add the service account icon. The Create Service Account page opens.
- From Connectors, select the TrueSight Server Automation application server for which Data Refresh is being configured.
- New in 3.1 In Refresh Interval, enter the time interval (in minutes) at which you want the data to be refreshed. Default is 60. Minimum value is 5 and maximum value is 1080.
- Enter the following user information for a connecting profile.
  The connecting profile identifies the user whose credentials are needed to obtain the latest information from TrueSight Server Automation.
  - Profile Type: Type of profile you want to create:
    - Data Refresh: Watches the connectors that you specify and regularly updates their data as it appears in TrueSight Vulnerability Management.
    - Change Automation: Updates a job with a schedule on the endpoint manager when the change management system approves the change record while executing the Change Automation use case.
    - Data Refresh and Change Automation: Watches the connectors and also updates jobs with schedules. If you choose this option, the same user account is configured as both the Data Refresh and the Change Automation profile, so that account needs whatever Change Automation requires in addition to the read-only set above. Keep the two profiles separate if the Data Refresh account must stay read-only.
  - Username: Name of a TrueSight Server Automation user with credentials that can be used for obtaining data from TrueSight Server Automation.
  - Password: Password for the user.
  - Roles: One or more roles with at least read-level access to TrueSight Server Automation. When entering multiple roles, use a comma-separated list.
  - Authentication Method: Method for authenticating the user with TrueSight Server Automation. Possible choices are Secure Remote Password, Domain Authentication, and LDAP Authentication. RSA SecurID is also supported if you are using a fixed passcode.
- To enter a connecting profile for another user, click Add and enter information for that user.
  When you click Add, a Remove button appears, which allows you to delete an existing set of credentials.
  If you specified a superuser in the previous step, you can skip this step; no additional connecting profiles are necessary.
- When you have finished entering connecting profiles, click Create Service Account or Update Service Account.
Configuring Data Refresh for TrueSight Network Automation
In TrueSight Network Automation, the Data Refresh capability watches jobs that can affect the status of vulnerabilities and regularly updates vulnerability data in TrueSight Vulnerability Management.
To enable Data Refresh, you must identify at least one user and one or more roles that have all necessary permissions to read information from the TrueSight Network Automation application server.
When selecting the users needed for Data Refresh, you can take two approaches:
- Specify a superuser, such as sysadmin. This approach gives Data Refresh access to all necessary information. For this approach, set up one user with the appropriate privileges, as described below in Configuring Data Refresh profiles for TrueSight Network Automation. No configuration of TrueSight Network Automation is necessary.
- Many security-conscious organizations are reluctant to give a service account superuser capabilities. If that is true for you, specify one or more users that are restricted to the minimum set of permissions listed below. Multiple users are useful, for example, when one user should see only development data and another only production data. When setting up users with restricted privileges, perform all of the procedures described in this section.
Minimum TrueSight Network Automation authorizations
Any role that is used to obtain information through Data Refresh requires the following minimum authorizations in TrueSight Network Automation.
System Rights
- Access Network Tab
- Access Actions Menu
- Access Jobs
- Access Scripts Menu
- Access Rule Sets
- Access Templates
- Access Spans Menu
- Access Combo Groups
- Access Devices
- Access Groups
- Access Realms
- Login: Login Using GUI, Login Using Web Services
Network Rights (assigned to every realm)
- Network Tab
  - Actions Menu: Access Associated Jobs
  - Actions: Run Associated Remediate Actions
  - Spans Menu: Access Associated Combo Groups, Access Associated Devices, Access Associated Groups
- Access Realm
Setting up permissions in TrueSight Network Automation
If Data Refresh obtains information from TrueSight Network Automation by means of a user with a restricted set of permissions, use TrueSight Network Automation to create a role with a limited set of permissions and then assign a user to the role.
- In TrueSight Network Automation, open the Admin tab, select Roles, and click + Add.
  A window for defining a role opens.
- Assign a name to the role, such as ReadOnlyRole.
- Click the System Rights tab and assign, at minimum, the System Rights listed above in Minimum TrueSight Network Automation authorizations.
- Click the Network Rights tab.
- For Realm, select the first realm in the list and assign, at minimum, the Network Rights listed above in Minimum TrueSight Network Automation authorizations.
  Using the Realm option, repeat the previous step for every realm that appears in the list. Network rights are scoped per realm, so any realm you skip is one that Data Refresh cannot read.
- Click Save.
- Select Users and click + Add.
  A window for defining a user opens.
- Provide a name for the user, such as ReadUser, and provide all other information needed to create a user.
- Click the Roles tab. Find the role you created earlier and move it to the Selected Roles list.
- Click Save.
  If necessary, you can repeat this process to create additional users.
- Specify the users needed to enable Data Refresh by creating a Data Refresh profile for each user, as described below in Configuring Data Refresh profiles for TrueSight Network Automation.
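The checks that the two restricted-permission procedures above leave you to do by eye (every required authorization present in the TrueSight Server Automation role; every system right and, in every realm, every network right present in the TrueSight Network Automation role) can be scripted against a copy of the role definition. The following is an added example, not BMC's code and not a TrueSight API: it takes role data that you have transcribed from RBAC Manager or from the TSNA Admin > Roles page, and reports what is missing and, for TSSA, what goes beyond read-only. The sample roles, the realm names Default and Lab, and the authorization name DeployJob.Execute are constructed for the example. The read-only test assumes that a read-only TSSA authorization is one whose name ends in .Read, which holds for every required authorization on this page. Note that the TSNA minimum includes Run Associated Remediate Actions, an action right rather than a read right, so the TSNA check reports only shortfalls.

```python
"""Least-privilege audit for Data Refresh service-account roles.

Added example, not BMC's code. Compares a role you have copied by hand from
RBAC Manager (TSSA) or Admin > Roles (TSNA) against the minimum
authorizations listed on this page. All role and realm data below is
constructed sample input, not an export from a real system.
"""

TSSA_MIN_AUTHORIZATIONS = frozenset({
    "BatchJob.Read", "DeployJob.Read", "JobFolder.Read", "JobGroup.Read",
    "NSHScriptJob.Read", "PatchRemediationJob.Read", "PatchWorkflowJob.Read",
    "PatchingJob.Read", "Server.Read", "ServerGroup.Read",
})
# PatchWorkflowJob.Read does not exist in TSSA 8.7, so it is not required there.
TSSA_87_UNAVAILABLE = frozenset({"PatchWorkflowJob.Read"})

TSNA_MIN_SYSTEM_RIGHTS = frozenset({
    "Access Network Tab", "Access Actions Menu", "Access Jobs",
    "Access Scripts Menu", "Access Rule Sets", "Access Templates",
    "Access Spans Menu", "Access Combo Groups", "Access Devices",
    "Access Groups", "Access Realms", "Login Using GUI",
    "Login Using Web Services",
})
# Network rights are granted per realm and must be present in every realm.
TSNA_MIN_NETWORK_RIGHTS = frozenset({
    "Access Associated Jobs", "Run Associated Remediate Actions",
    "Access Associated Combo Groups", "Access Associated Devices",
    "Access Associated Groups", "Access Realm",
})


def audit_tssa_role(authorizations, tssa_version=None):
    """Return (missing, beyond_read_only) for a TSSA role's authorizations.

    missing: required *.Read authorizations the role lacks (Data Refresh
    would silently see less than it should).
    beyond_read_only: granted authorizations whose name does not end in
    ".Read" (assumption: those are write/execute rights a refresh account
    has no reason to hold).
    """
    granted = set(authorizations)
    required = set(TSSA_MIN_AUTHORIZATIONS)
    if tssa_version == "8.7":
        required -= TSSA_87_UNAVAILABLE
    missing = sorted(required - granted)
    beyond_read_only = sorted(a for a in granted if not a.endswith(".Read"))
    return missing, beyond_read_only


def audit_tsna_role(system_rights, network_rights_by_realm, all_realms):
    """Return (missing_system, missing_by_realm) for a TSNA role.

    network_rights_by_realm maps realm name -> rights granted in that realm.
    all_realms is the complete realm list from TSNA, so a realm the role was
    never given rights in is reported too, as the procedure requires every realm.
    """
    missing_system = sorted(TSNA_MIN_SYSTEM_RIGHTS - set(system_rights))
    missing_by_realm = {}
    for realm in all_realms:
        granted = set(network_rights_by_realm.get(realm, ()))
        missing = sorted(TSNA_MIN_NETWORK_RIGHTS - granted)
        if missing:
            missing_by_realm[realm] = missing
    return missing_system, missing_by_realm


# Constructed samples: a TSSA role that lacks ServerGroup.Read and was also
# given an execute right, and a TSNA role granted network rights in only one
# of two realms. "DeployJob.Execute", "Default" and "Lab" are hypothetical.
SAMPLE_TSSA_ROLE = [
    "BatchJob.Read", "DeployJob.Read", "DeployJob.Execute", "JobFolder.Read",
    "JobGroup.Read", "NSHScriptJob.Read", "PatchRemediationJob.Read",
    "PatchWorkflowJob.Read", "PatchingJob.Read", "Server.Read",
]
SAMPLE_TSNA_SYSTEM_RIGHTS = sorted(TSNA_MIN_SYSTEM_RIGHTS)
SAMPLE_TSNA_NETWORK_RIGHTS = {"Default": sorted(TSNA_MIN_NETWORK_RIGHTS)}
SAMPLE_TSNA_REALMS = ["Default", "Lab"]

if __name__ == "__main__":
    missing, extra = audit_tssa_role(SAMPLE_TSSA_ROLE)
    print("TSSA missing:", missing)            # ['ServerGroup.Read']
    print("TSSA beyond read-only:", extra)     # ['DeployJob.Execute']
    sys_missing, realm_missing = audit_tsna_role(
        SAMPLE_TSNA_SYSTEM_RIGHTS, SAMPLE_TSNA_NETWORK_RIGHTS, SAMPLE_TSNA_REALMS)
    print("TSNA missing system rights:", sys_missing)    # []
    print("TSNA realms lacking rights:", realm_missing)  # {'Lab': [...]}
```

Run it once after creating the role and again whenever a realm is added to TrueSight Network Automation or a TrueSight Server Automation upgrade changes the available authorizations; a non-empty result in either direction means the role should be corrected before the Data Refresh profile is created.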
Configuring Data Refresh profiles for TrueSight Network Automation
Endpoint administrators perform this procedure to specify one or more TrueSight Network Automation users who should obtain information for Data Refresh.
- As an endpoint administrator, at top right, click the drop-down menu by your user name. Then, select Administration.
  The Administration page opens.
- Click the Service Accounts tab.
  A list shows the connectors for which a Data Refresh or Change Automation profile has been configured.
- Take one of the following actions:
  - To modify an existing Data Refresh profile, select an existing connector and click the Edit the service account icon. The Update Service Account page opens.
  - To create a new Data Refresh profile, click the Add the service account icon. The Create Service Account page opens.
- From Connectors, select the TrueSight Network Automation server for which Data Refresh is being configured.
- New in 3.1 In Refresh Interval, enter the time interval (in minutes) at which you want the data to be refreshed. Default is 60. Minimum value is 5 and maximum value is 1080.
- Enter the following user information for a connecting profile.
  The connecting profile identifies the user whose credentials are needed to obtain the latest information from TrueSight Network Automation.
  - Profile Type: Type of profile you want to create:
    - Data Refresh: Watches the connectors that you specify and regularly updates their data as it appears in TrueSight Vulnerability Management.
    - Change Automation: Updates a job with a schedule on the endpoint manager when the change management system approves the change record while executing the Change Automation use case.
    - Data Refresh and Change Automation: Watches the connectors and also updates jobs with schedules. If you choose this option, the same user account is configured as both the Data Refresh and the Change Automation profile.
  - Username: Name of a TrueSight Network Automation user with credentials that can be used for obtaining data from TrueSight Network Automation.
  - Password: Password for the user.
- Click Create Service Account or Update Service Account.
Configuring Data Refresh for SCCM
Endpoint administrators perform this procedure to specify the SCCM user who should obtain information for Data Refresh.
- As an endpoint administrator, at top right, click the drop-down menu by your user name. Then, select Administration.
  The Administration page opens.
- Click the Service Accounts tab.
  A list shows the connectors for which a Data Refresh or Change Automation profile has been configured.
- Take one of the following actions:
  - To create a new Data Refresh profile, click the Add the service account icon. The Create Service Account page opens.
  - To modify an existing Data Refresh profile, select an existing connector and click the Edit the service account icon. The Update Service Account page opens.
- From Connectors, select the SCCM server for which Data Refresh is being configured.
- New in 3.1 In Refresh Interval, enter the time interval (in minutes) at which you want the data to be refreshed. Default is 60. Minimum value is 5 and maximum value is 1080.
- Enter the following user information for a connecting profile.
  The connecting profile identifies the user whose credentials are needed to obtain the latest information from SCCM.
  - Profile Type: Type of profile you want to create:
    - Data Refresh: Watches the connectors that you specify and regularly updates their data as it appears in TrueSight Vulnerability Management.
    - Change Automation: Updates a job with a schedule on the endpoint manager when the change management system approves the change record while executing the Change Automation use case.
    - Data Refresh and Change Automation: Watches the connectors and also updates jobs with schedules. If you choose this option, the same user account is configured as both the Data Refresh and the Change Automation profile.
  - Username: Name of a user with credentials that can be used for obtaining data from SCCM. Although you can specify a user with broad administrative privileges in SCCM, at minimum this user must belong to an Active Directory group that is associated with the Read-only Analyst security role.
  - Password: Password for the user.
- Click Create Service Account or Update Service Account.
Configuring Data Refresh for BMC Discovery
Endpoint administrators perform this procedure to specify a user who obtains the latest information from BMC Discovery.
- As an endpoint administrator, at top right, click the drop-down menu by your user name. Then, select Administration.
  The Administration page opens.
- Click the Service Accounts tab.
  A list shows the connectors for which a Data Refresh or Change Automation profile has been configured.
- Take one of the following actions:
  - To create a new Data Refresh profile, click the Add the service account icon. The Create Service Account page opens.
  - To modify an existing Data Refresh profile, select an existing connector and click the Edit the service account icon. The Update Service Account page opens.
- From Connectors, select the Discovery server for which Data Refresh is being configured.
- New in 3.1 In Refresh Interval, enter the time interval (in minutes) at which you want the data to be refreshed. Default is 60. Minimum value is 5 and maximum value is 1080.
- Enter the following user information for a connecting profile.
  The connecting profile identifies the user whose credentials are needed to obtain the latest information from BMC Discovery.
  - Profile Type: Data Refresh: Watches the connectors that you specify and regularly updates their data as it appears in TrueSight Vulnerability Management.
  - Username: Name of the Discovery user required to connect to the Discovery instance.
  - Password: Password required to connect to the Discovery instance.
- Click Create Service Account or Update Service Account.
Deleting a Data Refresh profile
- At top right, click the drop-down menu by your user name. Then, select Administration.
  The Administration page opens.
- Click the Service Accounts tab.
  A list shows the connectors for which a Data Refresh or Change Automation profile has been configured.
- Take one of the following actions:
  - To delete all the Data Refresh profiles as well as the Change Automation profile for a connector, select the connector and click the Delete the service account icon.
  - To delete only the Data Refresh profiles for a connector:
    - Select the connector and click the Edit the Service Account icon.
    - Click Remove against the Data Refresh profile that you want to delete.
- A confirmation dialog box appears. Click Yes to confirm the deletion.