User roles and permissions

BMC Helix Automation Console provides role-based access to the application.

You access Automation Console based on the role assigned to you in the endpoint manager, Server Automation. 

When you log in, the security group that you currently belong to appears in the top-right corner of the user interface. If you are assigned multiple roles in Server Automation, you can change the security group to view the application as per your defined role. For instructions about changing the security groups, see Working-with-security-groups.

Based on their roles, users can perform these tasks for an efficient and automated patch, vulnerability, and compliance management processes. These permissions are also needed if you want to work with operation templates:

User role

Permissions required in TrueSight Server Automation

Tasks

Server Automation Administrator

  • By default, the BLAdmins role in Server Automation has administrative permissions in the Automation Console. Users in the BLAdmins role have access to any entity (such as policies, operations, and catalogs) created by other administrative or non-administrative users.
  • The BLAdmin user in Server Automation has administrative permissions to Automation Console.
  • Manage security groups to provide role-based access to the application.
  • Define Service Level Agreements that determine the period within which missing patches, vulnerabilities, and compliance violations must be remediated.
  • Import patch catalogs from Server Automation. These catalogs are used to create policies for scanning assets.
  • Create exceptions for vulnerabilities or missing patches to exclude them from remediation.
  • Configure and update connectors for Server Automation, TrueSight Orchestration, BMC Discovery.

Operator

(Non-administrative Server Automation user)

  • If using Authorization Profiles in Server Automation, users with roles that have access to the Manage Patching Job profile, with Roles.Read authorization have non-administrative access to the Automation Console.
  • If not using Authorization Profiles, ensure that Server Automation roles have access to the following authorizations:
    • BatchJob
    • BLPackage
    • DeployJob
    • DepotGroup
    • ExecutionTask
    • JobFolder
    • JobGroup
    • NSHScript
    • NSHScriptJob
    • PatchCatalog
    • PatchingJob
    • PatchSmartGroup
    • Server
    • ServerGroup
  • Provide permissions to the assets or catalogs to be used by the operator.

  • To ensure that operators have access to artifacts created in Server Automation, and administrators in the BLAdmins role have permissions to update or delete those artifacts created by operators, do this:

    1. Create an access control list (ACL) policy and assign BLAdmins permission to the policy.
    2. Create an ACL template using this policy.
    3. Assign the ACL template to the non-administrative or operator role.

    For details, see ACL template - Template Access Control List in TrueSight Server Automation documentation.

  • Create patch policies that run according to a schedule to identify missing patches on assets.
  • Import vulnerability scan files.
  • Create compliance scan policies to scan assets for compliance rule violations.
  • Monitor the list of missing patches, identified vulnerabilities, and compliance rule violations.
  • Monitor assets with missing patches, vulnerabilities, and assets that are discovered in your environment but are not scanned for vulnerabilities.
  • Create operations for installing missing patches, remediating vulnerabilities, or remediating compliance violations on assets.
  • Create operation templates and operations for NSH and BLPackage Deploy jobs.
  • Monitor the Patch, Vulnerability, and Compliance dashboards to view the patch and vulnerability compliance on assets, and other metrics in your environment.
  • View details of exceptions created for vulnerabilities or missing patches.

Operator

(Non-administrative user requiring permissions for using shared operation templates)

The following table lists the minimum set of permissions required for an operator to be able to create operations using the templates shared by the template owner: 

Depot:

  • AIXSoftware.Read
  • BLPackage.Read
  • CustomSoftware.Read
  • DepotFile.Read
  • DepotFolder.Read
  • DepotGroup.Read
  • HPUXSoftware.Read
  • LinuxSoftware.Read
  • SolarisSoftware.Read
  • WindowsSoftware.Read
  • NSHScript.Read

Job:

  • JobFolder.*
  • JobGroup.*
  • DeployJob.*
  • NSHScriptJob.*
  • ExecutionTask.*

Server:

  • Server.Deploy
  • Server.Read
  • ServerGroup.Read
  • Server.ExecuteNSHScript

BL_Administration

BL_Administration.Read 

JobPolicy

JobPolicy.Read

Create operations using operation templates shared with the security groups.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*