Important: This documentation space contains information about the SaaS version of Automation Console. If you are using the on-premises version of Automation Console, see TrueSight Automation Console 24.3.

User roles and permissions


BMC Helix Automation Console provides role-based access to the application.

You access Automation Console based on the role assigned to you in the endpoint manager, that is, TrueSight Server Automation or TrueSight Network Automation.

When you log in, the security group that you currently belong to appears in the top-right corner of the user interface. If you are assigned multiple roles in the endpoint manager, you can change the security group to view the application according to your defined role. For instructions about changing the security groups, see Working with security groups.

Based on their roles, users can perform these tasks for efficient and automated patch, vulnerability, and compliance management processes. These permissions are also needed to work with operation templates:

User roles and permissions in TrueSight Server Automation

For each user role, the permissions required in TrueSight Server Automation are listed first, followed by the tasks that the role can perform.

Server Automation Administrator

Permissions required in TrueSight Server Automation:

  • By default, the BLAdmins role in Server Automation has administrative permissions in the Automation Console. Users in the BLAdmins role have access to any entity (such as policies, operations, and catalogs) created by other administrative or non-administrative users.
  • The BLAdmin user in Server Automation has administrative permissions to Automation Console.

Tasks:

  • Manage security groups to provide role-based access to the application.
  • Define Service Level Agreements that determine the period within which missing patches, vulnerabilities, and compliance violations must be remediated.
  • Import patch catalogs from Server Automation. These catalogs are used to create policies for scanning assets.
  • Create exceptions for vulnerabilities or missing patches to exclude them from remediation.
  • Configure and update connectors for Server Automation, TrueSight Orchestration, and BMC Discovery.

Operator

(Non-administrative Server Automation user)

Permissions required in TrueSight Server Automation:

  • If using Authorization Profiles in Server Automation, users with roles that have access to the Manage Patching Job profile, with Roles.Read authorization, have non-administrative access to the Automation Console.
  • If not using Authorization Profiles, ensure that Server Automation roles have access to the following authorizations:
    • BatchJob
    • BLPackage
    • DeployJob
    • DepotGroup
    • ExecutionTask
    • JobFolder
    • JobGroup
    • NSHScript
    • NSHScriptJob
    • PatchCatalog
    • PatchingJob
    • PatchSmartGroup
    • Server
    • ServerGroup
  • Provide permissions to the assets or catalogs to be used by the operator.
  • To ensure that operators have access to artifacts created in Server Automation, and administrators in the BLAdmins role have permissions to update or delete those artifacts created by operators, do this:

    1. Create an access control list (ACL) policy and assign BLAdmins permission to the policy.
    2. Create an ACL template using this policy.
    3. Assign the ACL template to the non-administrative or operator role.

    For details, see ACL template - Template Access Control List in the TrueSight Server Automation documentation.

Tasks:

  • Create patch policies that run according to a schedule to identify missing patches on assets.
  • Import vulnerability scan files.
  • Create compliance scan policies to scan assets for compliance rule violations.
  • Monitor the list of missing patches, identified vulnerabilities, and compliance rule violations.
  • Monitor assets with missing patches, vulnerabilities, and assets that are discovered in your environment but are not scanned for vulnerabilities.
  • Create operations for installing missing patches, remediating vulnerabilities, or remediating compliance violations on assets.
  • Create operation templates and operations for NSH and BLPackage Deploy jobs.
  • Monitor the Patch, Vulnerability, and Compliance dashboards to view the patch and vulnerability compliance on assets, and other metrics in your environment.
  • View details of exceptions created for vulnerabilities or missing patches.

Operator

(Non-administrative user requiring permissions for using shared operation templates)

The following table lists the minimum set of permissions required for an operator to be able to create operations using the templates shared by the template owner: 

Depot:

  • AIXSoftware.Read
  • BLPackage.Read
  • CustomSoftware.Read
  • DepotFile.Read
  • DepotFolder.Read
  • DepotGroup.Read
  • HPUXSoftware.Read
  • LinuxSoftware.Read
  • SolarisSoftware.Read
  • WindowsSoftware.Read
  • NSHScript.Read

Job:

  • JobFolder.*
  • JobGroup.*
  • DeployJob.*
  • NSHScriptJob.*
  • ExecutionTask.*

Server:

  • Server.Deploy
  • Server.Read
  • ServerGroup.Read
  • Server.ExecuteNSHScript

BL_Administration:

  • BL_Administration.Read

JobPolicy:

  • JobPolicy.Read

Tasks:

  • Create operations using operation templates shared with the security groups.
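
A least-privilege check against the minimum permission set for shared operation templates listed above, as an added example that is not part of the BMC documentation. It assumes that a role's authorizations are available as `Type.Action` strings and that `Type.*` means every action on that object type; `covers`, `audit_role`, and the sample role are hypothetical and constructed for illustration.

```python
# Minimum authorizations for shared operation templates, copied from the lists above.
REQUIRED = """AIXSoftware.Read BLPackage.Read CustomSoftware.Read DepotFile.Read
DepotFolder.Read DepotGroup.Read HPUXSoftware.Read LinuxSoftware.Read
SolarisSoftware.Read WindowsSoftware.Read NSHScript.Read JobFolder.* JobGroup.*
DeployJob.* NSHScriptJob.* ExecutionTask.* Server.Deploy Server.Read
ServerGroup.Read Server.ExecuteNSHScript BL_Administration.Read
JobPolicy.Read""".split()


def covers(granted, needed):
    """True if the granted authorization satisfies the needed one.

    Assumption: "Type.*" grants every action on that object type.
    """
    g_type, _, g_action = granted.partition(".")
    n_type, _, n_action = needed.partition(".")
    return g_type == n_type and g_action in ("*", n_action)


def audit_role(granted):
    """Return (missing, excess) for a role's granted authorizations."""
    granted = sorted({g.strip() for g in granted if g.strip()})
    # Missing: a required authorization that no grant satisfies.
    missing = [n for n in REQUIRED if not any(covers(g, n) for g in granted)]
    # Excess: a grant wider than the minimum set, either a wildcard where one
    # action is enough or an object type the minimum set does not mention.
    excess = [g for g in granted if not any(covers(n, g) for n in REQUIRED)]
    return missing, excess


# Constructed sample role: two required grants dropped or narrowed, two grants widened.
SAMPLE_ROLE = [r for r in REQUIRED
               if r not in ("DeployJob.*", "JobPolicy.Read", "BLPackage.Read")]
SAMPLE_ROLE += ["DeployJob.Read", "BLPackage.*", "PatchCatalog.Read"]

if __name__ == "__main__":
    missing, excess = audit_role(SAMPLE_ROLE)
    print("missing:", missing)
    print("beyond minimum:", excess)
```

Entries reported as beyond the minimum are not necessarily wrong, because an operator may hold them for other tasks, but each one should be justified against the role's purpose.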

User roles and permissions in TrueSight Network Automation

For each user role, the permissions required in TrueSight Network Automation are listed first, followed by the tasks that the role can perform.

Network Automation Administrator

The following lists the minimum set of permissions that must be granted in TrueSight Network Automation for any operator to be able to create and run remediation operations:

System Rights

  • Login
    • Login Using Web Services
  • Access Network Tab > Access Actions Menu > Access Jobs
    • Add Jobs
    • Approve Jobs
  • Access Network Tab > Access Scripts Menu
    • Access Rule Sets
    • Access Templates
  • Access Admin Tab > Access System Admin Menu
    • Access Dynamic Fields
    • Access Global Substitution Parameters

Network Rights

In the Network Rights section, click Selected Rights and then select the Realm for which you want to grant the rights.

  • Admin Tab > Network Admin Menu
    • Access Associated Device Security Profiles
  • Network Tab > Actions Menu > Access Associated Jobs > Actions
    • Run Associated Remediate Actions
  • Network Tab > Spans Menu
    • Access Associated Devices
    • Access Realm

For more information, see Managing role rights by selected rights.

Tasks:

  • Manage security groups to provide role-based access to the application.
  • Define Service Level Agreements that determine the period within which vulnerabilities must be remediated.
  • Configure and update connectors.
  • Monitor the Vulnerability dashboard to view the vulnerability compliance on assets and other metrics in your environment.
  • Create operations for remediating vulnerabilities.
  • Create exceptions for vulnerabilities to exclude them from remediation.
  • Import vulnerability scan files.
  • Monitor the list of identified vulnerabilities.
  • Monitor assets with vulnerabilities, and assets that are discovered in your environment but are not scanned for vulnerabilities.

 

 
