Documentation update To provide a better user experience, we have now created a separate documentation space for BMC Helix Automation Console (previously called BMC Helix Vulnerability Management). Users of BMC Helix Automation Console can find the latest documentation at BMC Helix Automation Console..

Change automation

This section provides an overview and process flow to enable creating and approving change requests in an IT service management system for remediation operations. 

Overview

TrueSight Automation Console supports creating and approving change requests in BMC Remedy IT Service Management and ServiceNow ITSM systems for the following endpoint managers:  TrueSight Server Automation and TrueSight Network AutomationWhen operational changes such as installing patches or remediating vulnerabilities are implemented, administrators need to keep a track of these changes in a change management system. Organizations may use an approval process, where a change is not implemented unless it is approved. To automate the process of creating a change request, approving it, and then ensuring that the change is implemented, change automation is enabled.

You can create a change request for a vulnerability or a patch remediation operation. This is done by integrating with TrueSight Orchestration – ITSM Automation runbook. This runbook supports creating change requests in both BMC Remedy IT Service Management and ServiceNow ITSM systems.

When you create an operation in Automation Console, you can create a change request, with approval settings as configured in the ITSM system of your choice. The change request ID appears against the operation on the Operations page. After a change is approved, based on the schedule, the operation runs and remediates the missing patches or vulnerabilities. 

For a patch remediation operation, a configuration item (CI) is not associated with the change request. For a vulnerability operation, a CI gets associated with the change request. 

Change automation ensures continuous compliance to the change process without introducing labor intensive activities. The integration reduces the risk of unauthorized and unplanned changes through enforced change tracking.

Change automation process flow

The following figure shows the end-to-end process flow for a vulnerability operation with a change approval configured.

change_automation_tsac.png

Change automation considerations

As administrators, when you implement change automation, consider the following: 

  • A single change request is created for a single operation.
  • Change request creation is only available if you have selected Execute Now or defined a schedule for the operation.
    If you select the Maintenance Schedule as I will do it later, you do not see the option to create a change request.  
  • If you update the schedule for an operation in the task associated with the change request, the updated schedule is reflected for the operation. After approval, the operation runs according to the new schedule. Note that you must update the Schedule Start Date or the Schedule End Date for the task and not the change request. 
  • If the operation schedule expires before the change request is approved, the operation and the job are cancelled, and the status is shown as Cancelled due to schedule timeout.
  • If the change request is cancelled or not approved, the operation and the job are cancelled. 
  • If using change templates in BMC Remedy ITSM, ensure that the Scheduled for Approval stage is enabled in the template.

  • (For TrueSight Network Automation endpoint manager) On the TrueSight Network Automation application, configure a new job approval type as follows:

    1. Log in to the TrueSight Network Automation as a network administrator.
    2. Navigate to Network > Network Admin > Job Approval Types.
    3. Click Add.
      1. On the Details tab, enter the following name for the approval type: TSAC_NONE
      2. On the Approvers tab, select None from the Approvals list.
    4. Save the changes.

    For more information, see Job approval types.

  • Important

    (For TrueSight Network Automation endpoint manager) If you have already configured change approval flow in TrueSight Network Automation, you must disable it to ensure that the change approval flow configured in TrueSight Automation Console works. Both the flows should not coexist as they use different workflows in TrueSight Orchestration and refer different forms in IT Service Management.

Consult the following table to understand the correlation between the change request status and the operation status and the impact on the vulnerabilities and assets state. 

Change request status

Operation status

Vulnerabilities and assets state

Not applicable yet

Awaiting attention

Awaiting attention

New

Awaiting approval

Awaiting approval

Ready to Execute

Awaiting execution

Success (After the operation completes successfully)

Awaiting execution

Closed (After the operation completes successfully)

Ready to execute

Cancelled due to schedule timeout

Awaiting attention

Cancelled

Cancelled due to approval rejection

Awaiting attention

Where to go from here

To install and configure the ITSM runbook, and to set up a change request creation, see Enabling-change-automation.   

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*