User roles and permissions_2102

TrueSight Automation Console provides role-based access to functions in Automation Console. User roles and permissions to access the application are defined in the endpoint manager, TrueSight Server Automation, where access control is managed through role-based and object-based authorizations.

User roles in Server Automation appear as security groups in Automation Console. You access the application based on the role-based and system object-based permissions, and authorization policies configured for your role (security group) in Server Automation.

Changing security groups in Automation Console

When you log in, the security group that you currently belong to appears in the top-right corner of the user interface. If you are assigned multiple roles in Server Automation, you can change the security group to view the application as per your defined role. For instructions, see Accessing-and-navigating-the-Automation-Console-interface.

User roles and persona

At a high-level, there is an administrator role, which has access to all the functionalities and to the objects created in Automation Console by any user. An operator can perform most of the patch, vulnerability, and compliance management processes, but might not have access to perform administrative tasks such as importing catalogs, define service level agreement levels, or define operation templates in Automation Console.

The following table lists the functions that a user can perform based on the assigned role:

User role/persona	Tasks
Administrator	Manage security groups to provide role-based access to the application. Define Service Level Agreements that determine the period within which missing patches, vulnerabilities, and compliance violations must be remediated. Import patch catalogs from Server Automation. These catalogs are used to create policies for scanning assets. Create exceptions for vulnerabilities or missing patches to exclude them from remediation. Configure and update connectors for Server Automation, TrueSight Orchestration, and BMC Discovery. Create operation templates for NSH and BLPackage Deploy jobs that can be used by operators for creating remediation operations.
Operator	Create patch policies that run according to a schedule to identify missing patches on assets. Import vulnerability scan files. Create compliance scan policies to scan assets for compliance rule violations. Monitor the list of missing patches, identified vulnerabilities, and compliance rule violations. Monitor assets with missing patches, vulnerabilities, and assets that are discovered in your environment but are not scanned for vulnerabilities. Create operations for installing missing patches, remediating vulnerabilities, or remediating compliance violations on assets. Create operations for NSH and BLPackage Deploy jobs. Monitor the Patch, Vulnerability, and Compliance dashboards to view the patch, vulnerability, and compliance on assets, and other metrics in your environment. View details of exceptions created for vulnerabilities or missing patches.

User role/persona

Tasks

Administrator

Manage security groups to provide role-based access to the application.
Define Service Level Agreements that determine the period within which missing patches, vulnerabilities, and compliance violations must be remediated.
Import patch catalogs from Server Automation. These catalogs are used to create policies for scanning assets.
Create exceptions for vulnerabilities or missing patches to exclude them from remediation.
Configure and update connectors for Server Automation, TrueSight Orchestration, and BMC Discovery.
Create operation templates for NSH and BLPackage Deploy jobs that can be used by operators for creating remediation operations.

Operator

Create patch policies that run according to a schedule to identify missing patches on assets.
Import vulnerability scan files.
Create compliance scan policies to scan assets for compliance rule violations.
Monitor the list of missing patches, identified vulnerabilities, and compliance rule violations.
Monitor assets with missing patches, vulnerabilities, and assets that are discovered in your environment but are not scanned for vulnerabilities.
Create operations for installing missing patches, remediating vulnerabilities, or remediating compliance violations on assets.
Create operations for NSH and BLPackage Deploy jobs.
Monitor the Patch, Vulnerability, and Compliance dashboards to view the patch, vulnerability, and compliance on assets, and other metrics in your environment.
View details of exceptions created for vulnerabilities or missing patches.

Permissions in Automation Console

Security groups, or roles obtain access to objects in Automation Console based on the permissions assigned to the role in TrueSight Server Automation. For details about how access is managed in TrueSight Server Automation, see Managing access.

Role-based permissions

By default, the BLAdmins role in Server Automation has administrative permissions in Automation Console. Users in the BLAdmins role have access to any entity (such as policies, operations, and catalogs) created by other administrative or non-administrative users.

The BLAdmin user in Server Automation has administrative permissions to Automation Console.

When you create roles in TrueSight Server Automation, you

Object-based permissions for working with Automation Console

The following table lists the minimum permissions that must be assigned to a role if you want the users to access and work with Automation Console:

System objects	Permissions in TrueSight Server Automation
Servers	Server.*
Server groups	ServerGroup.* ServerSmartGroup.Write ServerSmartGroup.Read
Depot	DepotFolder.Read DepotFolder.Write DepotGroup.Read DepotGroup.Write DepotSmartGroup.Read DepotSmartGroup.Write
Job	JobGroup.Read JobSmartGroup.Read JobFolder.Write JobFolder.Read
ComponentTemplates	ComponentTemplateFolder.Write ComponentTemplate.Read
AgentConfigurationPolicy	ConfigurationPolicyFolder.* ConfigurationPolicy.Write ConfigurationPolicy.Read

Configuring ACL policies