Managing portal security groups


A portal security group (PSG) is a group of users that inherit a set of restrictions and permissions. In this release of BladeLogic Portal, a portal security group has a one-to-one mapping to a BMC Server Automation role. After a PSG is created in the portal and mapped to a role in BMC Server Automation, all users that are assigned to that role in BMC Server Automation can log on to the portal with their BMC Server Automation credentials.


Predefined PSGs

The installation procedure automatically creates a portal security group for portal administration. This group, known as the portal administrator group, is mapped to the BLAdmins role in BMC Server Automation (or to any other role granted the same permissions as BLAdmins). Users assigned to the BLAdmins role in BMC Server Automation can log on to the portal and manage the portal environment.

Another PSG is created automatically when you add an additional site. This PSG is the site administrator group. Currently, the site administrator must belong to the same role as the portal administrator. Essentially, a site administrator group has authorizations to administer its own site, while the portal administrator group has authorizations to administer all sites. The following table explains the different capabilities of the portal administrator and the site administrator.

| Type of administrative action | Portal administrator group | Site administrator group |
| --- | --- | --- |
| Sites | Able to add, edit, or delete all sites, except deleting the primary site | Able to edit only their own site |
| Portal security groups | Able to edit or delete any PSG except the portal administrator's PSG. Portal administrators can only add PSGs for the primary site. | Able to add, edit, and delete PSGs for their own site except their own site administrator PSG. |
| Operations | Authorized to perform all types of operations. Portal administrators can only see, edit, or delete operations created by a user that belongs to their own PSG. | Authorized to perform all types of operations. Can only see, edit, or delete operations created by a user that belongs to their own PSG. |

Portal-level restrictions

Restrictions set at the portal level provide a thin layer of control that prevents members of portal security groups from accessing certain features and functions of the portal environment.

Portal-level restrictions are optional and do not supersede the underlying RBAC controls set up in your BMC Server Automation environment. For example, if a new portal security group maps to a role that does not have RBAC rights to create patch operations, selecting patch authorizations at the portal level when you define the security group would not mean that operators who are members of this security group would now be able to create patch operations.

The intent of portal-level restrictions is to provide a very simple security mechanism for those organizations who have not implemented or do not require the sophisticated RBAC controls available in BMC Server Automation.

Default values for portal security groups

To make it easier to create operations in the portal, you can define values for:

  • Default depot and job paths—When members of a portal security group perform an action that creates job or depot items, the items are placed in these default depot and job locations. Default values defined at the portal security group level take precedence over default locations defined at the site level in a portal. Setting default values for jobs and depot items means portal operators do not have to manually select a folder when they create operations, thus shielding them from some complexity. Advanced operators can be given the ability to override folder locations when they create new operations.
  • Deploy templates—When members of a portal security group set up a deploy operation or a patching or compliance operation (which automatically generate Deploy jobs for remediation purposes), the deploy operation can use the settings in a Deploy template. By specifying Deploy templates for a security group, you can provide a limited number of recommended Deploy templates that group members can choose from when they are defining an operation. When you run a remediation operation for a patching operation, you can use a Deploy template based on an advanced Deploy job, which enables you to schedule the Simulate, Stage, and Commit phases of the job individually. 

 

Note: When specifying a Deploy template, select a Deploy Job based on a BLPackage. You cannot use a Deploy Job based on an executable software package or a File Deploy Job. BMC recommends using a job specifically designed to define deployment options. If you choose to use a live Deploy Job as a Deploy template, scheduling for that job could be changed inadvertently in BMC Server Automation, which could cause operations in the portal to use incorrect scheduling.



Importing portal security groups

Before creating new portal security groups, the portal administrator must import roles and their associated users from BMC Server Automation. When you import a role, it is automatically converted into a portal security group in the portal.

When you import a role to create a portal security group, the security group is assigned a unique name. This automatic naming occurs for all portal sites except the primary site. At the primary site, the portal security group is given the same name as the role being imported. At all sites except the primary site, names are assigned by using this format:

ImportedRole@SiteName

where ImportedRole is the name of a role being imported and SiteName is the name of the site to which you are currently connected. 

After performing this procedure, you can still add new portal security groups in the future. You can also repeat this procedure to allow additional roles to use the portal.

If you want to create a set of roles with minimum permissions to perform actions in the portal, you can first import predefined roles into BMC Server Automation. Then you can import those roles into the portal.

To import portal security groups

  1. Click Administration at top right.
    The portal displays the Administration page.
  2. Click the Security Groups tab, if it is not already selected.
    A list of portal security groups opens.
  3. Click Import security groups.
    The Import Security Groups page opens.
  4. For Site, select the BMC Server Automation instance from which you want to import role and user information.
  5. Using the list of BMC Server Automation roles, check the roles you want to import. 
    Click select all to select all roles in the list, or click clear to deselect all roles. 
    To search for roles by name, enter a text string in the search box and click Filter the role names. The portal lists only roles with names that include the string you entered.
  6. Click Import.
    The selected roles are imported into the portal and mapped to a portal security group with the same name. Users of BMC Server Automation who are assigned to a role that you have imported are now able to log on to the portal by using their BMC Server Automation credentials.

Adding new portal security groups

In addition to importing portal security groups, you can also create new groups.

Currently, only one portal security group can be mapped to a role in BMC Server Automation.

To add a new portal security group

  1. Click Administration at top right.
     The portal displays the Administration page.
  2. Click the Security Groups tab, if it is not already selected.
    A list of portal security groups opens.
  3. Select the Add a new security group icon.
    The Create Group page opens.

  4. Enter the following information.

    Option

    Description

    Group Name

    Name of the portal security group.

    Group Description

    Optional descriptive text for the portal security group.

    Site

    The Site option specifies the BMC Server Automation Application Server to which this portal security group has access. See Managing sites for more information.

    BSA Role Name

    The BSA Role Name option specifies the role in BMC Server Automation that determines user authorizations for this portal security group.

    Portal Level Permission

    The Portal Level Permissions option specifies the types of operations this portal security group can perform. The authorizations that are selected reflect the authorizations granted to the role specified in the BSA Role Name field.

    Removing an authorization at the portal level takes precedence over permissions granted to a role in BMC Server Automation. In other words, if a role is granted an authorization in BMC Server Automation but the corresponding check box is not selected here at the portal level, the role cannot perform that operation in the portal.

    Requirements for auto-selection

    When you select a role in the BSA Role Name field, the portal examines the permissions granted to that role in BMC Server Automation. If the role has been granted a minimum set of permissions needed to perform a type of operation in the portal, such as Compliance operations, the check box for that type of operation is selected automatically. 

    The following table shows the minimum BMC Server Automation permissions that must be granted to a role for a check box to be selected automatically.

    | Batch | Compliance | Deploy | NSH Script | Patch |
    | --- | --- | --- | --- | --- |
    | BatchJob.Read | AuditJob.Read | DeployJob.Read | NSHScriptJob.Read | PatchingJob.Read |
    | BatchJob.Create | Audit.Create | DeployJob.Create | NSHScriptJob.Create | PatchingJob.Create |
    | BatchJob.Modify | AuditJob.Modify | DeployJob.Modify | NSHScriptJob.Modify | PatchingJob.Modify |
    | BatchJob.ModifySchedule | AuditJob.ModifySchedule | DeployJob.ModifySchedule | NSHScriptJob.ModifySchedule | PatchingJob.ModifySchedule |
    | BatchJob.ModifyTargets | AuditJob.ModifyTargets | DeployJob.ModifyProperties | NSHScriptJob.ModifyTargets | PatchingJob.ModifyTargets |
    | BatchJob.Execute | AuditJob.Execute | DeployJob.ModifyTargets | NSHScriptJob.Execute | PatchingJob.Execute |
    | BLPackage.Read | DiscoveryJob.Read | DeployJob.Execute | BLPackage.Read | PatchRemediationJob.Read |
    | BLPackage.Write | DiscoveryJob.Modify | BLPackage.Read | BLPackage.Write | PatchRemediationJob.Create |
    | BLPackage.Modify | DiscoveryJob.Modify | BLPackage.Write | BLPackage.Modify | PatchRemediationJob.Modify |
    | BLPackage.ModifyProperties | DiscoveryJob.ModifyTargets | BLPackage.Modify | BLPackage.ModifyProperties | PatchRemediationJob.ModifySchedule |
    | ApplicationDiscoveryJob.* | DiscoveryJob.Execute | BLPackage.ModifyProperties | ApplicationDiscoveryJob.* | PatchRemediationJob.ModifyTargets |
    | AuditJob.Read | DiscoveryJob.Delete | ApplicationDiscoveryJob.* | JobFolder.Read | PatchRemediationJob.Execute |
    | Audit.Create | Component.Read | JobFolder.Read | JobFolder.Write | PatchDownloadJob.Read |
    | AuditJob.Modify | Component.Audit | JobFolder.Write | JobGroup.Read | PatchDownloadJob.Create |
    | AuditJob.ModifySchedule | Component.Create | JobGroup.Read | JobGroup.Write | PatchDownloadJob.Modify |
    | AuditJob.ModifyTargets | Component.ModifyExceptions | JobGroup.Write | DepotFolder.Read | PatchDownloadJob.ModifySchedule |
    | AuditJob.Execute | ComponentGroup.Read | DepotFolder.Read | DepotFolder.Write | PatchDownloadJob.ModifyTargets |
    | DeployJob.Read | ComponentGroup.Write | DepotFolder.Write | ComponentTemplateFolder.Read | PatchDownloadJob.Execute |
    | DeployJob.Create | ComponentGroup.Modify | ComponentTemplateFolder.Read | ComponentTemplateGroup.Read | PatchCatalog.Read |
    | DeployJob.Modify | ComponentTemplate.Read | ComponentTemplateGroup.Read | ComponentGroup.Read | PatchCatalog.Write |
    | DeployJob.ModifySchedule | ComponentTemplateFolder.Read | ComponentGroup.Read | DepotFolder.Read | PatchSmartGroup.Read |
    | DeployJob.ModifyProperties | ComponentTemplateFolder.Write | DepotFolder.Read | DepotFolder.Write | ComponentTemplate.Read |
    | DeployJob.ModifyTargets | ComponentTemplateGroup.Read | DepotFolder.Write | DepotFolder.Modify | ComponentTemplateGroup.Read |
    | DeployJob.Execute | ComponentTemplateGroup.Write | DepotFolder.Modify | DepotGroup.Read | Component.Read |
    | PatchingJob.Read | DepotFolder.Read | DepotGroup.Read | DepotGroup.Write | ComponentGroup.Read |
    | PatchingJob.Create | DepotFolder.Write | DepotGroup.Write | DepotGroup.Modify | Server.Read |
    | PatchingJob.Modify | DepotFolder.Modify | DepotGroup.Modify | ComponentTemplate.Read | DeployJob.* |
    | PatchingJob.ModifySchedule | JobFolder.Read | ComponentTemplate.Read | Component.Read | BatchJob.* |
    | PatchingJob.ModifyTargets | JobFolder.Write | Component.Read | DepotFile.* | ACLTemplate.* |
    | PatchingJob.Execute | JobGroup.Read | DepotFile.* | ConfigFile.* | BLPackage.Read |
    | PatchRemediationJob.Read | JobGroup.Write | ConfigFile.* | ConfigurationObjectClass.* | BLPackage.Write |
    | PatchRemediationJob.Create | Server.Read | ConfigurationObjectClass.* | DeregisterConfigurationObjects.* | BLPackage.Modify |
    | PatchRemediationJob.Modify | Server.Discover | DeregisterConfigurationObjects.* | DistributeConfigurationObjects.* | JobFolder.Read |
    | PatchRemediationJob.ModifySchedule | ServerGroup.Read | DistributeConfigurationObjects.* | ExecutionTask.* | JobFolder.Write |
    | PatchRemediationJob.ModifyTargets | | ExecutionTask.* | NSHScript.* | DepotFolder.Read |
    | PatchRemediationJob.Execute | | NSHScript.* | PropertyClass.* | DepotFolder.Write |
    | PatchDownloadJob.Read | | PropertyClass | PropertyInstance.* | DepotFolder.Modify |
    | PatchDownloadJob.Create | | PropertyInstance.* | Repeater.* | DepotGroup.Read |
    | PatchDownloadJob.Modify | | Repeater.* | Server.Read | DepotGroup.Write |
    | PatchDownloadJob.ModifySchedule | | Server.Read | ServerGroup.* | DepotGroup.Modify |
    | PatchDownloadJob.ModifyTargets | | ServerGroup.* | DiscoveryJob.* | JobFolder.Read |
    | PatchDownloadJob.Execute | | DiscoveryJob.* | CustomCommand.Read | JobFolder.Write |
    | NSHScriptJob.Read | | CustomCommand.Read | CustomCommand.Create | JobGroup.Read |
    | NSHScriptJob.Create | | CustomCommand.Create | CustomCommand.Modify | JobGroup.Write |
    | NSHScriptJob.Modify | | CustomCommand.Modify | CustomSoftware.Read | ServerGroup.Read |
    | NSHScriptJob.ModifySchedule | | CustomSoftware.Read | CustomSoftware.Create | ServerGroup.Write |
    | NSHScriptJob.ModifyTargets | | CustomSoftware.Create | CustomSoftware.Modify | CustomSoftware.Read |
    | NSHScriptJob.Execute | | CustomSoftware.Modify | HPUXSoftware.Read | CustomSoftware.Create |
    | DiscoveryJob.Read | | HPUXSoftware.Read | HPUXSoftware.Create | CustomSoftware.Modify |
    | DiscoveryJob.Modify | | HPUXSoftware.Create | HPUXSoftware.Modify | LinuxSoftware.Read |
    | DiscoveryJob.Modify | | HPUXSoftware.Modify | LinuxSoftware.Read | LinuxSoftware.Create |
    | DiscoveryJob.ModifyTargets | | LinuxSoftware.Read | LinuxSoftware.Create | LinuxSoftware.Modify |
    | DiscoveryJob.Execute | | LinuxSoftware.Create | LinuxSoftware.Modify | AIXPatchSoftware.Read |
    | DiscoveryJob.Delete | | LinuxSoftware.Modify | AIXSoftware.Read | AIXPatchSoftware.Create |
    | JobFolder.Read | | AIXSoftware.Read | AIXSoftware.Create | AIXPatchSoftware.Modify |
    | JobFolder.Write | | AIXSoftware.Create | AIXSoftware.Modify | SolarisSoftware.Read |
    | JobGroup.Read | | AIXSoftware.Modify | AIXPatchSoftware.Read | SolarisSoftware.Create |
    | JobGroup.Write | | AIXPatchSoftware.Read | AIXPatchSoftware.Create | SolarisSoftware.Modify |
    | DepotFolder.Read | | AIXPatchSoftware.Create | AIXPatchSoftware.Modify | WindowsSoftware.Read |
    | DepotFolder.Write | | AIXPatchSoftware.Modify | SolarisSoftware.Read | WindowsSoftware.Create |
    | ComponentTemplateFolder.Read | | SolarisSoftware.Read | SolarisSoftware.Create | WindowsSoftware.Modify |
    | ComponentTemplateGroup.Read | | SolarisSoftware.Create | SolarisSoftware.Modify | |
    | ComponentGroup.Read | | SolarisSoftware.Modify | WindowsSoftware.Read | |
    | DepotFolder.Read | | WindowsSoftware.Read | WindowsSoftware.Create | |
    | DepotFolder.Write | | WindowsSoftware.Create | WindowsSoftware.Modify | |
    | DepotFolder.Modify | | WindowsSoftware.Modify | | |
    | DepotGroup.Read | | | | |
    | DepotGroup.Write | | | | |
    | DepotGroup.Modify | | | | |
    | ComponentTemplate.Read | | | | |
    | Component.Read | | | | |
    | DepotFile.* | | | | |
    | ConfigFile.* | | | | |
    | ConfigurationObjectClass.* | | | | |
    | DeregisterConfigurationObjects.* | | | | |
    | DistributeConfigurationObjects.* | | | | |
    | ExecutionTask.* | | | | |
    | NSHScript.* | | | | |
    | PropertyClass.* | | | | |
    | PropertyInstance.* | | | | |
    | Repeater.* | | | | |
    | Server.Read | | | | |
    | Server.Discover | | | | |
    | ServerGroup.* | | | | |
    | DiscoveryJob.* | | | | |
    | CustomCommand.Read | | | | |
    | CustomCommand.Create | | | | |
    | CustomCommand.Modify | | | | |
    | CustomSoftware.Read | | | | |
    | CustomSoftware.Create | | | | |
    | CustomSoftware.Modify | | | | |
    | HPUXSoftware.Read | | | | |
    | HPUXSoftware.Create | | | | |
    | HPUXSoftware.Modify | | | | |
    | LinuxSoftware.Read | | | | |
    | LinuxSoftware.Create | | | | |
    | LinuxSoftware.Modify | | | | |
    | AIXSoftware.Read | | | | |
    | AIXSoftware.Create | | | | |
    | AIXSoftware.Modify | | | | |
    | AIXPatchSoftware.Read | | | | |
    | AIXPatchSoftware.Create | | | | |
    | AIXPatchSoftware.Modify | | | | |
    | SolarisSoftware.Read | | | | |
    | SolarisSoftware.Create | | | | |
    | SolarisSoftware.Modify | | | | |
    | WindowsSoftware.Read | | | | |
    | WindowsSoftware.Create | | | | |
    | WindowsSoftware.Modify | | | | |

    Partial permissions

    If a check box is not automatically selected, the role you have designated in the BSA Role Name field does not have all the permissions necessary to perform all the capabilities associated with a particular type of operation. You can still select the check box to grant this security group permission to perform the operation, but the security group will be limited by the permissions granted in BMC Server Automation.

    For example, you may specify a role that has permissions to run Compliance jobs in BMC Server Automation but does not have permissions to run remediation operations when a compliance failure is detected. In this situation, the check box for Compliance is not selected automatically. You should select the check box to grant this portal security group the same set of compliance functionality available in BMC Server Automation. If you do not select the check box, this portal security group cannot run any Compliance operations in the portal.

    You can view a spreadsheet that lists recommended minimum BMC Server Automation permissions needed to perform certain types of actions, such as Compliance job execution or patch remediation. The permissions in the list are recommendations only. You may discover situations that require additional permissions.

    Default Depot Path

    The Default Depot Path option specifies the location in BMC Server Automation where the portal stores depot items it creates automatically. When any portal user who belongs to this portal security group performs an operation that generates a depot item, the item is stored by default in this location. To specify a depot folder, click Browse and use the folder graphic to navigate to a location. Then click OK.

    Default Job Path

    The Default Job Path option specifies a location in BMC Server Automation where the portal stores jobs it creates automatically. When any portal user who belongs to this portal security group performs an operation that generates a job, the job is stored in this location by default. To specify a job folder, click Browse and use the folder graphic to navigate to a location. Then click OK.

    Deploy Templates

    The Deploy Templates option specifies Deploy jobs in BMC Server Automation that can be used to define settings for any Deploy jobs that the portal creates. To choose a template, click Add and browse to a job. Select it and click OK. Ctrl-click to select multiple jobs and then click OK.

    If you want to create Deploy operations that run advanced Deploy jobs in BMC Server Automation, use a deploy template that references an existing advanced Deploy job.

  5. Click Create Group.
     The portal security group is created. Users of BMC Server Automation who are assigned to the role to which this group is mapped are now able to log on to the portal by using their BMC Server Automation credentials.
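
The way the Portal Level Permission check boxes combine with BMC Server Automation RBAC in step 4 can be modeled as below. This is an added Python illustration, not BMC code: it checks a role against the Compliance column of the minimum-permissions table and shows that an action needs both the portal check box and the underlying BSA permission. The wildcard rule, the sample roles, and the RUN_AUDIT_NEEDS set are assumptions constructed for the example.

```python
# Added illustration (not BMC code): portal check box vs. BMC Server Automation RBAC.
# Assumption: a grant written "Type.*" covers every authorization on that type.

# Compliance column of the minimum-permissions table in step 4.
COMPLIANCE_MINIMUM = frozenset("""
    AuditJob.Read Audit.Create AuditJob.Modify AuditJob.ModifySchedule
    AuditJob.ModifyTargets AuditJob.Execute
    DiscoveryJob.Read DiscoveryJob.Modify DiscoveryJob.ModifyTargets
    DiscoveryJob.Execute DiscoveryJob.Delete
    Component.Read Component.Audit Component.Create Component.ModifyExceptions
    ComponentGroup.Read ComponentGroup.Write ComponentGroup.Modify
    ComponentTemplate.Read ComponentTemplateFolder.Read ComponentTemplateFolder.Write
    ComponentTemplateGroup.Read ComponentTemplateGroup.Write
    DepotFolder.Read DepotFolder.Write DepotFolder.Modify
    JobFolder.Read JobFolder.Write JobGroup.Read JobGroup.Write
    Server.Read Server.Discover ServerGroup.Read
""".split())


def covers(granted, required):
    """True if the role's grants include `required`, directly or via 'Type.*'."""
    obj_type = required.split(".", 1)[0]
    return required in granted or f"{obj_type}.*" in granted


def missing_for_auto_select(granted, minimum=COMPLIANCE_MINIMUM):
    """Minimum permissions the role lacks. An empty list means the role meets
    the minimum set, so the check box would be selected automatically."""
    return sorted(p for p in minimum if not covers(granted, p))


def can_perform(portal_box_selected, granted, needed):
    """An action is possible only if the portal check box is selected AND the
    role holds every BSA permission the action needs. The portal setting can
    remove an authorization but never adds one the role lacks."""
    return bool(portal_box_selected) and all(covers(granted, p) for p in needed)


def evaluate(granted, portal_box_selected, needed):
    """Summarise auto-selection and the effective result for one action."""
    missing = missing_for_auto_select(granted)
    return {
        "auto_selected": not missing,
        "missing": missing,
        "allowed": can_perform(portal_box_selected, granted, needed),
    }


# --- Constructed sample data (not taken from a real BSA environment) ---------

# Hypothetical permissions needed to run one compliance audit.
RUN_AUDIT_NEEDS = frozenset({"AuditJob.Read", "AuditJob.Execute", "Server.Read"})

# Role holding exactly the minimum set: the check box is auto-selected.
FULL_ROLE = COMPLIANCE_MINIMUM

# Role with a wildcard on DiscoveryJob but missing two minimum permissions:
# the "partial permissions" case, where the box must be selected by hand.
PARTIAL_ROLE = (
    frozenset(p for p in COMPLIANCE_MINIMUM if not p.startswith("DiscoveryJob."))
    | {"DiscoveryJob.*"}
) - {"Component.ModifyExceptions", "DepotFolder.Modify"}

# Role that cannot execute audits at all in BSA.
READ_ONLY_ROLE = frozenset({"AuditJob.Read", "Server.Read"})


if __name__ == "__main__":
    cases = [
        ("full role, box selected", FULL_ROLE, True),
        ("full role, box cleared", FULL_ROLE, False),
        ("partial role, box selected by hand", PARTIAL_ROLE, True),
        ("read-only role, box selected by hand", READ_ONLY_ROLE, True),
    ]
    for label, role, box in cases:
        result = evaluate(role, box, RUN_AUDIT_NEEDS)
        print(f"{label}: auto_selected={result['auto_selected']} "
              f"allowed={result['allowed']} missing={len(result['missing'])}")
```

Running the same check against an export of a real role's authorizations shows which grants keep a check box from being selected automatically, which helps when building minimum-permission roles for import.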

Modifying portal security groups

  1. Click Administration at top right.
    The portal displays the Administration page.
  2. Click the Security Groups tab, if it is not already selected.
    A list of portal security groups opens.
  3. Select a portal security group and click Edit the current security group.
    The Update Group page opens.
  4. Modify the settings for the portal security group by changing any of the following options:
    Option
    Description
    Group Name
    Name of the portal security group.
    Group Description
    Optional descriptive text for the portal security group.
    Site

    The Site option specifies the BMC Server Automation Application Server to which this portal security group has access. See Managing-sites for more information.
    BSA Role Name

    The BSA Role Name option specifies the role in BMC Server Automation that determines user authorizations for this portal security group.
    Portal Level Permission

    The Portal Level Permissions option specifies the types of operations this portal security group can perform. The authorizations that are selected reflect the authorizations granted to the role specified in the BSA Role Name field.Removing an authorization at the portal level takes precedence over permissions granted to a role in BMC Server Automation. In other words, if a role is granted an authorization in BMC Server Automation but the corresponding check box is not selected here at the portal level, the role cannot perform that operation in the portal.Requirements for auto-selectionWhen you select a role in the BSA Role Name field, the portal examines the permissions granted to that role in BMC Server Automation. If the role has been granted a minimum set of permissions needed to perform a type of operation in the portal, such as Compliance operations, the check box for that type of operation is selected automatically.
    Click here to see a list of the minimum permissions required.
    The following table shows the minimum BMC Server Automation permissions that must be granted to a role for a check box to be selected automatically.
    TipPress "f" to view the table in a full screen view.
    Batch
     Compliance
    Deploy
    NSH Script
    Patch
    BatchJob.Read 
    AuditJob.Read 
    DeployJob.Read 
    NSHScriptJob.Read 
    PatchingJob.Read 
    BatchJob.Create 
    Audit.Create 
    DeployJob.Create 
    NSHScriptJob.Create 
    PatchingJob.Create 
    BatchJob.Modify 
    AuditJob.Modify 
    DeployJob.Modify 
    NSHScriptJob.Modify 
    PatchingJob.Modify 
    BatchJob.ModifySchedule 
    AuditJob.ModifySchedule 
    DeployJob.ModifySchedule 
    NSHScriptJob.ModifySchedule 
    PatchingJob.ModifySchedule 
    BatchJob.ModifyTargets 
    AuditJob.ModifyTargets 
    DeployJob.ModifyProperties 
    NSHScriptJob.ModifyTargets 
    PatchingJob.ModifyTargets 
    BatchJob.Execute
    AuditJob.Execute
    DeployJob.ModifyTargets 
    NSHScriptJob.Execute
    PatchingJob.Execute
    BLPackage.Read 
    DiscoveryJob.Read 
    DeployJob.Execute
    BLPackage.Read 
    PatchRemediationJob.Read 
    BLPackage.Write 
    DiscoveryJob.Modify 
    BLPackage.Read 
    BLPackage.Write 
    PatchRemediationJob.Create 
    BLPackage.Modify 
    DiscoveryJob.Modify 
    BLPackage.Write 
    BLPackage.Modify 
    PatchRemediationJob.Modify 
    BLPackage.ModifyProperties
    DiscoveryJob.ModifyTargets 
    BLPackage.Modify 
    BLPackage.ModifyProperties
    PatchRemediationJob.ModifySchedule 
    ApplicationDiscoveryJob.*
    DiscoveryJob.Execute 
    BLPackage.ModifyProperties
    ApplicationDiscoveryJob.*
    PatchRemediationJob.ModifyTargets 
    AuditJob.Read 
    DiscoveryJob.Delete
    ApplicationDiscoveryJob.*
    JobFolder.Read 
    PatchRemediationJob.Execute
    Audit.Create 
    Component.Read 
    JobFolder.Read 
    JobFolder.Write
    PatchDownloadJob.Read 
    AuditJob.Modify 
    Component.Audit 
    JobFolder.Write
    JobGroup.Read 
    PatchDownloadJob.Create 
    AuditJob.ModifySchedule 
    Component.Create 
    JobGroup.Read 
    JobGroup.Write
    PatchDownloadJob.Modify 
    AuditJob.ModifyTargets 
    Component.ModifyExceptions
    JobGroup.Write
    DepotFolder.Read 
    PatchDownloadJob.ModifySchedule 
    AuditJob.Execute
    ComponentGroup.Read 
    DepotFolder.Read 
    DepotFolder.Write
    PatchDownloadJob.ModifyTargets 
    DeployJob.Read 
    ComponentGroup.Write 
    DepotFolder.Write
    ComponentTemplateFolder.Read
    PatchDownloadJob.Execute
    DeployJob.Create 
    ComponentGroup.Modify
    ComponentTemplateFolder.Read
    ComponentTemplateGroup.Read
    PatchCatalog.Read 
    DeployJob.Modify 
    ComponentTemplate.Read
    ComponentTemplateGroup.Read
    ComponentGroup.Read
    PatchCatalog.Write
    DeployJob.ModifySchedule 
    ComponentTemplateFolder.Read 
    ComponentGroup.Read
    DepotFolder.Read 
    PatchSmartGroup.Read
    DeployJob.ModifyProperties 
    ComponentTemplateFolder.Write
    DepotFolder.Read 
    DepotFolder.Write 
    ComponentTemplate.Read
    DeployJob.ModifyTargets 
    ComponentTemplateGroup.Read 
    DepotFolder.Write 
    DepotFolder.Modify
    ComponentTemplateGroup.Read
    DeployJob.Execute
    ComponentTemplateGroup.Write
    DepotFolder.Modify
    DepotGroup.Read 
    Component.Read
    PatchingJob.Read 
    DepotFolder.Read 
    DepotGroup.Read 
    DepotGroup.Write 
    ComponentGroup.Read
    PatchingJob.Create 
    DepotFolder.Write 
    DepotGroup.Write 
    DepotGroup.Modify
    Server.Read
    PatchingJob.Modify 
    DepotFolder.Modify
    DepotGroup.Modify
    ComponentTemplate.Read
    DeployJob.*
    PatchingJob.ModifySchedule 
    JobFolder.Read 
    ComponentTemplate.Read
    Component.Read
    BatchJob.*
    PatchingJob.ModifyTargets 
    JobFolder.Write
    Component.Read
    DepotFile.*
    ACLTemplate.*
    PatchingJob.Execute
    JobGroup.Read 
    DepotFile.*"
    ConfigFile.*
    BLPackage.Read 
    PatchRemediationJob.Read 
    JobGroup.Write
    ConfigFile.*
    ConfigurationObjectClass.*
    BLPackage.Write 
    PatchRemediationJob.Create 
    Server.Read 
    ConfigurationObjectClass.*
    DeregisterConfigurationObjects.*
    BLPackage.Modify
    PatchRemediationJob.Modify 
    Server.Discover
    DeregisterConfigurationObjects.*
    DistributeConfigurationObjects.*
    JobFolder.Read 
    PatchRemediationJob.ModifySchedule 
    ServerGroup.Read
    DistributeConfigurationObjects.*
    ExecutionTask.*
    JobFolder.Write
    PatchRemediationJob.ModifyTargets 
     
    ExecutionTask.*
    NSHScript.*
    DepotFolder.Read 
    PatchRemediationJob.Execute
     
    NSHScript.*
    PropertyClass.*
    DepotFolder.Write 
    PatchDownloadJob.Read 
     
    PropertyClass
    PropertyInstance.*
    DepotFolder.Modify
    PatchDownloadJob.Create 
     
    PropertyInstance.*
    Repeater.*
    DepotGroup.Read 
    PatchDownloadJob.Modify 
     
    Repeater.*
    Server.Read
    DepotGroup.Write 
    PatchDownloadJob.ModifySchedule 
     
    Server.Read
    ServerGroup.*
    DepotGroup.Modify
    PatchDownloadJob.ModifyTargets 
     
    ServerGroup.*
    DiscoveryJob.*
    JobFolder.Read 
    PatchDownloadJob.Execute
     
    DiscoveryJob.*
    CustomCommand.Read 
    JobFolder.Write
    NSHScriptJob.Read
     
    CustomCommand.Read 
    CustomCommand.Create 
    JobGroup.Read 
    NSHScriptJob.Create 
     
    CustomCommand.Create 
    CustomCommand.Modify
    JobGroup.Write
    NSHScriptJob.Modify 
     
    CustomCommand.Modify
    CustomSoftware.Read 
    ServerGroup.Read 
    NSHScriptJob.ModifySchedule 
     
    CustomSoftware.Read 
    CustomSoftware.Create 
    ServerGroup.Write
    NSHScriptJob.ModifyTargets 
     
    CustomSoftware.Create 
    CustomSoftware.Modify
    CustomSoftware.Read 
    NSHScriptJob.Execute
     
    CustomSoftware.Modify
    HPUXSoftware.Read 
    CustomSoftware.Create 
    DiscoveryJob.Read 
     
    HPUXSoftware.Read 
    HPUXSoftware.Create 
    CustomSoftware.Modify
    DiscoveryJob.Modify 
     
    HPUXSoftware.Create 
    HPUXSoftware.Modify
    LinuxSoftware.Read 
    DiscoveryJob.Modify 
     
    HPUXSoftware.Modify
    LinuxSoftware.Read 
    LinuxSoftware.Create 
    DiscoveryJob.ModifyTargets 
     
    LinuxSoftware.Read 
    LinuxSoftware.Create 
    LinuxSoftware.Modify
    DiscoveryJob.Execute 
     
    LinuxSoftware.Create 
    LinuxSoftware.Modify
    AIXPatchSoftware.Read 
    DiscoveryJob.Delete
     
    LinuxSoftware.Modify
    AIXSoftware.Read 
    AIXPatchSoftware.Create 
    JobFolder.Read 
     
    AIXSoftware.Read 
    AIXSoftware.Create 
    AIXPatchSoftware.Modify
    JobFolder.Write
     
    AIXSoftware.Create 
    AIXSoftware.Modify
    SolarisSoftware.Read 
    JobGroup.Read 
     
    AIXSoftware.Modify
    AIXPatchSoftware.Read 
    SolarisSoftware.Create 
    JobGroup.Write
     
    AIXPatchSoftware.Read 
    AIXPatchSoftware.Create 
    SolarisSoftware.Modify
    DepotFolder.Read 
     
    AIXPatchSoftware.Create 
    AIXPatchSoftware.Modify
    WindowsSoftware.Read 
    DepotFolder.Write
     
    AIXPatchSoftware.Modify
    SolarisSoftware.Read 
    WindowsSoftware.Create 
    ComponentTemplateFolder.Read
     
    SolarisSoftware.Read 
    SolarisSoftware.Create 
    WindowsSoftware.Modify
    ComponentTemplateGroup.Read
     
    SolarisSoftware.Create 
    SolarisSoftware.Modify
     
    ComponentGroup.Read
     
    SolarisSoftware.Modify
    WindowsSoftware.Read 
     
    DepotFolder.Read 
     
    WindowsSoftware.Read 
    WindowsSoftware.Create 
     
    DepotFolder.Write 
     
    WindowsSoftware.Create 
    WindowsSoftware.Modify
     
    DepotFolder.Modify
     
    WindowsSoftware.Modify
     
     
    DepotGroup.Read 
     
     
     
     
    DepotGroup.Write
    DepotGroup.Modify
    ComponentTemplate.Read
    Component.Read
    DepotFile.*
    ConfigFile.*
    ConfigurationObjectClass.*
    DeregisterConfigurationObjects.*
    DistributeConfigurationObjects.*
    ExecutionTask.*
    NSHScript.*
    PropertyClass.*
    PropertyInstance.*
    Repeater.*
    Server.Read
    Server.Discover
    ServerGroup.*
    DiscoveryJob.*
    CustomCommand.Read
    CustomCommand.Create
    CustomCommand.Modify
    CustomSoftware.Read
    CustomSoftware.Create
    CustomSoftware.Modify
    HPUXSoftware.Read
    HPUXSoftware.Create
    HPUXSoftware.Modify
    LinuxSoftware.Read
    LinuxSoftware.Create
    LinuxSoftware.Modify
    AIXSoftware.Read
    AIXSoftware.Create
    AIXSoftware.Modify
    AIXPatchSoftware.Read
    AIXPatchSoftware.Create
    AIXPatchSoftware.Modify
    SolarisSoftware.Read
    SolarisSoftware.Create
    SolarisSoftware.Modify
    WindowsSoftware.Read
    WindowsSoftware.Create
    WindowsSoftware.Modify

    Partial permissions

    If a check box is not automatically selected, the role you have designated in the BSA Role Name field does not have all the permissions necessary to perform all the capabilities associated with a particular type of operation. You can still select the check box to grant this security group permission to perform the operation, but the security group will be limited by the permissions granted in BMC Server Automation. For example, you may specify a role that has permissions to run Compliance jobs in BMC Server Automation but does not have permissions to run remediation operations when a compliance failure is detected. In this situation, the check box for Compliance is not selected automatically. You should select the check box to grant this portal security group the same set of compliance functionality available in BMC Server Automation. If you do not select the check box, this portal security group cannot run any Compliance operations in the portal.

    You can view a spreadsheet that lists recommended minimum BMC Server Automation permissions needed to perform certain types of actions, such as Compliance job execution or patch remediation. The listed permissions are recommendations only. You may discover situations that require additional permissions.
    Default Depot Path

    The Default Depot Path option specifies the location in BMC Server Automation where the portal stores depot items it creates automatically. When any portal user who belongs to this portal security group performs an operation that generates a depot item, the item is stored by default in this location. To specify a depot folder, click Browse and use the folder graphic to navigate to a location. Then click OK.
    Default Job Path

    The Default Job Path option specifies a location in BMC Server Automation where the portal stores jobs it creates automatically. When any portal user who belongs to this portal security group performs an operation that generates a job, the job is stored in this location by default. To specify a job folder, click Browse and use the folder graphic to navigate to a location. Then click OK.
    Deploy Templates

    The Deploy Templates option specifies Deploy jobs in BMC Server Automation that can be used to define settings for any Deploy jobs that the portal creates. To choose a template, click Add and browse to a job. Select it and click OK. To select multiple jobs, Ctrl-click them and then click OK. If you want to create Deploy operations that run advanced Deploy jobs in BMC Server Automation, use a deploy template that references an existing advanced Deploy job.
  5. Click Update Group.
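
The coverage check described under Partial permissions above can be reproduced offline before a role is mapped to a portal security group, which also shows which grants exceed the minimum. The following Python is an added example, not BMC code: the per-operation minimums and the role export are constructed sample data (the real minimums are in the BMC spreadsheet), and treating `Type.*` as covering every action on that object type is an assumption.

```python
# Added example: audit a role's authorizations against per-operation minimums.
# REQUIRED and ROLE_EXPORT are constructed sample data, not BMC's spreadsheet.
REQUIRED = {
    "NSH script": {"NSHScriptJob.Read", "NSHScriptJob.Execute", "NSHScript.*",
                   "JobFolder.Read", "Server.Read"},
    "Discovery": {"DiscoveryJob.Read", "DiscoveryJob.Execute",
                  "Server.Read", "Server.Discover"},
    "Software deploy": {"LinuxSoftware.Read", "DepotFolder.Read", "DepotGroup.Read"},
}

# Constructed export: one authorization per line, with stray blanks and padding.
ROLE_EXPORT = """
NSHScriptJob.*
NSHScript.*
  JobFolder.Read

Server.Read
DiscoveryJob.Read
WindowsSoftware.Modify
"""


def parse_auths(text):
    """Return the set of authorization names, ignoring blank lines and padding."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def covers(granted, needed):
    """Exact grant, or a 'Type.*' grant for the same object type (assumed semantics)."""
    obj = needed.split(".", 1)[0]
    return needed in granted or f"{obj}.*" in granted


def audit(granted, required=REQUIRED):
    """Map each operation to (status, missing); status is full, partial or none."""
    report = {}
    for op, needs in required.items():
        missing = sorted(n for n in needs if not covers(granted, n))
        status = "full" if not missing else "none" if len(missing) == len(needs) else "partial"
        report[op] = (status, missing)
    return report


def excess(granted, required=REQUIRED):
    """Grants that no listed operation needs: candidates for removal from the role."""
    needed = set().union(*required.values())
    used = {g for g in granted for n in needed
            if g == n or (g.endswith(".*") and n.startswith(g[:-1]))}
    return sorted(granted - used)
```

A "partial" result corresponds to a check box that the portal would not select automatically; the `missing` list names what to grant in BMC Server Automation, and `excess` names what a minimum-permission role could drop.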

Deleting portal security groups

  1. Click Administration at top right.
    The portal displays the Administration page.
  2. Click the Security Groups tab, if it is not already selected.
    A list of portal security groups opens.
  3. Select a portal security group and click Delete the current security group.
    A dialog box asks you to confirm the deletion.

Importing predefined roles into BMC Server Automation

You can import predefined roles into BMC Server Automation. Each of these roles has a minimum set of permissions to perform actions. For example, the Compliance role has a minimum set of permissions to run Compliance Jobs.

After importing these roles into BMC Server Automation, you can create security groups based on those roles. Each security group has the minimum permissions for performing a certain type of action. You can view a spreadsheet that lists the minimum BMC Server Automation permissions granted to the roles you are importing, such as Compliance job execution or patch remediation. The listed permissions are BMC recommendations only. You may discover situations that require additional permissions.

To import predefined roles

  1. Copy the attached JSON file to the server where the BMC Server Automation Application Server is installed. Note the location where you store the JSON file.
  2. Ensure that the BMC Server Automation Application Server is started.
  3. On the server where the BMC Server Automation Application Server is installed, open a command line.
  4. Change directory (cd) to one of the following locations:
    • (Windows): C:\Program Files\BMC Software\BladeLogic\NSH\bin
    • (UNIX): /opt/bmc/bladelogic/NSH/bin
  5. Enter one of the following commands:
    • (Windows): blcontent READ_JSON "<location_of_json_file>\portal_roles.json"
    • (UNIX): ./blcontent READ_JSON "<location_of_json_file>/portal_roles.json" 

      The blcontent utility imports predefined roles from the JSON file. You can now import those roles into BladeLogic Portal to create security groups with minimum permissions for performing certain actions.

 
