Configuring Data Refresh
The Data Refresh capability watches jobs in BMC Server Automation (BSA) and BMC Network Automation (BNA) that can affect the status of vulnerabilities and regularly updates the data available in BladeLogic Portal.
There are two separate Data Refresh components—one for BSA and the other for BNA. Enabling Data Refresh is largely the same for both products, but there are some slight variations. To enable Data Refresh for BSA, you must provide a user and one or more roles that have all necessary permissions to read information from BMC Server Automation. For BNA, you only need to identify a user that has been assigned to a role with appropriate permissions for reading information.
A standard installation of BladeLogic Portal lets you provide the minimum information needed to set up Data Refresh (a user in BNA, a user and one or more roles in BSA). However, depending on your deployment needs, you may want to identify multiple users that are assigned to one or more roles. To identify multiple users, you must use the manual configuration process described in this topic. Also, if you ever need to change information about Data Refresh users, you must use these manual configuration procedures to make those updates.
This topic includes the following sections that describe how to configure Data Refresh manually:
- Different approaches to specifying users and roles
- Configuring Data Refresh for BMC Server Automation
- Configuring Data Refresh for BMC Network Automation
Different approaches to specifying users and roles
When selecting the users and roles needed for Data Refresh, you can take two approaches:
- Specify a superuser, such as BLAdmin in BSA or sysadmin in BNA. This approach gives Data Refresh access to all necessary information. However, many security-conscious organizations are reluctant to employ superuser capabilities. If the superuser approach is acceptable, you can easily implement this option using the installer for BladeLogic Portal or by using the procedures described below in Modifying the portal's configuration for BSA Data Refresh and Modifying the portal's configuration for BNA Data Refresh. No configuration of BSA or BNA is necessary.
- Specify one or more users (in BNA) or one or more users and roles (in BSA) that restrict access to a minimum set of read-only permissions. For example, you may want to restrict access to one user for development data and another user for production data. For this approach:
  - If you require only one user and one or more roles, you can take either of the following approaches:
    - Perform the procedures described below in Setting up permissions in BMC Server Automation and/or Setting up permissions in BMC Network Automation, and then perform a standard installation that specifies the user and roles with the limited permissions.
    - Perform the procedures described below in Configuring Data Refresh for BMC Server Automation and/or Configuring Data Refresh for BMC Network Automation.
  - If you need to specify multiple users, you must perform the procedures described below in Configuring Data Refresh for BMC Server Automation and/or Configuring Data Refresh for BMC Network Automation.
Configuring Data Refresh for BMC Server Automation
When manually configuring Data Refresh for BMC Server Automation, you must set up one or more roles with a minimum set of permissions and assign one or more users to those roles.
Minimum BSA authorizations
Any role that is used to obtain information through Data Refresh requires the following minimum authorizations in BMC Server Automation.
BatchJob.Read
DeployJob.Read
JobFolder.Read
JobGroup.Read
NSHScriptJob.Read
PatchRemediationJob.Read
PatchWorkflowJob.Read (not available in BMC Server Automation 8.7)
PatchingJob.Read
Server.Read
ServerGroup.Read
Setting up permissions in BMC Server Automation
If Data Refresh obtains information from BMC Server Automation by means of a user with a restricted set of permissions, you must perform the following procedure to ensure that data can be obtained from BSA.
- In BMC Server Automation, use RBAC Manager to create a role with a name such as PortalDataRefresh_Role.
No configuration is necessary for the role other than to assign it a name.
- Use RBAC Manager to create an ACL Template.
- On page 2 of the wizard, when assigning authorizations to the Template Access Control List, for Role, select the role you created in the previous step.
- Using the System tab, assign permissions to the template. The permissions are those listed above in Minimum BSA authorizations.
- Take one of the following actions:
  - If you are assigning Data Refresh permissions to roles that do not have an ACL template assigned to them, use the following steps to assign the template you created in the previous step to every operator role in BMC Server Automation.
    - Using RBAC Manager, open an operator role.
    - For Object Permissions Template, select the template you created in the previous step (for example, for a role called WindowsAdmin).
    - Save the changes to the role.
  - If you are assigning Data Refresh permissions to one or more existing operator roles and those roles already have an ACL template assigned to them, perform the following steps for each role. The permissions you add are appended to the permissions already assigned to the role.
    - Using RBAC Manager, open an operator role and identify the ACL template that is assigned to the role.
    - Navigate to that ACL template, right-click, and select Open.
    - Click the Template Access Control List sub-tab.
    - Click the Add Entry icon. A dialog opens.
    - Under Available Authorizations, move the following authorizations to the Selected Authorizations list at right:
      BatchJob.Read
      DeployJob.Read
      JobFolder.Read
      JobGroup.Read
      NSHScriptJob.Read
      PatchRemediationJob.Read
      PatchWorkflowJob.Read (not available in BMC Server Automation 8.7)
      PatchingJob.Read
      Server.Read
      ServerGroup.Read
    - Click OK to save the entries you have added.
    - Save the changes to the role.
- In BMC Server Automation, update permissions on servers that are mapped to assets in BladeLogic Portal.
- Using the Servers node, right-click a server group that you want to update and select Update Permissions.
- Using the Update Permissions window, click the Use ACL Template icon. Then select the ACL template you created above.
- In BMC Server Automation, update permissions for existing jobs that were created by running Remediation operations in BladeLogic Portal.
  If you are doing an initial configuration of your system and have not yet run any Remediation operations, this step is not applicable. However, if you have successfully run Remediation operations in the portal, the operation has created one or more jobs in BMC Server Automation. For Data Refresh to obtain information in the future from those jobs, you must perform the following steps:
  - Using the Jobs node, navigate to a job that was created by a Remediation operation in BladeLogic Portal. Right-click the job and select Update Permissions.
    You can also select a job folder to update permissions for all the jobs contained in that folder.
  - Using the Update Permissions window, click the Use ACL Template icon. Then select the ACL template you created above.
- Specify the users and roles needed to enable Data Refresh.
If you are specifying a single user and one or more roles, you can use the installer for BladeLogic Portal or use the procedure described below in Modifying the portal's configuration for BSA Data Refresh.
If you are specifying multiple users, you must modify the configuration file, as described below.
Modifying the portal's configuration for BSA Data Refresh
Use this procedure to modify the portal's configuration by specifying the BSA users and roles needed to obtain information for Data Refresh.
During installation of the portal, you must specify at least one user and role. However, you can optionally use this procedure to specify multiple users, each belonging to one or more roles.
- Navigate to <Portal_install_location>/bladelogicportal.
- Invoke the BladeLogic Portal Maintenance Tool:
- (Windows): BladeLogicPortalMaintenanceTool
- (Linux): BladeLogicPortalMaintenanceTool.sh
- When the tool opens, click OK.
- Click the BSA Data Refresh tab.
To add a user with one or more roles, provide the following information:
- User Name: Name of a BMC Server Automation user with credentials that can be used for obtaining data from BMC Server Automation.
- Password: Password for the user.
- Auth Method: Method for authenticating the user with BMC Server Automation. Possible choices are Secure Remote Password, Domain Authentication, and LDAP Authentication. Other forms of authentication, such as RSA, are not compatible with Data Refresh.
- Role Name(s): One or more roles with at least read-level access to BMC Server Automation. When entering multiple roles, use a comma-separated list. See Setting up permissions in BMC Server Automation above for more information on setting up permissions for Data Refresh.
- Click Add.
  The user and roles you added appear in the list below.
- If necessary, add more users and roles. To delete a user from the list, select the user and click Delete.
- Click Save.
- Restart the portal service:
- (Windows): From the Windows Control Panel on the portal server, select Administrative Tools > Services. Find and right-click the BladeLogic Portal service, and then select Restart.
- (Linux): On the portal server, enter the following commands:
/etc/init.d/BladeLogic_Portal stop
/etc/init.d/BladeLogic_Portal start
Configuring Data Refresh for BMC Network Automation
When manually configuring Data Refresh for BMC Network Automation, you must set up one or more roles with a minimum set of permissions and assign one or more users to those roles.
Minimum BNA authorizations
Any role that is used to obtain information through Data Refresh requires the following minimum authorizations in BMC Network Automation.
System Rights
Access Network Tab
Access Actions Menu
Access Jobs
Access Scripts Menu
Access Rule Sets
Access Templates
Access Spans Menu
Access Combo Groups
Access Devices
Access Groups
Access Realms
Login
Login Using GUI
Login Using Web Services
Network Rights
(assigned to every realm)
Network Tab
Actions Menu
Access Associated Jobs
Actions
Run Associated Remediate Actions
Spans Menu
Access Associated Combo Groups
Access Associated Devices
Access Associated Groups
Access Realm
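As an added illustration (not BMC's code and not part of the original page), the following Python script audits a role against the two minimum sets listed above: the BSA list under Minimum BSA authorizations and the BNA list under Minimum BNA authorizations. It reports required authorizations that are missing, flags any BSA authorization that is not a .Read authorization (write capability that a read-only Data Refresh role should not carry), and checks that the BNA network rights are present on every realm, since a realm skipped on the Roles page is a gap that Data Refresh hits later. The granted sets are constructed sample data; the BNA right names are assumed to match the leaf entries of the list above, and PatchWorkflowJob.Read is treated as optional because BSA 8.7 does not have it.

```python
"""Least-privilege audit for Data Refresh roles (added example, not BMC code).

Compares what a BSA role and a BNA role were actually granted against the
minimum sets documented for Data Refresh. The granted sets below are
constructed sample data; in practice they would be transcribed from RBAC
Manager (BSA) or the Roles page (BNA).
"""
from typing import Dict, List, Set

# Minimum BSA authorizations from "Minimum BSA authorizations".
# PatchWorkflowJob.Read is tracked separately because BSA 8.7 does not have it.
BSA_REQUIRED: Set[str] = {
    "BatchJob.Read", "DeployJob.Read", "JobFolder.Read", "JobGroup.Read",
    "NSHScriptJob.Read", "PatchRemediationJob.Read", "PatchingJob.Read",
    "Server.Read", "ServerGroup.Read",
}
BSA_OPTIONAL: Set[str] = {"PatchWorkflowJob.Read"}

# Minimum BNA rights from "Minimum BNA authorizations". The leaf names of that
# list are assumed to be the right names as shown on the BNA Roles page.
BNA_SYSTEM_REQUIRED: Set[str] = {
    "Access Network Tab", "Access Actions Menu", "Access Jobs",
    "Access Scripts Menu", "Access Rule Sets", "Access Templates",
    "Access Spans Menu", "Access Combo Groups", "Access Devices",
    "Access Groups", "Access Realms", "Login Using GUI",
    "Login Using Web Services",
}
BNA_NETWORK_REQUIRED: Set[str] = {
    "Access Associated Jobs", "Run Associated Remediate Actions",
    "Access Associated Combo Groups", "Access Associated Devices",
    "Access Associated Groups", "Access Realm",
}


def audit_bsa_role(granted: Set[str]) -> Dict[str, List[str]]:
    """Report gaps and over-privilege for one BSA role.

    missing      required authorizations the role lacks
    beyond_read  granted authorizations that are not *.Read, i.e. write
                 capability a Data Refresh role does not need
    extra        read authorizations outside the documented minimum
    """
    allowed = BSA_REQUIRED | BSA_OPTIONAL
    return {
        "missing": sorted(BSA_REQUIRED - granted),
        "beyond_read": sorted(a for a in granted if not a.endswith(".Read")),
        "extra": sorted(a for a in granted
                        if a.endswith(".Read") and a not in allowed),
    }


def audit_bna_role(system_rights: Set[str],
                   network_rights_by_realm: Dict[str, Set[str]],
                   all_realms: List[str]) -> Dict[str, object]:
    """Report missing system rights and, per realm, missing network rights.

    The page requires the network rights on every realm, so a realm with no
    entry at all is reported as missing the whole required set.
    """
    missing_by_realm: Dict[str, List[str]] = {}
    for realm in all_realms:
        granted = network_rights_by_realm.get(realm, set())
        gap = sorted(BNA_NETWORK_REQUIRED - granted)
        if gap:
            missing_by_realm[realm] = gap
    return {
        "missing_system": sorted(BNA_SYSTEM_REQUIRED - system_rights),
        "missing_by_realm": missing_by_realm,
    }


# Constructed sample data (not taken from any real deployment).
# The BSA role lacks JobGroup.Read, carries a write authorization, and has a
# read authorization outside the minimum set.
SAMPLE_BSA_GRANTED: Set[str] = (BSA_REQUIRED - {"JobGroup.Read"}) | {
    "PatchWorkflowJob.Read", "Server.Modify", "DepotFolder.Read",
}
SAMPLE_BNA_SYSTEM: Set[str] = set(BNA_SYSTEM_REQUIRED)
SAMPLE_BNA_NETWORK: Dict[str, Set[str]] = {
    "Default": set(BNA_NETWORK_REQUIRED),
    "Lab": BNA_NETWORK_REQUIRED - {"Access Realm"},
    # The "DMZ" realm exists but was never configured, so it has no entry.
}
SAMPLE_REALMS: List[str] = ["Default", "Lab", "DMZ"]


if __name__ == "__main__":
    print("BSA:", audit_bsa_role(SAMPLE_BSA_GRANTED))
    print("BNA:", audit_bna_role(SAMPLE_BNA_SYSTEM, SAMPLE_BNA_NETWORK,
                                  SAMPLE_REALMS))
```

Replace the sample sets with the role's actual grants; an empty report from each function means the role meets the page's minimum without exceeding read-level access.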
Setting up permissions in BMC Network Automation
If Data Refresh obtains information from BMC Network Automation by means of a user with a restricted set of permissions, use BNA to create a role with a limited set of permissions and then assign a user to the role.
- In BMC Network Automation, open the Admin tab, select Roles, and click + Add.
  A window for defining a role opens.
- Assign a name to the role, such as ReadOnlyRole.
- Click the System Rights tab and assign, at minimum, the System Rights listed above in Minimum BNA authorizations.
- Click the Network Rights tab.
- For Realm, select the first realm in the list and assign, at minimum, the Network Rights listed above in Minimum BNA authorizations.
  Using the Realm option, repeat the previous step for every realm that appears in the list.
- Click Save.
- Select Users and click + Add.
  A window for defining a user opens.
- Provide a name for the user, such as ReadUser, and provide all other information needed to create a user.
- Click the Roles tab. Find the role you created earlier and move it to the Selected Roles list.
- Click Save.
  If necessary, you can repeat this process to create additional users.
- Specify the users needed to enable Data Refresh.
- If you are specifying a single user, you can use the installer for BladeLogic Portal or use the procedure described below in Modifying the portal's configuration for BNA Data Refresh.
- If you are specifying multiple users, you must modify the configuration file, as described below.
Modifying the portal's configuration for BNA Data Refresh
Use this procedure to modify the portal's configuration by specifying the BNA users and roles needed to obtain information for Data Refresh.
During installation of the portal, you must specify at least one user and role. However, you can optionally use this procedure to specify multiple users, each belonging to one or more roles.
- Navigate to <Portal_install_location>/bladelogicportal.
- Invoke the BladeLogic Portal Maintenance Tool:
- (Windows): BladeLogicPortalMaintenanceTool
- (Linux): BladeLogicPortalMaintenanceTool.sh
- When the tool opens, click OK.
- Click the BNA Data Refresh tab.
To add a user with one or more roles, provide the following information:
- User Name: Name of a BMC Network Automation user with credentials that can be used for obtaining data from BMC Network Automation.
- Password: Password for the user.
- Click Add.
  The user you added appears in the list below.
- If necessary, add more users. To delete a user from the list, select the user and click Delete.
- Click Save.
- Restart the portal service:
- (Windows): From the Windows Control Panel on the portal server, select Administrative Tools > Services. Find and right-click the BladeLogic Portal service, and then select Restart.
- (Linux): On the portal server, enter the following commands:
/etc/init.d/BladeLogic_Portal stop
/etc/init.d/BladeLogic_Portal start