Skip to Content

Minimum authorizations for synchronizing users

Synchronizing RBAC with an LDAP server is typically performed by the RBACAdmins role but you can take this action with a minimum set of permissions.

To perform this procedure with a minimum set of authorizations, you must set up a role with the permissions described below. For the objects you are acting on, you must define authorizations as described below.

Role-level authorizations

  • Role.read
  • Role.modify
  • Role.Manageusers
  • User.*
  • AutomationPrincipal.read
  • LdapConnection.read

Object-level authorizations

Type of object

Authorization required

Additional information

LDAP connection object

LdapConnection.read

Required for Active Directory synchronization.
Currently, you can only manage LDAP connection objects using the BLCLI.

LDAP query object

LdapQuery.read

Required for LDAP server synchronization

Automation Principal

AutomationPrincipal.read

Required for Active Directory synchronization.

Role

Role.Read
Role.Modify
Role.ManageUsers

Required for Active Directory synchronization.

User

User.*

Required for ongoing maintenance of each user created by the Active Directory synchronization process.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*

BMC Server Automation 8.2