This version of the documentation is no longer supported. However, the documentation is available for your convenience.

Establishing role-based permissions for SCAP


To import Security Content Automation Protocol (SCAP) content, create and run SCAP Compliance Jobs, and view results, administrators must be assigned a role that includes the necessary permissions.

To facilitate division of responsibilities, you can assign all required permissions to one role or divide them between several roles. See Managing-access for more details.

Note: The blcontent.exe script included with BMC Server Automation includes sample roles and authorization profiles for SCAP-specific activities. For more information about blcontent.exe, see Loading-prepackaged-content.

The following permissions control SCAP activities:

| Define permissions for | Controls the ability to |
|---|---|
| ScapContentFile.* | Import SCAP benchmarks and access the CPE and OVAL files after import. |
| XccdfBenchmark.* | Access the XccdfBenchmark file after import. (This permission set is a subset of ScapContentFile.* permissions.) Note: The permission set for XccdfBenchmark should be equal to or a subset of the SCAPContentFile permission set. |
| SCAPComplianceJob.*, Jobfolder.* | Create, Edit, Modify Targets, Modify Schedules, Modify Properties, Execute Job permissions for SCAP Compliance Jobs. |
| Server.Read, Server.Audit, ServerGroup.* | Create SCAP Jobs against servers. |
| DepotFolder.*, DepotGroup.* | Import objects into the Depot and access objects after import. |

Sample Permission Sets

A role with the following permissions has full SCAP abilities:

BatchJob.*
DepotFolder.*
DepotGroup.*
ExecutionTask.*
JobFolder.*
JobGroup.*
SCAPComplianceJob.*
SCAPContentFile.*
Server.Read
Server.Audit
ServerGroup.*
XCCDFBenchmark.*

A role with the following permissions can import and view SCAP benchmarks but not delete them, and it does not have the ability to create SCAP Compliance Jobs:

DepotFolder.*
DepotGroup.*
XccdfBenchMark.Read
XccdfBenchmark.Create
ScapContentFile.Create
ScapContentFile.Read

A role with the following permissions can create SCAP Compliance Jobs:

DepotFolder.Read
DepotGroup.Read
XccdfBenchmark.*
SCAPContentFile.*
Server.Read
Server.Audit
ServerGroup.*
JobFolder.*
ScapComplianceJob.*
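
The subset rule for XccdfBenchmark and the sample permission sets above can be checked mechanically before roles are created. The following Python sketch is an added example, not BMC code or part of the product; the function names, the case-insensitive matching of object names, and the DRIFTED role with its Delete action are assumptions made for illustration.

```python
# Added example: audit role definitions against the SCAP permission rules on this page.
# Object names are compared case-insensitively because the page spells them
# inconsistently (assumption: the product treats them as the same object).

def parse(perms):
    """Map lowercase object name -> set of lowercase actions ('*' = all)."""
    granted = {}
    for perm in perms:
        obj, _, action = perm.strip().partition(".")
        granted.setdefault(obj.lower(), set()).add(action.lower())
    return granted

def covers(granted, obj, action):
    """True if the grants include obj.action directly or through obj.*."""
    actions = granted.get(obj.lower(), set())
    return "*" in actions or action.lower() in actions

def subset_violations(perms):
    """XccdfBenchmark actions that ScapContentFile does not also grant."""
    granted = parse(perms)
    xccdf = granted.get("xccdfbenchmark", set())
    return sorted(a for a in xccdf if not covers(granted, "ScapContentFile", a))

def missing_for(perms, required):
    """Permissions from `required` that the role does not hold."""
    granted = parse(perms)
    return [r for r in required if not covers(granted, *r.split(".", 1))]

# Permission sets copied from the page.
JOB_CREATOR = ["DepotFolder.Read", "DepotGroup.Read", "XccdfBenchmark.*",
               "SCAPContentFile.*", "Server.Read", "Server.Audit",
               "ServerGroup.*", "JobFolder.*", "ScapComplianceJob.*"]
IMPORT_ONLY = ["DepotFolder.*", "DepotGroup.*", "XccdfBenchMark.Read",
               "XccdfBenchmark.Create", "ScapContentFile.Create",
               "ScapContentFile.Read"]
# Constructed role (not from the page) that breaks the subset rule.
DRIFTED = ["XccdfBenchmark.Read", "XccdfBenchmark.Delete", "ScapContentFile.Read"]

if __name__ == "__main__":
    for name, role in [("job creator", JOB_CREATOR), ("import only", IMPORT_ONLY),
                       ("drifted", DRIFTED)]:
        print(name, "subset violations:", subset_violations(role))
    print("import-only role lacks for job creation:",
          missing_for(IMPORT_ONLY, JOB_CREATOR))
```

A wildcard grant on XccdfBenchmark paired with a narrower grant on ScapContentFile is reported as a violation of "*", since the wildcard exceeds whatever the content-file grant lists.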

 


BMC Server Automation 8.3