A standard TrueSight Server Automation installation provides the following built-in roles:
- RBACAdmins
- BLAdmins
- GlobalReportAdmins
- GlobalReportViewers
- ITManagers
- Level1HelpDesk
- LinuxAdmins
- PatchingUser
- QAEngineers
- SCAPAdmins
- SCAPJobOperator
- SecurityAdmins
- SoftwareEngineers
- UNIXAdmins
- WindowsAdmins
The RBACAdmins and BLAdmins roles are granted a combination of built-in and out-of-box authorizations. All other roles are only granted out-of-box authorizations.
Built-in authorizations are intrinsic to a role. You cannot delete a built-in authorization. When you look at the definition of a role, you do not see built-in authorizations explicitly listed.
Out-of-box authorizations are permissions that are automatically assigned to roles when you initially perform a standard installation of TrueSight Server Automation. Unlike built-in authorizations, out-of-box authorizations are visible in RBAC. You can modify and delete out-of-box authorizations.
The following table summarizes the authorizations granted to the built-in roles:
| | Out-of-box Authorizations |
|---|
| - Granted Read authorization on all objects in TrueSight Server Automation (for example, BLPackage.Read).
- Granted ModifyACL authorization on all objects in TrueSight Server Automation (for example, BLPackage.ModifyACL).
The above authorizations are built-in and cannot be modified.
| - Granted * authorization for all system objects relating to RBAC (for example, Role.* and ACLTemplate.*).
- Granted Server.PushACL to push ACLs to servers.
The above authorizations can be modified as necessary.
|
| Granted Read authorization on all system objects within TrueSight Server Automation. The Read authorization is built-in and cannot be modified. | - Granted * authorization on all classes of system objects within TrueSight Server Automation except the following:
- Role.Read (grants read-only access to roles)
- AuthProfile.Read (grants read-only access to authorization profiles)
- PatchAnalysisConfig.Modify (used for modifying the download locations for Windows patch analysis configurations)
The above authorizations can be modified as necessary.
|
| | - Granted all reports-related authorizations in RBAC which allows the role to manage TrueSight Server Automation - Data Warehouse.
|
| | - Granted all reports-related authorizations in RBAC.
|
| | - Granted authorizations for performing the following tasks:
- Manage compliance risks using exceptions
- Promote objects between roles
- Set up and manage ACL templates and workspaces
- View all objects except security objects, view audit results, view server and component inventory and view snapshot results
The above authorizations can be modified as necessary.
|
| | - Granted authorizations for performing the following tasks:
- Audit servers and components
- Browse components and servers
- Deploy software and BLPackages to servers
- Execute custom and third-party scripts and existing Jobs
- Perform live browse related ad-hoc activities like file updates, operations on virtual machines, stop and start services
- Promote objects between roles
- Take snapshot of servers and components
The above authorizations can be modified as necessary.
|
| | - Granted authorizations for performing the following tasks:
- Audit servers and components
- Multi-step execution of batch jobs
- Browse components and servers
- Build bare-metal system packages
- Create and manage components and component templates
- Deploy software and BLPackages to servers
- Discover components
- Enroll and decommission servers
- Execute custom and third-party scripts and existing Jobs
- Package single file for deployment, custom and third-party scripts, custom software and patches, custom software using BLPackages, linux software and patches
- Perform live browse related ad-hoc activities like file updates, operations on virtual machines, stop and start services
- Promote objects between roles
- Provision servers
- Refresh server properties
- Remediate compliance and patch analysis results
- Roll back or undo changes
- Set up and manage config files, custom commands, extended objects, job schedules, properties and provision infrastructure
- Take snapshot of servers and components
- Synchronize a server with audit results
The above authorizations can be modified as necessary.
|
| | - Granted all authorizations to manage a patching job.
|
| | - Granted authorizations for performing the following tasks:
- Audit servers and components
- Multi-step execution of batch jobs
- Browse components and servers
- Deploy software and BLPackages to servers
- Discover components
- Execute custom and third-party scripts and existing Jobs
- Promote objects between roles
- Remediate compliance and patch analysis results
- Roll back or undo changes
- Set up and manage job schedules
- Take snapshot of servers and components
- Synchronize a server with audit results
The above authorizations can be modified as necessary.
|
| | - Granted all administration related authorizations for SCAP compliance.
|
| | - Granted all job operation related authorizations for SCAP Compliance.
|
| | - Granted authorizations to set up and manage ACL templates, authorizations, permissions on all objects, roles, user accounts and workspaces
|
| | - Granted authorizations for performing the following tasks:
- Audit servers and components
- Multi-step execution of batch jobs
- Browse components and servers
- Create and manage components and component templates
- Deploy software and BLPackages to servers
- Discover components
- Execute custom and third-party scripts and existing Jobs
- Package single file for deployment, custom and third-party scripts, custom software and patches, custom software using BLPackages
- Promote objects between roles
- Remediate compliance and patch analysis results
- Roll back or undo changes
- Set up and manage config files, extended objects, job schedules and properties
- Take snapshot of servers and components
- Synchronize a server with audit results
The above authorizations can be modified as necessary.
|
| | Granted authorizations for performing the following tasks: - Audit servers and components
- Multi-step execution of batch jobs
- Browse components and servers
- Build bare-metal system packages
- Create and manage components and component templates
- Deploy ACLs to managed servers, software and BLPackages to servers
- Discover components
- Enroll and decommission servers
- Execute custom and third-party scripts and existing Jobs
- Package AIX software and patches, single file for deployment, custom and third-party scripts, custom software using BLPackages, HP-UX software and patches, Solaris software and patches
- Perform live browse related ad-hoc activities like file updates, stop and start services
- Promote objects between roles
- Refresh server properties
- Remediate compliance and patch analysis results
- Roll back or undo changes
- Set up and manage config files, custom commands, extended objects, job schedules, properties and provision infrastructure
- Take snapshot of servers and components
- Synchronize a server with audit results
The above authorizations can be modified as necessary.
|
| | Granted authorizations for performing the following tasks: - Analyzing patch compliance
- Audit servers and components
- Multi-step execution of batch jobs
- Browse components and servers
- Build bare-metal system packages
- Create and manage components and component templates
- Deploy ACLs to managed servers, software and BLPackages to servers
- Discover components
- Enroll and decommission servers
- Execute custom and third-party scripts and existing Jobs
- Package single file for deployment, custom and third-party scripts, custom software and patches, custom software using BLPackages, Windows software and patches
- Perform live browse related ad-hoc activities like file updates, stop and start services
- Promote objects between roles
- Provision servers
- Refresh server properties
- Remediate compliance and patch analysis results
- Roll back or undo changes
- Set up and manage config files, custom commands, extended objects, job schedules, properties and provision infrastructure
- Take snapshot of servers and components
- Synchronize a server with audit results
The above authorizations can be modified as necessary.
|
TrueSight Server Automation provides built-in and out-of-box authorizations so you can manage access permissions with no further modifications. However, for a more granular system of permissions, you can modify the out-of-box authorizations granted to the built-in roles. You can create additional roles to develop sets of authorizations, and you can use object-based permissions to further restrict access throughout the TrueSight Server Automation system.
In addition to the built-in roles, TrueSight Server Automation provides two other roles that are used for special purposes:
- Everyone — A role that is available when assigning object-based permissions. Granting permissions to the Everyone role is an easy way to make an object publicly available. For more information, see Defining-permissions-for-a-system-object.
- Current Role — A role that is available when creating an ACL template. This role grants permissions to the current role when that role creates an object. Using Current Role permissions in an ACL template is an easy way to give the creator of an object permission to use the object without having to revise an ACL template for each different role. For more information, see Creating-an-ACL-template.