Minimum permissions for patching


There are four main patching operations in a TrueSight Server Automation environment. The patching operations and the corresponding activities that a role must perform for each operation are listed in the tables below.

This topic lists the minimum permissions required by the role to perform the various patching operations. Some object-level permissions must also be granted to the role performing the patching operations.


You might want to create different roles to perform each of the patching operations or a combination of patching operations. If you want to create one role with all responsibilities for patch analysis and remediation, refer to the consolidated list of permissions. A consolidated list of object-level permissions accompanies the consolidated list of permissions.

Important

If the Application Server is configured with an NSH proxy server, ensure that the user performing patching is also assigned the NSH_Proxy.Connect permission in addition to the permissions mentioned below. The NSH_Proxy.Connect permission allows the user to acquire the NSH proxy credentials that are required for patching. For more information, see Setting-up-a-Network-Shell-client-to-run-in-proxy-mode.

Patch catalog management

Permission

Description

ACLPolicy.*
or
ACLPolicy.Read 

Optional: Create access control list (ACL) policies to grant permissions to other roles that download patch objects.

If the ACL policies already exist, only ACLPolicy.Read is necessary.

ACLTemplate.*

Create an ACL template to grant permissions to other roles that download patch objects.

AIXPatchSoftware.*

AIX only: Manage AIX depot software.

AIXSoftware.*

AIX only: Create depot objects for patches during downloads that occur during Catalog Update Jobs.

DepotFile.*

Optional: Manage offline patch catalog metadata content.

DepotFolder.Read
DepotFolder.Write

Create the patch catalog in a depot folder.

LinuxSoftware.*

Linux only: Create depot objects for patches during downloads that occur during Catalog Update Jobs.

PatchCatalog.*

Create and manage a patch catalog.

PatchDownloadJob.*

Run a job that downloads patches manually, rather than downloading them along with patch metadata.

PatchGlobalConfig.Modify

Optional: Manage global patch settings.

PatchSmartGroup.*

Create smart groups in the patch catalog.

Server.Browse
Server.Read

Create a patch repository on a helper server.

ServerGroup.Read

Optional: Allow user to browse to the helper server when selecting it.

SolarisSoftware.*

Solaris only: Create depot objects for patches during downloads that occur during Catalog Update Jobs.

WindowsSoftware.*

Windows only: Create depot objects for patches during downloads that occur during Catalog Update Jobs.

Object level permissions for patch catalog management

Object

Permissions

Description

Depot folders

DepotFolder.Read
DepotFolder.Write
DepotGroup.Read
DepotGroup.Write 

Grant these permissions to the catalog management role on the depot folder where you create a patch catalog and to all depot folders and groups that are parents of the patch catalog folder.

Server functioning as a patch repository

Server.Read
Server.Browse

Grant these permissions to the catalog management role on the server that functions as a patch repository.

Patch analysis

Permission

Description

AIXSoftware.Read

AIX only: Read the relevant type of software.

DepotFolder.Read

Read the patch catalog, which is stored in the Depot.

JobFolder.Read
JobFolder.Write 

Create Patch Analysis jobs in a job folder and browse any parent folders.

JobGroup.Read
JobGroup.Write 

Create Patch Analysis jobs and remediation jobs in a folder or navigate to them in a group.

LinuxSoftware.Read

Linux only: Read required software.

PatchCatalog.Read
PatchCatalog.Modify 

Access patch catalogs.

PatchCatalog.Modify is only needed for Solaris and AIX.

Server.Read

Read contents of target servers.

ServerGroup.Read

Browse groups of target servers.

SolarisSoftware.Read
SolarisSoftware.Modify 

Solaris only: Read and interpret required software.

WindowsSoftware.Read
WindowsSoftware.Modify 

Windows only: Read and interpret required software.

PatchSmartGroup.Read

Allow the user to open patch smart groups.

PatchSmartGroup.Write

Allow the user to add new objects to patch smart groups.

Object level permissions for patch analysis

Object

Permissions

Description

Target servers

Server.Read

Grant these permissions to the patch analysis role on the target servers.

Target server groups

ServerGroup.Read

Grant these permissions to the patch analysis role on any target server groups that hold the target server.

Job folder containing the Patching Job

JobGroup.Read
JobGroup.Write 
JobFolder.Read
JobFolder.Write 

Grant these permissions to the patch analysis role on the job folder where you create a Patching Job and to all parent job folders or groups.

Patching jobs

PatchingJob.Execute

Grant this permission on any Patching Jobs.

Patch remediation

Permission

Description

ACLPolicy.*

Manage ACL policies.

ACLTemplate.*

Manage ACL templates.

AIXPatchSoftware.Read

AIX only: Read required software.

AIXSoftware.Read

AIX only: Read required software.

BatchJob.*

Create and execute Batch Jobs that run concatenated Deploy Jobs.

BLPackage.*

Create remediation packages.

CustomSoftware.*

Linux and Windows only: Create Linux and Windows remediation jobs.

DeployJob.*

Create Deploy Jobs for remediation purposes.

DepotFolder.Read
DepotFolder.Write 

Create packages in the depot and browse any parent groups.

DepotGroup.Read
DepotGroup.Write 

Navigate to the patch catalog or remediation objects in a depot group.

JobFolder.Read
JobFolder.Write

Create remediation jobs in job folders and browse any parent groups or folders.

JobGroup.Read
JobGroup.Write 

Create Patch Analysis jobs and remediation jobs in a folder or navigate to them in a group.

LinuxSoftware.Read

Linux only: Read required software.

PatchCatalog.Read

Read the patch catalog.

PatchDownloadJob.*

Manage patch download jobs.

PatchingJob.Read

Read contents of Patching Jobs.

PatchRemedationJob.*

Manage patch remediation jobs.

PatchSmartGroup.Read

Read smart groups containing patch catalogs.

Server.Browse
Server.Deploy
Server.Read 

Read the contents of the patch repository.

ServerGroup.Read

Find servers.

SolarisSoftware.Read
SolarisSoftware.Modify 

Solaris only: Read and interpret required software.

WindowsSoftware.Read
WindowsSoftware.Modify 

Windows only: Read and interpret required software.

Object level permissions for patch remediation

Object

Permissions

Description

Patching jobs

PatchingJob.Read

Grant this permission to the patch remediation role on any Patching Jobs used for remediation purposes.

Server functioning as a patch repository 

Server.Browse
Server.Read

Grant these permissions to the patch remediation role on the server used as a patch repository.

Job folder containing the Patching Job

JobGroup.Read
JobGroup.Write 
JobFolder.Read
JobFolder.Write 

Grant these permissions to the patch remediation role on the job folder where you create a remediation Job and to all parent job folders or groups.

Depot groups where packages are created in the depot.

DepotFolder.Read
DepotFolder.Write
DepotGroup.Read
DepotGroup.Write 

Grant these permissions to the patch remediation role on the depot folder where you create a remediation package and to all parent depot folders and groups.

Patch deployment

Permission

Description

BLPackage.Read

Read remediation packages.

CustomSoftware.Read

Linux only: Read Linux remediation jobs.

BatchJob.Execute
BatchJob.Read 

Read and execute Batch Jobs that run concatenated Deploy Jobs.

DeployJob.Execute
DeployJob.Read 

Read and execute jobs that deploy patch packages.

Server.Deploy
Server.Read 

Deploy patches to target servers.

ServerGroup.Read

Browse groups of target servers to which patches are deployed.

Object level permissions for patch deployment

Object

Permissions

Description

Target servers

Server.Deploy
Server.Read 

Grant these permissions to the patch deployment role on any target servers where patches are deployed.

Target server groups 

ServerGroup.Read

Grant these permissions to the patch deployment role on any groups of target servers.

Consolidated list of minimum permissions for patching

Permission

Description

ACLPolicy.*

Create ACL policies to grant permissions to other roles that download patch objects.

ACLTemplate.*

Create ACL templates to grant permissions to other roles that download patch objects.

AIXPatchSoftware.*

AIX only: Create and read patch software.

AIXSoftware.*

AIX only: Create and read software.

BatchJob.*

Create and execute Batch Jobs that run concatenated Deploy Jobs.

BLPackage.*

Create remediation packages and read their contents.

CustomSoftware.*

Linux and Windows only: Create Linux and Windows remediation jobs and read their contents.

DeployJob.*

Read and execute jobs that deploy patch packages.

DepotFile.*

Optional: Manage offline patch catalog metadata content.

DepotFolder.Read
DepotFolder.Write

Create the patch catalog in a depot folder or create remediation objects in a depot folder.

DepotGroup.Read
DepotGroup.Write 

Navigate to the patch catalog or remediation objects in a depot group.

JobFolder.Read
JobFolder.Write

Create Patch Analysis jobs and remediation jobs in a folder or navigate to them in a group.

JobGroup.Read
JobGroup.Write 

Create Patch Analysis jobs and remediation jobs in a folder or navigate to them in a group.

LinuxSoftware.*

Linux only: Create and read software.

PatchCatalog.*

Create and manage a patch catalog.

PatchDownloadJob.*

Manage patch downloads.

PatchGlobalConfig.Modify

Optional: Manage global patch settings.

PatchingJob.Read

Read the jobs used as the basis of remediation.

PatchRemedationJob.*

Manage patch remediation jobs.

PatchSmartGroup.*

Create smart groups in the patch catalog.

Server.Browse
Server.Deploy
Server.Read
Server.Write 

Create a patch repository on a helper server, read the contents of the repository, read the contents of target servers, and deploy patches to target servers.

ServerGroup.Read

Allow user to browse to the helper server when selecting it and to browse to target servers.

SolarisSoftware.*

Solaris only: Create and read software.

WindowsSoftware.*

Windows only: Create and read software.

PatchSmartGroup.Read

Allow the user to open patch smart groups.

PatchSmartGroup.Write

Allow the user to add new objects to patch smart groups.

Consolidated list of object level permissions for patching

Object

Permissions

Description

Depot folders

DepotFolder.Read
DepotFolder.Write
DepotGroup.Read
DepotGroup.Write 

Grant these permissions on the depot folder where you create a patch catalog and to all depot folders that are parents of the patch catalog folder.

Also grant these permissions on the depot folder where you create any remediation packages and to all parent depot folders or groups.

Server functioning as a patch repository

Server.Read
Server.Browse

Grant these permissions on the server used as a patch repository.

Target servers

Server.Deploy
Server.Read

Grant these permissions on target servers.

Target server groups

ServerGroup.Read

Grant these permissions on any target server groups that hold the target server.

Job folder containing Patching and remediation jobs

JobGroup.Read
JobGroup.Write
JobFolder.Read
JobFolder.Write

Grant these permissions on the job folder where you create a Patching Job and to all parent job folders or groups.

Also grant these permissions on the job folder where you create any remediation jobs and to all parent job folders or groups.

Patching jobs

PatchingJob.Read
PatchingJob.Execute

Grant these permissions on any Patching Jobs.
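The tables above are easiest to apply when you can compare a candidate role's authorization list against them mechanically. The following Python script is an added example, not BMC code or any TrueSight Server Automation tool: it encodes the patch analysis and patch deployment minimums transcribed from the tables on this page (the other two tables can be added to the same dictionaries), honours the `Type.*` wildcard semantics, and reports three least-privilege findings for a role: authorizations that are missing, wildcards that are broader than the operation needs, and authorizations that belong to no row of that operation's table. The one-authorization-per-line input format, the role name and the sample authorization list are constructed assumptions, not a real TSSA role export.

```python
"""Least-privilege check of a patching role against the minimum
authorization sets on this page. Added example; the authorization
strings are transcribed from the tables, everything else is assumed."""
from __future__ import annotations

# Minimum system-level authorizations per operation (rows the page marks
# "Optional" are omitted). Transcribed from the patch analysis and
# patch deployment tables above.
MINIMUM: dict[str, set[str]] = {
    "patch_analysis": {
        "DepotFolder.Read", "JobFolder.Read", "JobFolder.Write",
        "JobGroup.Read", "JobGroup.Write", "PatchCatalog.Read",
        "Server.Read", "ServerGroup.Read",
        "PatchSmartGroup.Read", "PatchSmartGroup.Write",
    },
    "patch_deployment": {
        "BLPackage.Read", "BatchJob.Read", "BatchJob.Execute",
        "DeployJob.Read", "DeployJob.Execute",
        "Server.Read", "Server.Deploy", "ServerGroup.Read",
    },
}

# OS-specific rows from the same tables ("Windows only", "AIX only", ...).
OS_EXTRA: dict[str, dict[str, set[str]]] = {
    "patch_analysis": {
        "windows": {"WindowsSoftware.Read", "WindowsSoftware.Modify"},
        "linux":   {"LinuxSoftware.Read"},
        "solaris": {"SolarisSoftware.Read", "SolarisSoftware.Modify",
                    "PatchCatalog.Modify"},
        "aix":     {"AIXSoftware.Read", "PatchCatalog.Modify"},
    },
    "patch_deployment": {
        "linux": {"CustomSoftware.Read"},
    },
}


def required_for(operation: str, platforms: list[str]) -> set[str]:
    """Base set for the operation plus the rows for each patched platform."""
    needed = set(MINIMUM[operation])
    for os_name in platforms:
        needed |= OS_EXTRA.get(operation, {}).get(os_name.lower(), set())
    return needed


def parse_export(text: str) -> set[str]:
    """Parse a role's authorization list, one 'Type.Action' per line.
    This line-oriented format is an assumption, not a TSSA export format."""
    auths: set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            auths.add(line)
    return auths


def is_granted(held: set[str], needed: str) -> bool:
    """'Type.*' grants every action on Type; otherwise an exact match is required."""
    obj_type = needed.split(".", 1)[0]
    return needed in held or f"{obj_type}.*" in held


def check_role(held: set[str], operation: str,
               platforms: list[str]) -> dict[str, set[str]]:
    """Compare held authorizations with the minimum for one operation."""
    needed = required_for(operation, platforms)
    needed_types = {n.split(".", 1)[0] for n in needed}
    missing = {n for n in needed if not is_granted(held, n)}
    # A wildcard on a type the operation only needs specific actions on.
    overbroad = {h for h in held if h.endswith(".*") and h not in needed
                 and h.split(".", 1)[0] in needed_types}
    # Authorizations on object types no row of this operation's table lists.
    unrelated = {h for h in held if h.split(".", 1)[0] not in needed_types}
    return {"missing": missing, "overbroad": overbroad, "unrelated": unrelated}


# Constructed sample: a candidate deployment role, not a real export.
SAMPLE_DEPLOY_ROLE = """\
# PatchDeployers (hypothetical role) - proposed authorizations
BLPackage.Read
BatchJob.Read
BatchJob.Execute
DeployJob.*
Server.Read
Server.Deploy
ServerGroup.Read
PatchCatalog.*
"""

if __name__ == "__main__":
    findings = check_role(parse_export(SAMPLE_DEPLOY_ROLE),
                          "patch_deployment", ["linux"])
    for kind, auths in findings.items():
        print(f"{kind:9s}: {sorted(auths)}")
```

Run against the constructed sample, the script reports `CustomSoftware.Read` as missing (the deployment table requires it for Linux targets), `DeployJob.*` as over-broad (the table asks only for `DeployJob.Read` and `DeployJob.Execute`), and `PatchCatalog.*` as unrelated to deployment, which is the kind of catalog-management privilege that belongs on a separate role if you split responsibilities as the introduction suggests. Object-level permissions on specific folders and servers are outside what this check sees and still have to be granted as the object-level tables describe.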
