Walkthrough: Restricting permissions for a patching administrator
This topic walks you through the process of setting up a patching administrator and limiting permissions so that administrator cannot perform other types of actions in TrueSight Server Automation. Although this process is not essential for patch management, BMC always recommends that you grant users the minimum set of permissions needed to perform actions. If you do not set up a patching administrator with a limited set of permissions, a superuser such as the BLAdmins role must perform patch management.
Introduction
This topic is intended for system administrators who manage data center authorizations and access to physical assets such as servers. The goal of this topic is to grant the minimum set of permissions to the role and user who perform patch management, and to grant the minimum level of access to any servers where you will be setting up patching infrastructure.
What are roles and users?
TrueSight Server Automation manages data center access through a system of role-based access controls (RBAC). Each role defines a set of permissions. Typically roles correspond to jobs performed in an organization, such as QA testers or application developers. A user can be assigned to one or more roles, but a user can only assume one role at a time.
What does this walkthrough show?
This walkthrough shows how to:
- Create an authorization profile, which is a collection of authorizations to perform certain tasks, in this case patch management.
- Create a role for a patching administrator.
- Create a patching user who is assigned to the patching administrator role and thus is granted the permissions available to the patching administrator.
- Grant the patching administrator access to the server that is used as a patch repository. This requires you to set permissions for the server within the console and also to push an access control list (ACL) to the server. The ACL controls access at the server level.
What do I need to do before I get started?
- For this walkthrough, you need to log in as the RBAC administrator for TrueSight Server Automation (typically RBACAdmin or a user with equivalent permissions).
- Later in the walkthrough you have to log in as BLAdmin, the superuser, or a user with equivalent permissions.
- You must also know which server you want to use as a patch repository so you can restrict access to it. The server you select must have ample free space. For the latest sizing and scalability recommendations, refer to the TrueSight Server Automation Sizing Guide in BMC Communities.
How to restrict permissions for a patching administrator
Wrapping it up
Congratulations. You have set up a role for patching administrators, created a patching user, and granted that user access to the patch repository server.
Where to go from here
Now that you have restricted the patching administrator's access, you can set up patch catalogs. See Walkthrough: Setting up and managing an online patch catalog for Windows and Walkthrough: Setting up and managing a patch catalog for Linux.