I need to set up an account for a helpdesk administrator who:
- is only allowed to take control of devices located in a specific geo
- is not required to have an acknowledgement on servers.
The KA 000147848 is a prerequisite to this KA, which focuses on setting up an administrator group Admins.Paris._By Geo.Support-1-BCM.local whose members should only see and have access to devices from the OUs:
- Workstations.Computers.Paris._By Geo.Support-1-BCM.local
- Servers.Computers.Paris._By Geo.Support-1-BCM.local

Acknowledgement will not be required on Servers.Computers.Paris._By Geo.Support-1-BCM.local.

Warning:
- Static/dynamic device groups on which you set different rights should not contain the same devices. If they do, the least restrictive rights will apply on capabilities and the most restrictive will apply on static/dynamic objects.
- Make sure all the devices are in the proper device group. Customers frequently do not realize that they forgot to add a device group, or the results of a query that lists some device group, to the dynamic objects.

0- Create Organizational Units by Geo:
Refer to the KA 000147848.

1- Synchronize your Device Groups:
1.1 to 1.6 Refer to the KA 000147848 for detailed steps.
Once you have gone through these steps for at least two different OUs, you will obtain something similar to this:

2- Synchronize your Administrator Groups:
2.1 to 1.7 Refer to the KA 000147848 for detailed steps.
Once you have gone through these steps, you will obtain something similar to this:

3- Create the queries:
The administrators from the administrator group Admins.Paris._By Geo.Support-1-BCM.local will not see the device group Workstations.Computers.Paris._By Geo.Support-1-BCM.local, nor will they see the device group Servers.Computers.Paris._By Geo.Support-1-BCM.local, if a query isn't set in the dynamic objects of the administrator security profile.
- Go to the node "Queries"
- Right click and click on "Create Query..."
- Create a query of the type "Device Group"
- Click on the attribute "Name" then set it to "Equal to" and finally set its value to "Workstations.Computers.Paris._By Geo.Support-1-BCM.local"
- Create another query of the type "Device Group"
- Click on the attribute "Name" then set it to "Equal to" and finally set its value to "Servers.Computers.Paris._By Geo.Support-1-BCM.local"

4- Configure the security profile:
There are three tabs to configure in the security profile settings of an administrator (group):
4.1 Capabilities:
- Set the "View" capability on the objects "Device" and "Device Group", else your administrator will not be able to see any device (group)
- Set the "View" and "Manage" capabilities on the objects below:

Notes: refer to the KA 000147848.
4.2 Static Objects:
For most cases, refining rights should be done in the dynamic objects, not in the static objects tab. Basically, only top nodes should be set in the static objects tab of your administrator groups. Here I had to add the device group folder "_By Geo" in addition to the top node "Device Group", else the device groups Workstations.Computers.Paris._By Geo.Support-1-BCM.local and Servers.Computers.Paris._By Geo.Support-1-BCM.local would not display:
Note that only "Read Access" is set on these objects, as the type of administrator this KA covers is not supposed to be able to create or edit existing device groups.

4.3 Dynamic Objects:
This is probably the most important section of a security profile, as it allows you to fine-tune the objects that your administrators will be allowed to display and interact with. These objects will mostly be displayed from the results of your queries.

4.3.1 Workstations.Computers.Paris._By Geo.Support-1-BCM.local
- Right click then click on "Add Results of Query..." and select the queries you created in step 3: "Paris Device Group Computers"
  This will display the Device Group Workstations.Computers.Paris._By Geo.Support-1-BCM.local
- Right click then click on "Add Members of Device Group..." and select Workstations.Computers.Paris._By Geo.Support-1-BCM.local
  This will display the members of the Device Group of the same name in the console.

4.3.2 Servers.Computers.Paris._By Geo.Support-1-BCM.local
- Right click then click on "Add Results of Query..." and select the queries you created in step 3: "Paris Device Group Servers"
  This will display the Device Group Servers.Computers.Paris._By Geo.Support-1-BCM.local in the console
- Right click then click on "Add Members of Device Group..." and select Servers.Computers.Paris._By Geo.Support-1-BCM.local
  This will display the members of the Device Group of the same name in the console.

5- Login as a member of this administrator group:
This screenshot shows which (sub)nodes the administrator should see:

This screenshot shows the search results:
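The warning at the top of this KA asks that device groups carrying different rights share no devices and that every device sits in its proper group. The script below is an added example, not part of the KA or of the product, that checks both conditions on a membership listing. The host names, the `EXPECTED` inventory and the dictionary layout are constructed assumptions; load your own export in their place.

```python
# Added example: audit device-group membership before assigning different rights.
# Input layout and host names are assumptions (constructed), not a product export format.
from itertools import combinations

PARIS = "Paris._By Geo.Support-1-BCM.local"
WORKSTATIONS = f"Workstations.Computers.{PARIS}"
SERVERS = f"Servers.Computers.{PARIS}"

# Constructed sample: device group -> member device names (hypothetical hosts).
MEMBERSHIP = {
    WORKSTATIONS: {"PAR-WS-001", "par-ws-002", "PAR-SRV-01"},
    SERVERS: {"PAR-SRV-01 ", "PAR-SRV-02"},
}
# Constructed sample: every device the Paris administrators are meant to reach.
EXPECTED = {"PAR-WS-001", "PAR-WS-002", "PAR-WS-003", "PAR-SRV-01", "PAR-SRV-02"}


def normalize(name):
    """Compare device names case-insensitively, ignoring surrounding spaces."""
    return name.strip().upper()


def find_overlaps(membership):
    """Return {device: sorted group names} for devices present in more than one group."""
    overlaps = {}
    for g1, g2 in combinations(sorted(membership), 2):
        shared = {normalize(d) for d in membership[g1]} & {normalize(d) for d in membership[g2]}
        for device in shared:
            overlaps.setdefault(device, set()).update({g1, g2})
    return {device: sorted(groups) for device, groups in sorted(overlaps.items())}


def find_unassigned(membership, expected):
    """Return expected devices that are members of none of the device groups."""
    assigned = {normalize(d) for members in membership.values() for d in members}
    return sorted({normalize(d) for d in expected} - assigned)


def audit(membership, expected):
    """Both findings together; empty values mean the groups are disjoint and complete."""
    return {
        "overlaps": find_overlaps(membership),
        "unassigned": find_unassigned(membership, expected),
    }


if __name__ == "__main__":
    for kind, finding in audit(MEMBERSHIP, EXPECTED).items():
        print(kind, finding)
```

On the sample data the server PAR-SRV-01 is reported in both groups, which is the overlap the warning describes for a group where acknowledgement is not required, and PAR-WS-003 is reported as belonging to no group.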