SA 9.0 Administration Guide
for the HP-UX, IBM AIX, Red Hat Enterprise Linux, Solaris, SUSE Linux Enterprise Server, VMware, and Windows operating systems
Software Version: 9.0
Administration Guide
Document Release Date: June 2010
Software Release Date: June 2010
Legal Notices
Warranty
The only warranties for HP products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an additional
warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
The information contained herein is subject to change without notice.
Restricted Rights Legend
Confidential computer software. Valid license from HP required for possession, use or copying. Consistent
with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and
Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard
commercial license.
Copyright Notices
Copyright 2000-2010 Hewlett-Packard Development Company, L.P.
Trademark Notices
Intel and Itanium are trademarks of Intel Corporation in the U.S. and other countries.
Java is a U.S. trademark of Sun Microsystems, Inc.
Microsoft, Windows, Windows XP are U.S. registered trademarks of Microsoft Corporation.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates.
UNIX is a registered trademark of The Open Group.
Adobe is a trademark of Adobe Systems Incorporated.
Documentation Updates
The title page of this document contains the following identifying information:
Software Version number, which indicates the software version.
Document Release Date, which changes each time the document is updated.
Software Release Date, which indicates the release date of this version of the software.
To check for recent updates or to verify that you are using the most recent edition of a document, go to:
http://h20230.www2.hp.com/selfsolve/manuals
This site requires that you register for an HP Passport and sign in. To register for an HP Passport ID, go to:
http://h20229.www2.hp.com/passport-registration.html
Or click the New users - please register link on the HP Passport login page.
You will also receive updated or new editions if you subscribe to the appropriate product support service.
Contact your HP sales representative for details.
Support
Visit the HP Software Support Online web site at:
www.hp.com/go/hpsoftwaresupport
This web site provides contact information and details about the products, services, and support that HP
Software offers.
HP Software online support provides customer self-solve capabilities. It provides a fast and efficient way to
access interactive technical support tools needed to manage your business. As a valued support customer, you
can benefit by using the support web site to:
Search for knowledge documents of interest
Submit and track support cases and enhancement requests
Download software patches
Manage support contracts
Look up HP support contacts
Review information about available services
Enter into discussions with other software customers
Research and register for software training
Most of the support areas require that you register as an HP Passport user and sign in. Many also require a
support contract. To register for an HP Passport ID, go to:
http://h20229.www2.hp.com/passport-registration.html
To find more information about access levels, go to:
http://h20230.www2.hp.com/new_access_levels.jsp
Contents
1 User and User Group Setup and Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Users, Groups, and Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
SA Users and User Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
SA Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Folder Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
SA Global File System Permissions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Membership in Multiple Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
SAS Web Client Restricted Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Predefined User Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Super Administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Customer Administrators. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Process Overview for Security Administration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Private User Group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Managing Users and User Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
User Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
User Group Management Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Setting Permissions on User Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Setting the Customer Permissions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Setting the Facility Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Setting the Device Group Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Setting the General Feature Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Setting the SA Client Features Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Setting the Other Features Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Setting Folder Permissions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Adding OGFS Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Setting Private User Group Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Managing Super and Customer Administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Viewing Super and Customer Administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Creating a Super Administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Deleting a Super Administrator. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Delegating User Group Management to a Customer Administrator. . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Managing Passwords and Login Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Changing Passwords. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Specifying Password Character Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Resetting Initial Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Setting Password Expiration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Specifying Session Timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Setting the User Agreement. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Setting the Banner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
External LDAP Directory Service with SA. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Imported Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
SSL and External Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Supported External LDAP Directory Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Modify the nsswitch.conf File (Linux) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Using an LDAP Directory Server with SA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Importing a Server Certificate from the LDAP into SA. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Configuring the JAAS Login Module (loginModule.conf) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Importing External LDAP Users and User Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
RSA SecurID/SA Integration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
RSA SecurID/SA Integration Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
SecurID/SA Integration Platform Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Configuring SA/SecurID Integration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Code Deployment Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Adding Members to a Code Deployment User Group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
User and Security Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
2 SA Core and Component Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Introduction to SA Core and Component Security Architecture. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Enforcing Strict Control and Accountability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Stronger Controls and Accountability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Read-only, Digitally Signed Audit Trails. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Signed MD5 Checksums for Packages in the Software Repository . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Role-based Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Audit Logging of User Activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Securing SA Internal Communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Communication between Components in an SA Core . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Communication between Agents and SA Core Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Communication Between SA Cores . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
SA Satellite Architecture and Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
The SA Network: Enabling Risk Mitigation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
SA Compatibility with other Security Tools. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
SA Core Recertification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Agent vs. Core Recertification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Upgrading after Core Recertification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Core Recertification Phases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Agent Recertification Phases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
SA Core Recertification Tool Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Security Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Core Recertification Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Creating the Core Recertification User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Removing a Core Recertification User. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Core Recert Prerequisites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Recertifying SA Cores. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
3 Multimaster Mesh Administration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Multimaster Facilities Administration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Modifying a Facility's Name. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Adding or Modifying a Facility's Custom Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Multimaster Mesh Conflict Administration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Types of Conflicts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
SA Transaction Conflict Handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Causes of Conflicts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
User Overlap. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
User Duplication of Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Out of Order Transactions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Best Practices for Preventing Multimaster Conflicts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Examining the State of the Multimaster Mesh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
System Diagnosis Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Multimaster State Monitoring Utility. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Best Practices for Resolving Database Conflicts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Types of Conflicts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Guidelines for Resolving Each Type of Conflict . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Model Repository Multimaster Component Conflicts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Overview of Resolving Model Repository Multimaster Component Conflicts. . . . . . . . . . . . . . . . . . . . 99
Resolving a Conflict by Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Resolving a Conflict by Transaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Network Administration for Multimaster Mesh. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Multimaster Alert Emails . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
4 Satellite Administration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Overview of the SA Satellite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Management Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Facilities and Realms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Satellite Information and Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Permissions Required for Managing Satellites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Viewing Satellite Facilities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Enabling the Display of Realm Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Viewing the Realm of a Satellite Managed Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Viewing and Managing Satellite Gateway Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Satellite Software Repository Cache Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Availability of Satellite Software Repository Cache Content. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Updating Software in the Satellite Software Repository Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Creating Software Repository Cache Manual Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Staging Files to a Software Repository Cache. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Microsoft Utility Uploads and Manual Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
5 SA Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
SA Diagnosis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
SA Component Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
System Diagnosis Testing Process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Core Components Tested by the System Diagnosis Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Data Access Engine Tests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Software Repository Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Web Services Data Access Tests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Command Engine Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Model Repository Multimaster Component Tests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Running an SA Core Component System Diagnosis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
The SA Core Health Check Monitor (HCM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Overview of HCM Local Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Overview of HCM Global Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Extensibility of the Health Check Monitor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Requirements for Extensions to HCM Local Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Categories and Local Test Directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Directory Layout for HCM Local Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
HCM Local Test Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Requirements for Extensions to HCM Global Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
HCM Global Test Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Directory Layout for HCM Global Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
HCM Global Test Directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
SA Components Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Boot Server Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Build Manager Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Command Engine Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Data Access Engine Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
HP Live Network (HPLN) Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Media Server Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Model Repository Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Model Repository Multimaster Component Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Agents Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
SAS Web Client Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Software Repository Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Web Services Data Access Engine Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Gateway Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Global File System Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
HTTPS Server Proxy Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Global Shell Audit Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Shell Event Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Shell Stream Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Shell Script Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Example of Monitoring Global Shell Audit Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Digital Signatures in the Global Shell Audit Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Storage Management for the Global Shell Audit Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Configuring the Global Shell Audit Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Start Script for SA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Syntax of the Start Script. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Starting an SA Core . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Starting a Multiple-Server SA Core . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Starting an SA Core Component . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
SA Core Component Internal Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Mass Deletion of Backup Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Syntax of Backup Deletion Script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Deleting Backup Files with the Mass Deletion Script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Multiple Data Access Engines. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Overview of Multiple Data Access Engines. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Reassigning the Data Access Engine to a Secondary Role. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Designating the Multimaster Central Data Access Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Scheduling Audit Result and Snapshot Removal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Web Services Data Access Engine Configuration Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Changing a Configuration Parameter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Web Services Data Access Engine Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Increasing the Web Services Data Access Engine Maximum Heap Memory Allocation . . . . . . . . . . 167
Changing Software Repository Mirroring Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Changing a Configuration Parameter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Software Repository Mirroring Configuration Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
6 Monitoring SA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Overview of SA Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Agent Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Agent Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Monitoring Processes for Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Agent URL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Agent Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Agent Cache Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Agent Cache Ports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Monitoring Processes for the Agent Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Agent Cache Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Command Center Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Command Center Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Monitoring Processes for the Command Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Command Center URL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Command Center Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Load Balancing Gateway Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Load Balancing Gateway Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Monitoring Processes for the Load Balancing Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Load Balancing Gateway Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Data Access Engine Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Data Access Engine Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Multimaster Central Data Access Engine Port Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Monitoring Processes for the Data Access Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Data Access Engine URLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Data Access Engine Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Web Services Data Access Engine Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Web Services Data Access Engine Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Monitoring Processes for the Web Services Data Access Engine. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Web Services Data Access Engine URL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Web Services Data Access Engine Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Command Engine Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Command Engine Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Monitoring Processes for the Command Engine. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Command Engine URL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Command Engine Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Software Repository Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Software Repository Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Monitoring Processes for the Software Repository . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Software Repository URL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Software Repository Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Software Repository Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Model Repository Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Model Repository Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Monitoring Processes for the Model Repository . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Model Repository Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Table Space Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Multimaster Conflicts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Model Repository Multimaster Component Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Model Repository Multimaster Component Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Monitoring Processes for the Model Repository Multimaster Component . . . . . . . . . . . . . . . . . . . . . 183
Model Repository Multimaster Component Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Global File System Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Monitoring Process for the Global File System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Spoke Monitoring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Spoke Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Monitoring Processes for the Spoke. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Gateway Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
OS Build Manager Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
OS Boot Server Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
OS Boot Server Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
OS Boot Server Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
OS Media Server Monitoring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
OS Media Server Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
OS Media Server Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
7 SA Notification Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Configuring SA Administrator Contact Information in SA Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Configuring the Mail Server for a Facility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Configuring the Command Engine Notification Email . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Setting Email Alert Addresses for an SA Core. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Configuring Email Alert Addresses for a Multimaster Mesh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Configuring Email Notification Addresses for Code Deployment and Rollback (CDR) . . . . . . . . . . . . . . 196
8 Global Shell: Windows Subauthentication Package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Microsoft Windows Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Microsoft Windows Subauthentication Package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
SA Subauthentication Package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
SA Agent Installation Changes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
SA Agent Uninstallation Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
A Permissions Reference. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Permissions Required for the SAS Web Client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Storage Visibility and Automation Permissions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Permissions Required for the SA Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
More Information for Security Administrators. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Application Configuration Management Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Device Group Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
SA Discovery and Agent Deployment Permissions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Job Permissions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Patch Management for Windows - Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Patch Management for Solaris - Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Solaris Patch Policy Management - Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Patch Management for Other Unix - Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Software Management Permissions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Script Execution Permissions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Audit and Remediation Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
Service Automation Visualizer Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Virtual Server Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
OS Provisioning Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Compliance View Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
Server Property and Reboot Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Server Objects Permission . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Predefined User Group Permissions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Private User Groups (PUG) Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Code Deployment User Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
1 User and User Group Setup and Security
Users, Groups, and Permissions
SA enforces a role-based security policy that allows only authorized users to perform specific
operations on specific servers. Intended for security administrators, this chapter explains how
to set up a role-based security structure for SA.
SA Users and User Groups
When you log in to the SA Client or the SAS Web Client, you are prompted for an SA user
name and password. Everyone in your organization who logs on to SA must have a unique SA
user name and password.
SA user names are stored in the Model Repository. You can create user names by using the
SAS Web Client, or you can import them into the Model Repository from an external
Lightweight Directory Access Protocol (LDAP) system. SA user names are not case sensitive.
An SA user group represents a role, or group of tasks, performed by the members of that
group. All users should belong to one or more SA user groups. The tasks that a user is
authorized to perform depend on user group membership.
SA Permissions
The permissions that you specify for a user group determine what an SA user group's
members can do:
- Feature permissions specify the actions users can perform.
- Resource permissions specify the objects (typically servers) users can perform these
  actions on.
For example, Jane Doe could belong to a user group called London Windows Administrators.
This user group has the feature permission to install patches, and the resource permission to
Read & Write on the device group named London Windows Servers.
Feature Permissions
With feature permissions, you define the tasks that can be performed by the users of a group.
A feature permission is either on or off: The user can either perform a task or not. In the SAS
Web Client, you specify feature permissions on the Features, Client Features, and Others
tabs of the Edit Group page.
14 Chapter 1
Resource Permissions
A resource is usually a set of managed servers. A resource permission determines if the users
in a user group can view or modify a resource. Resource permissions specify the following
types of access:
- Read: Users can view the resource only.
- Read & Write: Users can view, create, modify or delete the resource.
- None: The resource does not appear in the SA Client or the SAS Web Client. Users cannot
  view or modify the resource.
The SAS Web Client organizes resources into the following categories:
- Customers: The servers associated with a customer.
- Facilities: The servers associated with an SA Facility.
- Device Groups: The servers belonging to a specified public device group.
Each of the preceding resource categories corresponds to a tab on the Edit Group page of the
SAS Web Client.
Managed servers are the most common resources. Other types of resources are:
- Application configurations
- Hardware definitions
- Realms
- OS installation profiles
Each of these resources can be associated with customers.
Folders can also be associated with customers, but access to folders is controlled in a different
way. (See Folder Permissions on page 15.)
Server Access and Resource Permissions
Access to a server depends on the server's association with a customer, association with a
Facility, and optionally, the server's membership in a public device group. For example,
suppose that a server is associated with the Widget, Inc. customer, resides in the Fresno
facility, and belongs to the Accounting device group. To modify the server, the user group must
have the permissions listed in Table 1. (The Read & Write permission for Accounting is
required only if user group permissions are specified for public device groups.)
If the permissions for the customer, facility, or device group do not match, then the most
restrictive permissions are enforced. For example, if the permission for the customer is Read
& Write, but the permission for the facility is Read, then the Read permission is enforced. If
the permission for the customer is None, then the server cannot be viewed, even if the other
permissions for the user group specify Read (or Read & Write).
Table 1 Example of Resource Permissions
Resource                  | Group permission
Customer: Widget, Inc.    | Read & Write
Facility: Fresno          | Read & Write
Device Group: Accounting  | Read & Write
User and User Group Setup and Security 15
Feature and Resource Permissions Combined
To use a feature on a resource, the user must belong to a group that has the necessary
permissions for both the feature and resource. For example, suppose that a server is
associated with these resources: the Widget, Inc. customer and the Fresno facility. To install
a patch on this server, the user must belong to a group with the permissions listed in Table 2.
Table 2 Example of Permissions: Resources and Features
Resource or feature     | Group permission
Customer: Widget, Inc.  | Read & Write
Facility: Fresno        | Read & Write
Feature: Install Patch  | Yes
Folder Permissions
Folder permissions control access to the contents of the folder, such as software policies, OS
sequences, server scripts, and subfolders. A folder's permissions apply only to the items
directly under the folder. They do not apply to items lower down in the hierarchy, such as the
subfolders of subfolders (grandchildren).
Types of Folder Permissions
In the Folder Properties window of the SA Client, you can assign the following permissions to
an individual user or a user group:
- List Contents of Folder: Navigate to the folder in the hierarchy, click on the folder, view
  the folder's properties, and see the name and type of the folder's children (but not the
  attributes of the children).
- Read Objects Within Folder: View all attributes of the folder's children, open object
  browsers on the folder's children, and use the folder's children in actions.
  For example, if the folder contains a software policy, users can open (view) the policy and
  use the policy to remediate a server. However, users cannot modify the policy. (For
  remediation, feature and server permissions are required as well.)
  Selecting this permission automatically adds the List Contents of Folder permission.
- Write Objects Within Folder: View, use, and modify the folder's children.
  This permission permits actions such as New Folder and New Software Policy. To perform
  most actions, client feature permissions are required as well.
  Selecting this permission automatically adds the List Contents of Folder and the Read
  Objects Within Folder permissions.
- Execute Objects Within Folder: Run the scripts contained in the folder and view the
  names of the folder's children.
  This permission allows users to run scripts, but not to read or write them. To view the
  contents of scripts, users need the Read Objects Within Folder permission and the
  appropriate feature permission. To create scripts, they need the Write Objects Within
  Folder permission and the appropriate feature permission.
  Selecting the Execute Objects Within Folder permission automatically adds the List
  Contents of Folder permission.
- Edit Folder Permissions: Modify the permissions or add customers to the folder.
  This permission enables users to delegate the permissions management of a folder (and
  its children) to another user group.
  Selecting this permission automatically adds the List Contents of Folder permission.
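The two rules that govern folder permissions, the automatic addition of implied permissions and the fact that a folder's permissions reach only its direct children, as an added Python model (not HP's code or part of this guide); the folder paths and grants are constructed for the example.

```python
"""Model of the folder-permission rules in "Types of Folder Permissions".

Added example, not HP's code. Two rules are encoded:
  * selecting Read, Write, Execute or Edit Folder Permissions automatically adds
    the permissions the text lists (Write adds Read and List; the others add List);
  * a folder's permissions apply only to the items directly under it, never to
    grandchildren, so every folder in a path is checked on its own grants.
The folder tree and the grants below are constructed for this example.
"""

LIST = "List Contents of Folder"
READ = "Read Objects Within Folder"
WRITE = "Write Objects Within Folder"
EXECUTE = "Execute Objects Within Folder"
EDIT = "Edit Folder Permissions"

# Permissions that are added automatically when a given permission is selected.
IMPLIED = {
    LIST: set(),
    READ: {LIST},
    WRITE: {READ, LIST},
    EXECUTE: {LIST},
    EDIT: {LIST},
}


def expand(selected):
    """Return the full permission set for one folder, closing over IMPLIED."""
    full = set()
    for perm in selected:
        full.add(perm)
        full |= IMPLIED[perm]
    return frozenset(full)


def effective_on(grants, folder):
    """Permissions that apply to the items directly under `folder`.

    `grants` maps a folder path to the permissions selected for one user group
    in the Folder Properties window. A folder with no entry grants nothing: there
    is no run-time inheritance from the parent. (A newly created folder starts
    with a *copy* of its parent's permissions, so in practice a child often has
    its own entry; the copy is still evaluated as that folder's own grant.)
    """
    return expand(grants.get(folder, set()))


def can_run_script(grants, folder):
    """Scripts directly in `folder` can be run with Execute alone."""
    return EXECUTE in effective_on(grants, folder)


def can_read_script(grants, folder):
    """Reading a script's contents needs Read (Execute alone is not enough)."""
    return READ in effective_on(grants, folder)


# Constructed grants for one user group: Write on a top-level folder, Execute
# only on one child folder, and nothing explicit on a grandchild.
GRANTS = {
    "/Package Repository": {WRITE},
    "/Package Repository/Scripts": {EXECUTE},
}

if __name__ == "__main__":
    for path in ("/Package Repository",
                 "/Package Repository/Scripts",
                 "/Package Repository/Scripts/Legacy"):
        print(path, sorted(effective_on(GRANTS, path)))
```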
Client Feature Permissions and Folders
Client feature permissions determine what actions users can perform with the SA Client.
Folder permissions specify which folders users have access to.
To perform most actions on folders and the items they contain, users need both folder and
client feature permissions. For example, to add a software policy to a folder, users must belong
to a group that has the Write Objects Within Folder permission and the Manage Software
Policy permission (Read & Write).
Customer Constraints, Folders, and Software Policies
If a customer is assigned to a folder, the customer constrains some of the actions on the
software policies contained in the folder. These constraints are enforced through filtering: The
objects that can be associated with the software policies must have a matching customer.
For example, suppose that you want to add the quota.rpm package to a software policy. The
package and the software policy reside in different folders. The customer of the policy's parent
folder is Widget and the customer of the package's parent folder is Acme. When you perform
the Add Package action on the policy, the packages that you can choose will not include
quota.rpm. The customer of the policy's parent folder (Widget) acts as a filter, restricting the
objects that can be added to the policy. If you add the Widget customer to the parent folder of
quota.rpm, then you can add quota.rpm to the policy.
The following list summarizes the customer constraints for software policy actions. These
constraints are invoked only if the software policy's parent folder has one or more customers.
Software policy actions not listed here, such as New Folder, do not have customer constraints.
- Add Package: The customers of the package's parent folder must be a subset of the
  customers of the software policy's parent folder.
- Add Application Configuration: The customers of the application configuration must
  be a subset of the customers of the software policy's parent folder.
- Add Software Policy: If software policy A is added to software policy B, then the
  customers of A's parent folder must be a subset of the customers of B's parent folder.
- Attach Software Policy: The customer of the server being attached must be one of the
  customers of the software policy's parent folder.
- Install Software Policy Template: The customer of the server must be one of the
  customers of the parent folder of each software policy contained in the template.
Default Folder Permissions
When SA is first installed, the predefined user groups are assigned permissions to the
top-level folders such as Package Repository. When you create a new folder, it has the same
permissions and customer as its parent.
SA Global File System Permissions
The SA Global File System (OGFS) underlies many SA Client actions, such as browsing
managed server file systems and scanning servers for compliance. To perform actions that
access the OGFS, you must belong to a user group that has certain OGFS permissions. Table 3
lists the operations you control with OGFS permissions.
When setting an OGFS permission, in addition to specifying an operation such as Write
Server File System, you also specify which managed servers the operation can be applied to.
You specify the managed servers by selecting a resource, either a customer, facility, or device
group. You also specify the login name of the managed server where the operation runs. (The
Launch Global Shell operation is an exception, as explained later in this section.)
For example, suppose you specify the Read Server File System permission. For the servers,
you select a device group named Sunnyvale Servers. For the login name, you select the SA
user name. Later on, in the SA Client, the SA user jdoe opens a server belonging to the
Sunnyvale Servers device group in the Device Explorer. In the Views pane, the string jdoe
appears in parentheses next to the File System label. When the user drills down into the file
system, the Device Explorer displays the files and directories that the Unix user jdoe has
access to.
Table 3 OGFS Permissions
OGFS permission              | Task allowed by this permission
Launch Global Shell          | Launch the Global Shell.
Log In To Server             | Open a shell session on a Unix server. In the SA Client, open a Remote Terminal. In the Global Shell, you can use the rosh command.
Read COM+ Database           | Read COM Plus objects as a specific login. In the SA Client, use the Device Explorer to browse these objects on a Windows server.
Read Server File System      | Read a managed server as a specific login. In the SA Client, use the Device Explorer to browse the file system of a managed server.
Read IIS Metabase            | Read IIS Metabase objects as a specific login. In the SA Client, use the Device Explorer to browse these objects on a Windows server.
Read Server Registry         | Read registry files as a specific login. In the SA Client, use the Device Explorer to view the Windows Registry.
Relay RDP Session To Server  | Open an RDP session on a Windows server. In the SA Client, this is the Remote Terminal feature that opens an RDP client window for a Windows server.
Run Command On Server        | Run a command or script on a managed server using the rosh utility, where that command or script already exists. In the SA Client, this is used for Windows Services accessed by the Device Explorer.
Write Server File System     | Modify files on a managed server as a specific login. In the SA Client, you can use the Device Explorer to modify the file system of a managed server.
If you specify root for the login name, make sure that the resource you select allows access to
the correct set of servers. For root, you should limit access to servers by customer or device
group, not by facility.
For the Launch Global Shell permission, you do not specify the managed servers because a
Global Shell session is not associated with a particular server. Also, you do not specify the
login user for this permission. If you open a Global Shell session with the SA Client, you do so
as your current SA login. If you open it with the ssh command, you are prompted for an SA
login (user name).
Membership in Multiple Groups
If a user belongs to more than one user group, the user's permissions are derived from the
resource and feature permissions of the groups. The way the permissions are derived depends
on whether or not the resources are folders.
If the resources are not folders, then the derived permissions are a cross-product of the
resource and feature permissions of all groups that the user belongs to. With a cross-product,
all feature permissions apply to all resource permissions. For example, Jane Doe belongs to
both the Atlanta and Portland groups, which have the permissions listed in Table 4.
Because the derived permissions are a cross-product, Jane can perform the System Diagnosis
task on the managed servers associated with the Widget Inc. customer, even though neither
the Atlanta nor Portland group has this capability.
If the resources are folders (or their contents), then the derived permissions for the user are
cumulative, but do not cross user groups. For example, Joe Smith belongs to both the
Sunnyvale and Dallas groups shown in Table 5. Joe can create packages under the Webster
folder because the Sunnyvale group has Read & Write permissions for that folder and for the
Manage Package feature. However, Joe cannot create packages under the Kiley folder,
because neither user group can do so. Joe can create OS Sequences under the Kiley folder, but
not under the Webster folder.
Table 4 Example of Cross-Product Permissions
Resource or feature              | Atlanta user group permission | Portland user group permission
Resource: Customer Widget, Inc.  | Read & Write                  | None
Resource: Customer Acme Corp.    | None                          | Read & Write
Feature: System Diagnosis        | No                            | Yes
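The three derivation rules this chapter states (the most-restrictive rule for a server's customer, facility and device group from Server Access and Resource Permissions, the cross-product across groups for non-folder resources, and the per-group rule for folders) replayed against Tables 1, 4 and 5 as an added Python model; this is not HP's code, and the dictionary layout used for the groups is this example's own assumption.

```python
"""Model of the SA 9.0 effective-permission rules described in this chapter.

Added example, not HP's code. Three rules are encoded:
  1. Server access is the most restrictive of the customer, facility and
     (optional) device-group resource permissions; None hides the server.
  2. For non-folder resources, several groups combine as a cross-product:
     every feature any group grants applies to every resource any group grants.
  3. For folders, grants are cumulative per group only: one group must hold
     both the folder permission and the client feature permission.
The group dictionaries are constructed from Tables 4 and 5 of the guide.
"""

LEVELS = {"None": 0, "Read": 1, "Read & Write": 2}
NAMES = {v: k for k, v in LEVELS.items()}


def effective_server_access(customer, facility, device_group=None):
    """Rule 1: min() over the levels picks the most restrictive permission."""
    levels = [LEVELS[customer], LEVELS[facility]]
    if device_group is not None:  # only when device-group permissions are set
        levels.append(LEVELS[device_group])
    return NAMES[min(levels)]


def feature_granted(value):
    """Feature columns use Yes/No (Table 4) or Read & Write/None (Table 5)."""
    return value in ("Yes", "Read & Write")


def cross_product_access(groups):
    """Rule 2: the set of (feature, resource) pairs the user can exercise.

    A resource counts as granted if any group gives it Read or Read & Write;
    None in one group does not cancel a grant in another (that is what the
    Jane Doe example in the text shows).
    """
    resources = {r for g in groups.values()
                 for r, lvl in g["resources"].items() if LEVELS[lvl] > 0}
    features = {f for g in groups.values()
                for f, v in g["features"].items() if feature_granted(v)}
    return {(f, r) for f in features for r in resources}


def can_write_in_folder(groups, folder, feature):
    """Rule 3: True only if a single group holds Read & Write on the folder AND
    the feature; folder grants never combine across groups."""
    return any(
        LEVELS[g["resources"].get(folder, "None")] == LEVELS["Read & Write"]
        and feature_granted(g["features"].get(feature, "None"))
        for g in groups.values()
    )


# Table 4: Jane Doe's groups (constructed from the page).
JANE = {
    "Atlanta": {"resources": {"Customer Widget, Inc.": "Read & Write",
                              "Customer Acme Corp.": "None"},
                "features": {"System Diagnosis": "No"}},
    "Portland": {"resources": {"Customer Widget, Inc.": "None",
                               "Customer Acme Corp.": "Read & Write"},
                 "features": {"System Diagnosis": "Yes"}},
}

# Table 5: Joe Smith's groups (constructed from the page).
JOE = {
    "Sunnyvale": {"resources": {"Folder Webster": "Read & Write",
                                "Folder Kiley": "None"},
                  "features": {"Manage Packages": "Read & Write",
                               "Manage OS Sequences": "None"}},
    "Dallas": {"resources": {"Folder Webster": "None",
                             "Folder Kiley": "Read & Write"},
               "features": {"Manage Packages": "None",
                            "Manage OS Sequences": "Read & Write"}},
}

if __name__ == "__main__":
    # Table 1 server: all Read & Write stays Read & Write; a Read facility
    # downgrades it to Read; None on the customer hides the server.
    print(effective_server_access("Read & Write", "Read & Write", "Read & Write"))
    print(effective_server_access("Read & Write", "Read"))
    print(effective_server_access("None", "Read & Write"))
    # Jane: System Diagnosis on Widget, Inc. although neither group alone allows it.
    print(("System Diagnosis", "Customer Widget, Inc.") in cross_product_access(JANE))
    # Joe: packages under Webster yes, under Kiley no; OS Sequences the other way.
    print(can_write_in_folder(JOE, "Folder Webster", "Manage Packages"))
    print(can_write_in_folder(JOE, "Folder Kiley", "Manage Packages"))
    print(can_write_in_folder(JOE, "Folder Kiley", "Manage OS Sequences"))
```

The Jane Doe check is the one worth replaying when reviewing group assignments: the cross-product grants a feature on a resource that no single group holds, so every extra group a user joins widens every feature already granted by the others.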
SAS Web Client Restricted Views
The SAS Web Client displays only those features and resources for which the user's group has
Read (or Read & Write) permission.
For example, John Smith belongs to the Basic Users group, which has the permissions listed
in Table 6. When John logs in, the SAS Web Client displays only the servers for Widget Inc.,
but not those of Acme Corp. In the navigation panel of the SAS Web Client, the Operating
Systems link appears, but not the Scripts link.
To locate or view a server, a user must belong to a group that has Read (or Read & Write)
permission to both the customer and facility associated with the server. If the server also
belongs to a device group with set permissions, then the user group must also have Read (or
Read & Write) access to the device group. Otherwise, the user cannot locate the server in the
SAS Web Client.
Predefined User Groups
During an SA installation or upgrade, certain predefined user groups are created. You must
grant read and/or write permissions to the first Facility and other appropriate permissions to
these user groups. Use of the predefined user groups is optional. You can modify the
permissions of the predefined user groups and you can also delete or copy these groups to
create new groups. Changes or deletions of the predefined user groups are not affected by SA
upgrades.
Table 5 Example of Cumulative Permissions
Resource or feature           | Sunnyvale user group permission | Dallas user group permission
Resource: Folder Webster      | Read & Write                    | None
Resource: Folder Kiley        | None                            | Read & Write
Feature: Manage Packages      | Read & Write                    | None
Feature: Manage OS Sequences  | None                            | Read & Write
Table 6 Example of Permissions and Restricted Views
Resource or feature     | Basic group permission
Customer: Widget, Inc.  | Read & Write
Customer: Acme Corp.    | None
Wizard: Prepare OS      | Yes
Wizard: Run Scripts     | No
Predefined User Group Feature Permissions
Table 7 shows the predefined user groups.
Predefined User Groups Permissions
SA provides an extended set of role-based, predefined user groups. If you plan to use these
groups, you must grant the appropriate permissions to the groups. For more information
about predefined user groups and permissions, see Appendix A: Permissions Reference in
this guide.
Table 7 Predefined User Group Feature Permissions
User Group                    | Description
System Administrators         | Access to administer the SA application.
Superusers                    | Complete access to all SA-managed objects and operations.
Viewers                       | Read-only access to all features.
Reporters                     | Access to reporting only.
OS Policy Setters             | Access to import & define OS build plans.
OS Deployers                  | Access to provision servers.
Patch Policy Setters          | Access to set patching policy.
Patch Deployers               | Access to install patches.
Software Policy Setters       | Access to set software policy.
Software Deployers            | Access to install software.
Compliance Policy Setters     | Access to define compliance policies.
Compliance Auditors           | Access to execute compliance scans.
Compliance Enforcers          | Access to remediate compliance failures.
Hypervisor Managers           | Access to create, delete and register VMs.
Virtual Machine Managers      | Access to start and stop VMs.
Command Line Administrators   | Shell access to servers.
Server Storage Managers       | Access to manage server storage.
Storage System Managers       | Access to manage storage systems.
Storage Fabric Managers       | Access to manage storage fabrics.
User and User Group Setup and Security 21
Super Administrators
A super administrator is an SA user who manages SA's security structure. Super
administrators create users and groups, specify permissions for groups, and assign users to
groups. Super administrators can also manage customers and facilities, as well as set folder
permissions. To perform most of the tasks described in this chapter, you must log in to the
SAS Web Client as a user with super administrator privileges.
The HP BSA Installer creates a single default user: the super administrator named admin.
The password for admin is specified during the installation and should be changed
immediately afterwards.
As a best practice, you should not add the admin user to other user groups.
Customer Administrators
The super administrator delegates the management of specific user groups to a customer
administrator. Like a super administrator, a customer administrator can assign users and
permissions to user groups. However, a customer administrator cannot create users. The user
groups that a customer administrator can manage depend on the relationships between
several objects, including customer permissions and customer groups.
For example, suppose that the user Joe Smith is a customer administrator who can manage
the user group named Sunnyvale Admins. The users who belong to the Sunnyvale Admins
group are responsible for managing servers owned by the Widget, Inc. customer. Figure 1
shows the relationships required between various objects. In order for Joe Smith to manage
the Sunnyvale Admins user group, the following relationships must exist:
The Sunnyvale Admins user group has the Read & Write customer permission for the Widget, Inc. customer.
The Widget, Inc. customer belongs to the customer group named Widget, Inc. Admins.
The user Joe Smith is assigned to the Widget, Inc. Admins customer group.
For instructions on setting up the relationships shown in Figure 1, see Delegating User Group
Management to a Customer Administrator on page 34.
Figure 1 Relationships Required for a Customer Administrator
(Diagram: the user Joe Smith is assigned to the customer group Widget, Inc. Admins; the customer
Widget, Inc. belongs to that customer group and is a resource permission (R & W) of the user group
Sunnyvale Admins; as a result, Joe Smith can manage the Sunnyvale Admins user group.)
Process Overview for Security Administration
The person responsible for the security of SA creates and maintains users, groups, and
permissions. This person must be able to log in to the SAS Web Client as a user who is a super
administrator. The default super administrator is the admin user.
The following steps provide an overview of security administration for SA:
1 Identify the people in your organization who will manage SA security.
2 For each user identified in the preceding step, create a super administrator.
For instructions, see Creating a Super Administrator on page 34.
3 Note the facility that the managed servers belong to.
A facility is an SA object that represents a data center or physical location. Depending on
your organization, you may want to name the facility after the city, building, or room
where the servers reside. The person who installs SA specifies a default facility for the
core.
4 Associate customers with managed servers.
In SA, a customer is an object that represents a business organization, such as a division
or a corporation. Typically, a server is associated with a customer because it runs
applications for that customer.
5 (Optional) Create device groups and assign servers to the groups.
For more information, see the Device Groups section of the SA User Guide: Server
Automation.
6 Plan your user groups.
Decide which SA tasks specific groups of users will perform and on which servers. Usually,
a user group represents a role or a job category. Examples of user groups are: Unix System
Admins, Windows Admins, DBAs, Policy Setters, Patch Admins, and so forth.
7 Create the user groups.
For instructions, see Creating a User Group on page 26.
8 Set the resource permissions on the user groups.
These permissions specify read and write access to servers associated with facilities,
customers, and device groups. Resource permissions control which servers the members of
a user group can access.
For instructions, see Setting the Customer Permissions on page 27 and the adjacent
sections.
9 (Optional) Delegate the management of user groups to other users.
For instructions, see Delegating User Group Management to a Customer Administrator
on page 34.
10 Set the feature (action) permissions on the user groups.
To determine which feature permissions are required to perform a specific task, see the
tables in Permissions Required for the SA Client on page 207. For example, if you have a
user group named Policy Setters, see Software Management Permissions Required for
User Actions on page 227.
For instructions, see Setting the SA Client Features Permissions on page 30 and the
adjacent sections.
11 Set the OGFS permissions on the user groups.
OGFS permissions are required for some actions. The OGFS permissions are included in
the tables in Permissions Required for the SA Client on page 207.
For instructions, see Adding OGFS Permissions on page 32.
12 Create the folder hierarchy in the Library of the SA Client.
For information on folders, see the Software Management Setup chapter of the
SA Policy Setter Guide.
13 Set the folder permissions.
Again, see Permissions Required for the SA Client on page 207. In general, you need read
permission on a folder to use its contents in an operation, write permission to create folder
contents, and execute permission to run scripts that reside in a folder.
For instructions, see Setting Folder Permissions on page 31.
14 (Optional) Delegate the management of folder permissions to other user groups,
individual users, or customer administrators.
For instructions, see Setting Folder Permissions on page 31.
15 Create new users in SA or import existing users from an external LDAP.
For instructions, see Creating a User on page 24 or External LDAP Directory Service with
SA on page 38.
16 Assign users to the appropriate groups.
For instructions, see Assigning a User to a Group on page 27.
Private User Group
When an SA administrator creates a new user, SA automatically creates a private user group
for the new user and assigns the new user to the private user group. The name of the private
user group is the user name.
A private user group can contain only one SA user, and every SA user belongs to exactly one
private user group. The SA administrator can then assign feature and resource permissions to
the private user group. The permissions that you specify for a private user group determine
what the user can do with SA. Feature permissions specify what actions the user can perform;
resource permissions indicate which objects (typically servers) the user can perform the
actions on. OGFS permissions cannot be assigned to a private group.
For example, when an SA administrator creates a new user with the user name John, a private
user group named John is also created, and a default folder named John is created in the Home
directory. The SA administrator can then assign feature and resource permissions to the
private user group John.
An SA user can be a member of several user groups in addition to the user's private group.
The permissions the user derives from these memberships are not a cross-product of the
resource and feature permissions of all the groups taken together: each group's feature
permissions apply only together with that same group's resource permissions, as in Table 5.
When a user is deleted, SA automatically deletes the corresponding private user group, and
the default folder for that user is moved to /Home/deleted_users.
To access a private user group, see Setting Private User Group Permissions on page 33. After
accessing a private user group, the SA administrator may assign the following permissions:
1 Set the resource permissions on the private user group.
These permissions specify read and write access to servers associated with facilities,
customers, and device groups. Resource permissions control which servers the user can
access.
For instructions, see Setting the Customer Permissions on page 27 and Setting
the Facility Permissions on page 28.
2 Set the feature (action) permissions on the private user group.
To determine which feature permissions are required to perform a specific task, see
Setting the SA Client Features Permissions on page 30 and Setting the General
Feature Permissions on page 30.
3 Set the folder permissions on the default home folder of the user. When an SA
administrator creates a new user, a home folder is also created for the user at
/Home/user_name. By default, the user has Read and Write
permissions to this folder and the SA administrator has List and Edit permissions to this
folder.
For instructions, see Setting Folder Permissions on page 31.
Managing Users and User Groups
To manage users, you must log in to the SAS Web Client as a super administrator (admin).
User Management
You can create, modify, delete, and suspend users, and view user permissions.
Creating a User
You can create SA users with the SAS Web Client, or you can import users from an external
LDAP directory. See External LDAP Directory Service with SA on page 38 in this chapter for
more information.
To create a user with the SAS Web Client, perform the following steps:
1 From the navigation panel, select Administration > Users & Groups.
The Users tab appears. (See Figure 2.)
Figure 2 Users Tab
2 Click New User.
3 On the Profile Editor page, fill in the required fields, which are labelled in bold font.
The Login User Name may be different than the first, last, and full names. The Login
User Name is not case sensitive and cannot be changed after the user is created.
4 (Optional) If both SA and HP Network Automation (NA) are installed, and you want the
user to authenticate with NA, then select NA for the Credential Store.
The Credential Store field can be either SA (the default), Network Automation (NA),
External, or RSA 2-factor. The value NA specifies that the user was configured on a
TACACS+/RADIUS server connected to NA, not a native NA user. The value External
indicates that the user was imported from an external LDAP directory. The value RSA
2-factor specifies that the user was configured on an RSA server connected to SA. You can
change the user password in the SAS Web Client only if the Credential Store is SA.
5 (Optional) Assign the user to one or more of the groups listed at the bottom of the page.
You can also assign the user to a group at a later time. If a user does not belong to a group,
the user cannot view servers or perform tasks with the SA Client.
6 Click Save to create the user.
Editing User Profile Information
Each SA user can edit the profile information for his or her own login user. If you log in as a
super administrator (admin), you may view or edit the information of any SA user. To do so,
perform the following steps:
1 From the navigation panel, select Administration > Users & Groups.
2 On the Users tab, select an entry in the User Name column.
3 In the Profile Editor, modify the information as appropriate.
4 Click Save.
Viewing a User's Permissions
You do not assign permissions directly to a user. Instead, you set the permissions on a user
group and then assign a user to a group. To view the permissions of a user, perform the
following steps:
1 From the navigation panel, select Administration > Users & Groups.
2 On the Users tab, select an entry in the User Name column.
3 If the user belongs to more than one group, on the Edit User page, select a user group in
the View as field. The permissions displayed depend on the user group you select.
4 View the permissions on the Resource Privileges and Action Privileges tabs.
Deleting a User
When you delete a user, the user's login and logout history is permanently stored, and the
user is unassigned from user groups. After a user is deleted, you can create another user with
the same name.
To delete an SA user, perform the following steps:
1 From the navigation panel, select Administration > Users & Groups.
2 On the Users tab, select the check box next to the user to be deleted.
3 Click Delete.
Suspending a User
A suspended user cannot log in to SA, but has not been deleted from the Model Repository. A
suspended user is indicated by the lock icon on the Users tab of the SAS Web Client. A user
can be suspended in the following ways:
Login Failure: If you specify Login Failure on the Security Settings tab, and someone
tries to log in with the wrong password a specified number of times, the user account is
suspended. For instructions on accessing the Security Settings tab, see the first two steps
of Resetting Initial Passwords on page 36.
Account Inactivity: If you specify Account Inactivity on the Security Settings tab, and
the user has not logged on for the specified number of days, the user account is suspended.
Expired Password: A user is suspended if the password has expired and all of the grace
logins have been used.
Suspend: To suspend the user's account immediately, go to the Users tab, select the
user's check box, and click Suspend.
To activate a suspended user, go to the Users tab, select the user's check box, and click
Activate.
User Group Management Tasks
You can create, copy and delete user groups and assign users to user groups.
Figure 3 User Group Page
Creating a User Group
To create an SA user group, perform the following steps:
1 From the navigation panel, select Administration > Users & Groups.
2 On the Groups tab, click New Group.
3 On the New Group page, enter a name in the Group name field. Name the group after the
role it represents, for example Patch Admins.
4 At this point, you can select the check boxes under the Feature column to assign feature
permissions to the group. The New Group page, however, does not display all available
permissions; to set the complete set, see Setting Permissions on User Groups on page 27.
5 Click Save.
Copying a User Group
To copy (clone) an existing user group to create a new group with the same configuration,
perform the following tasks:
1 Select the checkbox next to the user group you want to copy (clone).
2 Click the Copy button.
3 The Copy User Group page appears. Specify a name for the new user group and,
optionally, a description.
4 Press the Copy button. When the copy completes, the new group appears in the User
Groups list.
Deleting a User Group
To delete an existing user group, perform the following tasks:
1 Select the checkbox next to the user group(s) you want to delete.
2 Click the Delete button.
Assigning a User to a Group
You should assign each SA user to a group reflecting the user's role in your organization. To
assign an SA user to a user group, perform the following steps:
1 From the navigation panel, select Administration > Users & Groups.
2 On the Group tab, select a user group from the Name column.
3 On the Users tab, in the Unassigned Members box, select the user name.
4 Click the right arrow.
5 To unassign a user, click the name in the Assigned Members box and click the left arrow.
6 Click Save.
Setting Permissions on User Groups
To perform the tasks in this section, you must log in to the SAS Web Client as a super or
customer administrator. (The default super administrator is admin.)
If you change permissions while a user is logged on to the SAS Web Client or SA Client, the
user must log out and log in again for the changes to take effect.
Setting the Customer Permissions
In SA, you can associate a customer with a number of resources, including servers, folders,
application configurations, and OS installation profiles. By setting the customer permission,
you control the access that the users of a group have to the resources associated with the
customer. For example, if you want the users of a group to be able to view (but not modify) the
servers associated with the Widget Inc. customer, set the permission to Read.
The customer permissions also control access to the customer object itself. For example, to add
a custom attribute to a customer, a user must belong to a group that has Read & Write
permission to the specific customer, as well as permission for the Customers feature.
To control the access to the resources associated with a customer, perform the following steps:
1 From the navigation panel, select Administration > Users & Groups.
2 On the Groups tab, select an entry in the Name column. Another set of tabs appears,
including the Customers tab.
3 On the Customers tab, for each customer listed, select Read, Read & Write, or None.
4 Click Save.
Setting the Facility Permissions
In SA, a facility can be associated with resources such as servers and IP ranges. To modify a
server of a particular facility, a user must belong to a group that has Read & Write permission
for the facility.
The facility permissions also control access to the facility object itself. For example, to modify
a property of a facility, a user must belong to a group that has Read & Write permission to the
facility, as well as permission for the Facilities feature.
To control the access to the resources associated with a facility, perform the following steps:
1 From the navigation panel, select Administration > Users & Groups.
2 On the Groups tab, select an entry in the Name column. Another set of tabs appears,
including the Facilities tab.
3 On the Facilities tab, select Read, Read & Write, or None.
4 Click Save.
Setting the Device Group Permissions
To control access to the servers in a public device group, select a permission on the Device
Groups tab. (You cannot control access to a private device group, which is visible only to the
user who created it.)
If the Device Groups tab lists no device groups, then access to servers is not controlled by
membership in device groups; however, access to servers is still controlled by their association
with customers and facilities. If the Device Groups tab lists at least one device group, then
access is denied to unlisted device groups (the equivalent of a None permission).
Access control based on device groups is optional. By default, membership in a device group
does not restrict access. In contrast, for servers associated with customers or facilities, the
default permission is None, which prohibits access.
You can combine customer, facility, and device group permissions to implement security
policies. For example, you can restrict access to servers that are associated with the Acme
Corp. customer, reside in the Fresno facility, and belong to a device group that contains only
Windows servers.
A device group can contain other device groups. However, permissions are not inherited by the
contained (children) device groups.
The permissions on the Device Groups tab control access to servers that belong to device
groups. However, these permissions do not control the management of the device groups. To
create, modify, or delete device groups, a user must belong to a user group that has the
Manage Public Device Groups and the Model Public Device Groups check boxes selected on
the Other tab. Also, the Managed Servers and Groups check box must be selected on the
Features tab. To add devices to a device group being used as an Access Control Group, the
user must be a member of the Super Administrators group.
To control access to servers that belong to a device group, perform the following steps:
1 From the navigation panel, select Administration > Users & Groups.
2 On the Groups tab, select an entry in the Name column. Another set of tabs appears,
including the Device Groups tab.
3 On the Device Groups tab, note the check box below Assign. If this check box is selected,
then access to managed servers is not based on device groups.
4 Deselect the check box below Assign.
5 Click Assign.
The Select Groups page appears. (See Figure 4.)
Figure 4 Select Groups Page
6 On the Select Groups page, use the Browse or Search tab to locate the device groups.
7 On the Browse or Search tab, click the device group name and then click Select.
8 On the Device Groups tab, for each device group listed, select the check box and click the
button for the appropriate access.
To allow viewing (but not modification) of the servers in a device group, select the Read
permission. To allow both viewing and modification, select the Read & Write permission.
9 Click Save.
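The resource-permission rules stated in this and the preceding two sections (customer and facility permissions default to None; device-group access control is optional and, once at least one device group is listed, denies unlisted groups; child device groups do not inherit), together with the group-by-group, non-cross-product evaluation illustrated by Table 5 and described under Private User Group, can be checked against a planned group design with the following Python model. It is an added example written for this page, not SA code and not the aaa utility; the server, group, customer, facility and device-group names are constructed from the chapter's own examples, and the rule that a server is accessible at the weakest of the applicable customer, facility and device-group levels is this example's assumption rather than a statement from the guide.

```python
from dataclasses import dataclass, field

# Levels selectable on the Customers, Facilities and Device Groups tabs.
LEVELS = {"None": 0, "Read": 1, "Read & Write": 2}
LEVEL_NAMES = {v: k for k, v in LEVELS.items()}


@dataclass(frozen=True)
class Server:
    name: str
    customer: str
    facility: str
    device_groups: frozenset = frozenset()  # public device groups it belongs to directly


@dataclass
class UserGroup:
    name: str
    customers: dict = field(default_factory=dict)      # customer -> level; unlisted = None
    facilities: dict = field(default_factory=dict)     # facility -> level; unlisted = None
    device_groups: dict = field(default_factory=dict)  # device group -> level; {} = not restricted
    features: frozenset = frozenset()                  # feature (action) permissions

    def server_level(self, server):
        """Access level this one group grants on `server`.

        Customer and facility default to None, so an unlisted customer or
        facility denies access. Device-group access control is optional: with
        no device groups listed it does not restrict access; once at least one
        is listed, unlisted groups are the equivalent of None. Child device
        groups do not inherit, so only the server's direct groups are consulted.
        Taking the weakest applicable level is this example's assumption.
        """
        level = min(LEVELS[self.customers.get(server.customer, "None")],
                    LEVELS[self.facilities.get(server.facility, "None")])
        if self.device_groups:
            via_dg = max((LEVELS[self.device_groups.get(g, "None")]
                          for g in server.device_groups), default=0)
            level = min(level, via_dg)
        return LEVEL_NAMES[level]


def effective_level(groups, server):
    """Cumulative access across all of a user's groups: the best any one group grants."""
    return LEVEL_NAMES[max((LEVELS[g.server_level(server)] for g in groups), default=0)]


def allowed(groups, feature, server, need="Read"):
    """Can a member of `groups` use `feature` on `server`?

    Evaluated group by group: the SAME group must hold the feature permission
    and at least `need` on the server. A feature held through one group is
    never crossed with server access held through another group.
    """
    return any(feature in g.features and LEVELS[g.server_level(server)] >= LEVELS[need]
               for g in groups)


# Constructed sample data; names follow the chapter's examples.
WEB01 = Server("web01", customer="Widget, Inc.", facility="Sunnyvale")
WIN07 = Server("win07", customer="Acme Corp.", facility="Fresno",
               device_groups=frozenset({"Windows Servers"}))
LNX03 = Server("lnx03", customer="Acme Corp.", facility="Fresno",
               device_groups=frozenset({"Linux Servers"}))

SUNNYVALE = UserGroup("Sunnyvale",
                      customers={"Widget, Inc.": "Read & Write"},
                      facilities={"Sunnyvale": "Read & Write"},
                      features=frozenset({"Manage Packages"}))
DALLAS = UserGroup("dallas",
                   customers={"Acme Corp.": "Read & Write"},
                   facilities={"Fresno": "Read & Write"},
                   device_groups={"Windows Servers": "Read & Write"},  # DG access control in use
                   features=frozenset({"Manage OS Sequences"}))
VIEWERS = UserGroup("Viewers",
                    customers={"Widget, Inc.": "Read", "Acme Corp.": "Read"},
                    facilities={"Sunnyvale": "Read & Write", "Fresno": "Read & Write"})

if __name__ == "__main__":
    both = [SUNNYVALE, DALLAS]
    for feature, server in [("Manage Packages", WEB01), ("Manage Packages", WIN07),
                            ("Manage OS Sequences", WIN07), ("Manage OS Sequences", LNX03)]:
        print(f"{feature:20} on {server.name}: {allowed(both, feature, server)}")
    print("Viewers on web01:", effective_level([VIEWERS], WEB01))
```

Running it shows that a user who belongs to both Sunnyvale and dallas can Manage Packages on web01 but not on win07, even though dallas gives that user Read & Write on win07: the feature comes from one group and the server access from the other. It also shows lnx03 becoming inaccessible to dallas as soon as a single device group is listed on the dallas group, because Linux Servers is then unlisted.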
Setting the General Feature Permissions
The Features tab of the SAS Web Client includes many tasks, including managing the servers
and running the wizards. If the check box for a feature is unselected, then the SAS Web Client
does not display the related links in the navigation panel.
To allow the users in a group the ability to view and execute a task on the Features tab,
perform the following:
1 From the navigation panel, select Administration > Users & Groups.
2 On the Group tab, select a user group from the Name column.
3 Another set of tabs appears, including the Features tab. (See Figure 5.)
Figure 5 Features Tab
4 On the Features tab, select the check box for each feature that should be enabled for the
user group. To prevent (and hide) a feature, deselect the check box.
5 Click Save.
Setting the SA Client Features Permissions
The Client Features tab of the SAS Web Client lists permissions for the actions performed
with the SA Client. These actions are for features such as Application Configuration and
Software Policy Management.
To set these permissions for the SA Client perform the following steps:
1 From the navigation panel, select Administration > Users & Groups.
2 On the Group tab, select a user group from the Name column. Another set of tabs appears,
including the Client Features tab.
3 On the Client Features tab, select the appropriate permission buttons.
4 Click Save.
Setting the Other Features Permissions
The Other tab of the SAS Web Client contains the following permissions:
General Permissions: Allows users in a user group to edit shared scripts or to run their own
scripts as root (Run My Scripts as Root). The Features tab also has script-related permissions: Scripts, and Wizard:
Run Scripts.
Server and Device Group Permissions: Enables users in a user group to perform
particular tasks on managed servers. The Allow Run Refresh Jobs permission lets users
specify a job to update the servers list. The Manage Public Servers Group permission
enables users to create device groups, modify the group properties, and change the group
membership (through rule changes, or adding and deleting servers). All users can view all
public device groups.
The Model Public Servers Group permission lets users add custom attributes. (These
permissions apply to public, not private device groups. Only the user who creates a
private device group can view or modify it.) The Features tab also has a permission
related to managing servers: Managed Servers and Groups.
Job Permissions: Allows users in a user group to view and schedule jobs, which include
operations such as Audit Servers, Snapshots, Push Configurations, and Audit
Configurations. The View All Jobs permission lets users view the details and schedules of
jobs created by all users. The Edit All Jobs permission enables users to view or modify the
schedules of jobs created by all users and to view the job details of all users. Without these
permissions, users can view and schedule only their own jobs.
To set the permissions on the Other tab, perform the following steps:
1 From the navigation panel, select Administration > Users & Groups.
2 On the Group tab, select a user group from the Name column. Another set of tabs appears,
including the Other tab.
3 On the Other tab, select the check boxes to assign permissions to this user group.
4 Click Save.
Setting Folder Permissions
To perform this task, your user or user group must have the Edit Folder Permissions permission on the
target folder. When you create a folder, it inherits the permissions and customer of its
parent folder. If you change the permissions of a folder that has children, you are
prompted to apply the changes to the children.
To set the permissions of a folder, perform the following steps:
1 In the SA Client, navigate to the folder.
2 From the Actions menu, select Folder Properties.
3 In the Folder Properties window, select the Permissions tab.
4 On the Permissions tab, click Add to allow certain user groups to access the folder.
5 For each user group and user displayed on the Permissions tab, select a check box such as
Write Objects Within Folder. To delegate the setting of permissions for this folder, select
Edit Folder Permissions.
Adding OGFS Permissions
You can add OGFS permissions with the SAS Web Client or with the aaa command-line
utility. For syntax and examples of the aaa utility, see the SA User Guide: Server
Automation.
To add an OGFS permission in the SAS Web Client, perform the following steps:
1 From the navigation panel, select Administration > Users & Groups.
2 On the Group tab, select a user group from the Name column. Another set of tabs appears,
including the OGFS Permissions tab.
3 On the OGFS Permissions tab click Add Permission. The Add OGFS Permissions
window appears. (See Figure 6.)
Figure 6 Add OGFS Permissions Window
4 In the Add OGFS Permissions window, select a feature.
For descriptions of these features, see Table 3 on page 17.
5 If you selected a feature other than Launch Global Shell, select the managed servers this
permission applies to.
You can select servers associated with a customer, facility, or device group. If you want to
select servers associated with multiple resources (for example, two device groups) then
you must add a separate OGFS permission for each resource.
6 For Login Name, select the user account (login) on the managed servers.
The operation indicated by the Feature field will run on the managed server as the user
indicated by Login Name.
7 Click Grant.
Setting Private User Group Permissions
The SA Administrator can set the feature, resource, or folder permissions on a private user
group.
Perform the following steps to set permissions on a private user group:
1 From the navigation panel, select Administration > Users & Groups. The Users &
Groups: View Users window appears.
2 Select the user from the User Name column. The Users & Groups: Edit User window
appears.
3 From the View As drop-down menu, select the user name and then click Edit.
4 In the Users & Groups: Edit Group - <user name> window, select the Features, Customers, or
Client Features tab to assign the permissions.
5 Refer to the following sections to assign the permissions:
Setting the Customer Permissions on page 27
Setting the Facility Permissions on page 28
Setting the Device Group Permissions on page 28
Setting the General Feature Permissions on page 30
Setting the SA Client Features Permissions on page 30
Setting Folder Permissions on page 31
Managing Super and Customer Administrators
These users are the security administrators who assign permissions to user groups. To
manage super and customer administrators, you must log in to the SAS Web Client as a super
administrator. When SA is first installed, the default super administrator is the admin user.
Viewing Super and Customer Administrators
To see which users are super or customer administrators, perform the following steps:
1 From the navigation panel, select Administration > Users & Groups.
2 Select the Administrators tab. (See Figure 7.)
Figure 7 Administrators Tab
3 On the Administrators tab, note the Type field, which identifies the user as either a super
or customer administrator. The name of the customer group is in parentheses.
Creating a Super Administrator
To create a super administrator, perform the following steps:
1 Create a new user who will be the super administrator. For instructions, see Creating a
User on page 24.
2 From the navigation panel, select Administration > Users & Groups.
3 Select the Administrators tab.
4 Click New Super Administrator.
5 On the Add Super Administrators page, select one or more user names.
6 Click Save.
Deleting a Super Administrator
To delete a super administrator, perform the following steps:
1 From the navigation panel, select Administration > Users & Groups.
2 Select the Administrators tab.
3 Select the check box for the user.
4 Click Revoke. This action revokes super administrator privileges from the user, but does
not delete the user from SA.
5 To delete the user from SA, follow the instructions in Deleting a User on page 25.
Delegating User Group Management to a Customer Administrator
A customer administrator is a user who can manage a subset of user groups. The subset is
determined by customer permissions and customer groups. For a full explanation of the
relationships between these objects, see Customer Administrators on page 21.
To delegate the management of a user group, perform the following steps:
1 Identify the user who will be responsible for user group management.
This user will be a customer administrator. If the user does not exist, follow the
instructions in Creating a User on page 24.
2 Decide which user group will be managed by the user identified in the preceding step.
For instructions on viewing the user group, see Creating a User Group on page 26.
3 Note the customer permissions of the user group.
For instructions on viewing these permissions, see Setting the Customer Permissions on
page 27.
4 From the navigation panel, select Administration > Users & Groups.
5 Select the Customer Groups tab.
6 Click New Group.
7 Enter the customer group name. (See Figure 8.)
Figure 8 New Customer Group Window
8 Click Save.
9 Add the customers you noted in step 3 to the customer group.
10 Add the user you identified in step 1 to the customer group.
The user of step 1 is now the customer administrator who can manage the user group of
step 2.
11 (Optional) Verify that the user is listed as a customer administrator by following the
instructions in Viewing Super and Customer Administrators on page 33.
Managing Passwords and Login Settings
An SA user can change his or her own password on the Profile page of the SAS Web Client. A
super administrator can change the password of other users, as well as perform other
password management tasks described in the following sections.
Changing Passwords
Only a super administrator (admin) can change the passwords of other SA users. If the user
name has been imported from an external LDAP directory, then the password cannot be
changed with the SAS Web Client.
To change the password of an SA user in the SAS Web Client, perform the following steps:
1 From the navigation panel, select Administration > Users & Groups.
2 On the Users tab, select a user name.
3 On the User Identification tab, click Change Password.
4 Enter the new password, confirm it, and click Save.
Specifying Password Character Requirements
To specify character requirements for SA users, perform the following steps:
1 From the navigation panel, select Administration > System Configuration. The Select a
Product page appears.
2 Under Select a Product, click SAS Web Client. The Modify Configuration Parameters page
appears.
3 On the Modify Configuration Parameters page, set the
owm.features.MiniPasswordPolicy.allow parameter to true.
This parameter must be true for the other password parameters on this page to take
effect. To disable the other password parameters, set
owm.features.MiniPasswordPolicy.allow to false.
4 Set the values for the password parameters listed in Table 8.
5 Click Save.
6 To apply these parameter changes to other cores in a multimaster mesh, you must restart
the other cores.
Resetting Initial Passwords
To require users to reset their passwords the first time they log in to SA, perform the
following steps:
1 From the navigation panel, select Administration Users & Groups.
2 Select the Security Settings tab.
3 Select Reset.
Setting Password Expiration
To require SA users to change passwords after a certain number of days, perform the
following steps:
1 From the navigation panel, select Administration Users & Groups.
2 Select the Security Settings tab.
Table 8 Password Requirements on the Modify Configuration Parameters Page
password
requirement parameter allowed values
default
value
maximum number of
repeating, consecutive
characters
owm.pwpolicy.maxRepeats must be greater than 0 2
minimum number of
characters
owm.pwpolicy.minChars positive integer 6
minimum number of
non-alphabetic
characters
owm.pwpolicy.
minNonAlphaChars
must be less than value
of
owm.pwpolicy.minChars
0
User and User Group Setup and Security 37
3 In the check boxes next to the Expiration label, select the number of days for the password
expiration and the number of grace logins.
A grace login allows the user to log in with the old password. Typically, the grace login is
set to 1, enabling the user to log in to the SAS Web Client, access the My Profile page, and
change the password.
4 To specify the number of previous passwords allowed by users, select Retention and enter
a value.
This setting prohibits users from re-using the same set of passwords. For example, if the
value is 10, the users are not be allowed to re-use their previous 10 passwords.
For information on Login Failure and Account Inactivity, see Suspending a User on page 26.
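The following is an added example, written for this guide rather than code from Server Automation, that models the password settings described in the sections above: the three owm.pwpolicy.* parameters of Table 8 (with their validity constraints), the Retention setting, and the Expiration and grace-login settings. How the SAS Web Client itself evaluates these parameters is not documented here, so the rule readings (for example that owm.pwpolicy.maxRepeats=2 rejects "aaa" but allows "aa", and that Retention=10 compares against the ten most recent passwords) are this example's assumptions, as are the expiration_days value and the digest used for password history.

```python
"""Password policy checks modelled on the SA settings (added example, not SA code)."""
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib


@dataclass
class PasswordPolicy:
    allow: bool = True          # owm.features.MiniPasswordPolicy.allow
    max_repeats: int = 2        # owm.pwpolicy.maxRepeats (longest run of one character)
    min_chars: int = 6          # owm.pwpolicy.minChars
    min_non_alpha: int = 0      # owm.pwpolicy.minNonAlphaChars
    expiration_days: int = 90   # Security Settings > Expiration (assumed value)
    grace_logins: int = 1       # Security Settings > grace logins
    retention: int = 10         # Security Settings > Retention

    def validate(self) -> list:
        """Constraints Table 8 places on the parameters themselves."""
        problems = []
        if self.max_repeats <= 0:
            problems.append("owm.pwpolicy.maxRepeats must be greater than 0")
        if self.min_chars <= 0:
            problems.append("owm.pwpolicy.minChars must be a positive integer")
        if self.min_non_alpha >= self.min_chars:
            problems.append("owm.pwpolicy.minNonAlphaChars must be less than owm.pwpolicy.minChars")
        return problems


def digest(password: str) -> str:
    """Illustrative history digest only; a real store would use a salted, slow hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def longest_run(s: str) -> int:
    """Length of the longest run of identical consecutive characters."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def check_password(candidate: str, policy: PasswordPolicy, history=()) -> list:
    """Return the violated rules; an empty list means the password is acceptable.

    history: digests of previous passwords, most recent first. Only the first
    policy.retention entries count, per the Retention description above.
    """
    failures = []
    if policy.allow:  # character rules apply only when MiniPasswordPolicy.allow is true
        if len(candidate) < policy.min_chars:
            failures.append(f"fewer than {policy.min_chars} characters")
        non_alpha = sum(1 for ch in candidate if not ch.isalpha())
        if non_alpha < policy.min_non_alpha:
            failures.append(f"fewer than {policy.min_non_alpha} non-alphabetic characters")
        if longest_run(candidate) > policy.max_repeats:
            failures.append(f"more than {policy.max_repeats} repeating consecutive characters")
    if digest(candidate) in list(history)[:policy.retention]:
        failures.append(f"reuses one of the previous {policy.retention} passwords")
    return failures


def login_status(last_change: date, today: date, grace_used: int, policy: PasswordPolicy) -> str:
    """'ok' while the password is current, 'grace' if expired but a grace login remains,
    otherwise 'expired' (the user needs an administrator to reset the password)."""
    if today - last_change <= timedelta(days=policy.expiration_days):
        return "ok"
    return "grace" if grace_used < policy.grace_logins else "expired"
```

Run check_password against a candidate before pushing a new policy to users to see which of your existing conventions the new minimums would reject; validate() catches the one combination the page warns about, minNonAlphaChars not being below minChars.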
Specifying Session Timeout
You can specify the timeout interval (in minutes) of inactive SA Client sessions. When a
session times out, the user must re-enter the password or log out.
To specify the timeout for SA Client sessions, perform the following steps:
1 From the navigation panel of the SAS Web Client, select Administration > Users &
Groups.
2 Select the Security Settings tab.
3 Select Session Inactivity and specify the number of minutes.
The Session Inactivity parameter does not affect SAS Web Client sessions. The default session
timeout for the SAS Web Client is 60 minutes. To change the default, you edit a configuration
file and restart the OCC core component. For instructions on editing the configuration file,
contact your HP support representative.
Setting the User Agreement
If you enable the user agreement, when users log in with the SA Client or the SAS Web
Client, a dialog appears with a specified message. To continue the log in procedure, the users
must click Agree. (In some products, a user agreement dialog is called a login approval
screen.)
To set the user agreement, perform the following steps:
1 From the navigation panel, select Administration > Users & Groups.
2 Select the Security Settings tab.
3 In the User Agreement section, select Display and enter text in the Message field.
Setting the Banner
If you enable the banner, after the users log in, the specified text appears in a banner at the
top of the SA Client and the SAS Web Client. To set the banner, perform the following steps:
1 From the navigation panel, select Administration > Users & Groups.
2 Select the Security Settings tab.
3 In the Banner Settings section, select Display
4 In the Message field, enter the text to be displayed in the banner.
5 To set the background color of the banner, select an item from Color Code or enter a hex
value in the adjacent field.
External LDAP Directory Service with SA
You can configure SA to use an external LDAP directory service for user authentication. With
external authentication, you do not have to maintain separate user names and passwords for
SA. When users log in to the SAS Web Client, they enter their LDAP user names and
passwords.
Imported Users
With the SAS Web Client, you search for users in the external LDAP and then you import
selected users into SA. You can limit the search results by specifying a filter. The import
process fetches the following user attributes from the LDAP:
firstName
lastName
fullName
emailAddress
phoneNumber
street
city
state
country
After the import process, you may edit the preceding list of attributes within the SAS Web
Client. However, you cannot change the user login name or password. Importing a user is a
one-time, one-way process. Changes to the user attributes you make using the SAS Web
Client are not propagated back to the external LDAP directory server, and vice versa.
Imported users are managed in the same way as users created by the SAS Web Client. For
example, you use the SAS Web Client to assign imported users to user groups and to delete
imported users from SA. If you delete an imported user with the SAS Web Client, the user is
not deleted from the external LDAP directory.
If you use external authentication, you can still create separate users with the SAS Web
Client. However, this practice is not recommended.
To see which users have been imported, view the Users tab of the SAS Web Client and note
the users with External in the Credential Store column.
SSL and External Authentication
Although SSL is not required for external authentication, it is strongly recommended. The
certificate files needed for LDAP over SSL must be in Privacy Enhanced Mail (PEM) format.
Depending on the LDAP server, you may need to convert the server's CA certificate to PEM
format.
Supported External LDAP Directory Servers
You can use the following directory server products with SA:
Microsoft Active Directory (Windows Server 2000, 2003 or 2008)
Novell eDirectory 8.7
SunDS 5.2
Modify the nsswitch.conf File (Linux)
In order to use LDAP authentication on Linux, the /etc/nsswitch.conf file must be modified so
that the passwd and group databases read local files first and then LDAP:
passwd: files ldap
group: files ldap
The typical value for these entries is compat. However, a bare compat value can cause the SA
gateway to fail and/or interfere with OGFS functionality and access.
Alternatively, keeping compat and directing its lookups to LDAP may also work:
passwd: compat
group: compat
passwd_compat: ldap
group_compat: ldap
Using an LDAP Directory Server with SA
To use an LDAP directory server with SA, perform the following basic steps:
1 Add the aaa.ldap entries to the twistOverrides.conf file with a text editor. See
Modifying the Web Services Data Access Engine Configuration File on page 40.
2 Get the SSL server certificate from the LDAP directory server. See Importing a Server
Certificate from the LDAP into SA on page 42. (Use of SSL is not required, but strongly
recommended.)
3 Edit the loginModule.conf file with a text editor. See Configuring the JAAS Login Module
(loginModule.conf) on page 43.
4 Restart the Web Services Data Access Engine:
Linux: /etc/init.d/opsware-sas restart twist
HP-UX: /sbin/init.d/opsware-sas restart twist
AIX: /etc/rc.d/init.d/opsware-sas restart twist
5 Use the SAS Web Client to import users from the LDAP directory server into SA. See
Importing External LDAP Users and User Groups on page 44.
In a multimaster mesh, you must perform steps 1 - 4 on each Web Services Data Access
Engine.
Modifying the Web Services Data Access Engine Configuration File
To modify twistOverrides.conf, perform the following steps:
1 Log in as root to the system running the Web Services Data Access Engine, an SA Core
Component.
2 In a text editor, open this file:
/etc/opt/opsware/twist/twistOverrides.conf
3 In the text editor, add the necessary properties (listed in Table 9) to the
twistOverrides.conf file. Although not required, the SSL properties are recommended.
For examples of the lines required for the twistOverrides.conf file, see the sections
that follow Table 9.
4 Save the twistOverrides.conf file and exit the text editor.
5 Make sure that the Unix twist user has write access to the twistOverrides.conf file.
The bind password in aaa.ldap.search.pw is stored in clear text until the Web Services
Data Access Engine is restarted and encrypts it, so the file should not be readable by
any user other than root and twist.
Table 9 Properties in twistOverrides.conf for an External LDAP
Property | Description
aaa.ldap.hostname | The host name of the system running the LDAP directory server.
aaa.ldap.port | The port number of the LDAP directory server.
aaa.ldap.search.binddn | The BIND DN (Distinguished Name) for LDAP, required by the search of the import user operation. A blank value denotes an anonymous BIND.
aaa.ldap.search.pw | The BIND password for LDAP, required by the search of the import user operation. This value is encrypted when the Web Services Data Access Engine is restarted. A blank value denotes an anonymous BIND.
aaa.ldap.search.filter.template | The search filter template is used, with optional filter substitution, as the filter in the LDAP search for the user import. Any dollar sign ($) character in the template is replaced by the filter string specified in the Import Users page of the SAS Web Client. (The default value is an asterisk (*), which matches all entries.)
aaa.ldap.search.base.template | The configurable template allows support for a range of DIT configurations and schema in the LDAP service. The search base template string is used as the search base in the LDAP search operations for the user import.
aaa.ldap.search.naming.attribute | The naming attribute allows support for a range of schema in LDAP services. Some use uid, others use cn, and so on. The value of this attribute is used for the internal user ID in SA.
aaa.ldap.search.naming.display.name | The display-name attribute allows support for a range of schema in LDAP services. Some use cn, others use displayName, and so on. The value of this attribute is used for the Full Name of the SA user.
aaa.ldap.ssl | SSL: A value of true enables SSL.
aaa.ldap.secureport | SSL: The secure port of the LDAP directory server.
aaa.ldap.usestarttls | SSL: A value of true enables Start TLS.
aaa.ldap.servercert.ca.fname | SSL: The fully qualified file name of the server CA certificate.
aaa.ldap.clientcert | SSL: A value of true enables client certificate use.
aaa.ldap.clientcert.fname | SSL: The fully qualified file name of the client certificate.
aaa.ldap.clientcert.ca.fname | SSL: The fully qualified file name of the client CA certificate.
The examples that follow use a directory administrator account as the bind DN for brevity.
The bind account only needs read access to the part of the DIT that holds user entries, so use a
dedicated read-only account rather than an administrator account in production.
Example: twistOverrides.conf for Microsoft Active Directory Without SSL
aaa.ldap.search.binddn=cn=Administrator,cn=users,dc=example,dc=com
aaa.ldap.search.pw=secret
aaa.ldap.hostname=myservername.internal.example.com
aaa.ldap.port=389
aaa.ldap.search.filter.template=(&(objectclass=user)(cn=$))
aaa.ldap.search.base.template=cn=users,dc=example,dc=com
aaa.ldap.search.naming.attribute=samaccountname
aaa.ldap.search.naming.display.name=cn
Example: twistOverrides.conf for Microsoft Active Directory With SSL
aaa.ldap.search.binddn=cn=Administrator,cn=users,dc=example,dc=com
aaa.ldap.search.pw=secret
aaa.ldap.hostname=myservername.internal.example.com
aaa.ldap.secureport=636
aaa.ldap.ssl=true
aaa.ldap.servercert.ca.fname=/var/opt/opsware/crypto/twist/cert.pem
aaa.ldap.search.filter.template=(&(objectclass=user)(cn=$))
aaa.ldap.search.base.template=cn=users,dc=example,dc=com
aaa.ldap.search.naming.attribute=samaccountname
aaa.ldap.search.naming.display.name=cn
Example: twistOverrides.conf for Novell eDirectory Without SSL
aaa.ldap.search.binddn=cn=admin,o=example
aaa.ldap.search.pw=secret
aaa.ldap.hostname=myservername.internal.example.com
aaa.ldap.port=389
aaa.ldap.search.filter.template=(&(objectclass=inetorgperson)(uid=$))
aaa.ldap.search.base.template=o=example
aaa.ldap.search.naming.attribute=uid
aaa.ldap.search.naming.display.name=cn
Example: twistOverrides.conf for Novell eDirectory With SSL
aaa.ldap.search.binddn=cn=admin,o=example
aaa.ldap.search.pw=secret
aaa.ldap.hostname=myservername.internal.example.com
aaa.ldap.secureport=636
aaa.ldap.ssl=true
aaa.ldap.servercert.ca.fname=/var/opt/opsware/crypto/twist/ldapcert.pem
aaa.ldap.search.filter.template=(&(objectclass=inetorgperson)(uid=$))
aaa.ldap.search.base.template=o=example
aaa.ldap.search.naming.attribute=uid
aaa.ldap.search.naming.display.name=cn
Example: twistOverrides.conf for SunDS Without SSL
aaa.ldap.search.binddn=cn=Directory Manager
aaa.ldap.search.pw=secret
aaa.ldap.hostname=myservername.internal.example.com
aaa.ldap.port=389
aaa.ldap.search.filter.template=(&(objectclass=inetorgperson)(uid=$))
aaa.ldap.search.base.template=ou=people,dc=example,dc=com
aaa.ldap.search.naming.attribute=uid
aaa.ldap.search.naming.display.name=cn
Example: twistOverrides.conf for SunDS With SSL
aaa.ldap.search.binddn=cn=Directory Manager
aaa.ldap.search.pw=secret
aaa.ldap.hostname=myservername.internal.example.com
aaa.ldap.secureport=636
aaa.ldap.ssl=true
aaa.ldap.servercert.ca.fname=/var/opt/opsware/crypto/twist/ldapcert.pem
aaa.ldap.search.filter.template=(&(objectclass=inetorgperson)(uid=$))
aaa.ldap.search.base.template=ou=people,dc=example,dc=com
aaa.ldap.search.naming.attribute=uid
aaa.ldap.search.naming.display.name=cn
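Before restarting the Web Services Data Access Engine it is worth checking that the aaa.ldap.* lines you have written form a consistent set. The following is an added example, not part of Server Automation, that parses the key=value lines shown above, applies the combinations Table 9 describes (a plain connection needs aaa.ldap.port; aaa.ldap.ssl=true needs aaa.ldap.secureport and a CA file; a bind DN needs a bind password), and renders the search filter template the way the Import Users page does, by replacing every "$" with the filter string. Which keys are treated as required, and the warnings, are this example's choices; the embedded sample configuration is constructed from the Active Directory example above with a read-only bind account name that is an assumption.

```python
"""Sanity-check the aaa.ldap.* properties of twistOverrides.conf (added example, not SA code)."""
import os

# Constructed sample, modelled on the Active Directory-with-SSL example above.
SAMPLE_AD_SSL = """\
aaa.ldap.search.binddn=cn=sa-ldap-reader,cn=users,dc=example,dc=com
aaa.ldap.search.pw=secret
aaa.ldap.hostname=myservername.internal.example.com
aaa.ldap.secureport=636
aaa.ldap.ssl=true
aaa.ldap.servercert.ca.fname=/var/opt/opsware/crypto/twist/cert.pem
aaa.ldap.search.filter.template=(&(objectclass=user)(cn=$))
aaa.ldap.search.base.template=cn=users,dc=example,dc=com
aaa.ldap.search.naming.attribute=samaccountname
aaa.ldap.search.naming.display.name=cn
"""

REQUIRED = ("aaa.ldap.hostname", "aaa.ldap.search.base.template",
            "aaa.ldap.search.naming.attribute", "aaa.ldap.search.filter.template")


def parse_properties(text: str) -> dict:
    """Parse key=value lines; blank lines and '#' comments are ignored.
    Only the first '=' separates key from value, so DNs keep their own '=' signs."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"not a key=value line: {raw!r}")
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def render_filter(template: str, filter_string: str = "*") -> str:
    """Substitute the Import Users filter string for every '$' in the template."""
    return template.replace("$", filter_string)


def check_ldap_config(props: dict) -> tuple:
    """Return (errors, warnings) for the aaa.ldap.* settings in props."""
    errors, warnings = [], []

    def get(key: str) -> str:
        return props.get(key, "").strip()

    for key in REQUIRED:
        if not get(key):
            errors.append(f"{key} is missing")
    if "$" not in get("aaa.ldap.search.filter.template"):
        warnings.append("filter template contains no '$', so the Import Users filter string is ignored")

    if get("aaa.ldap.ssl").lower() == "true":
        if not get("aaa.ldap.secureport"):
            errors.append("aaa.ldap.ssl=true but aaa.ldap.secureport is not set")
        ca = get("aaa.ldap.servercert.ca.fname")
        if not ca:
            errors.append("aaa.ldap.ssl=true but aaa.ldap.servercert.ca.fname is not set")
        elif not os.path.isfile(ca):
            warnings.append(f"CA certificate file {ca} not found on this host")
        if get("aaa.ldap.clientcert").lower() == "true":
            for key in ("aaa.ldap.clientcert.fname", "aaa.ldap.clientcert.ca.fname"):
                if not get(key):
                    errors.append(f"aaa.ldap.clientcert=true but {key} is not set")
    else:
        if not get("aaa.ldap.port"):
            errors.append("aaa.ldap.port is not set and aaa.ldap.ssl is not true")
        warnings.append("LDAP without SSL: the bind password and user searches cross the network in clear text")

    binddn, password = get("aaa.ldap.search.binddn"), get("aaa.ldap.search.pw")
    if binddn and not password:
        errors.append("aaa.ldap.search.binddn is set but aaa.ldap.search.pw is empty")
    if not binddn:
        warnings.append("blank bind DN: the import search will use an anonymous bind")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_ldap_config(parse_properties(SAMPLE_AD_SSL))
    print("errors:", errs)
    print("warnings:", warns)
    print("filter for 'A*':", render_filter("(&(objectclass=user)(cn=$))", "A*"))
```

Point the script at /etc/opt/opsware/twist/twistOverrides.conf on the engine host and fix every reported error before the restart; the clear-text warning for non-SSL configurations is deliberate, since that is the case the guide recommends against.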
Importing a Server Certificate from the LDAP into SA
For SSL, the necessary certificates must be extracted from the LDAP and copied over
to SA.
To import a server certificate from the LDAP into SA, perform the following steps:
1 Extract the server certificate from the external LDAP. For instructions, see the following
sections.
2 Convert the extracted certificate to PEM format.
Certificates exported from Windows systems are in Distinguished Encoding Rules (DER)
format. The following example converts a certificate from DER to PEM format with the
openssl utility:
openssl x509 -inform DER -outform PEM -in mycert.der -out mycert.pem
3 Copy the server certificate to the location specified by the Web Services Data Access
Engine configuration file (twistOverrides.conf). For example, the
twistOverrides.conf file could have the following line:
aaa.ldap.servercert.ca.fname=/var/opt/opsware/crypto/twist/ldapcert.pem
The file must contain the CA certificate that issued the LDAP server's certificate (or, if the
server certificate is self-signed, that certificate itself), and it must be readable by the twist
user on the host running the Web Services Data Access Engine.
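Whether a given export needs conversion is not always obvious from its file extension. The following is an added example, not code from Server Automation, that normalizes a certificate file to PEM using only the Python standard library: it accepts either DER or PEM input, and before wrapping DER bytes in a PEM envelope it checks that they form exactly one DER SEQUENCE whose encoded length matches the file size, so a truncated export, or a PKCS#7 or PFX file that Windows can also produce, is rejected instead of being silently mislabelled as a certificate. The sample bytes in the test are a constructed minimal DER SEQUENCE, not a real certificate.

```python
"""DER/PEM handling for aaa.ldap.servercert.ca.fname (added example, not SA code)."""
import base64
import re
import textwrap

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def der_sequence_length(data: bytes) -> int:
    """Total encoded length of the DER SEQUENCE at the start of data.

    An X.509 certificate is a SEQUENCE, tag 0x30. The length octet is either the
    short form (< 0x80, the length itself) or the long form (0x80 | n, followed
    by n big-endian length bytes)."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (a certificate starts with 0x30)")
    first = data[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or len(data) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in a CERTIFICATE PEM block, refusing trailing or missing bytes."""
    total = der_sequence_length(der)
    if total != len(der):
        raise ValueError(f"DER length {total} does not match input size {len(der)}")
    body = base64.b64encode(der).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")


def pem_to_der(pem: str) -> bytes:
    """Decode the first CERTIFICATE block of a PEM file."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()))


def ensure_pem(data: bytes) -> str:
    """Return PEM for DER or PEM input; PEM input is decoded and re-encoded as a check."""
    if data.lstrip().startswith(b"-----BEGIN"):
        der = pem_to_der(data.decode("ascii"))
    else:
        der = data
    return der_to_pem(der)


def convert_file(src: str, dst: str) -> None:
    """Read src (DER or PEM) and write a validated PEM file to dst."""
    with open(src, "rb") as f:
        pem = ensure_pem(f.read())
    with open(dst, "w", encoding="ascii") as f:
        f.write(pem)
```

Run convert_file on the exported CA certificate and point aaa.ldap.servercert.ca.fname at the output. The ValueError on a length mismatch is the useful part: openssl reports a bare "unable to load certificate" for a mangled export, while this tells you whether the bytes are not DER at all or merely cut short.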
Extracting the Server Certificate from Microsoft Active Directory
To extract the server certificate, perform the following steps:
1 Run either the Certificates MMC snap-in console or the Certificate Services web interface.
2 Export the Root CA certificate from the Windows CA into DER format.
Extracting the Server Certificate from Novell eDirectory
To extract the server certificate, perform the following steps:
1 Find out the name of the local CA entry. (Example: CN=CORP-TREE CA.CN=Security)
2 Open the eDirectory Administration utility and click Modify Object.
3 Enter the entry name (CN=CORP-TREE CA.CN=Security).
4 Select the Certificates tab.
5 Click Self Signed Certificate.
6 Click Export.
7 In the dialog, click No for exporting the private key and then click Next.
8 Select the appropriate format (usually DER).
9 Click Save the exported certificate to a file.
Extracting the Server Certificate from SunDS
Typically, instead of exporting a server CA certificate from SunDS, you obtain the certificate
that was imported into SunDS.
Configuring the JAAS Login Module (loginModule.conf)
To configure the JAAS login module, perform the following steps:
1 Log in as root to the system running the Web Services Data Access Engine, an SA Core
Component.
2 In a text editor, open this file:
/etc/opt/opsware/twist/loginModule.conf
3 In the text editor, modify the loginModule.conf file so that it contains the following
lines:
/** Login configuration for JAAS modules **/
TruthLoginModule {
com.opsware.login.TruthLoginModule sufficient debug=true;
com.opsware.login.LdapLoginModule sufficient debug=true;
};
Both modules are flagged sufficient, so JAAS tries them in the order listed: a login that the
first module accepts completes without the second being consulted, and credentials that the
first module rejects are passed to the second.
4 Save the loginModule.conf file and exit the text editor.
Importing External LDAP Users and User Groups
Before importing external LDAP users, you must configure SA for use with your LDAP server.
See Using an LDAP Directory Server with SA on page 39 in this chapter for more information.
Importing LDAP Users Using the SAS Web Client
After you complete the tasks in this section, your users will be able to log in to the SAS Web
Client with their LDAP user names and passwords.
This method does not import LDAP user groups. If you want to import users and user groups,
see Importing LDAP Users and Groups Using the LDAP Authentication Configuration Tool
on page 45.
To import external users, perform the following steps:
1 In the SAS Web Client, from the navigation panel, select Administration > Users &
Groups.
2 Select the Users tab. The page lists the existing SA users.
3 On the Users tab, click Import External Users.
The page displays the users in the LDAP that match the search filter. The default filter is
an asterisk (*), indicating that all users are selected. If a check box does not appear to the
left of the user name, then the user already exists in SA and cannot be imported.
If SA cannot connect to the LDAP, check for error messages in the following file:
/var/log/opsware/twist/stdout.log
4 To change the search filter, enter a value in the field to the left of Change Filter. For
example, to fetch only those user names beginning with the letter A, you enter A* in the
field.
To avoid retrieving large lists of user names, be strict in your use of the search filter so
that you retrieve a manageable list of users. A broad filter also returns built-in and service
accounts (for example Guest and krbtgt in Active Directory); restrict the filter or the search
base so that only accounts that should have SA access are offered for import.
5 If you modified the search filter in the preceding step, click Change Filter. The page
displays the users in the LDAP that match the search filter.
6 You can assign users to the user groups listed at the bottom of the page or you can assign
them later.
7 Select the check boxes for the users you want to import. To import all users displayed,
select the top check box.
8 On the Import Users page, click Import.
Importing LDAP Users and Groups Using the LDAP Authentication Configuration Tool
The LDAP Authentication Configuration tool allows you to import both LDAP users and user
groups into the SA Model Repository. It is, however, a more complex process that requires
some preparation. This tool can be run from the command line or by selecting and running the
LDAP Authentication Configuration tool from the SA Client APX Library.
Prerequisites
The LDAP Authentication Configuration tool is a script that must be run on an SA Core's
Slice Component bundle host. Before running the script, you must have the following
information available:
Table 10 LDAP Authentication Configuration Tool Prerequisites
Prerequisite | Description
Hostname | The fully-qualified host name (FQHN) or IP address of the LDAP directory server that SA is to use.
LDAP Server Port | The LDAP directory server port. The default SSL port is 636 and the default non-SSL port is 389. SA does not support StartTLS through this tool (the aaa.ldap.usestarttls property in Table 9 is set only by editing twistOverrides.conf directly).
SSL | Is SSL authentication required by your LDAP directory server? If SSL is enabled, you must supply the trusted Certification Authority (CA) certificates used to validate the server's SSL certificate.
Trusted CA Certificates To Validate Server SSL Certificate | The complete path, on the Slice Component host where the tool runs, to the file containing the trusted Certification Authority (CA) certificates, in Privacy Enhanced Mail (PEM) format, used to verify the LDAP directory server's SSL certificate.
SSL with mutual (or two-way) authentication | You must supply the following information: 1 Trusted CA certificates to validate the server SSL certificate. 2 Trusted CA certificates to validate the client SSL certificate. 3 The client certificate and its (unencrypted) private key.
SSL with client authentication enabled | 1 The complete path to the file containing the trusted Certification Authority (CA) certificates, in PEM format, used to verify the SSL client certificate. 2 The complete path to the file containing the client SSL certificate and its corresponding private key, in PEM format. The client private key must not be encrypted, so restrict that file's permissions so that only the twist user can read it.
Anonymous Search To The Directory Information Tree (DIT) | Does the LDAP directory allow anonymous searches of the Directory Information Tree (DIT) where user information is stored? Note that this implies that anonymous bind is allowed. For example, does an anonymous user (a user who did not supply a bind Distinguished Name (DN) and password) have read access to the DIT? For most enterprises, anonymous search is not allowed. If anonymous search is disabled, you must supply the bind DN and password of a user who has read access to the DIT.
Bind Distinguished Name (DN) | Required only if anonymous search is disabled. The bind DN of the user who has read access to the DIT.
Bind Password | Required only if anonymous search is disabled. The bind password of the user who has read access to the DIT.
Attribute For Unique Username | The attribute for the unique username. For Active Directory the default is sAMAccountName. For Novell eDirectory the default is cn. For all other vendors, the default is uid.
Attribute For User Display Name | The attribute for the user display name. For Active Directory the default is displayName. For Novell eDirectory the default is fullName. For all other vendors, the default is cn.
Base DN | The base distinguished name (DN), or the portion of the DIT to be considered when searching for users during the user import operation. The LDAP Authentication Configuration tool uses a sub-tree search, therefore the search filter applies only to users at or below the base DN.
Search Filter Template | The search filter template is used, with optional filter substitution, as the filter in the LDAP search for the user import. Any dollar sign ($) character in the template is replaced by the filter string specified in the Import Users page of the SAS Web Client. (The default value is an asterisk (*), which matches all entries.) For Active Directory the default is (&(sAMAccountName=$)(objectCategory=person)(objectClass=user)(sAMAccountType=805306368)). For Novell eDirectory the default is (&(cn=$)(objectClass=person)). For all other vendors, the default is uid=$.
The LDAP Authentication Configuration Tool Process
When you run the LDAP Authentication Configuration tool, the prompts you see depend on
whether your LDAP directory server requires SSL authentication and on whether anonymous
search is allowed.
Anonymous Search: No
SSL: No
1 Log in to a server hosting a Slice Component bundle for your SA Core.
2 Log in as the twist user:
su twist
3 Issue the following command:
cd /opt/opsware/twist
4 Invoke the LDAP Authentication Configuration tool:
./ldap_config.sh
5 Enter the necessary information. Enter N when asked if anonymous search is allowed.
Enter N when asked if SSL setup is required.
6 After the tool completes, ensure that the LDAP authentication configuration is successfully
validated and stored.
7 Log on to the Command Center and ensure that external user import works.
8 Ensure that you can log on to the Command Center as an LDAP user.
Anonymous Search: Yes
SSL: No
1 Log in to a server hosting a Slice Component bundle for your SA Core.
2 Log in as the twist user:
su twist
3 Issue the following command:
cd /opt/opsware/twist
4 Invoke the LDAP Authentication Configuration tool:
./ldap_config.sh
5 Enter the necessary information. Enter Y when asked if anonymous search is allowed.
Enter N when asked if SSL setup is required.
6 After the tool completes, ensure that LDAP authentication configuration is successfully
validated and stored.
7 Log on to the Command Center and ensure that external user import works.
8 Ensure that you can log on to the Command Center as an LDAP user.
Anonymous Search: No
SSL: Yes (SSL server authentication only)
1 Log in to a server hosting a Slice Component bundle for your SA Core.
2 Log in as the twist user:
su twist
3 Issue the following command:
cd /opt/opsware/twist
4 Invoke the LDAP Authentication Configuration tool:
./ldap_config.sh
5 Enter N when asked if anonymous search is allowed. Enter Y when asked if SSL setup is
required. Answer N when asked whether to use SSL client authentication.
6 After the tool completes, ensure that LDAP authentication configuration is successfully
validated and stored.
7 Log on to the Command Center and ensure that external user import works.
8 Ensure that you can log on to the Command Center as an LDAP user.
Anonymous Search: No
SSL: Yes (SSL mutual authentication required)
1 Log in to a server hosting a Slice Component bundle for your SA Core.
2 Log in as the twist user:
su twist
3 Issue the following command:
cd /opt/opsware/twist
4 Invoke the LDAP Authentication Configuration tool:
./ldap_config.sh
5 Enter N when asked if anonymous search is allowed. Enter Y when asked if SSL setup is
required. Enter Y when asked whether to use SSL client authentication.
6 After the tool completes, ensure that LDAP authentication configuration is successfully
validated and stored.
7 Log on to the Command Center and ensure that external user import works.
8 Ensure that you can log on to the Command Center as an LDAP user.
Anonymous Search: Yes
SSL: Yes (SSL server authentication only)
1 Log in to a server hosting a Slice Component bundle for your SA Core.
2 Log in as the twist user:
su twist
3 Issue the following command:
cd /opt/opsware/twist
4 Invoke the LDAP Authentication Configuration tool:
./ldap_config.sh
5 Enter Y when asked if anonymous search is allowed. Enter Y when asked if SSL setup is
required. Enter N when asked whether to use SSL client authentication.
Anonymous Search: Yes
SSL: Yes (SSL mutual authentication required)
1 Log in to a server hosting a Slice Component bundle for your SA Core.
2 Log in as the twist user:
su twist
3 Issue the following command:
cd /opt/opsware/twist
4 Invoke the LDAP Authentication Configuration tool:
./ldap_config.sh
5 Enter Y when asked if anonymous search is allowed. Enter Y when asked if SSL setup is
required. Enter Y when asked whether to use SSL client authentication.
The values shown as defaults are the values saved during the last LDAP Authentication
Configuration Tool session.
Example LDAP Authentication Configuration Tool Session
>./ldap_config.sh
Retrieving LDAP configuration ...
LDAP Connectivity Configuration
Enter the fully-qualified host name or IP for the LDAP directory server
[sample-centos.example.com] :
Does the LDAP directory server require SSL? [N] :
Enter the port number for the LDAP directory server [8389] :
Does the LDAP directory server support anonymous bind and anonymous read
access to the directory information tree? [N] :
Enter the bind distinguished name (DN) of the user who has read access to the
directory infomation tree (DIT)
[cn=Administrator,cn=users,dc=hyrule,dc=local] :
Do you want to change the bind password for
cn=Administrator,cn=users,dc=hyrule,dc=local [N] :
You have entered the following information:
LDAP Directory Server FQHN/IP : sample-centos.example.com
LDAP Directory Server Port : 8389
SSL Enabled? : false
Bind DN : cn=Administrator,
cn=users,dc=hyrule,dc=local
Bind Password Provided? : true
Is this correct? [Y] :
Verifying LDAP directory server connectivity ...
found naming context : DC=hyrule,DC=local
found naming context : CN=Configuration,DC=hyrule,DC=local
found naming context : CN=Schema,CN=Configuration,DC=hyrule,DC=local
found naming context : DC=DomainDnsZones,DC=hyrule,DC=local
found naming context : DC=ForestDnsZones,DC=hyrule,DC=local
LDAP directory server connectivity successfully verified.
LDAP Search Configuration
Is the LDAP directory server an Active Directory (AD) directory server? [Y] :
Enter the LDAP attribute for the unique username [SamAccountName] :
Enter the LDAP attribute for the user's display name [cn] :
Enter the LDAP search filter template
[(&(sAMAccountName=$)(objectCategory=person)(objectClass=user)
(sAMAccountType=805306368))] :
Enter the LDAP search base distinguished name (DN). Usually this is the root
naming context. [cn=users,dc=hyrule,dc=local] :
You have entered the following information:
LDAP Unique Username Attribute : SamAccountName
LDAP User Display Name Attribute : cn
LDAP Search Filter Template :
(&(sAMAccountName=$)(objectCategory=person)(objectClass=user)
(sAMAccountType=805306368))
LDAP Search Base Distinguished Name (DN) :
cn=users,dc=hyrule,dc=local
Is this correct? [Y] :
Verifying LDAP search configuration ...
To test LDAP search configuration, you must provide a username of a LDAP
directory user to search.
LDAP search configuration is successfully verified only if the given user is
successfully returned by the LDAP
directory server.
Enter a username to search : *
You have entered the following information:
Username To Search : *
Is this correct? [Y] :
Resulting LDAP Search Filter :
(&(sAMAccountName=*)(objectCategory=person)(objectClass=user)(sAMAccountType=805306368))
Searching LDAP directory server for user * ...
Found 4 users
DN : CN=Administrator,cn=users,dc=hyrule,dc=local
cn : Administrator
SamAccountName : Administrator
DN : CN=Guest,cn=users,dc=hyrule,dc=local
cn : Guest
SamAccountName : Guest
DN : CN=krbtgt,cn=users,dc=hyrule,dc=local
cn : krbtgt
SamAccountName : krbtgt
DN : CN=link,cn=users,dc=hyrule,dc=local
cn : link
SamAccountName : link
Is this correct? [Y] :
LDAP search configuration successfully verified.
LDAP Users & Groups Synchronization Configuration
Do you want to configure users & groups synchronization? [Y] :
LDAP User Group Synchronization Configuration
Enter the LDAP search base distinguished name (DN) for the user groups
[cn=users,dc=hyrule,dc=local] :
Enter the LDAP search filter template to search user groups
[(&(cn=$)(objectCategory=group))] :
Enter the LDAP attribute for the unique user group name [SamAccountName] :
Enter the LDAP attribute in the user group LDAP object class which contains
the DNs of its members [member] :
You have entered the following information:
LDAP Search User Group Base DN :
cn=users,dc=hyrule,dc=local
LDAP Search User Group Search Filter Template :
(&(cn=$)(objectCategory=group))
LDAP Unique User Group Name Attribute : SamAccountName
LDAP Search User Group Membership Attribute : member
Is this correct? [Y] :
Verifying LDAP user group synchronization configuration ...
Searching LDAP directory server for all users and user groups ...
Searching LDAP directory server for all LDAP users ...
Resulting LDAP Search Filter For All LDAP Users :
(&(sAMAccountName=*)(objectCategory=person)(objectClass=user)(sAMAccountType=805306368))
Found 4 LDAP users
Parsing search results ...
Searching LDAP directory server for all LDAP user gruops ...
Resulting LDAP Search Filter For All LDAP User Groups :
(&(cn=*)(objectCategory=group))
Found 16 LDAP user groups
Parsing search results ...
Do you wish to display detail search result? [N] : y
Parsing search results ...
Denied RODC Password Replication Group: 2 members
Administrator : cn=administrator,cn=users,dc=hyrule,dc=local
krbtgt : cn=krbtgt,cn=users,dc=hyrule,dc=local
Allowed RODC Password Replication Group: 0 members
Enterprise Read-only Domain Controllers: 0 members
Group Policy Creator Owners: 1 members
Administrator : cn=administrator,cn=users,dc=hyrule,dc=local
Domain Controllers: 0 members
Cert Publishers: 0 members
Domain Users: 0 members
Enterprise Admins: 1 members
Administrator : cn=administrator,cn=users,dc=hyrule,dc=local
Schema Admins: 1 members
Administrator : cn=administrator,cn=users,dc=hyrule,dc=local
DnsAdmins: 0 members
Read-only Domain Controllers: 0 members
RAS and IAS Servers: 0 members
Domain Guests: 0 members
Domain Admins: 1 members
Administrator : cn=administrator,cn=users,dc=hyrule,dc=local
Domain Computers: 0 members
DnsUpdateProxy: 0 members
Is this correct? [Y] :
LDAP user group synchronization configuration successfully verified.
The following properties will be stored into global configuration.
aaa.ldap.hostname=sample-centos.example.com
aaa.ldap.port=8389
aaa.ldap.ssl=false
aaa.ldap.search.binddn=cn=Administrator,cn=users,dc=hyrule,dc=local
aaa.ldap.search.pw=true
aaa.ldap.search.naming.attribute=SamAccountName
aaa.ldap.search.display.name.attribute=cn
aaa.ldap.search.filter.template=(&(sAMAccountName=$)(objectCategory=person)(objectClass=user)(sAMAccountType=805306368))
aaa.ldap.search.base.template=cn=users,dc=hyrule,dc=local
aaa.ldap.enable.users.groups.sync=true
aaa.ldap.search.usergroup.naming.attribute=SamAccountName
aaa.ldap.search.usergroup.membership.naming.attribute=member
aaa.ldap.search.usergroup.base.template=cn=users,dc=hyrule,dc=local
aaa.ldap.search.usergroup.filter.template=(&(cn=$)(objectCategory=group))
Are you sure? [Y] :
Saving LDAP configuration ...
LDAP configuration successfully saved.
Do you want to schedule a recurring job for LDAP users & user groups
synchronization? [Y] :
Select one of the following recurring schedule for LDAP users & user groups
synchronization job:
1) Daily
2) Weekly
3) Monthly
Enter 1, 2, or 3 [3] : 1
Scheduling users & user groups synchronization job ...
LDAP users & user groups synchronization job has been successfully schedule.
Job ID=110001
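The stored configuration above uses $ as the placeholder in the user and user-group filter templates. The following is an added example, not part of this guide and not HP's tool code, of how such a template should be filled in. It assumes the tool substitutes the login name or group name for $, and it escapes the substituted value as RFC 4515 requires, so that a name containing filter metacharacters (*, parentheses, backslash) is matched literally instead of rewriting the query. The property block is a constructed copy of the lines shown above; parse_properties, escape_filter_value, build_filter, user_filter and group_filter are names chosen here.

```python
"""Fill an SA-style LDAP filter template safely (added example, not HP code)."""

# Constructed copy of the property block printed by the configuration tool above.
CONFIG_TEXT = """\
aaa.ldap.search.naming.attribute=SamAccountName
aaa.ldap.search.filter.template=(&(sAMAccountName=$)(objectCategory=person)(objectClass=user)(sAMAccountType=805306368))
aaa.ldap.search.base.template=cn=users,dc=hyrule,dc=local
aaa.ldap.search.usergroup.naming.attribute=SamAccountName
aaa.ldap.search.usergroup.filter.template=(&(cn=$)(objectCategory=group))
"""

# RFC 4515 section 3: these characters must be hex-escaped inside an assertion
# value so the directory matches them literally.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def parse_properties(text: str) -> dict:
    """Parse key=value lines; the first '=' splits, later '=' belong to the value."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so it cannot alter the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, value: str) -> str:
    """Replace the single '$' placeholder in the template with the escaped value."""
    if template.count("$") != 1:
        raise ValueError("template must contain exactly one '$' placeholder")
    return template.replace("$", escape_filter_value(value))


def user_filter(props: dict, login: str) -> str:
    """Filter that finds one user by the naming attribute (assumed tool behaviour)."""
    return build_filter(props["aaa.ldap.search.filter.template"], login)


def group_filter(props: dict, group_name: str) -> str:
    """Filter that finds one user group by cn (assumed tool behaviour)."""
    return build_filter(props["aaa.ldap.search.usergroup.filter.template"], group_name)


if __name__ == "__main__":
    props = parse_properties(CONFIG_TEXT)
    print(user_filter(props, "link"))
    # A login name containing metacharacters stays inside its own assertion.
    print(user_filter(props, "li*nk)(cn=x"))
    print(group_filter(props, "Domain Admins"))
```

The second call in the usage section shows why the escaping matters: without it, characters in a user-supplied name would become filter syntax and the search could match a different object than the one the naming attribute was meant to select.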
Viewing Imported LDAP User Groups in the SAS Web Client
After you have imported LDAP users and user groups using the LDAP Authentication
Configuration tool, you can view the user groups in the SAS Web Client. Log in to the SAS
Web Client and select Users and Groups in the navigation panel, then the Groups tab.
Figure 9 shows a screen similar to what you will see:
User and User Group Setup and Security 53
Figure 9 LDAP User Groups in the SAS Web Client
You should not edit user groups that are maintained by LDAP synchronization. These groups are
identified by the description __DO_NOT_EDIT__MAINTAINED_BY_LDAP_SYNC_.
Synchronizing LDAP Users
After you have imported users from the LDAP directory server, you can use the LDAP
Authentication Configuration tool to synchronize LDAP users.
1 Log in to a server hosting a Slice Component bundle for your SA Core.
2 Log in as the twist user:
su twist
3 Issue the following command:
cd /opt/opsware/twist
4 Invoke the LDAP Authentication Configuration tool:
5 ./ldap_config.sh
6 You will see output similar to the following:
Retrieving LDAP configuration ...
Verifying LDAP server connectivity ...
User Synchronization Phase
Searching LDAP directory server for all LDAP users ...
Found 4 LDAP users
Parsing search results ...
4 LDAP users do not exist in SA
Creating them now ...
Creating user cn=link,cn=users,dc=hyrule,dc=local
Creating user cn=krbtgt,cn=users,dc=hyrule,dc=local
Creating user cn=guest,cn=users,dc=hyrule,dc=local
Creating user cn=administrator,cn=users,dc=hyrule,dc=local
User Group Synchronization Phase
Searching LDAP directory server for all LDAP user groups ...
Found 16 LDAP user groups
Parsing search results ...
creating user group Denied RODC Password Replication Group
creating user group Allowed RODC Password Replication Group
creating user group Enterprise Read-only Domain Controllers
creating user group Group Policy Creator Owners
creating user group Domain Controllers
creating user group Cert Publishers
creating user group Domain Users
creating user group Enterprise Admins
creating user group Schema Admins
creating user group DnsAdmins
creating user group Read-only Domain Controllers
creating user group RAS and IAS Servers
creating user group Domain Guests
creating user group Domain Admins
creating user group Domain Computers
creating user group DnsUpdateProxy
Updating user groups no longer found in LDAP ...
LDAP Users & User Groups Sync Results
==================================================================
Number of LDAP Users Found : 4
Number of LDAP Users Does Not Exist In SA : 4
Number of LDAP Users Successfully Created in SA : 4
Number of LDAP Users Failed To Create In SA : 0
Number of LDAP User Groups Found : 16
Number of LDAP User Groups Successfully Updated in SA : 0
Number of LDAP User Groups Successfully Created in SA : 16
Number of SA User Groups No Longer in LDAP : 0
Number of SA User Groups Failed To Update : 0
Number of LDAP User Groups Failed To Process : 0
Elapsed Time : 00:00:27
==================================================================
LDAP users removed from the LDAP directory are not removed from SA; however, these users
will no longer be able to log in to SA because their corresponding authentication information has
been removed from the LDAP directory.
An LDAP user with the same user ID as an existing SA user is skipped regardless of the
user's credential store type. SA neither creates nor updates duplicate users.
RSA SecurID/SA Integration
[Figure: subauthentication flow showing the Opsware Agent, the Local Security Authority Subsystem (LSASS), the MSV1_0 authentication package, and the ogshcap.dll subauthentication package]
Global Shell: Windows Subauthentication Package 201
In the case of the SA Agent, the Agent passes a NULL password along with the user name
when it calls a special Windows API to request subauthentication by the SA
subauthentication package (ogshcap.dll). The Windows API then calls the MSV1_0
authentication package which, in turn, passes the credentials, including the NULL password,
to the requested subauthentication package.
The SA subauthentication package performs checks to verify that the user account is not
locked out or disabled, and that the calling client is the SA Agent. The DLL ignores the
password field, which is empty (NULL). After its verification steps are passed, the DLL
returns a success status to MSV1_0, which creates a login session that is then passed to
LSASS. In turn, LSASS passes a handle to this login session to the SA Agent. This handle to a
login session is then passed by the SA Agent to a call to the Win32 API
CreateProcessAsUser() to run the child process in the identity of the non-LocalSystem user.
After Windows has been requested to perform a single subauthentication operation using the
ogshcap.dll file, Windows opens this file and keeps it open until the server next reboots. This
means that the ogshcap.dll cannot be deleted before the next reboot, nor can it be overwritten
during an Agent installation or upgrade without a reboot.
For all Windows operating systems, the user name of the security principal being
authenticated must be a member of the Administrators group on the local server or of the
Domain Admins group of the Primary Domain of which the server is a member.
SA Agent Installation Changes
During an SA Agent installation on all Windows operating systems, a new Windows registry
value is created (if it does not already exist) as the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
The new registry value is of type REG_SZ and contains:
Name: Auth155
Value: ogshcap
The SA Agent Installer contains a new file (ogshcap.dll) in the SA 7.80 release. During an
Agent installation, the ogshcap.dll file is copied to the following source location:
%SystemDrive%:\Program Files\Opsware\bin\ogshcap.dll
After this DLL file is created at this location, the Agent Installer tries to copy it to the
following destination location:
%SystemRoot%\system32\ogshcap.dll
If no such file currently exists at the destination location, the copy succeeds. If the copy fails
because the file is open and is in use, the Agent Installer calculates a cryptographic hash of
both source and destination files. If the source and destination files are different by hash, the
Agent Installer calls the Win32 API MoveFileEx() which creates a Windows-internal
registry key. This registry key informs Windows that it must replace the destination file with
the source file at the next reboot.
If the hash for one or both DLL files cannot be successfully calculated, the Agent Installer
assumes that the replacement of the DLL is warranted. For example, if the Microsoft
cryptographic modules cannot be loaded by the Agent Installer, the hash cannot be calculated.
The Agent Installer then assumes that the DLL must be replaced.
202 Chapter 8
A post-install reboot can be initiated after the Agent installation by specifying the installer
option (--reboot) on the Agent Installer command line.
When a post-install reboot is required to get the latest version of the DLL, the reboot performs
a move operation where the DLL in the source location is moved to the destination location.
Therefore, the source DLL file overwrites the destination DLL.
If the existing ogshcap.dll on the operating system must be replaced and a reboot is required
to accomplish this, the Agent Installer will not (by default) initiate the reboot. A reboot occurs
only if the person performing the installation specifies --reboot as a command-line option.
The --reboot option is accepted by the Agent Installer on all operating systems; however, it
is performed only on Windows operating systems. For example, if the
--reboot option is specified during an Agent installation on a Linux 7.2 operating system, a
reboot will not be performed by the Agent Installer. In comparison, if the
--reboot option is specified during an Agent installation on a Windows 2000 operating
system, a reboot will be performed by the Agent Installer.
If the hashes have been calculated, and the source and destination files are verified as
identical, no attempt to overwrite the opened ogshcap.dll is made.
The Agent always performs the first-time installation of the ogshcap.dll or the analysis of
whether an existing DLL should be overwritten with the version of the DLL that is in the
Agent Installer payload. In this case, there is no way to prevent installation of this DLL by the
Agent Installer.
If the Agent Installer indicates that a reboot is required and the reboot does not occur after
the Agent installation, the SA Agent will be using the out-of-date version of the DLL until the
reboot occurs. This means that any bug fixes or modified functionality that are in the new
DLL will not be used by the SA Agent until the reboot. However, Windows authentication, on
behalf of the SA Agent by the old DLL, will still successfully occur, even while the DLL is
marked for replacement by the newer DLL.
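The replacement decision described in this section can be modelled in a few lines. The following is an added example, not HP's installer code. It assumes the file MAC is an HMAC over the DLL contents keyed with hmac.key (the installer log later in this section shows a 20-byte value, which matches HMAC-SHA1), and it follows the decision tree above: copy when the destination is absent or not held open, compare MACs when the destination is in use, and treat any failure to compute a MAC as grounds for replacement at the next reboot. Action, MacError, file_mac, decide and reboot_needed are names chosen here; the file contents and key are constructed.

```python
"""Model of the ogshcap.dll replacement decision (added example, not HP code)."""
import hashlib
import hmac
from enum import Enum
from typing import Optional


class Action(Enum):
    COPIED = "copied into place"
    NO_CHANGE = "identical by MAC; existing DLL kept"
    REPLACE_AT_REBOOT = "differs or MAC unavailable; replace at next reboot (MoveFileEx)"


class MacError(Exception):
    """The MAC could not be computed (missing key, crypto provider unavailable, ...)."""


def file_mac(data: bytes, key: Optional[bytes]) -> bytes:
    """Keyed MAC of a file's contents. HMAC-SHA1 is an assumption that matches
    the 20-byte value in the sample log; the real algorithm is not documented here."""
    if not key:
        raise MacError("hmac.key is missing or empty")
    return hmac.new(key, data, hashlib.sha1).digest()


def decide(source: bytes, dest: Optional[bytes], dest_in_use: bool,
           key: Optional[bytes]) -> Action:
    """Decide what happens to the payload DLL (source) given the installed DLL
    (dest; None when no file exists at the destination)."""
    if dest is None or not dest_in_use:
        # A plain copy succeeds when nothing is there or the file is not held open.
        return Action.COPIED
    try:
        same = hmac.compare_digest(file_mac(source, key), file_mac(dest, key))
    except MacError:
        # The installer cannot tell whether the files differ, so it assumes
        # that replacement is warranted.
        return Action.REPLACE_AT_REBOOT
    return Action.NO_CHANGE if same else Action.REPLACE_AT_REBOOT


def reboot_needed(action: Action) -> bool:
    """Only a deferred replacement needs the post-install reboot (--reboot)."""
    return action is Action.REPLACE_AT_REBOOT


if __name__ == "__main__":
    key = b"constructed-36-byte-key-for-example!"  # constructed, 36 bytes like the log's hmac.key
    for src, dst, in_use, k in [(b"new build", None, False, key),
                                (b"same build", b"same build", True, key),
                                (b"new build", b"old build", True, key),
                                (b"same build", b"same build", True, None)]:
        action = decide(src, dst, in_use, k)
        print(f"{action.name:18} reboot_needed={reboot_needed(action)}")
```

The last case in the usage loop is the failure mode the text calls out: with no usable key the files cannot be compared, and the safe outcome is to schedule the replacement even though the two builds happen to be identical.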
The following sample Agent Installer log is from an installation of the ogshcap.dll. In this
case, the existing DLL on the operating system does not need to be replaced.
[08/Jun/2005 20:59:18] [INFO] Install CAP file if differing checksum between
new and existing file.
[08/Jun/2005 20:59:18] [TRACE] NeedToReplaceOGSHCAPDLL()
[08/Jun/2005 20:59:18] [INFO] Testing CAP file existence:
C:\WINDOWS\system32\ogshcap.dll
[08/Jun/2005 20:59:18] [INFO] C:\WINDOWS\system32\ogshcap.dll CAP file exists
[08/Jun/2005 20:59:18] [TRACE] GenerateKeyToFile()
[08/Jun/2005 20:59:18] [TRACE] Successfully called CreateFile(C:\Program
Files\Common Files\Opsware\cogbot\hmac.key)
[08/Jun/2005 20:59:18] [TRACE] Key file already exists
[08/Jun/2005 20:59:18] [TRACE] C:\Program Files\Common
Files\Opsware\cogbot\hmac.key size: 36 bytes
[08/Jun/2005 20:59:18] [TRACE] Successfully called CloseHandle(C:\Program
Files\Common Files\Opsware\cogbot\hmac.key)
[08/Jun/2005 20:59:18] [TRACE] GenerateKeyToFile() = 1
[08/Jun/2005 20:59:18] [INFO] Calculate MAC for File:
C:\WINDOWS\system32\ogshcap.dll
[08/Jun/2005 20:59:18] [TRACE] C:\WINDOWS\system32\ogshcap.dll size: 40960
bytes
[08/Jun/2005 20:59:18] [TRACE] C:\Program Files\Common
Files\Opsware\cogbot\hmac.key size: 36 bytes
[08/Jun/2005 20:59:18] [TRACE] Successfully called CreateFileMapping() for
C:\WINDOWS\system32\ogshcap.dll
[08/Jun/2005 20:59:18] [TRACE] Successfully called CreateFileMapping() for
C:\Program Files\Common Files\Opsware\cogbot\hmac.key
[08/Jun/2005 20:59:18] [TRACE] CalculateMAC()
[08/Jun/2005 20:59:18] [TRACE] PrintHexBytes()
[08/Jun/2005 20:59:18] [TRACE] HMAC for C:\WINDOWS\system32\ogshcap.dll: 0x02
0x95 0x2B 0x03 0x51 0x02 0x9F 0x6D 0x58 0xF6 0xF1 0x5E 0x1C 0xFC 0x2A 0x72
0x5D
0x7E 0x5F 0xDA
[08/Jun/2005 20:59:18] [TRACE] CalculateMACFromFile() = 1
[08/Jun/2005 20:59:18] [INFO] Calculate MAC for File: C:\Program
Files\Opsware\bin\ogshcap.dll
[08/Jun/2005 20:59:18] [TRACE] C:\Program Files\Opsware\agent\bin\ogshcap.dll
size:
40960 bytes
[08/Jun/2005 20:59:18] [TRACE] C:\Program Files\Common
Files\Opsware\cogbot\hmac.key size: 36 bytes
[08/Jun/2005 20:59:18] [TRACE] Successfully called CreateFileMapping() for
C:\Program Files\Opsware\agent\bin\ogshcap.dll
[08/Jun/2005 20:59:18] [TRACE] Successfully called CreateFileMapping() for
C:\Program Files\Common Files\Opsware\cogbot\hmac.key
[08/Jun/2005 20:59:18] [TRACE] CalculateMAC()
[08/Jun/2005 20:59:18] [TRACE] PrintHexBytes()
[08/Jun/2005 20:59:18] [TRACE] HMAC for C:\Program
Files\Opsware\agent\bin\ogshcap.dll: 0x02 0x95 0x2B 0x03 0x51 0x02 0x9F 0x6D
0x58
0xF6 0xF1 0x5E 0x1C 0xFC 0x2A 0x72 0x5D 0x7E 0x5F 0xDA
[08/Jun/2005 20:59:18] [TRACE] CalculateMACFromFile() = 1
[08/Jun/2005 20:59:18] [INFO] C:\WINDOWS\system32\ogshcap.dll CAP file does
not
need to be replaced
[08/Jun/2005 20:59:18] [TRACE] NeedToReplaceOGSHCAPDLL() = 0
[08/Jun/2005 20:59:18] [TRACE] UpdateCAPRegistrySetting()
[08/Jun/2005 20:59:18] [INFO] Update SubAuthentication Package Registry key
[08/Jun/2005 20:59:18] [TRACE] Successfully opened registry key
SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0.
[08/Jun/2005 20:59:18] [TRACE] Successfully found registry value: 'Auth255'
at
this key, retrieved value 'ogshcap' (8) bytes.
[08/Jun/2005 20:59:18] [TRACE] Existing registry value matches expected
value:
'ogshcap'
[08/Jun/2005 20:59:18] [TRACE] UpdateCAPRegistrySetting() = 1
[08/Jun/2005 20:59:18] [INFO] UpdateCapRegistrySetting() was successful
[08/Jun/2005 20:59:18] [TRACE] Win32InstallN() = 1
[08/Jun/2005 20:59:18] [INFO] Installation completed successfully.
[08/Jun/2005 20:59:18] [INFO] An Agent install time reboot is NOT needed.
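The log above wraps long records across several lines, which defeats line-oriented grep when you audit an installation. The following added example (not HP code) reassembles each record, extracts the two HMAC values and the registry value, and checks that the installer's stated verdict ("reboot is NOT needed") agrees with the evidence it logged. It assumes the record format shown above, where a record starts with a bracketed timestamp and level and continuation lines do not; the sample log is constructed from this page's excerpt, and join_records and audit are names chosen here.

```python
"""Cross-check an Agent installer log's ogshcap.dll verdict (added example, not HP code)."""
import re

# Constructed from the installer log excerpt above, keeping its line wrapping.
SAMPLE_LOG = r"""[08/Jun/2005 20:59:18] [INFO] Install CAP file if differing checksum between
new and existing file.
[08/Jun/2005 20:59:18] [TRACE] HMAC for C:\WINDOWS\system32\ogshcap.dll: 0x02
0x95 0x2B 0x03 0x51 0x02 0x9F 0x6D 0x58 0xF6 0xF1 0x5E 0x1C 0xFC 0x2A 0x72
0x5D
0x7E 0x5F 0xDA
[08/Jun/2005 20:59:18] [TRACE] HMAC for C:\Program
Files\Opsware\agent\bin\ogshcap.dll: 0x02 0x95 0x2B 0x03 0x51 0x02 0x9F 0x6D
0x58
0xF6 0xF1 0x5E 0x1C 0xFC 0x2A 0x72 0x5D 0x7E 0x5F 0xDA
[08/Jun/2005 20:59:18] [TRACE] Successfully found registry value: 'Auth255'
at
this key, retrieved value 'ogshcap' (8) bytes.
[08/Jun/2005 20:59:18] [INFO] An Agent install time reboot is NOT needed.
"""

# A record starts with "[dd/Mon/yyyy hh:mm:ss] [LEVEL] "; any other line is a
# continuation of the record before it.
RECORD_START = re.compile(r"^\[\d{2}/[A-Za-z]{3}/\d{4} \d{2}:\d{2}:\d{2}\] \[([A-Z]+)\] (.*)$")
HMAC_RECORD = re.compile(r"^HMAC for (.+?): ((?:0x[0-9A-Fa-f]{2} ?)+)$")
REGISTRY_RECORD = re.compile(r"registry value: '([A-Za-z0-9]+)' at this key, retrieved value '([^']+)'")


def join_records(text: str) -> list:
    """Return (level, message) tuples with wrapped continuation lines rejoined."""
    records = []
    for line in text.splitlines():
        m = RECORD_START.match(line)
        if m:
            records.append([m.group(1), m.group(2).strip()])
        elif records:
            records[-1][1] += " " + line.strip()
    return [tuple(r) for r in records]


def audit(text: str) -> dict:
    """Extract logged MACs, registry value and reboot verdict, then cross-check them."""
    macs, registry, reboot_needed = {}, None, None
    for _level, msg in join_records(text):
        m = HMAC_RECORD.match(msg)
        if m:
            macs[m.group(1)] = bytes(int(tok, 16) for tok in m.group(2).split())
            continue
        m = REGISTRY_RECORD.search(msg)
        if m:
            registry = (m.group(1), m.group(2))
            continue
        if "install time reboot" in msg:
            reboot_needed = "NOT needed" not in msg
    values = list(macs.values())
    macs_match = len(values) == 2 and all(len(v) == 20 for v in values) and values[0] == values[1]
    # "No reboot" is only justified when both MACs were logged and are equal.
    verdict_consistent = reboot_needed is not None and reboot_needed != macs_match
    return {
        "macs": macs,
        "registry": registry,
        "reboot_needed": reboot_needed,
        "macs_match": macs_match,
        "verdict_consistent": verdict_consistent,
    }


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for path, mac in result["macs"].items():
        print(f"{path}: {mac.hex()}")
    print("registry:", result["registry"])
    print("reboot_needed:", result["reboot_needed"], "consistent:", result["verdict_consistent"])
```

A log in which the verdict and the MACs disagree (for instance "reboot is NOT needed" alongside two different HMAC values) is worth a closer look, since it would mean the Agent is running with a DLL other than the one the installer shipped.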
SA Agent Uninstallation Changes
During an SA Agent uninstallation, the Windows uninstaller tries to remove the following
file:
%SystemRoot%\system32\ogshcap.dll
If the removal fails (because the file is open and is in use by Windows), the uninstaller calls
MoveFileEx() instructing Windows to remove the file during the next reboot. The uninstaller
will prompt the user whether it should initiate a reboot immediately, if the attempt to remove
the file fails.
The uninstaller also removes the special subauthentication registry key value created at
Agent install time. See SA Agent Uninstallation Changes on page 204 for more information.
A Permissions Reference
Permissions Required for the SAS Web Client
The following table lists the feature permissions according to tasks that can be performed
with the SAS Web Client.
Table 1 Permissions Required for SAS Web Client Tasks

Task | Feature Permission

OS PROVISIONING
Prepare OS | Wizard: Prepare OS
Edit OS nodes | Operating Systems
View servers in the server pool | Server Pool

CONFIGURATION TRACKING
Create or edit tracking policy | Configuration Tracking; Managed Servers and Groups
Reconcile tracking policy | Configuration Tracking; Managed Servers and Groups
Perform configuration backup | Configuration Tracking; Managed Servers and Groups
View backup history, restore queue | Configuration Tracking; Managed Servers and Groups
Enable or disable tracking | Configuration Tracking; Managed Servers and Groups

SERVER MANAGEMENT
Edit server properties | Managed Servers and Groups
Edit server network properties | Managed Servers and Groups
Edit server custom attributes | Managed Servers and Groups
Deactivate server | Deactivate
Delete server | Managed Servers and Groups
Re-assign customer | Managed Servers and Groups
View servers (read-only access) | Managed Servers and Groups
Run server communications test | Managed Servers and Groups
Lock servers | Managed Servers and Groups
Set scheduled job to refresh server list | Allow Run Refresh Jobs

REPORTS
Create or view reports | Data Center Intelligence Reports

MANAGE ENVIRONMENT
Create or edit customer | Customers
Create or edit facility | Facilities

IP RANGES AND RANGE GROUPS
IP Ranges | IP Ranges and Range Groups; Model: Hardware; Model: SA
IP Range Groups | IP Ranges and Range Groups; Model: Hardware; Model: SA

SYSTEM CONFIGURATION
Manage users and groups | (Administrators group only)
Define server attributes | Server Attributes
Run system diagnosis tools | System Diagnosis
Manage SA System configuration | Configure SA
Run SA multimaster tools | Multimaster
Gateway management | Manage Gateway

OTHER TASKS
Run custom extension | Wizard: Custom Extension
Deploy code | See Code Deployment User Groups on page 279.

Storage Visibility and Automation Permissions
You must have certain permissions to perform actions in the Storage Visibility and
Automation feature. See the Storage Visibility and Automation Installation & Administration
Guide for a description of these permissions.
Permissions Reference 207
Permissions Required for the SA Client
The following tables in this section summarize the permissions required for the SA Client
features.
Application Configuration Management Permissions
Device Group Permissions
SA Discovery and Agent Deployment Permissions
Job Permissions
Patch Management for Windows - Permissions
Patch Management for Solaris - Permissions
Solaris Patch Policy Management - Permissions
Patch Management for Other Unix - Permissions
Software Management Permissions
Script Execution Permissions
Audit and Remediation Permissions
Service Automation Visualizer Permissions
Virtual Server Permissions
OS Provisioning Permissions
Compliance View Permissions
Server Property and Reboot Permissions
Server Objects Permission
More Information for Security Administrators
In some organizations, security administrators work with many applications and do not
specialize in SA. To learn about SA quickly, security administrators can refer to Process
Overview for Security Administration on page 22. This short section lists the overall tasks for
setting up security in SA.
Application Configuration Management Permissions
Table 2 specifies the permissions required by users to perform specific actions with
application configurations in the SA Client. For security administrators, the table answers
this question: To perform a particular action, what permissions does a user need?
In addition to the feature permissions listed in Table 2, every user action also requires the
Managed Servers and Groups feature permission.
In Table 2, the Server Permission column is for the servers referenced by the application
configuration or configuration template. Server permissions are specified by the Customer,
Facility, and Device Groups permissions in the SAS Web Client. In Table 2, the Folder
Permission column is for the folders in the SA Library that contain the application
configurations and configuration templates.
208 Appendix A
To perform an action, the user requires several permissions. For example, to attach an
application configuration to a server, the user must have the following permissions:
Manage Application Configurations: Read
Manage Configuration Templates: Read
Manage Installed Configuration and Backups on Servers: Read & Write
Managed Servers and Groups
Read & Write permissions to the facility, device group, and customer of the server
Read permission for the folder in the SA library that contains the application
configuration or template
Table 2 Application Configuration Management Permissions Required for User Actions

User Action | Feature Permission | Server Permission (Customer, Facility, Device Group) | Folder Permission (App Config, App Config Template)

Application Configuration
Create Application Configuration | Manage Application Configurations: Read & Write and Manage Configuration Templates: Read | None | Read & Write
View Application Configuration | Manage Application Configurations: Read & Write and Manage Configuration Templates: Read | None | Read
Edit Application Configuration | Manage Application Configurations: Read & Write and Manage Configuration Templates: Read | None | Read & Write
Delete Application Configuration | Manage Application Configurations: Read & Write and Manage Configuration Templates: Read | None | Read & Write
Specify Template Order | Manage Application Configurations: Read & Write and Manage Configuration Templates: Read | None | Read & Write
Attach Application Configuration to Server | Manage Application Configurations: Read and Manage Configuration Templates: Read and Manage Installed Configuration and Backups on Servers: Read & Write | Read & Write | Read
Attach Application Configuration to Device Group | Manage Application Configurations: Read and Manage Configuration Templates: Read and Manage Installed Configuration and Backups on Servers: Read & Write and Manage Public Device Group: Yes and Model Public Device Group: Yes | Read & Write | Read
Set Application Configuration Values on Server | Manage Application Configurations: Read and Manage Configuration Templates: Read and Manage Installed Configuration and Backups on Servers: Read & Write | Read & Write | Read
Push Application Configuration to Server | Manage Application Configurations: Read and Manage Configuration Templates: Read and Manage Installed Configuration and Backups on Servers: Read & Write | Read & Write | Read
Schedule Application Configuration Push | Manage Application Configurations: Read and Manage Configuration Templates: Read and Manage Installed Configuration and Backups on Servers: Read & Write | Read & Write | Read
Scan Configuration Compliance | Allow Configuration Compliance Scan: Yes and Manage Application Configurations: Read and Manage Configuration Templates: Read | Read | Read
Schedule Application Configuration Audit | Allow Configuration Compliance Scan: Yes and Manage Application Configurations: Read and Manage Configuration Templates: Read | Read | Read
Roll Back (Revert) Application Configuration Push | Manage Application Configurations: Read and Manage Configuration Templates: Read and Manage Installed Configuration and Backups on Servers: Read & Write | Read & Write | Read

Application Configuration Templates
Create Application Configuration Template | Manage Configuration Templates: Read & Write | None | Read & Write
View Application Configuration Template | Manage Configuration Templates: Read & Write | None | Read
Edit Application Configuration Template | Manage Configuration Templates: Read & Write | None | Read & Write
Delete Application Configuration Template | Manage Configuration Templates: Read & Write | None | Read & Write
Load (Import) Application Configuration Template | Manage Application Configurations: Read & Write and Manage Configuration Templates: Read & Write | None | Read & Write
Set Application Configuration Template to Run as Script | Manage Configuration Templates: Read & Write | None | Read & Write
Compare Two Application Configuration Templates | Manage Configuration Templates: Read | None | Read
Compare Application Configuration Template Against Actual Configuration File (Preview) | Manage Application Configurations: Read and Manage Configuration Templates: Read and Manage Installed Configuration and Backups on Servers: Read | Read | Read

Table 3 lists the actions that users can perform with application configurations for each
permission. Table 3 has the same data as Table 2, but is sorted by permission. Although not
indicated in Table 3, the Managed Servers and Groups permission is required for all OS
provisioning actions.
For security administrators, Table 3 answers this question: If a user is granted a particular
permission, what actions can the user perform?
Table 3 User Actions Allowed by Application Configuration Management Permissions

Feature Permission | User Action | Server Permission (Customer, Facility, Device Group) | Folder Permission (App Config, App Config Template)
Allow Configuration Compliance Scan: Yes and Manage Application Configurations: Read and Manage Configuration Templates: Read | Scan Configuration Compliance | Read | Read
(same as above) | Schedule Application Configuration Audit | Read | Read
Manage Application Configurations: Read & Write and Manage Configuration Templates: Read | Create Application Configuration | None | Read & Write
(same as above) | Delete Application Configuration | None | Read & Write
(same as above) | Edit Application Configuration | None | Read & Write
(same as above) | Specify Template Order | None | Read & Write
(same as above) | View Application Configuration | None | Read
Manage Application Configurations: Read & Write and Manage Configuration Templates: Read & Write | Load (Import) Application Configuration Template | None | Read & Write
Manage Application Configurations: Read and Manage Configuration Templates: Read and Manage Installed Configuration and Backups on Servers: Read | Compare Application Configuration Template Against Actual Configuration File (Preview) | Read | Read
Manage Application Configurations: Read and Manage Configuration Templates: Read and Manage Installed Configuration and Backups on Servers: Read & Write | Attach Application Configuration to Server | Read & Write | Read
(same as above) | Push Application Configuration to Server | Read & Write | Read
(same as above) | Roll Back (Revert) Application Configuration Push | Read & Write | Read
(same as above) | Schedule Application Configuration Push | Read & Write | Read
(same as above) | Set Application Configuration Values on Server | Read & Write | Read
Manage Application Configurations: Read and Manage Configuration Templates: Read and Manage Installed Configuration and Backups on Servers: Read & Write and Manage Public Device Group: Yes and Model Public Device Group: Yes | Attach Application Configuration to Device Group | Read & Write | Read
Manage Configuration Templates: Read | Compare Two Application Configuration Templates | None | Read
Manage Configuration Templates: Read & Write | Create Application Configuration Template | None | Read & Write
(same as above) | Delete Application Configuration Template | None | Read & Write
(same as above) | Edit Application Configuration Template | None | Read & Write
(same as above) | Set Application Configuration Template to Run as Script | None | Read & Write
(same as above) | View Application Configuration Template | None | Read

Device Group Permissions
To use the Device Groups feature in the SA Client, you must have the permissions described
in Table 4. For a list of tasks that require the Model Public Device Group permission, see
Table 14.
Table 4 Device Groups Feature Permissions
User Action Feature Permission
Creating a public static device group Manage Public Device Group
Permissions Reference 215
SA Discovery and Agent Deployment Permissions
To use Discovery and Deployment (ODAD) in the SA Client, you must have the permissions
described in the Table 5.
In addition to the feature permissions listed in the preceding table, the following is also
required:
Read access to facilities where you will scan for servers and manage servers
Features Managed Servers and Groups must be enabled
Client Features Unmanaged Servers Allow Manage Server set to Yes
Client Features Unmanaged Servers Allow Scan Network set to Yes
Read access must be set to customer Opsware
Job Permissions
To manage jobs in the SA Client, you must have the permissions described in the Table 6.
When you select the Edit All Jobs permission, the View All Jobs permission is automatically
selected.
Creating a public dynamic device group Manage Public Device Group
Adding a server to a public static device group Manage Public Device Group
Adding a server to a public dynamic device Group Manage Public Device Group
Removing a server from a public static device group Manage Public Device Group
Removing servers from a public dynamic device group Manage Public Device Group
Moving a public device group Manage Public Device Group
Duplicating a public device group Manage Public Device Group
Deleting a public device group Manage Public Device Group
Adding devices to a device group being used as an
Access Control Group
Manage Public Device Group and
Super Administrator
Table 4 Device Groups Feature Permissions (contd)
User Action Feature Permission
Table 5 ODAD Feature Permissions
User Action Feature Permission
Deploy (Install) Agent with ODAD Allow Deploy Agent: Yes
Scan Network with ODAD Allow Scan Network: Yes
View Servers Running Agents Managed Servers and Groups
Add servers to a facility Facilities - Manage Facilities
216 Appendix A
To view any job in the SA Client, you must have permissions to run or execute the job. For
example, if you had the permissions for an action such as Manage Application Configurations
set to Read, but did not have Write permissions for this action, you would not be able to see
any Application Configuration Push jobs in the SA Client.
In general, In order to view jobs
Patch Management for Windows - Permissions
Table 7 specifies the Patch Management permissions required by users to perform specific
actions in the SA Client. For security administrators, the table answers this question: To
perform a particular action, what permissions does a user need?
In addition to the feature permissions listed in Table 7, every user action also requires the
Managed Servers and Groups feature permission.
In Table 7, most of the entries in the User Action column correspond to menu items in the SA
Client. In addition to feature permissions, server permissions are required on the managed
servers affected by the patching operation.
If the Allow Install Patch permission is set to Yes, then the Manage Patch and the Manage
Windows Patch Policies permissions are automatically set to Read.
Table 6 Job Management Permissions
User Action Feature Permission
Enable Approval Integration Manage Approval Integration
Set Job Types Requiring Approval Manage Approval Integration
Invoke JobService API Methods to Manage Blocked
(Pending Approval) Jobs
(This action is performed by customized software on
the backend, not by end-users logged onto the SA
Client.)
Edit All Jobs
View All Jobs
End (Cancel) Job Edit All Jobs
View All Jobs
Delete Schedule Edit All Jobs
View All Jobs
Table 7 Windows Patch Management Permissions Required for User Actions

Patches

| User Action | Feature Permission | Server Permission (Customer, Facility, Device Group) |
|---|---|---|
| Install Patch (Available) | Allow Install Patch: Yes; Manage Patch: Read | Read & Write |
| Uninstall Patch (Available) | Allow Uninstall Patch: Yes and Manage Patch: Read | Read & Write |
| Install Patch (Limited Availability) | Allow Install Patch: Yes; Manage Patch: Read & Write | Read & Write |
| Uninstall Patch (Limited Availability) | Allow Uninstall Patch: Yes and Manage Patch: Read & Write | Read & Write |
| Open Patch (View Patch) | Manage Patch: Read | N/A |
| Change Patch Properties | Manage Patch: Read & Write | N/A |
| Import Patch | Manage Patch: Read & Write and Package | N/A |
| Import Patch Database | Manage Patch: Read & Write | N/A |
| Export Patch | Manage Patch: Read and Package; or Allow Install Patch: Yes and Package: Yes; or Allow Uninstall Patch: Yes and Package; or Manage Policy: Read and Package | N/A |
| Delete Patch | Manage Patch: Read & Write | N/A |

Patch Policies and Exceptions

| User Action | Feature Permission | Server Permission (Customer, Facility, Device Group) |
|---|---|---|
| Remediate Policy | Allow Install Patch: Yes | Read & Write |
| Open Patch Policy (View) | Manage Windows Patch Policy: Read | N/A |
| Add Patch to Patch Policy | Manage Patch: Read and Manage Windows Patch Policy: Read & Write | N/A |
| Remove Patch from Patch Policy | Manage Windows Patch Policy: Read & Write | N/A |
| Set Exception | Allow Install Patch: Yes; or Allow Uninstall Patch: Yes | Read & Write |
| Copy Exception | Allow Install Patch: Yes; or Allow Uninstall Patch: Yes | Read & Write |
| Attach Patch Policy to Server (or Device Group) | Manage Windows Patch Policy: Read | Read & Write |
| Detach Patch Policy from Server (or Device Group) | Manage Windows Patch Policy: Read | Read & Write |
| Create Patch Policy | Manage Windows Patch Policy: Read & Write | N/A |
| Delete Patch Policy | Manage Windows Patch Policy: Read & Write | N/A |
| Change Patch Policy Properties | Manage Windows Patch Policy: Read & Write | N/A |

Patch Compliance Rules

| User Action | Feature Permission | Server Permission (Customer, Facility, Device Group) |
|---|---|---|
| Edit Patch Products (Patch Configuration window) | Manage Patch Compliance Rules: Yes | N/A |
| Scan Patch Compliance | Manage Windows Patch Policy: Read | N/A |
| Schedule a Patch Policy Scan | Manage Patch Compliance Rules: Yes | N/A |
| Change Default Patch Availability | Manage Patch Compliance Rules: Yes | N/A |
| Change Patch Policy Compliance Rules | Manage Patch Compliance Rules: Yes | N/A |
| View Patch Policy Compliance Rules | Manage Windows Patch Policy: Yes | N/A |

Table 8 lists the actions that users can perform for each Patch Management permission. Table 8 has the same data as Table 7, but is sorted by feature permission. Although it is not indicated in Table 8, the Managed Servers and Groups permission is required for all Patch Management actions.

For security administrators, Table 8 answers this question: If a user is granted a particular feature permission, what actions can the user perform?

Table 8 User Actions Allowed by Windows Patch Management Permissions

| Feature Permission | User Action | Server Permission (Customer, Facility, Device Group) |
|---|---|---|
| Allow Install Patch: Yes | Copy Exception | Read & Write |
| | Remediate Policy | Read & Write |
| | Set Exception | Read & Write |
| Allow Install Patch: Yes and Manage Patch: Read | Install Patch (Available) | Read & Write |
| | Uninstall Patch (Available) | Read & Write |
| Allow Install Patch: Yes and Manage Patch: Read & Write | Install Patch (Limited Availability) | Read & Write |
| | Uninstall Patch (Limited Availability) | Read & Write |
| Allow Install Patch: Yes and Package: Yes | Export Patch | N/A |
| Allow Uninstall Patch: Yes | Copy Exception | Read & Write |
| | Set Exception | Read & Write |
| Allow Uninstall Patch: Yes and Package | Export Patch | N/A |
| Allow Uninstall Patch: Yes and Manage Patch: Read | Uninstall Patch | Read & Write |
| Manage Patch Compliance Rules: Yes | Change Default Patch Availability | N/A |
| | Change Patch Policy Compliance Rules | N/A |
| | Edit Patch Products (Patch Configuration window) | N/A |
| | Schedule a Patch Policy Scan | N/A |
| Manage Windows Patch Policy: Read | Attach Patch Policy to Server (or Device Group) | Read & Write |
| | Detach Patch Policy from Server (or Device Group) | Read & Write |
| | Open Patch Policy (View) | N/A |
| Manage Windows Patch Policy: Read & Write | Change Patch Policy Properties | N/A |
| | Create Patch Policy | N/A |
| | Delete Patch Policy | N/A |
| | Remove Patch from Patch Policy | N/A |
| Manage Windows Patch Policy: Yes | View Patch Policy Compliance Rules | N/A |
| Manage Patch: Read | Open Patch (View Patch) | N/A |
| | Scan Patch Compliance | N/A |
| Manage Patch: Read & Write | Change Patch Properties | N/A |
| | Delete Patch | N/A |
| | Import Patch Database | N/A |
| Manage Patch: Read & Write and Package | Import Patch | N/A |
| Manage Patch: Read and Manage Windows Patch Policy: Read & Write | Add Patch to Patch Policy | N/A |
| Manage Patch: Read and Package | Export Patch | N/A |
| Manage Policy: Read and Package | Export Patch | N/A |

Patch Management for Solaris - Permissions

This section describes permissions for managing patches on Solaris systems. For patch information on other Unix systems, see Patch Management for Other Unix - Permissions on page 225. For permissions on Solaris patch policies, see Solaris Patch Policy Management - Permissions on page 222.

Table 9 specifies the Patch Management permissions required by users to perform specific actions in the SA Client. For security administrators, the table answers this question: To perform a particular action, what permissions does a user need?

In addition to the feature permissions listed in Table 9, every user action also requires the Managed Servers and Groups feature permission.

In Table 9, most of the entries in the User Action column correspond to menu items in the SA Client. In addition to feature permissions, server permissions are required on the managed servers affected by the patching operation.
If the Allow Install Patch permission is set to Yes, then the Manage Patch permission is automatically set to Read. If you plan to use Solaris patch policies, you should also set Manage Software Policy to Read or Read & Write. For more information, see Solaris Patch Policy Management - Permissions on page 222.

Table 9 Solaris Patch Management Permissions Required for User Actions

Patches

| User Action | Feature Permission | Server Permission (Customer, Facility, Device Group) |
|---|---|---|
| Install Patch (Available) | Allow Install Patch: Yes; Manage Patch: Read | Read & Write |
| Uninstall Patch (Available) | Allow Uninstall Patch: Yes; Manage Patch: Read | Read & Write |
| Install Patch (Limited Availability) | Allow Install Patch: Yes; Manage Patch: Read & Write | Read & Write |
| Uninstall Patch (Limited Availability) | Allow Uninstall Patch: Yes; Manage Patch: Read & Write | Read & Write |
| Open Patch (View Patch) | Manage Patch: Read | N/A |
| Change Patch Properties | Manage Patch: Read & Write | N/A |
| Import Patch | Manage Patch: Read & Write | N/A |
| Export Patch | Manage Patch: Read; Allow Install Patch: Yes (optional); Allow Uninstall Patch: Yes (optional); Manage Software Policy: Read (optional) | N/A |
| Delete Patch | Manage Patch: Read & Write | N/A |

Table 10 lists the actions that users can perform for each Solaris Patch Management permission. Table 10 has the same data as Table 9, but is sorted by feature permission. Although it is not indicated in Table 10, the Managed Servers and Groups permission is required for all Patch Management actions.

For security administrators, Table 10 answers this question: If a user is granted a particular feature permission, what actions can the user perform?

Table 10 User Actions Allowed by Solaris Patch Management Permissions

| Feature Permission | User Action | Server Permission (Customer, Facility, Device Group) |
|---|---|---|
| Allow Install Patch: Yes | Remediate Policy | Read & Write |
| Allow Install Patch: Yes; Manage Patch: Read | Install Patch (Available) | Read & Write |
| | Uninstall Patch (Available) | Read & Write |
| Allow Install Patch: Yes; Manage Patch: Read & Write | Install Patch (Limited Availability) | Read & Write |
| | Uninstall Patch (Limited Availability) | Read & Write |
| Allow Install Patch: Yes (Also sets Manage Patch: Read) | Export Patch | N/A |
| Allow Uninstall Patch: Yes (Also sets Manage Patch: Read) | Export Patch | N/A |
| Allow Uninstall Patch: Yes (Also sets Manage Patch: Read) | Uninstall Patch | Read & Write |
| Manage Patch: Read | Open Patch (View Patch) | N/A |
| | Export Patch | N/A |
| Manage Patch: Read & Write | Change Patch Properties | N/A |
| | Delete Patch | N/A |
| | Import Patch | N/A |

Solaris Patch Policy Management - Permissions

Table 11 specifies the Solaris Patch Policy Management permissions required by users to perform specific actions in the SA Client. For security administrators, the table answers this question: To perform a particular action, what permissions does a user need?
If a customer is assigned to a folder, then customer constraints might limit the objects that can be associated with a Solaris patch policy contained in the folder. For a list of tasks affected by these constraints, see Customer Constraints, Folders, and Software Policies on page 16.

Table 11 Solaris Patch Policy Management Permissions Required for User Actions

Solaris Patch Policy

| User Action | Feature Permission | Server Permission (Customer, Facility, Device Group) | Folder Permissions |
|---|---|---|---|
| Create Solaris Patch Policy | Manage Software Policy: Read & Write | N/A | Write |
| Delete Solaris Patch Policy | Manage Software Policy: Read & Write | N/A | Write |
| Open Solaris Patch Policy (View) | Manage Software Policy: Read | N/A | Read |
| Edit Solaris Patch Policy Properties | Manage Software Policy: Read & Write | N/A | Write |
| Add Patches | Manage Software Policy: Read & Write; Manage Patches: Read | N/A | Folder containing the software policy: Write |
| Add Scripts | Manage Software Policy: Read & Write; Manage Server Scripts: Read | N/A | Folder containing the software policy: Write |
| Remove Patches | Manage Software Policy: Read & Write | N/A | Write |
| Remove Scripts | Manage Software Policy: Read & Write | N/A | Write |
| Attach Solaris Patch Policy | Manage Software Policy: Read; Allow Attach/Detach Software Policy: Yes; Model Public Device Groups: Yes (This permission is required if you are attaching the Solaris patch policy to a public device group.) | Read & Write | Read |
| Detach Solaris Patch Policy | Manage Software Policy: Read; Allow Attach/Detach Software Policy: Yes; Model Public Device Groups: Yes (This permission is required if you are attaching the Solaris patch policy to a public device group.) | Read & Write | Read |
| Remediate | Manage Software Policy: Read; Allow Remediate Servers: Yes; Model Public Device Groups: Yes (Required if you remediate a public device group.) | Read & Write | Read |
| Scan Solaris Patch Compliance | N/A | Read | N/A |
| Rename Solaris Patch Policy | Manage Software Policy: Read & Write | N/A | Write |
| Cut Solaris Patch Policy | Manage Software Policy: Read & Write | N/A | Write |
| Copy Solaris Patch Policy | Manage Software Policy: Read | N/A | Read |
| Paste Solaris Patch Policy | Manage Software Policy: Read & Write | N/A | Source Folder: Read (for copy and paste); Source Folder: Write (for cut and paste); Destination Folder: Write |
| Move Solaris Patch Policy | Manage Software Policy: Read & Write | N/A | Source Folder: Write; Destination Folder: Write |
Patch Management for Other Unix - Permissions

This section describes permissions for managing patches on Unix systems other than Solaris. For Solaris information, see Patch Management for Solaris - Permissions on page 220. You can use software policies with Unix patches. For more information, see Software Management Permissions on page 227.

Table 12 specifies the Patch Management permissions required by users to perform specific actions in the SA Client. For security administrators, the table answers this question: To perform a particular action, what permissions does a user need?

In addition to the feature permissions listed in Table 12, every user action also requires the Managed Servers and Groups feature permission.

In Table 12, most of the entries in the User Action column correspond to menu items in the SA Client. In addition to feature permissions, server permissions are required on the managed servers affected by the patching operation.

If the Allow Install Patch permission is set to Yes, then the Manage Patch permission is automatically set to Read. If you plan to use policies, you should also set Manage Software Policy to Read or Read & Write.

Table 12 Unix Patch Management Permissions Required for User Actions

Patches

| User Action | Feature Permission | Server Permission (Customer, Facility, Device Group) |
|---|---|---|
| Install Patch (Available) | Allow Install Patch: Yes; Manage Patch: Read | Read & Write |
| Uninstall Patch (Available) | Allow Uninstall Patch: Yes and Manage Patch: Read | Read & Write |
| Install Patch (Limited Availability) | Allow Install Patch: Yes; Manage Patch: Read & Write | Read & Write |
| Uninstall Patch (Limited Availability) | Allow Uninstall Patch: Yes and Manage Patch: Read & Write | Read & Write |
| Open Patch (View Patch) | Manage Patch: Read | N/A |
| Change Patch Properties | Manage Patch: Read & Write | N/A |
| Export Patch | Manage Patch: Read and Package; or Allow Install Patch: Yes and Package: Yes; or Allow Uninstall Patch: Yes and Package; or Manage Policy: Read and Package | N/A |
| Delete Patch | Manage Patch: Read & Write | N/A |

Table 13 lists the actions that users can perform for each Patch Management permission. Table 13 has the same data as Table 12, but is sorted by feature permission. Although it is not indicated in Table 13, the Managed Servers and Groups permission is required for all Patch Management actions.

For security administrators, Table 13 answers this question: If a user is granted a particular feature permission, what actions can the user perform?

Table 13 User Actions Allowed by Unix Patch Management Permissions

| Feature Permission | User Action | Server Permission (Customer, Facility, Device Group) |
|---|---|---|
| Allow Install Patch: Yes | Copy Exception | Read & Write |
| | Remediate Policy | Read & Write |
| | Set Exception | Read & Write |
| Allow Install Patch: Yes and Manage Patch: Read | Install Patch (Available) | Read & Write |
| | Uninstall Patch (Available) | Read & Write |
| Allow Install Patch: Yes and Manage Patch: Read & Write | Install Patch (Limited Availability) | Read & Write |
| | Uninstall Patch (Limited Availability) | Read & Write |
| Allow Install Patch: Yes and Package: Yes | Export Patch | N/A |
| Allow Uninstall Patch: Yes | Copy Exception | Read & Write |
| | Set Exception | Read & Write |
| Allow Uninstall Patch: Yes and Package | Export Patch | N/A |
| Manage Patch: Read | Open Patch (View Patch) | N/A |
| Manage Patch: Read & Write | Change Patch Properties | N/A |
| | Delete Patch | N/A |
| | Import Patch Database | N/A |
| Manage Patch: Read & Write and Package | Import Patch | N/A |
| Manage Patch: Read and Manage Policy: Read & Write | Add Patch to Policy | N/A |
| Manage Patch: Read and Package | Export Patch | N/A |
| Manage Policy: Read and Package | Export Patch | N/A |

Software Management Permissions

Table 14 specifies the Software Management permissions required by users to perform specific actions in the SA Client. For security administrators, the table answers this question: To perform a particular action, what permissions does a user need?

If a customer is assigned to a folder, then customer constraints might limit the objects that can be associated with a software policy contained in the folder. For a list of tasks affected by these constraints, see Customer Constraints, Folders, and Software Policies on page 16.

To install software, you must belong to a user group that has the install software feature permissions. This user group must also have folder permissions for the software you want to install.
Table 14 Software Management Permissions Required for User Actions

Software Policy

| User Action | Feature Permission | Server Permission (Customer, Facility, Device Group) | Folder Permissions |
|---|---|---|---|
| Create Software Policy | Manage Software Policy: Read & Write | N/A | Write |
| Delete Software Policy | Manage Software Policy: Read & Write | N/A | Write |
| Open Software Policy (View) | Manage Software Policy: Read | N/A | Read |
| Edit Software Policy Properties | Manage Software Policy: Read & Write | N/A | Write |
| Add Packages | Manage Software Policy: Read & Write; Manage Packages: Read | N/A | Folder containing the software policy: Write |
| Add RPM Packages | Manage Software Policy: Read & Write; Manage Packages: Read | N/A | Folder containing the software policy: Write |
| Add Patches | Manage Software Policy: Read & Write; Manage Patches: Read | N/A | Folder containing the software policy: Write |
| Add Application Configurations | Manage Software Policy: Read & Write; Manage Application Configuration: Read | N/A | Folder containing the software policy: Write |
| Add Scripts | Manage Software Policy: Read & Write; Manage Server Scripts: Read | N/A | Folder containing the software policy: Write |
| Add Server Objects | Manage Software Policy: Read & Write; Manage Packages: Read | N/A | Folder containing the software policy: Write |
| Add Software Policies | Manage Software Policy: Read & Write | N/A | Folder containing the software policy: Write |
| Remove Packages | Manage Software Policy: Read & Write | N/A | Write |
| Remove RPM Packages | Manage Software Policy: Read & Write | N/A | Write |
| Remove Patches | Manage Software Policy: Read & Write | N/A | Write |
| Remove Application Configurations | Manage Software Policy: Read & Write | N/A | Write |
| Remove Software Policies | Manage Software Policy: Read & Write | N/A | Write |
| Remove Scripts | Manage Software Policy: Read & Write | N/A | Write |
| Remove Server Objects | Manage Software Policy: Read & Write | N/A | Write |
| Install/Uninstall Software | Manage Software Policy: Read; Allow Attach/Detach Software Policy: Yes; Allow Install/Uninstall Software: Yes; Model Public Device Groups: Yes (Required if you remediate a public device group) | Read & Write | Read |
| Attach Software Policy | Manage Software Policy: Read; Allow Attach/Detach Software Policy: Yes; Model Public Device Groups: Yes (This permission is required if you are attaching the software policy to a public device group) | Read & Write | Read |
| Detach Software Policy | Manage Software Policy: Read; Allow Attach/Detach Software Policy: Yes; Model Public Device Groups: Yes (This permission is required if you are attaching the software policy to a public device group) | Read & Write | Read |
| Remediate | Manage Software Policy: Read; Allow Remediate Servers: Yes; Model Public Device Groups: Yes (Required if you remediate a public device group) | Read & Write | Read |
| Run ISM Control | Manage Software Policy: Read; Allow Run ISM Control: Yes; Model Public Device Groups: Yes (Required if you run ISM Control on a public device group) | Read & Write | Read |
| Duplicate Zip Package | Manage Software Policy: Read & Write | N/A | Write |
| Edit ZIP Installation Directory | Manage Software Policy: Read & Write | N/A | Write |
| Scan Software Compliance | N/A | Read | N/A |
| Rename Software Policy | Manage Software Policy: Read & Write | N/A | Write |
| Cut Software Policy | Manage Software Policy: Read & Write | N/A | Write |
| Copy Software Policy | Manage Software Policy: Read | N/A | Read |
| Paste Software Policy | Manage Software Policy: Read & Write | N/A | Source Folder: Read (for copy and paste); Source Folder: Write (for cut and paste); Destination Folder: Write |
| Move Software Policy | Manage Software Policy: Read & Write | N/A | Source Folder: Write; Destination Folder: Write |

Folder

| User Action | Feature Permission | Server Permission (Customer, Facility, Device Group) | Folder Permissions |
|---|---|---|---|
| Create Folder | N/A | N/A | Write |
| Delete Folder | N/A | N/A | Write |
| Open Folder | N/A | N/A | Read |
| View Folder Properties | N/A | N/A | Read |
| Edit Folder Properties | N/A | N/A | Write |
| Manage Folder Permissions | N/A | N/A | Edit Folder Permissions |
| Cut Folder | N/A | N/A | Write |
| Copy Folder | N/A | N/A | Read |
| Paste Folder | N/A | N/A | Source Folder: Read (for copy and paste); Source Folder: Write (for cut and paste); Destination Folder: Write |
| Move Folder | N/A | N/A | Source Folder: Write; Destination Folder: Write |
| Rename Folder | N/A | N/A | Write |

Package

| User Action | Feature Permission | Server Permission (Customer, Facility, Device Group) | Folder Permissions |
|---|---|---|---|
| Import Package | Manage Package: Read & Write | N/A | Write |
| Export Package | Manage Package: Read | N/A | Read |
| Open Package (View) | Manage Package: Read | N/A | Read |
| Edit Package Properties | Manage Package: Read & Write | N/A | Read |
| Delete Package | Manage Package: Read & Write | N/A | Write |
| Rename Package | Manage Package: Read & Write | N/A | Write |
| Cut Package | Manage Package: Read & Write | N/A | Write |
| Paste Package | Manage Package: Read & Write | N/A | Source Folder: Read (for copy and paste); Source Folder: Write (for cut and paste); Destination Folder: Write |
| Move Package | Manage Package: Read & Write | N/A | Source Folder: Write; Destination Folder: Write |
Table 15 lists the actions that users can perform for each Software Management permission.
Table 15 has the same data as Table 14, but is sorted by feature permission. For security
administrators, Table 15 answers this question: If a user is granted a particular feature
permission, what actions can the user perform?
Table 15 User Actions Allowed by Software Management Permissions

| Feature Permission | User Action | Server Permission (Customer, Facility, Device Group) | Folder Permissions |
|---|---|---|---|
| Manage Software Policy: Read & Write | Create Software Policy | N/A | Write |
| | Delete Software Policy | N/A | Write |
| | Edit Software Policy | N/A | Write |
| | Rename Software Policy | N/A | Write |
| | Cut Software Policy | N/A | Write |
| | Paste Software Policy | N/A | Write |
| | Move Software Policy | N/A | Write |
| | Remove Packages | N/A | Write |
| | Remove Patches | N/A | Write |
| | Remove Application Configurations | N/A | Write |
| | Remove Scripts | N/A | Write |
| | Remove Server Objects | N/A | Write |
| | Remove Software Policy | N/A | Write |
| | Duplicate ZIP packages | N/A | Write |
| Manage Software Policy: Read | Open Software Policy (View) | N/A | Read |
| | Copy Software Policy Properties | N/A | Read |
| Manage Software Policy: Read & Write and Manage Package: Read | Add Packages; Add RPM Packages | N/A | Folder containing the software policy: Write; Folder containing the package: Read |
| Manage Software Policy: Read & Write and Manage Patches: Read | Add Patches | N/A | Folder containing the software policy: Write; Folder containing the patch: Read |
| Manage Software Policy: Read & Write and Manage Application Configuration: Read | Add Application Configurations | N/A | Folder containing the software policy: Write; Folder containing the application configuration: Read |
| Manage Software Policy: Read & Write | Add Software Policies | N/A | Folder containing the software policy: Write; Folder containing the software policy to be added to another software policy: Read |
| Manage Software Policy: Read & Write and Manage Server Scripts: Read | Add Scripts | N/A | Folder containing the software policy: Write; Folder containing the scripts: Read |
| Manage Software Policy: Read & Write and Manage Packages: Read | Add Server Objects | N/A | Folder containing the software policy: Write; Folder containing the server objects: Read |
| Manage Software Policy: Read & Write | Remove Packages | N/A | Write |
| | Remove RPM Packages | N/A | Write |
| | Remove Patches | N/A | Write |
| | Remove Application Configurations | N/A | Write |
| | Remove Scripts | N/A | Write |
| | Remove Server Objects | N/A | Write |
| | Remove Software Policies | N/A | Write |
| Manage Software Policy: Read and Allow Attach/Detach Software Policy: Yes and Model Public Device Groups: Yes (Required if you are attaching the software policy to a public device group) | Attach Software Policy | Read & Write | Read |
| | Detach Software Policy | Read & Write | Read |
| Manage Software Policy: Read and Allow Remediate Servers: Yes and Model Public Device Groups: Yes (Required if you remediate a public device group) | Remediate | Read & Write | Read |
| Manage Software Policy: Read and Allow Attach/Detach Software Policy: Yes and Allow Install/Uninstall Software: Yes and Model Public Device Groups: Yes (Required if you remediate a public device group) | Install/Uninstall Software | Read & Write | Read |
| Manage Software Policy: Read and Allow Run ISM Control: Yes and Model Public Device Groups: Yes (Required if you run ISM Control on a public device group) | Run ISM Control | Read & Write | Read |
| Manage Package: Read & Write | Import Package | N/A | Write |
| | Delete Package | N/A | Write |
| | Rename Package | N/A | Write |
| | Cut Package | N/A | Write |
| | Paste Package | N/A | Write |
| | Move Package | N/A | Write |
| Manage Package: Read & Write | Edit Package Properties | N/A | Read |
| Manage Package: Read | Export Package | N/A | Read |
| | Open Package (View) | N/A | Read |

Script Execution Permissions

Table 16 specifies the Script Execution permissions required by users to perform specific actions in the SA Client. For security administrators, the table answers this question: To perform a particular action, what permissions does a user need?
If a customer is assigned to a folder, then customer constraints might limit the objects that can be associated with a software policy contained in the folder. For a list of tasks affected by these constraints, see Customer Constraints, Folders, and Software Policies on page 16.

Table 16 Script Execution Permissions Required for User Actions

| User Action | Feature Permission | Server Permission (Customer, Facility, Device Group) | Folder Permissions |
|---|---|---|---|
| Creating a Non Super User Server Script | Manage Server Script: Read & Write | N/A | Write |
| Creating a Super User Server Script | Manage Server Script: Read & Write; Allow Control of Super User Server Scripts: Yes | N/A | Write |
| Creating an OGFS Script | Manage OGFS Script: Read & Write | N/A | Write |
| Opening (Viewing all script properties except script contents) a Non Super User Server Script | Manage Server Script: Read | N/A | Execute |
| Opening (Viewing all script properties including script contents) a Non Super User Server Script | Manage Server Script: Read | N/A | Read |
| Opening (Viewing all script properties except script contents) a Super User Server Script | Manage Server Script: Read; Allow Control of Super User Server Scripts: Yes | N/A | Execute |
| Opening (Viewing all script properties including script contents) a Super User Server Script | Manage Server Script: Read; Allow Control of Super User Server Scripts: Yes | N/A | Read |
| Opening (Viewing all script properties except script contents) an OGFS Script | Manage OGFS Script: Read | N/A | Execute |
| Opening (Viewing all script properties including script contents) an OGFS Script | Manage OGFS Script: Read | N/A | Read |
| Editing Non Super User Server Script Properties | Manage Server Script: Read & Write (Note: The Allow Control of Super User Server Scripts: Yes permission is required to edit the script property Can Run as Super User.) | N/A | Write |
| Editing a Super User Server Script | Manage Server Script: Read & Write; Allow Control of Super User Server Scripts: Yes | N/A | Write |
| Editing OGFS Script Properties | Manage OGFS Script: Read & Write | N/A | Write |
| Locating Server Script in Folders | Manage Server Script: Read | N/A | Read |
| Locating OGFS Script in Folders | Manage OGFS Script: Read | N/A | Read |
| Exporting a Server Script | Manage Server Script: Read | N/A | Read |
| Exporting an OGFS Script | Manage OGFS Script: Read | N/A | Read |
| Renaming a Server Script | Manage Server Script: Read & Write | N/A | Write |
| Renaming a Super User Server Script | Manage Server Script: Read & Write; Allow Control of Super User Server Scripts: Yes | N/A | Write |
| Renaming an OGFS Script | Manage OGFS Script: Read & Write | N/A | Write |
| Deleting a Server Script | Manage Server Script: Read & Write | N/A | Write |
| Deleting a Super User Server Script | Manage Server Script: Read & Write; Allow Control of Super User Server Scripts: Yes | N/A | Write |
| Deleting an OGFS Script | Manage OGFS Script: Read & Write | N/A | Write |
| Running Server Script as Super User | Managed Servers and Groups: Yes | Read and Write | Execute |
| Running Server Script as a Super User (by copying the script contents from another script) | Manage Server Script: Read; Run Ad-Hoc Scripts: Yes; Run Ad-Hoc Scripts and Source Visible Server Scripts as Super User: Yes; Managed Servers and Groups: Yes | Read and Write | Read |
| Running Server Script as a specified user | Managed Servers and Groups: Yes | Read and Write | Execute |
| Running Server Script as a specified user (by copying the script contents from another script) | Manage Server Script: Read; Run Ad-Hoc Scripts: Yes; Managed Servers and Groups: Yes | Read and Write | Read |
| Running Ad-Hoc Scripts | Run Ad-Hoc Scripts: Yes; Managed Servers and Groups: Yes | Read and Write | N/A |
| Running Ad-Hoc Scripts as super user | Run Ad-Hoc Scripts: Yes; Run Ad-Hoc Scripts and Source Visible Server Scripts as Super User: Yes; Managed Servers and Groups: Yes | Read and Write | N/A |
| Running OGFS Scripts | N/A | N/A | Execute |
Table 17 lists the actions that users can perform for each Script Execution permission.
Table 17 has the same data as Table 16, but is sorted by feature permission. For security
administrators, Table 17 answers this question: If a user is granted a particular feature
permission, what actions can the user perform?
Table 17 User Actions Allowed by Script Execution Permissions

| Feature Permission | User Action | Server Permission (Customer, Facility, Device Group) | Folder Permissions |
|---|---|---|---|
| Manage Server Script: Read & Write | Creating a Non Super User Server Script | N/A | Write |
| | Editing Non Super User Server Script Properties | N/A | Write |
| | Deleting a Non Super User Server Script | N/A | Write |
| | Renaming a Non Super User Server Script | N/A | Write |
| Manage Server Script: Read | Opening (Viewing all script properties including script contents) a Non Super User Server Script; Opening (Viewing all script properties including script contents) a Super User Server Script | N/A | Read |
| | Locating Server Script in Folders | N/A | Read |
| | Exporting Server Scripts | N/A | Read |
| Manage Server Script: Read | Opening (Viewing all script properties excluding script contents) a Non Super User Server Script; Opening (Viewing all script properties excluding script contents) a Super User Server Script | | Execute |
| Manage Server Script: Read & Write and Allow Control of Super User Server Scripts: Yes | Creating a Super User Server Script | N/A | Write |
| | Editing Super User Server Script Properties; Editing Non Super User Server Script Properties | N/A | Write |
| | Renaming a Super User Server Script; Renaming a Non Super User Server Script | N/A | Write |
| | Deleting a Super User Server Script; Deleting a Non Super User Server Script | N/A | Write |
| Manage OGFS Script: Read & Write | Creating an OGFS Script | N/A | Write |
| | Editing OGFS Script Properties | N/A | Write |
| | Deleting an OGFS Script | N/A | Write |
| | Renaming an OGFS Script | N/A | Write |
| Manage OGFS Script: Read | Opening (Viewing all the OGFS Script Properties, including script contents) an OGFS Script | N/A | Read |
| | Locating OGFS Script in Folders | N/A | Read |
| | Exporting OGFS Scripts | N/A | Read |
| Manage OGFS Script: Read | Opening (Viewing all the OGFS Script Properties, excluding script contents) an OGFS Script | N/A | Execute |
| Run Ad-Hoc Scripts | Running Ad-Hoc scripts | Read and Write | N/A |
| Run Ad-Hoc Scripts and Source Visible Server Scripts as Super User | Running Ad-Hoc scripts as super user | Read and Write | N/A |
| N/A | Running Non Super User Server Script | Read and Write | Execute |
| N/A | Running Private Scripts | Read and Write | Execute (on Home folder) |
| N/A | Running OGFS Scripts | N/A | Execute |

The following table lists the script execution permissions required for running scripts using a software policy.
Table 18 Script Execution Permissions Required for Software Management

User Action | Feature Permission | Server Permission (Customer, Facility, Device Group) | Folder Permissions
Adding a Server Script to a software policy | Manage Server Scripts: Read | N/A | Read
Adding a Server Script to the Options step in the Remediate window | N/A | N/A | Execute
Adding a Server Script to the Options step in the Remediate window (copying the script contents) | Manage Server Scripts: Read; Run Ad-Hoc Scripts: Yes | N/A | Read
Adding a Super User Server Script to the Options step in the Remediate window | Manage Server Scripts: Read; Run Ad-Hoc Scripts: Yes; Run Ad-Hoc Scripts and Source Visible Server Scripts as Super User: Yes | N/A | Read
Specifying an Ad-Hoc Script in the Options step in the Remediate window | Run Ad-Hoc Scripts: Yes | N/A | N/A
Specifying a Super User Ad-Hoc Script in the Options step in the Remediate window | Run Ad-Hoc Scripts: Yes; Run Ad-Hoc Scripts and Source Visible Server Scripts as Super User: Yes | N/A | N/A
Adding a Server Script to the Options step in the Install Software window | N/A | N/A | Execute
Adding a Server Script to the Options step in the Install Software window (copying the script contents) | Manage Server Scripts: Read; Run Ad-Hoc Scripts: Yes | N/A | Read
Adding a Super User Server Script to the Options step in the Install Software window | Manage Server Scripts: Read; Run Ad-Hoc Scripts: Yes; Run Ad-Hoc Scripts and Source Visible Server Scripts as Super User: Yes | N/A | Read
Specifying an Ad-Hoc Script in the Options step in the Install Software window | Run Ad-Hoc Scripts: Yes | N/A | N/A
Specifying a Super User Ad-Hoc Script in the Options step in the Install Software window | Run Ad-Hoc Scripts: Yes; Run Ad-Hoc Scripts and Source Visible Server Scripts as Super User: Yes | N/A | N/A

Audit and Remediation Permissions
Table 19 specifies the Audit and Remediation permissions required by users to perform specific actions in the SA Client. For security administrators, the table answers this question: To perform a particular action, what permissions does a user need?
In addition to the feature permissions listed in Table 19, every user action also requires the Managed Servers and Groups feature permission.
Server Permissions for Audit and Remediation
Audit and Remediation actions require both feature permissions and server permissions. For example, the Create Audit action requires the feature permission Manage Audit: Read & Write and the Managed Servers and Groups feature permission. This action also needs Read permission on the server referenced by the Audit. In Table 19, the Server Permission column is for the servers referenced by the Audit or Snapshot Specification, depending on the action. Server permissions are specified by the customer, facility, and device group permissions in the SAS Web Client.
If an Audit and Remediation object (such as a Snapshot Specification) references multiple servers, at least Read permission is required for all servers referenced. Otherwise, the object cannot be viewed or modified.
Audit and Remediation objects are not directly associated with customers and facilities, but customer and facility permissions do control access to the servers referenced by Audit and Remediation objects, such as Snapshot Specifications and Audits.
OGFS Permissions for Audit and Remediation
For the actions that access a managed server's file system, the OGFS Read Server File System permission is required. For example, the Read Server File System permission is required to create a Snapshot Specification with rules that include the files of a managed server. Such rules include Application Configurations, Custom Scripts, COM+ objects, File System, IIS Metabase entries, and Windows Registry.
Other types of selection criteria require the corresponding OGFS permissions:
Read Server Registry
Read COM+ Database
Read IIS Metabase
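The layered check described above (feature permission, OGFS permission and server permission, all of which must hold, with at least Read on every server the object references) as an added example in Python; this is not HP's code. It encodes a handful of Table 19 rows and assumes the effective server permission has already been derived per server from the customer, facility and device group permissions; the user and server names are constructed.

```python
"""Evaluator for the Audit and Remediation permission checks described above.

Added example, not HP's code. Every action needs the Managed Servers and
Groups feature permission, the row's feature permissions, its OGFS permission
where one is listed, and at least the row's server permission on EVERY server
the Audit or Snapshot Specification references. How SA derives the effective
server permission from customer, facility and device group is not modelled:
it is assumed to be precomputed per server.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set

# Ordering of the levels used in the Server Permission column.
_LEVEL = {"None": 0, "Read": 1, "Read & Write": 2}


@dataclass
class Requirement:
    feature: Dict[str, str]                   # feature permission -> minimum ("Read", "Read & Write" or "Yes")
    ogfs: FrozenSet[str] = frozenset()        # OGFS permissions the row lists (empty for N/A)
    server: str = "Read"                      # minimum permission on each referenced server


# A constructed subset of Table 19 (Audits and Audit Results sections).
TABLE_19: Dict[str, Requirement] = {
    "View an Audit": Requirement({"Manage Audit": "Read"}),
    "Create an Audit": Requirement({"Manage Audit": "Read & Write"}, server="Read & Write"),
    "Create Windows Registry Rule": Requirement(
        {"Manage Audit": "Read & Write", "Allow Create Task Specific Policy": "Yes"},
        frozenset({"Read Server Registry"}), "Read & Write"),
    "Remediate Audit Results: Files": Requirement(
        {"Manage Audit": "Read",
         "Manage Audit Results": "Read & Write",
         "Allow Remediate Audit/Snapshot Results": "Yes"},
        frozenset({"Write Server File System"}), "Read & Write"),
}


@dataclass
class User:
    feature: Dict[str, str] = field(default_factory=dict)
    ogfs: Set[str] = field(default_factory=set)
    # server name -> effective server permission (assumed precomputed, see module docstring)
    server: Dict[str, str] = field(default_factory=dict)


def _satisfies(have: str, need: str) -> bool:
    """Yes/No flags must match exactly; Read levels are ordered."""
    if need == "Yes":
        return have == "Yes"
    return _LEVEL.get(have, 0) >= _LEVEL[need]


def missing_permissions(user: User, action: str, referenced_servers: List[str]) -> List[str]:
    """Return every unmet requirement for `action`; an empty list means it is allowed.

    All gaps are reported rather than stopping at the first one, which is what
    an administrator wants when deciding which user group to adjust.
    """
    req = TABLE_19[action]
    gaps: List[str] = []
    # Rule from the text: Managed Servers and Groups is required for every action.
    if user.feature.get("Managed Servers and Groups") != "Yes":
        gaps.append("feature: Managed Servers and Groups: Yes")
    for name, need in req.feature.items():
        if not _satisfies(user.feature.get(name, "None"), need):
            gaps.append(f"feature: {name}: {need}")
    for perm in sorted(req.ogfs - user.ogfs):
        gaps.append(f"OGFS: {perm}")
    # Multi-server rule: the object is unusable unless every referenced server qualifies.
    for srv in referenced_servers:
        if not _satisfies(user.server.get(srv, "None"), req.server):
            gaps.append(f"server {srv}: {req.server}")
    return gaps


def example_auditor() -> User:
    """Constructed sample user: can manage audits but has no access to db01."""
    return User(
        feature={"Managed Servers and Groups": "Yes",
                 "Manage Audit": "Read & Write",
                 "Allow Create Task Specific Policy": "Yes"},
        ogfs=set(),
        server={"web01": "Read & Write", "db01": "None"},
    )


if __name__ == "__main__":
    u = example_auditor()
    for action, servers in [("View an Audit", ["web01"]),
                            ("View an Audit", ["web01", "db01"]),
                            ("Create Windows Registry Rule", ["web01"])]:
        print(action, servers, missing_permissions(u, action, servers) or "allowed")
```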
Audit and Remediation User Action Permissions
The following table lists typical Audit and Remediation user actions and the permissions
required to perform them.
Table 19 Audit and Remediation Permissions Required for User Actions

User Action | Feature Permission | OGFS Permission | Server Permission (Customer, Facility, Device Group)
Snapshot Specification
View contents of Snapshot Specification | Manage Snapshot Specification: Read | N/A | Read
Schedule and run a Snapshot Specification | Manage Snapshot Specification: Read | N/A | Read
Create Snapshot Specification | Manage Snapshot Specification: Read & Write | N/A | Read & Write
Create Application Configuration Rule | Manage Snapshot Specification: Read & Write; Allow Create Task Specific Policy: Yes | Write Server File System | Read & Write
Create COM+ Rule | Manage Snapshot Specification: Read & Write; Allow Create Task Specific Policy: Yes | Read COM+ Database | Read & Write
Create Custom Script Rule | Manage Snapshot Specification: Read & Write; Allow Create Task Specific Policy: Yes; Allow Create Custom Script Policy Rules: Yes | Write Server File System | Read & Write
Create Files Rule | Manage Snapshot Specification: Read & Write; Allow Create Task Specific Policy: Yes | Write Server File System | Read & Write
Create IIS Metabase Rule | Manage Snapshot Specification: Read & Write; Allow Create Task Specific Policy: Yes | Read IIS Metabase | Read & Write
Create Registry Rule | Manage Snapshot Specification: Read & Write; Allow Create Task Specific Policy: Yes | Read Server Registry | Read & Write
Link Audit Policy into Snapshot Specification | Manage Snapshot Specification: Read & Write; Manage Audit Policy: Read; Library Folder: Read | N/A | Read & Write
Import Audit Policy into Snapshot Specification | Manage Snapshot Specification: Read & Write; Manage Audit Policy: Read; Library Folder: Read | N/A | Read & Write
Save As Audit Policy | Manage Snapshot Specification: Read & Write; Manage Audit Policy: Read & Write; Library Folder: Read & Write | N/A | Read & Write
Snapshots
View, list contents of a Snapshot | Manage Snapshot: Read; Manage Snapshot Specification: Read | N/A | Read
Create Audit from Snapshot | Manage Snapshot: Read; Manage Snapshot Specification: Read; Manage Audit: Read | N/A | Read
View Archived Snapshot | Manage Snapshot: Read | N/A | Read
Create Audit from archived Snapshot | Manage Snapshot: Read; Manage Audit: Read | N/A | Read
Delete Snapshot results | Manage Snapshot: Read & Write | N/A | Read & Write
Detach Snapshot from a server | Allow General Snapshot Management: Yes; Manage Snapshot: Read & Write; Manage Snapshot Specification: Read | N/A | Read
Remediate Snapshot results | Manage Snapshot: Read; Manage Snapshot Specification: Read; Allow Remediate Audit/Snapshot Results: Yes | N/A | Read & Write
Remediate Snapshot Results: Application Configuration | Manage Snapshot: Read; Allow Remediate Audit/Snapshot Results: Yes; Manage Snapshot Specification: Read | Write Server File System | Read & Write
Remediate Snapshot Results: COM+ | Manage Snapshot: Read; Allow Remediate Audit/Snapshot Results: Yes; Manage Snapshot Specification: Read | Read COM+ Database | Read & Write
Remediate Snapshot Results: Custom Scripts | Manage Snapshot: Read; Allow Remediate Audit/Snapshot Results: Yes; Manage Snapshot Specification: Read | Write Server File System | Read & Write
Remediate Snapshot Results: File System | Manage Snapshot: Read; Allow Remediate Audit/Snapshot Results: Yes; Manage Snapshot Specification: Read | Write Server File System | Read & Write
Remediate Snapshot Results: Metabase | Manage Snapshot: Read; Allow Remediate Audit/Snapshot Results: Yes; Manage Snapshot Specification: Read | Read IIS Metabase | Read & Write
Remediate Snapshot Results: Registry | Manage Snapshot: Read; Allow Remediate Audit/Snapshot Results: Yes; Manage Snapshot Specification: Read | Read Server Registry | Read & Write
Audits
View an Audit | Manage Audit: Read | N/A | Read
Schedule and run an Audit | Manage Audit: Read; Manage Audit Result: Read & Write | N/A | Read
Create an Audit | Manage Audit: Read & Write | N/A | Read & Write
Create Application Configuration Rule | Manage Audit: Read & Write; Allow Create Task Specific Policy: Yes | Write Server File System | Read & Write
Create COM+ Rule | Manage Audit: Read & Write; Allow Create Task Specific Policy: Yes | Read COM+ Database | Read & Write
Create Custom Script Rule | Manage Audit: Read & Write; Allow Create Custom Script Policy Rules: Yes; Allow Create Task Specific Policy: Yes | Write Server File System | Read & Write
Create Discovered Software Rule | Manage Audit: Read & Write; Manage Server Modules: Read; Allow Create Task Specific Policy: Yes | N/A | Read & Write
Create Files Rule | Manage Audit: Read & Write; Allow Create Task Specific Policy: Yes | Write Server File System | Read & Write
Create Hardware Rule | Manage Audit: Read & Write; Allow Create Task Specific Policy: Yes | N/A | Read & Write
Create IIS Metabase Rule | Manage Audit: Read & Write; Allow Create Task Specific Policy: Yes | Read IIS Metabase | Read & Write
Create Internet Information Server Rule | Manage Audit: Read & Write; Allow Create Task Specific Policy: Yes | N/A | Read & Write
Create Registered Software Rule | Manage Audit: Read & Write; Allow Create Task Specific Policy: Yes; Manage Server Modules: Read | N/A | Read & Write
Create Runtime State Rule | Manage Audit: Read & Write; Allow Create Task Specific Policy: Yes; Manage Server Modules: Read | N/A | Read & Write
Create Software Rule | Manage Audit: Read & Write; Allow Create Task Specific Policy: Yes | N/A | Read & Write
Create Storage Rule | Manage Audit: Read & Write; Allow Create Task Specific Policy: Yes; Manage Server Modules: Read | N/A | Read & Write
Create Weblogic Rule | Manage Audit: Read & Write; Allow Create Task Specific Policy: Yes; Manage Server Modules: Read | N/A | Read & Write
Create .NET Framework Configurations Rule | Manage Audit: Read & Write; Allow Create Task Specific Policy: Yes; Manage Server Modules: Read | N/A | Read & Write
Create Windows Registry Rule | Manage Audit: Read & Write; Allow Create Task Specific Policy: Yes | Read Server Registry | Read & Write
Create Windows Services Rule | Manage Audit: Read & Write; Allow Create Task Specific Policy: Yes | N/A | Read & Write
Create Windows/Unix Users and Groups Rule | Manage Audit: Read & Write; Allow Create Task Specific Policy: Yes; Manage Server Modules: Read | N/A | Read & Write
Link an Audit Policy into an Audit | Manage Audit: Read & Write; Allow Create Task Specific Policy: Yes; Manage Audit Policy: Read; SA Client Library Folder: Read | N/A | Read & Write
Import an Audit Policy into an Audit | Manage Audit: Read & Write; Manage Audit Policy: Read; Library Folder: Read | N/A | Read & Write
Save as Audit Policy | Manage Audit: Read & Write; Manage Audit Policy: Read & Write; Library Folder: Read & Write | N/A | Read & Write
Audit Results
View Audit Results | Manage Audit Results: Read; Manage Audit: Read | N/A | Read
View Archived Audit Results | Manage Audit: Read | N/A | Read
Delete Audit Results | Manage Audit Results: Read & Write | N/A | Read & Write
Remediate Audit Results | Manage Audit: Read; Manage Audit Results: Read & Write; Allow Remediate Audit/Snapshot Results: Yes | N/A | Read & Write
Remediate Audit Results: Application Configuration | Manage Audit: Read; Manage Audit Results: Read & Write; Allow Remediate Audit/Snapshot Results: Yes | Write Server File System | Read & Write
Remediate Audit Results: COM+ | Manage Audit: Read; Manage Audit Results: Read & Write; Allow Remediate Audit/Snapshot Results: Yes | Read COM+ Database | Read & Write
Remediate Audit Results: Custom Script Rule | Manage Audit: Read; Manage Audit Results: Read & Write; Allow Remediate Audit/Snapshot Results: Yes | Write Server File System | Read & Write
Remediate Audit Results: Discovered Software | Manage Audit: Read; Manage Audit Results: Read & Write; Allow Remediate Audit/Snapshot Results: Yes; Manage Server Module: Read; Allow Execute Server Modules: Yes | N/A | Read & Write
Remediate Audit Results: Files | Manage Audit: Read; Manage Audit Results: Read & Write; Allow Remediate Audit/Snapshot Results: Yes | Write Server File System | Read & Write
Remediate Audit Results: IIS Metabase | Manage Audit: Read; Manage Audit Results: Read & Write; Allow Remediate Audit/Snapshot Results: Yes | Read IIS Metabase | Read & Write
Remediate Audit Results: Remediate Internet Information Server | Manage Audit: Read; Manage Audit Results: Read & Write; Allow Remediate Audit/Snapshot Results: Yes | Read IIS Metabase | Read & Write
Remediate Audit Results: Remediate Discovered Software | Manage Audit: Read; Manage Audit Results: Read & Write; Allow Remediate Audit/Snapshot Results: Yes; Manage Server Module: Read; Allow Execute Server Modules: Yes | N/A | Read & Write
Remediate Audit Results: Remediate Software | Manage Audit: Read; Manage Audit Results: Read & Write | N/A | Read & Write
Remediate Audit Results: Remediate Storage | Manage Audit: Read; Manage Audit Results: Read & Write; Allow Remediate Audit/Snapshot Results: Yes; Manage Server Module: Read; Allow Execute Server Modules: Yes | N/A | Read & Write
Remediate Audit Results: Remediate Weblogic | Manage Audit: Read; Manage Audit Results: Read & Write; Allow Remediate Audit/Snapshot Results: Yes; Manage Server Module: Read; Allow Execute Server Modules: Yes | N/A | Read & Write
Remediate Audit Results: Remediate Windows .NET Framework Configurations | Manage Audit: Read; Manage Audit Results: Read & Write; Allow Remediate Audit/Snapshot Results: Yes; Manage Server Module: Read; Allow Execute Server Modules: Yes | N/A | Read & Write
Remediate Audit Results: Windows Registry | Manage Audit: Read; Manage Audit Results: Read & Write; Allow Remediate Audit/Snapshot Results: Yes | Read Server Registry | Read & Write
Remediate Audit Results: Windows Services | Manage Audit: Read; Manage Audit Results: Read & Write; Allow Remediate Audit/Snapshot Results: Yes | N/A | Read & Write
Remediate Audit Results: Remediate Windows/Unix Users and Groups | Manage Audit: Read; Manage Audit Results: Read & Write; Allow Remediate Audit/Snapshot Results: Yes; Manage Server Module: Read; Allow Execute Server Modules: Yes | N/A | Read & Write

Table 20 lists the actions that users can perform for each Audit and Remediation permission. Table 20 has the same data as Table 19, but is sorted by feature permission. Although it is not indicated in Table 20, the Managed Servers and Groups permission is required for all Audit and Remediation actions.
For security administrators, Table 20 answers this question: If a user is granted a particular Audit and Remediation feature permission, what actions can the user perform?
Table 20 User Actions Allowed by Audit and Remediation Permissions

Feature Permission | User Action | OGFS Permission | Server Permission (Customer, Facility, Device Group)
Allow Create Custom Script Rule Policy: No and Manage Audit: Read | View Custom Script Rule: Audit | N/A | Read
Allow Create Custom Script Rule Policy: Yes and Manage Audit: Read & Write | Create Custom Script Rule: Audit | Write Server File System | Read & Write
Allow Create Custom Script Rule Policy: No and Manage Snapshot: Read & Write | View Custom Script Rule: Snapshot | N/A | Read
Allow Create Custom Script Rule Policy: Yes and Manage Snapshot: Read & Write | Create Custom Script Rule: Snapshot | Write Server File System | Read & Write
Allow General Snapshot Management: Yes | Detach Snapshot from a server | N/A | Read
Manage Snapshot Specification: Read and Allow Remediate Audit/Snapshot Results: No and Manage Audit or Manage Snapshot: Read | View Audit or Snapshot, no remediation | N/A | Read
Manage Snapshot Specification: Read and Allow Remediate Audit/Snapshot Results: Yes and Manage Audit or Manage Snapshot: Read & Write | Remediate Audit/Snapshot Results | N/A | Read & Write
Manage Snapshot Specification: Read and Allow Remediate Audit/Snapshot Results: Yes and Manage Audit or Manage Snapshot Results: Read & Write | Remediate Application Configuration Rule | Write Server File System | Read & Write
Manage Snapshot Specification: Read and Allow Remediate Audit/Snapshot Results: Yes and Manage Audit or Manage Snapshot Results: Read & Write | Remediate COM+ Rule | Read COM+ Database | Read & Write
Manage Snapshot Specification: Read and Allow Remediate Audit/Snapshot Results: Yes and Manage Audit or Manage Snapshot Results: Read & Write | Remediate Custom Script Rule | Write Server File System | Read & Write
Manage Snapshot Specification: Read and Allow Remediate Audit/Snapshot Results: Yes and Manage Audit or Manage Snapshot Results: Read & Write | Remediate File System Rule | Write Server File System | Read & Write
Manage Snapshot Specification: Read and Allow Remediate Audit/Snapshot Results: Yes and Manage Audit or Manage Snapshot Results: Read & Write | Remediate IIS Metabase Rule | Read IIS Metabase | Read & Write
Manage Snapshot Specification: Read and Allow Remediate Audit/Snapshot Results: Yes and Manage Audit or Manage Snapshot Results: Read & Write | Remediate Windows Registry Rule | Read Server Registry | Read & Write
Manage Audit: Read | View, schedule, run Audit | N/A | Read
Manage Audit: Read & Write and Allow Create Task Specific Policy: Yes | Create, edit, delete Audit | N/A | Read & Write
Manage Audit: Read & Write and Allow Create Task Specific Policy: Yes | Save Audit as Audit Policy | N/A | Read & Write
Manage Audit: Read & Write and Allow Create Task Specific Policy: Yes | Link Audit Policy into Audit | N/A | Read & Write
Manage Audit: Read & Write and Allow Create Task Specific Policy: Yes | Create Application Configuration Rule | Write Server File System | Read & Write
Manage Audit: Read & Write and Allow Create Task Specific Policy: Yes | Create COM+ Rule | Read COM+ Database | Read & Write
Manage Audit: Read & Write and Allow Create Task Specific Policy: Yes | Create File System Rule | Write Server File System | Read & Write
Manage Audit: Read & Write and Allow Create Task Specific Policy: Yes | Create IIS Metabase Rule | Read IIS Metabase | Read & Write
Manage Audit: Read & Write and Allow Create Task Specific Policy: Yes | Create Windows Registry Rule | Read Server Registry | Read & Write
Manage Audit: Read & Write and Allow Create Custom Script Policy Rules: Yes and Allow Create Task Specific Policy: Yes | Create Custom Scripts Rule | Write Server File System | Read & Write
Manage Audit: Read & Write and Manage Server Module: Read and Allow Create Task Specific Policy | Create the following Audit Rules: Discovered Software, Registered Software, Runtime State, Storage, Weblogic, Windows .NET Framework Configurations, Windows Users and Groups | N/A | Read & Write
Manage Audit Results: Read | View Audit Results | N/A | Read
Manage Audit Results: Read & Write | Delete Audit Results | N/A | Read & Write
Manage Snapshot Specification: Read & Write | View, schedule, run Snapshot Specification | N/A | Read
Manage Snapshot Specification: Read & Write and Allow Create Task Specific Policy | Create, edit, and delete Snapshot Specification | N/A |
Manage Snapshot Specification: Read & Write and Allow Create Task Specific Policy | Save Snapshot Specification as Audit Policy (This action requires Read & Write for the library folder where the policy lives.) | N/A |
Manage Snapshot Specification: Read & Write and Allow Create Task Specific Policy | Link Audit Policy into Audit | N/A | Read & Write
Manage Snapshot Specification: Read & Write and Allow Create Task Specific Policy | Create Application Configuration Rule | Write Server File System | Read & Write
Manage Snapshot Specification: Read & Write and Allow Create Task Specific Policy | Create COM+ Rule | Read COM+ Database | Read & Write
Manage Snapshot Specification: Read & Write and Allow Create Task Specific Policy | Create Discovered Software | |
Manage Snapshot Specification: Read & Write and Allow Create Task Specific Policy | Create File System Rule | Write Server File System | Read & Write
Manage Snapshot Specification: Read & Write and Allow Create Task Specific Policy | Create IIS Metabase Rule | Read IIS Metabase | Read & Write
Manage Snapshot Specification: Read & Write and Allow Create Task Specific Policy | Create Windows Registry Rule | Read Server Registry | Read & Write
Manage Snapshot Specification: Read & Write and Manage Server Module: Read and Allow Create Task Specific Policy | Create the following Snapshot Rules: Discovered Software, Registered Software, Runtime State, Storage, Weblogic, Windows .NET Framework Configurations, Windows Users and Groups | N/A | Read & Write
Manage Snapshot Specification: Read & Write and Create Custom Script Policy Rule and Allow Create Task Specific Policy | Create Custom Rule for Snapshot Specification | Write Server File System | Read & Write
Manage Snapshot: Read | View contents of Snapshot | N/A | Read
Manage Snapshot: Read & Write | Delete Snapshot results | N/A | Read & Write
Manage Audit Policy: Read | View contents of Audits and Snapshot Specifications | N/A | Read
Manage Audit Policy: Read & Write | Create, edit Audit Policy | N/A | Read & Write
Manage Audit Policy: Read & Write | Create Application Configuration Rule | Write Server File System | Read & Write
Manage Audit Policy: Read & Write | Create COM+ Rule | Read COM+ Database | Read & Write
Manage Audit Policy: Read & Write | Create File System Rule | Write Server File System | Read & Write
Manage Audit Policy: Read & Write | Create IIS Metabase Rule | Read IIS Metabase | Read & Write
Manage Audit Policy: Read & Write | Create Windows Registry Rule | Read Server Registry | Read & Write
Manage Audit Policy: Read & Write and Manage Server Module: Read | Create the following Snapshot Rules: Discovered Software, Registered Software, Runtime State, Storage, Weblogic, Windows .NET Framework Configurations, Windows Users and Groups | N/A | Read & Write
Manage Audit Policy: Read & Write and Allow Create Custom Script Policy Rule | Create Custom Script Rule | Write Server File System | Read & Write

Service Automation Visualizer Permissions
Table 21 specifies the Service Automation Visualizer (SAV) permissions required to perform specific actions in the SA Client. For security administrators, the table answers this question: To perform a particular action, what permissions does a user need?
In Table 21, most of the entries in the User Action column correspond to menu items in the SA Client. In addition to feature permissions, server read permissions are required on the managed servers affected by the analyze operation, such as permissions to open a Remote Terminal or a Remote Desktop Client, open the Device Explorer, and open a Global Shell session from the Service Automation Visualizer.
SAV permissions required to scan a server are the same for both physical servers and virtual servers.
For details on this feature, see the Service Automation Visualizer chapter in the SA Users Guide: Application Automation.
Table 21 SAV Permissions Required for User Actions

User Action | Feature Permission | Source Server Permission (Customer, Facility) | Folder Permission
SAV-Only Operations
Launch the Service Automation Visualizer | Allow Analyze: Yes | Read | N/A
Generate a scan or refresh a Snapshot of regular or virtual servers | Allow Analyze: Yes | Read | N/A
Create a Snapshot or edit a scheduled Snapshot | Allow Analyze: Yes; Manage Business Applications: Read & Write | Read | N/A
Start, stop, pause, restart a virtual server inside SAV (pause VM for VMware only; a Solaris local zone cannot be paused) | Administer Virtual Server: Yes | Read | N/A
SA Client Operations
Run script (as a non-Super User) | Run Ad-hoc Scripts: Yes | Read and Write | N/A
Run script (as a Super User) | Run Ad Hoc & Source Visible Server Scripts As Super User: Yes | Read and Write | N/A
Execute OGFS script | Manage OGFS Scripts: Yes | Read and Write | N/A
Storage Operations (SE-enabled core)
Viewing SAN arrays or NAS filer data, including relationships | View Storage Systems: Yes | Read | N/A
Viewing any SAN switch data, including relationships | View Storage Systems: Yes | Read | N/A
SA Client Folder Operations
Open a Business Application from a folder | N/A | N/A | Read Objects Within Folder
Create a Business Application and save to a folder | Manage Business Applications: Yes | N/A | Write Objects Within Folder
Rename a Business Application inside a folder | N/A | N/A | Write Objects Within Folder
Delete a Business Application from a folder | N/A | N/A | Write Objects Within Folder
Cut, copy, or paste a Business Application from a folder | N/A | N/A | Write Objects Within Folder

In order to save a Business Application to a user's own home directory in the Library, for example, /home/username, this user's private user group will also need to have the Manage Business Applications permission set to Yes. For more information, see the User Group and Setup chapter in the SA Administration Guide.
Viewing Storage in SAV and SA Permissions
Your user may be able to view some types of storage information in a SAV snapshot even if the groups your user belongs to do not have permission to see storage devices such as SAN fabrics, arrays, and so on.
Specifically, if your user belongs to one or more groups that have the permission Manage Business Applications: Read & Write, your user will be able to view devices and objects such as fabrics (switches), storage arrays, network devices, and VM info in the SAV snapshot, even if the group does not have the individual permissions granted to see those devices and objects.
If your user belongs to one or more groups that do not have Manage Business Applications: Read & Write, your user will be able to view SAN fabrics (switches), storage arrays, network devices, and VM info in a SAV snapshot only if the group has those individual permissions granted.
For example, if your user belonged to one or more groups that have the permission Manage Business Applications: Read & Write but had Manage Fabrics: None, your user would still be able to see fabrics (and SAN switches) in the SAV snapshot.
Virtual Server Permissions
Table 22 specifies the virtual server permissions required to perform specific actions in the SA Client. For security administrators, the table answers this question: To perform a particular action, what permissions does a user need?
In Table 22, most of the entries in the User Action column correspond to menu items in the SA Client.
In addition to feature permissions, server read permissions are required on hypervisor servers. After you create a new virtual server, its permissions are treated just like those of a physical server, including OS Provisioning.
To clone a virtual machine, you must have read-write permission to at least one Customer. The following types of permissions are required for cloning:
Features/Customers
Features/Managed Servers and Groups
Read (or Read-Write) permissions to the source Hypervisor Customer
Read (or Read-Write) permissions to the source VM Customer
Read (or Read-Write) permissions to the target Hypervisor Customer
Read (or Read-Write) permissions to the source Hypervisor and VM and target Hypervisor Facility
Read-Write permissions to at least one Customer, so the clone can be assigned to that customer
Client Features/Manage Virtual Servers (This confers the View Virtual Servers feature permission.)
For details on this feature, see the Virtual Server Management chapter in the SA Users Guide: Server Automation.
Table 22 Virtual Server Permissions Required for User Actions

User Action | Feature Permission | Hypervisor Server Permission (Customer, Facility, Device Group)
View the Virtual Servers feature in the SA Client navigation panel; View virtualization objects in a virtual server's Device Explorer | View Virtual Servers: Yes (Note: If this permission is set to No, you will still be able to see virtual servers in the All Managed Servers list.) | Read on the hypervisor server
Refresh a hypervisor server | View Virtual Servers: Yes | Read on the hypervisor server
Create, modify, or remove a virtual server | View Virtual Servers: Yes; Manage Virtual Servers: Yes | Read on the hypervisor server
Clone a virtual server | View Virtual Servers: Yes; Manage Virtual Servers: Yes; Customer: Yes; Manage Servers and Groups: Yes | Read on the hypervisor server; Read on the virtual server
Start and stop a Solaris zone | View Virtual Servers: Yes; Manage Virtual Servers: Yes; Administer Virtual Servers: Yes | Read on the hypervisor server
Power on, power off, suspend, or reset a VMware virtual machine | View Virtual Servers: Yes; Manage Virtual Servers: Yes; Administer Virtual Servers: Yes | Read on the hypervisor server
Use the ESX VM Creation wizard | Allow Configuration of Network Booting Server | Read/Write to the Facility and Customer Folder
View the user login name for VMware ESXi servers | Manage Credentials: Read | Read on the hypervisor server
Modify the user credentials, authenticate with the user credentials and validate the connection status on VMware ESXi servers | Manage Credentials: Read & Write | Read/Write on the hypervisor server

Table 23 lists the actions that users can perform for each virtual server permission. Table 23 has the same data as Table 22, but is sorted by feature permission. For security administrators, Table 23 answers this question: If a user is granted a particular feature permission, what actions can the user perform?

Table 23 User Actions Allowed by Virtual Server Permissions

Feature Permission | User Action | Server Permission (Customer, Facility, Device Group)
View Virtual Servers: Yes; Manage Virtual Servers: No | View the Virtual Servers feature in the SA Client navigation panel and virtual servers in the Contents pane; View virtualization objects in a virtual server's Device Explorer; Refresh a hypervisor server | Read on the hypervisor server
View Virtual Servers: Yes; Manage Virtual Servers: Yes | Create, modify, or remove a virtual server; Clone a virtual server | Read on the hypervisor server
View Virtual Servers: Yes; Manage Virtual Servers: Yes; Administer Virtual Servers: Yes | Start and stop a Solaris zone; Power on, power off, suspend, or reset a VMware virtual machine | Read on the hypervisor server
Manage Credentials: Read | View the user login name for VMware ESXi hypervisor servers | Read on the hypervisor server
Manage Credentials: Read & Write | Modify the user credentials, authenticate with the user credentials and validate the connection status on VMware ESXi servers | Read/Write on the hypervisor server

OS Provisioning Permissions
The following section describes the OS Provisioning permissions required by users to perform specific actions in SA. For security administrators, the following table answers this question: To perform a particular action, what permissions does a user need?
In Table 24, the Server Permission column is for the servers referenced by the OS sequence or installation profile. Server permissions are specified by the Customer, Facility, and Device Group permissions in the SAS Web Client.
With the OS Provisioning feature in the SAS Web Client, in order to create and save an OS sequence you must save it in a folder, so you will need Write permission on that folder.
See Customer Permissions and Folders on page 73 in this chapter for more information.
Table 24 OS Provisioning Permissions Required for User Actions
User Action | Feature Permission | Server Permission (Customer, Facility, Device Group) | Folder Permission
OS Build Plan
Create OS Build Plan | Manage OS Build Plan: Read & Write | None | Write
View OS Build Plan | Manage OS Build Plan: Read | None | Read
Edit OS Build Plan | Manage OS Build Plan: Read & Write | None | Write
Delete OS Build Plan | Manage OS Build Plan: Read & Write | None | Write
Add Device Group to OS Build Plan | Any of the following feature permission combinations is valid: 1) Manage Servers and Groups + Manage OS Build Plan: Read & Write, or 2) Manage Public Device Group (Client Features tab, Servers section) + Manage OS Build Plan: Read & Write, or 3) Manage Public Device Groups (SAS Web Client, Others tab, Servers and Device Group Permission section) + Manage OS Build Plan: Read & Write | None | Folder containing the OS Build Plan: Write
Add OGFS Script to OS Build Plan | Manage OGFS Script: Read + Manage OS Build Plan: Read & Write | None | Folder containing the OGFS Script: Read + Folder containing the OS Build Plan: Write
Add Server Script to OS Build Plan | Manage Server Script: Read + Manage OS Build Plan: Read & Write | None | Folder containing the Server Script: Read + Folder containing the OS Build Plan: Write
Add ZIP Package to OS Build Plan | Manage Package: Read + Manage OS Build Plan: Read & Write | None | Folder containing the package: Read + Folder containing the OS Build Plan: Write
Attach Software Policy to OS Build Plan | Manage Software Policy: Read + Manage OS Build Plan: Read & Write | None | Folder containing the Software Policy: Read + Folder containing the OS Build Plan: Write
Attach Windows Patch Policy to OS Build Plan | Manage Windows Patch: Policy + Manage OS Build Plan: Read & Write | None | Folder containing the OS Build Plan: Write
Run OS Build Plan (from server or from OS Build Plan node) | Manage Servers and Groups + Manage OS Build Plan: Read + Allow Execute OS Build Plan: Yes | Read & Write | Folder containing the Run OS Build Plan web extension (/Opsware/Tools/OS Provisioning): Execute + Folder containing the OS Build Plan: Read
OS Sequence
Create OS Sequence | Manage OS Sequence: Read & Write | None | Write
View OS Sequence | Manage OS Sequence: Read | None | Read
Edit OS Sequence | Manage OS Sequence: Read & Write | None | Write
Delete OS Sequence | Manage OS Sequence: Read & Write | None | Write
Run OS Sequence (from server or from OS sequences) | Manage OS Sequence: Read and Allow Execute OS Sequence: Yes | Read & Write | Read
View unprovisioned servers | SA Web Client permission: Server Pool | Read | N/A
Attach Software Policy | Manage Software Policy: Read + Manage OS Sequence: Read & Write | N/A | Folder containing the Software Policy: Read + Folder containing the OS Sequence: Write
Attach Windows Patch Policy | Manage Windows Patch: Policy + Manage OS Sequence: Read & Write | N/A | Folder containing the OS Sequence: Write
Attach Solaris Patch Policy | Manage Software Policy: Read + Manage OS Sequence: Read & Write | N/A | Folder containing the Solaris Patch Policy: Read + Folder containing the OS Sequence: Write
Attach Device Group | Any of the following combinations is valid: 1) Manage Servers and Groups + Manage OS Sequence: Read & Write; 2) Manage Public Device Group (under Client Features, Servers section) + Manage OS Sequence: Read & Write; 3) Manage Public Device Group (SAS Web Client, under Others tab, Server and Device Group Permissions section) | N/A | Folder containing the OS Sequence: Write
OS Installation Profile
Create, edit, delete OS installation profile | Wizard: Prepare OS | Read | N/A
Unprovisioned Server List
View servers in the unprovisioned server list | Server Pool | N/A | N/A
Manage Boot Clients
Execute Managed Boot Clients Web Application | Allow Configuration of Network Booting + Managed Server and Groups + Manage Customers + Server Pool | Read/Write to the Facility and Customer + Read/Write to customer Not Assigned | List and Execute on the /Opsware/Tools/OS Provisioning/Manage Boot Clients folder
Table 25 lists the actions that users can perform for each OS Provisioning permission.
Table 25 has the same data as Table 24, but is sorted by feature permission.
For security administrators, Table 25 answers this question: If a user is granted a particular
feature permission, what actions can the user perform?
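The two questions above (which permissions an action needs, and which actions a set of permissions allows) are the same requirement table read in two directions. The following Python is an added illustration, not code from this guide or from HP Server Automation: it models a requirement row as the three columns of Table 24 (feature permission combinations, any one of which suffices; a server permission level; folder permissions), evaluates a user's grants against it, and derives the Table 25 view from the same rows. The OS Sequence rows are transcribed from Table 24; the level ordering, the folder-letter mapping, the "Yes" level used for the SAS Web Client features, and the sample user are assumptions of this model.

```python
"""Model of the permission-requirement tables in this appendix (added example,
not part of SA). A user action needs a feature permission combination, a server
permission level and folder permissions; all three columns must be satisfied."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Assumed ordering of permission levels: "Read & Write" satisfies "Read"; "Yes"/"No"
# are the levels of boolean feature permissions such as "Allow Execute OS Sequence".
RANK = {"None": 0, "No": 0, "N/A": 0, "Read": 1, "Yes": 1, "Read & Write": 2}
# Folder permission names mapped to the L/R/W/X letters used by Table 32 and Table 33.
FOLDER_LETTER = {"List": "L", "Read": "R", "Write": "W", "Execute": "X"}


@dataclass
class Requirement:
    """One row of a 'permissions required for user actions' table."""
    action: str
    # Each inner list is one valid combination of (feature permission, level);
    # the row is satisfied when ANY combination is fully granted (Table 24's "any of").
    feature_alternatives: List[List[Tuple[str, str]]]
    server: str                                             # level on the referenced servers
    folders: List[Tuple[str, str]] = field(default_factory=list)  # (folder role, level)


@dataclass
class Grants:
    """A user's effective permissions (constructed for this example)."""
    features: Dict[str, str]
    server: str
    folders: Dict[str, Set[str]]                            # folder role -> granted letters


def _satisfies(granted: Optional[str], required: str) -> bool:
    return RANK.get(granted or "None", 0) >= RANK[required]


def missing_for(grants: Grants, req: Requirement) -> List[str]:
    """Shortfalls that block the action; an empty list means the action is allowed."""
    best: Optional[List[str]] = None
    for combo in req.feature_alternatives:
        gaps = [f"feature {name}: need {lvl}, have {grants.features.get(name, 'None')}"
                for name, lvl in combo if not _satisfies(grants.features.get(name), lvl)]
        if best is None or len(gaps) < len(best):   # report the closest alternative
            best = gaps
    problems = list(best or [])
    if not _satisfies(grants.server, req.server):
        problems.append(f"server: need {req.server}, have {grants.server}")
    for role, lvl in req.folders:
        if FOLDER_LETTER[lvl] not in grants.folders.get(role, set()):
            problems.append(f"folder {role}: need {lvl}")
    return problems


def can_perform(grants: Grants, req: Requirement) -> bool:
    return not missing_for(grants, req)


def actions_allowed(grants: Grants, catalog: List[Requirement]) -> List[str]:
    """Table 25's question: given these grants, which actions may the user perform?"""
    return [r.action for r in catalog if can_perform(grants, r)]


def by_feature_permission(catalog: List[Requirement]) -> Dict[str, List[str]]:
    """Table 25's view of Table 24: which actions reference each feature permission."""
    view: Dict[str, Set[str]] = {}
    for req in catalog:
        for combo in req.feature_alternatives:
            for name, _ in combo:
                view.setdefault(name, set()).add(req.action)
    return {name: sorted(acts) for name, acts in view.items()}


# Rows transcribed from the OS Sequence part of Table 24 (two of the three
# "Attach Device Group" combinations). "Yes" as the level of the SAS Web Client
# features Manage Servers and Groups / Manage Public Device Group is an assumption.
OS_SEQUENCE_ROWS = [
    Requirement("Create OS Sequence", [[("Manage OS Sequence", "Read & Write")]],
                "None", [("OS Sequence folder", "Write")]),
    Requirement("View OS Sequence", [[("Manage OS Sequence", "Read")]],
                "None", [("OS Sequence folder", "Read")]),
    Requirement("Run OS Sequence",
                [[("Manage OS Sequence", "Read"), ("Allow Execute OS Sequence", "Yes")]],
                "Read & Write", [("OS Sequence folder", "Read")]),
    Requirement("Attach Device Group",
                [[("Manage Servers and Groups", "Yes"), ("Manage OS Sequence", "Read & Write")],
                 [("Manage Public Device Group", "Yes"), ("Manage OS Sequence", "Read & Write")]],
                "N/A", [("OS Sequence folder", "Write")]),
]

# Constructed sample user: may run existing sequences but not author them.
OPERATOR = Grants(
    features={"Manage OS Sequence": "Read", "Allow Execute OS Sequence": "Yes"},
    server="Read & Write",
    folders={"OS Sequence folder": {"L", "R", "X"}},
)

if __name__ == "__main__":
    for req in OS_SEQUENCE_ROWS:
        gaps = missing_for(OPERATOR, req)
        print(f"{req.action}: {'allowed' if not gaps else 'denied (' + '; '.join(gaps) + ')'}")
    print(by_feature_permission(OS_SEQUENCE_ROWS))
```

A denied result lists the shortfalls against the closest matching alternative, which is the set of grants a security administrator would add to enable that one action without over-granting; checking a proposed user group this way before assigning it keeps the group at the minimum the tables require.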
Table 25 User Actions Allowed in the SA Client by OS Provisioning Permissions
Feature Permission | User Action | Server Permission (Customer, Facility, Device Group) | Folder
Manage OS Sequence: Read | View OS sequence | Read | Read
Manage OS Sequence: Read & Write | Run OS sequence | Write | Write
Manage OS Sequence: Read & Write | Create OS sequence | Read | Write
Allow Execute OS Sequence: Yes | Run OS sequence | Write | Read
Allow Execute OS Sequence: No | View OS sequence | N/A | Read
Manage OS Sequence: Read; Allow Execute OS Sequence: Yes | Run OS sequence | Write | Read
Manage OS Sequence: Read; Allow Execute OS Sequence: No | View OS sequence | Read | Read
Manage OS Sequence: Write; Allow Execute OS Sequence: Yes | Run OS sequence. Edit OS sequence | Write | Write
Manage OS Sequence: Write; Allow Execute OS Sequence: No | Edit OS sequence | Read | Write
Wizard: Prepare OS | Create, edit, delete OS installation profile | Read & Write, N/A, N/A | N/A
Server Pool | View servers in the unprovisioned server list | Read | N/A
Manage Boot Clients Permissions
The following section describes the permissions required to use the Manage Boot Clients (MBC) Utility for OS Provisioning.
Table 26 Manage Boot Clients (MBC) Utility Permissions
Feature Permission | User Action | Server Permission (Customer, Facility, Device Group) | Folder
Allow Execute OS Sequence | Run OS sequence | Write | Read
Manage Server and Groups | Manage Server and Groups | Write | Read
Manage Customers | Create, edit Customers | Write | Read
Server Pool | Access Server Pool | Write | Read
Read & Write permission to customer Not Assigned | Access to servers assigned to customer Not Assigned | Write | Read
Allow Configuration of Network Booting | Configuration of Network Booting | Write | Read
Compliance View Permissions
The following section describes the Compliance View permissions required by users to perform specific actions in the SA Client. For security administrators, the following table answers this question: To perform a particular action, what permissions does a user need?
Table 27 Compliance View Permissions Required for User Actions
User Action | Feature Permission | Server Permission (Customer, Facility, Device Group)
Audit
View Details | Manage Audit Result: Read | Read
Run Audit | Manage Audit: Read; Manage Audit Result: Read & Write | Read & Write
Remediate | Allow Remediate Audit/Snapshot Result: Yes. For other permissions needed to remediate for specific audit rules, see Audit and Remediation User Action Permissions on page 244, Table 20. | Read & Write
Software
Remediate | Manage Software Policy: Read; Allow Remediate Servers: Yes | Read & Write
Scan Device | Manage Software Policy: Read, or Allow Attach/Detach Software Policy: Yes, or Allow Install/Uninstall Software: Yes, or Allow Remediate Servers: Yes | Read & Write
Patch
Remediate | Manage Patch Policy: Read; Install Patch: Yes | Read & Write
Scan Device | Manage Patch: Read, or Manage Patch Policy: Read, or Allow Install Patch: Yes, or Allow Uninstall Patch: Yes, or Allow Install/Uninstall Software, or Allow Remediate Servers | Read & Write
App Config
Viewing Details | Manage Application Configurations: Read | Read
Scan Device | Allow Configuration Compliance Scan: Yes | Read
Specific App Config Remediation | See Application Configuration Management Permissions on page 207 for the permissions required for remediating application configurations. | Read & Write
Server Property and Reboot Permissions
Table 28 specifies the permissions required by users to modify server properties, reboot servers, and deactivate servers. For security administrators, the table answers this question: To perform a particular action, what permissions does a user need?
Table 28 Server Property and Reboot Permissions Required for User Actions
User Action | Feature Permission | Server Permission (Customer, Facility, Device Group)
Deactivate Server | Deactivate | Read & Write
Modify Property: Server Name or Description | N/A | Read & Write
Reboot Server | Reboot Server: Yes | Read & Write
Server Objects Permission
Table 29 specifies the permissions required for server objects such as Registered Software, Internet Information Server, Local Security Settings, Runtime State, Users and Groups, and .NET Framework Configuration.
Table 29 Server Object Permissions
User Action | Feature Permission | Server Permission (Customer, Facility, Device Group) | Folder Permissions
Browse Server Objects | Manage Server Modules: Read & Write; Allow Execute Server Modules: Yes | N/A | N/A
Add to Library (from the Server Browser) | Manage Server Modules: Read & Write; Allow Execute Server Modules: Yes; Manage Package: Read and Write | | Write
Add to Software Policy | Manage Server Modules: Read and Write; Allow Execute Server Modules: Yes; Manage Package: Read and Write; Manage Software Policy: Read & Write | N/A | Write
Predefined User Group Permissions
The following table lists the permissions of the predefined user groups for the features in the SAS Web Client. An X in a table cell indicates that the group has permission to use the feature. The headings in the table columns abbreviate the names of the user groups as follows:
Basic: Basic Users
Inter: Intermediate Users
Adv: Advanced Users
OSA: SA System Administrators
Admin: Administrators
Table 30 SAS Web Client Permissions of the Predefined User Groups
Feature Name basic inter adv osa admin
FEATURE TAB
Configuration Tracking X X X
Configure SA X
Customers X X X X
DNS X X X
Data Center Intelligence Reports X X
Facilities X X X X
IP Ranges and Range Groups X X X
ISM Controls X X X
Manage Gateway X
Managed Servers and Groups X X X X
Model: Hardware X X X
Model: Opsware X
Model: Service Levels X X X
Multimaster X
Operating Systems X X
Server Attributes X X
Server Pool X X
System Diagnosis X X
Wizard: Custom Extension X X
Wizard: Prepare OS X X X
OTHER TAB
Deactivate X X
Allow Run Refresh Jobs
Manage Public Device Groups X
Model Public Device Groups
View All Jobs
Edit All Jobs
Only the Administrators group also has permission to manage SA users and user groups, a feature not listed on the SAS Web Client tabs.
The following table lists the permissions of the predefined user groups for the SA Client features. The table cells contain the following abbreviations:
R: Read (only)
RW: Read & Write
Y: Yes
N: No or None
Table 31 SA Client Permissions of the Predefined User Groups
Feature Name | basic | inter | adv | osa | admin
APPLICATION CONFIGURATION
Configuration | N | R | RW | N | N
Configuration Files | N | R | RW | N | N
Configuration on Servers | N | R | RW | N | N
Allow Check Consistency on Servers | N | N | Y | N | N
COMPLIANCE
Audit Templates | N | R | RW | N | N
Audit Results | N | R | RW | N | N
Snapshot Templates | N | R | RW | N | N
Snapshots (specific to servers) | N | R | RW | N | N
Selection Criteria | N | R | RW | N | N
Allow General Snapshot Management | N | Y | Y | N | N
AGENT DEPLOYMENT
Allow Deploy Agent | N | N | Y | N | N
Allow Scan Network | N | N | Y | N | N
PATCH MANAGEMENT
Manage Patch | N | N | RW | N | N
Manage Patch Policy | N | N | RW | N | N
Allow Install Patch | N | N | Y | N | N
Allow Uninstall Patch | N | N | Y | N | N
Manage Patch Compliance Rules | N | N | N | N | N
SCRIPT MANAGEMENT (FRESH INSTALL - 7.0/7.5)
Manage Server Scripts | RW | RW | RW | RW | N
Allow Control of Super User Server Scripts | N | N | Y | Y | N
Run Ad Hoc Scripts | Y | Y | Y | Y | N
Run Ad Hoc & Source Visible Server Scripts As Super User | N | Y | Y | Y | N
Manage OGFS Script | RW | RW | RW | RW | N
When HP Server Automation is first installed, default permissions are assigned to the top-level folders of the SAS Web Client. The following table lists these default permissions. The table uses the following abbreviations for permissions:
L: List Contents of Folder
R: Read Objects Within Folder
W: Write Objects Within Folder
P: Edit Folder Permissions
Table 32 Default Top-Level Folder Permissions of the Predefined User Groups
Folder basic inter adv osa admin
/ L L W L P
/Opsware L L L P
/Opsware/Tools L L L P
/Opsware/Tools/ISMTOOL R W P
/Package Repository R W P
/Package Repository/All AIX R W P
/Package Repository/All AIX/AIX <version> R W P
/Package Repository/All HP-UX R W P
/Package Repository/All HP-UX/HP-UX <version> R W P
/Package Repository/All Red Hat Linux R W P
/Package Repository/All Red Hat Linux/Red Hat Linux <version> R W P
/Package Repository/All SunOS R W P
/Package Repository/All SunOS/SunOS <version> R W P
/Package Repository/All SuSE Linux R W P
/Package Repository/All SuSE Linux/SuSE Linux <version> R W P
/Package Repository/All Windows R W P
/Package Repository/All Windows/Windows <version> R W P
Private User Groups (PUG) Permissions
Private user groups are new as of SA 7.0. A private user group is created for each pre-existing user when a pre-SA 7.0 core is upgraded to SA 7.50 or later.
The following table lists the script management and folder permissions of the private user groups for users who were members of the following predefined groups before the core was upgraded from a pre-SA 7.0 release to SA 7.50. The headings in the table columns abbreviate the names of the user groups as follows:
Basic: Basic Users
Inter: Intermediate Users
Adv: Advanced Users
OSA: SA System Administrators
Admin: Administrators
Table 33 Script Management and Folder Permissions of Private User Groups
Feature Name | basic | inter | adv | osa | admin
SCRIPT MANAGEMENT (Upgrade from pre-7.0 to 7.5)
Manage Server Scripts | RW | RW | RW | RW | N
Allow Control of Super User Server Scripts | N | N | Y | Y | N
Run Ad Hoc Scripts | Y | Y | Y | Y | N
Run Ad Hoc & Source Visible Server Scripts As Super User | N | Y | Y | Y | N
Manage Server Scripts | RW | RW | RW | RW | N
Manage OGFS Script | N | N | N | N | N
Folder permission on the /Migrated/Scripts/Shared Scripts folder | LRX | LRX | LRXW | LRXW | LE
Code Deployment User Groups
The following tables describe the capabilities of the Code Deployment user groups. For more information, see the Accessing Code Deployment & Rollback section of the SA User Guide: Server Automation.
Table 34
Code Deployment User Group | Description
Super User | Can define, request, or perform any code deployment operation on hosts designated for either staging or production. Because a Super User can perform operations on hosts associated with any customer, only a few users should belong to this group.
History Viewer | Can view a log of operations (service operations, synchronizations and sequences) that have been previously executed from the Code Deployment feature. Viewing this information can help you determine the status of particular deployment operations, and whether they completed successfully.
Table 35
Code Deployment User Group | Description
Service Editor | Can define a service, and modify or delete service definitions.
Production Service Performer | Can directly perform or request performance of service operations on hosts designated for use in production.
Staging Service Performer | Can directly perform or request performance of service operations on hosts designated for use in staging.
Production Service Requester | Can request performance of service operations on hosts designated for use in production.
Staging Service Requester | Can request performance of service operations on hosts designated for use in staging.
Table 36
Code Deployment User Group | Description
Synchronization Editor | Can define a synchronization, and modify or delete the synchronization definition.
Synchronization Performer | Can directly perform or request performance of a synchronization action.
Synchronization Requester | Can request performance of a synchronization action.
Table 37
Code Deployment User Group | Description
Sequence Editor | Can define a sequence, and modify or delete the sequence definition.
Production Sequence Performer | Can directly perform or request performance of a sequence of actions on hosts designated for use in production.
Staging Sequence Performer | Can directly perform or request performance of a sequence of actions on hosts designated for use in staging.
Production Sequence Requester | Can request performance of a sequence of actions on hosts designated for use in production.
Staging Sequence Requester | Can request performance of a sequence of actions on hosts designated for use in staging.
Index
A
aaa utility, 32
access.log, 178
accessing, realm information, 116
activating users, 26
adding
users to a user group, 27
users to CDR user groups, 59
admin, 21, 22, 24, 25, 27, 33, 35
admin. See also super administrator
Administrator. See also super administrator
Agent
Cache Logs, 172
Cache monitoring, 172
Cache Ports, 172
Logs, 171
logs, 148
monitoring processes, 170
AIX, 171
HP-UX, 171
Solaris, 170
Reachability Communication Tests, 170
URL, 171
Agent cache
monitoring processes, 172
Agent Monitoring, 170
Agent Port, 170
approval dialog, 37
auditverify tool, 153
authentication
Credential Store, 25
external LDAP, 38
HP Network Automation, 25
B
backup, deleting files, 160
banner message, 37
Boot Server
Logs, 190
logs, 147
monitoring, 190
Ports, 190
Build Manager
Logs, 189
logs, 147
monitoring, 189
monitoring processes, 189
Ports, 189
URL, 189
C
code deployment
configuring, email alert addresses, 196
user groups, 279
code deployment user groups
adding users, 59
Command Center
Logs, 173
monitoring, 173
monitoring processes, 173
Ports, 173
URL, 173
Command Engine
Logs, 179
logs, 147
monitoring, 178
monitoring processes, 178
Port, 178
system diagnostic tests, 135
URL, 179
Command Engine Notification Email, 194
Components
system diagnosis, 169
configuration
SA configuration parameters, 193
configuring
contact information, 193
email alert addresses for SA core, 194
email notification addresses for CDR, 196
JAAS login module, 43
mail server, 194
conflicts
alert emails, 107
causes, 92
error messages, 107
overview, 92
prevention, 94
resolving, 100, 104
constraints
customer and folder, 16
Core Gateway, 113
monitoring, 187
creating
user groups, 26
users, 24
creating, Manual updates, 126
Credential Store, 25
customer administrator, 21, 27, 34
customer group, 21, 34, 35
D
Data Access Engine
logs, 147
monitoring, 174
monitoring processes, 175
multiple, 162
Port, 174
reassigning, 163
See also Multimaster Central Data Access
Engine.
system diagnostic tests, 133
URLs, 176
Data Center Intelligence reporting
required permissions, 206
delegated security, 22, 31, 34
deleting
users, 25
deleting, backup files, 160
digital, 153
Discovery and Agent Deployment
permissions required, 214, 215
E
editing
user information, 25
email alert addresses
CDR, 196
SA core, 194
enabling, realm information, 114
F
Facilities
defined, 113
multiple, 89
viewing, information, 114
file system, 17
folder permissions, 15, 31
G
Gateway
Logs, 188
monitoring, 187
monitoring processes, 188
Ports, 187
URL, 188
Global File System
Adapter, 184
Agent Proxy, 184
Hub, 184
Logs, 185
monitoring, 184
monitoring processes, 184
Spoke
ports, 186
Global Shell, 17
grace login, 37
I
IIS, 17
importing, external LDAP users, 44
importing, server certificate from external LDAP, 42
inactive
account, 26
session, 37
installations
multiple Data Access Engine, 162
IP range groups
required permissions, 206
IP ranges
required permissions, 206
J
JBoss, 148
L
LDAP directory
Credential Store field, 25
external authentication, 38
importing, external users, 44
importing, server certificate, 42
passwords, 35
process for using external LDAP, 39
supported external directory servers, 39
Load Balancing Gateway
Logs, 174
monitoring, 174
monitoring processes, 174
Ports, 174
log
digital signatures, 153
login approval, 37
login failure, 26
logs
about, 147
Agents, 148
Boot Server, 147
Build Manager, 147
Command Engine, 147
configuring, 148, 155
Data Access Engine, 147
Global Shell Audit, 150
JBoss, 148
managed servers
Global Shell logs, 150
Media Server, 148
Model Repository, 148
Model Repository Multimaster Component, 148
SA Web Client, 148
Software Repository, 149
Web Services Data Access Engine, 149
M
manage environment, required permissions, 206
Management Gateway, 113
monitoring, 187
Manual updates
creating, 126
defined, 122
overview, 125
Software Repository Cache, applying to, 127
uploading, Microsoft utilities, 128
Media Server
Logs, 190
logs, 148
monitoring, 190
Ports, 190
metabase, 17
Model Repository
Logs, 182
logs, 148
monitoring processes, 181
Port, 181
Model Repository Multimaster Component
logs, 148
monitoring, 183
monitoring processes, 183
Port, 183
system diagnostic tests, 135
monitoring remote server access, 152
multimaster
alert emails during conflicts, 107
configuring, mail server, 194
conflicts, 92
designating the Central Data Access Engine, 163
error messages in multimaster conflicts, 107
mesh, 95
network administration, 106
preventing conflicts, 94
tools, 95
multimaster, tools, 95, 99
Multimaster Central Data Access Engine, 163
Multimaster Central Data Access Engine Port
Forwarding, 175
Multimaster Conflicts, 182
Multiple facilities, 89
N
network administration, 106
Network Automation (NA), 25
O
OGFS
monitoring, 184
OGFS permissions, 17, 32
On-demand updates
defined, 122
overview, 124
Oracle
monitoring
model repository, 181
OS provisioning
required permissions, 205
P
password
changing, 35
expiration, 36
initial log on, 36
min and max characters, 36
non-modifiable, 25
policy parameters, 36
resetting, 36
retention and re-use, 37
wrong, 26
Permissions
IP ranges and IP range groups, required for, 206
manage environment, required for, 206
OS Provisioning, required for, 205
other tasks, required, 206
reports, required for, 206
SA Client permissions for user groups, 274
SA Web Client permissions for user groups, 274
script management and execution, required, 272
server management, required for, 205
system configuration, required for, 206
Virtualization Director, required, 259
virtualization director, required, 261
permissions
customer and server, 14
delegated, 16, 31, 34
folder, 15
folder and customer, 27
ODAD, required, 214, 215
OGFS, 17
scripts, 15
setting
customer permissions, 27
device group permissions, 28
facility permissions, 28
feature permissions, 30
folder permissions, 31
OGFS permissions, 32
other feature permissions, 31
SA Client feature permissions, 30
viewing, users permissions, 25
preventing, conflicts, 94
Primary Data Access Engine, 162
R
RDP, 17
Realms
enabling realm information, 114
viewing realm information, 117
realms
defined, 113
reassigning, Data Access Engine, 163
registry, 17
resolving
conflicts by object, 100
conflicts by transaction, 104
rosh, 17
running, system diagnosis, 136
S
SA
configuration, 193
configuration parameters, 193
configuring, contact information, 193
configuring, email alert addresses, 194
troubleshooting, 132
SA components
internal and external names, 159
running, system diagnosis, 136
Satellite
accessing, realm information, 116
gateways, 113
manual update, 122
on-demand updates, 122
overview, 111
permissions, required, 114
Software Repository Cache, overview, 121
Satellite. See Satellite.
SA Web Client
logs, 148
Scripts
Distributed Scripts
permissions required, 272
scripts, 15
deleting backup files, 160
Secondary Data Access Engine, 163
security administrator overview, 22
Server Agent
monitoring, 170
server certificate
extracting
Microsoft Active directory from, 43
Novell eDirectory from, 43
SunDS from, 43
importing, external LDAP from, 42
server management
required permissions, 205
session timeout, 37
setting
customer permissions, 27
device group permissions, 28
facility permissions, 28
feature permissions, 30
folder permissions, 31
OGFS permissions, 32
other feature permissions, 31
SA Client feature permissions, 30
Software Repository
Logs, 180
logs, 149
monitoring, 179
monitoring processes, 179
Ports, 179
system diagnostic tests, 134
URL, 180
Software Repository Cache
applying, Manual updates, 127
managing, 121
packages, availability of, 122
staging files, 128
Software Repository Multimaster Component
conflicts, 92
Spoke
Logs, 187
monitoring, 186
monitoring processes, 186
Ports, 186
ssh, 18
super administrator, 21, 22, 24, 25, 27, 33, 34, 35
supported
external LDAP directory servers, 39
suspending users, 26
system configuration
overview, 193
required permissions, 206
setting configuration parameters, 193
System diagnosis, 169
system diagnosis
Command Engine tests, 135
Data Access Engine tests, 133
Model Repository Multimaster Component tests, 135
running, system diagnosis, 136
Software Repository tests, 134
testing, 132
troubleshooting, problems, 132
Web Services Data Access tests, 134
system diagnosis, tools, 132, 136
T
Table Space Usage, 182
timeout
session, 37
tnsnames.ora, 175
tools
multimaster tools, 95, 99
system diagnosis, 132, 136
troubleshooting, 132
twist.log, 177
twistOverrides.conf, 40
U
user agreement, 37
User groups
code deployment, 279
user groups
adding a user, 27
adding users to CDR, 59
creating, 26
predefined, 19
SA Client permissions, 274
SA Web Client permissions, 274
setting
customer permissions, 27
device group permissions, 28
facility permissions, 28
feature permissions, 30
OGFS permissions, 32
other feature permissions, 31
SA Client feature permissions, 30, 31
users
activating, 26
creating, 24
deleting, 25
editing, user information, 25
importing, external LDAP users, 44
overview, 13
suspending, 26
viewing permissions, 25
V
viewing
facilities information, 114
permissions, 25
realm information, 117
Virtualization Director
permissions required, 261
Visual Application Manager
permissions required, 259
W
WebLogic
messages and exceptions, 177
Web Services Data Access Engine
Logs, 177
logs, 149
monitoring, 176
monitoring processes, 176
Port, 176
system diagnostic tests, 134
URL, 177
Web Services Data Access Engine configuration file, 40