...

Overview

Roles control user and group access to administrative functions within Universal Controller. A user or group that has been assigned a role has permission to perform any function defined for that role.

Permissions control user and group access to specific functions for specific types of Controller records.

Some roles have permissions for specific functions that can be assigned individually. For example, a user that has been assigned the ops_agent_cluster_admin role has permission to perform all functions associated with Agent Clusters. A user that has not been assigned the ops_agent_cluster_admin role still can be given permission to perform individual functions associated with Agent Clusters via the Agent Cluster Permissions.

Conversely, since there is no role associated with Agents, a user must be assigned specific Agent Permissions in order to perform functions associated with Agents.
 

Note

The ops_admin role assigns a user permission to perform all functions.

...

Each role is a predefined collection of administrative functions (see Description of Roles, below). By assigning a role to a user or group, you automatically give that user or group all functions associated with that role.

...

Role Name

Available Functions

Contains Roles

ops_admin

All functions; this is the Universal Controller administrator role. The easiest way to assign full permissions to a user is to add the user to the Administrator Group, which by default is assigned the ops_admin role.
 

Note

The ops_admin role contains all other roles. If a user is assigned the ops_admin role, no other roles need to be assigned to that user, and unassigning any other role from the user will not revoke that role.


  • ops_agent_cluster_admin
  • ops_audit_view
  • ops_bundle_admin
  • ops_dba
  • ops_email_admin
  • ops_filter_global
  • ops_filter_group
  • ops_forecast_view
  • ops_imex
  • ops_ldap_admin
  • ops_multi_update
  • ops_oms_admin
  • ops_peoplesoft_admin
  • ops_promotion_admin
  • ops_property_admin
  • ops_report_admin
  • ops_restore_version
  • ops_sap_admin
  • ops_server_operation_admin
  • ops_service
  • ops_snmp_admin
  • ops_sso_admin
  • ops_universal_event_template_admin
  • ops_universal_template_admin
  • ops_user_admin

ops_agent_cluster_admin

Create, read, update, and delete agent clusters.
 
(Also see Agent Cluster Permissions, below.)


ops_audit_view

Read Audits.


ops_bundle_admin


ops_dashboard_global

Create, update, and delete Dashboard Details with Everyone visibility; updating includes updating Dashboard visibility.


ops_dashboard_group

Create, update, and delete Dashboard Details that are visible for a group in which this user is a member; updating includes updating Dashboard visibility.


ops_dba

Create, update, and delete Database Connections.
 
(Also see Database Connection Permissions, below.)


ops_email_admin

Create, read, update, and delete Email Connections.
 
(Also see Email Connection Permissions, below.)


ops_filter_global

Create Filters with Everyone visibility.


ops_filter_group

Create Filters that belong to a group of which this user is a member.


ops_forecast_view

Read Forecast Calendar, Forecasts List, and Forecast Details.
 

Note

Users also can read forecast information, without being assigned this role, if they have Read permission for the Task specified in the Forecast Details.



ops_imex

List Import/Export XML.


ops_ldap_admin

Read and update LDAP Settings.


ops_multi_update

Update multiple records.


ops_oms_admin

Create, update, and delete OMS Servers.


ops_peoplesoft_admin

Create, read, update, and delete PeopleSoft Connections.
 
(Also see PeopleSoft Connection Permissions, below.)


ops_promotion_accept_bundle

Accept bundles being promoted to a target server. (The Accept Bundle command is executed on the target server automatically as part of the Promote and Promote Bundle commands and does not involve user interaction.)


ops_promotion_admin

Note

By default, the ops_promotion_admin role also grants Read permission for any type of definition that can be added to a Bundle, given the expectation that a promotion administrator would review the content of a Bundle before promoting it. To change this default behaviour, see the Promotion Read Permission Required Universal Controller property.

 
(Also see Bundle Permissions and Promotion Target Permissions, below.)

  • ops_promotion_accept_bundle

ops_property_admin

Read, update, and delete Universal Controller system properties and Password Settings.


ops_report_admin

The Strict Report Create Constraints Universal Controller system property specifies whether or not to restrict report creation only to users with the ops_admin, ops_report_admin, ops_report_group, or ops_report_global role.
 
The Strict Dashboard Create Constraints Universal Controller system property specifies whether or not to restrict Dashboard creation only to users with the ops_admin, ops_report_admin, ops_dashboard_group, or ops_dashboard_global role.

  • ops_dashboard_global
  • ops_dashboard_group
  • ops_report_global
  • ops_report_group
  • ops_report_publish
  • ops_widget_admin

ops_report_global

Create global reports.


ops_report_group

Create reports that belong to a group of which this user is a member.


ops_report_publish

Publish reports. (This role was applicable only to the Controller 5.x release.)


ops_restore_version

Restore old versions of records.


ops_sap_admin

Create, read, update, and delete SAP Connections.
 
(Also see SAP Connection Permissions, below.)


ops_server_operation_admin

Run Server Operations.


ops_service


ops_snmp_admin

Create, read, update, and delete SNMP Managers, to which the Controller sends SNMP notifications.
 
(Also see SNMP Manager Permissions, below.)


ops_sso_admin

Read and update Single Sign-On Settings.


ops_universal_event_template_admin

Create, read, update, and delete Universal Event Templates.
  • ops_universal_event_template_view

ops_universal_event_template_view

Read Universal Event Templates.

ops_universal_template_admin

Create, read, update, and delete Universal Templates (including Universal Template Event Templates).

  • ops_universal_template_view

ops_universal_template_view

Read Universal Templates (including Universal Template Event Templates).


ops_user_admin

Create, read, update, and delete users and groups.


ops_widget_admin

Create, update, and delete Widgets.
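
For an access review, the "Contains Roles" column above can be expanded into each user's effective roles. The following is an added example, not Universal Controller code: it assumes containment is transitive, and the user names and assignments in SAMPLE are constructed.

```python
# Added example: containment data copied from the "Contains Roles" column above.
CONTAINS = {
    "ops_admin": [
        "ops_agent_cluster_admin", "ops_audit_view", "ops_bundle_admin", "ops_dba",
        "ops_email_admin", "ops_filter_global", "ops_filter_group",
        "ops_forecast_view", "ops_imex", "ops_ldap_admin", "ops_multi_update",
        "ops_oms_admin", "ops_peoplesoft_admin", "ops_promotion_admin",
        "ops_property_admin", "ops_report_admin", "ops_restore_version",
        "ops_sap_admin", "ops_server_operation_admin", "ops_service",
        "ops_snmp_admin", "ops_sso_admin", "ops_universal_event_template_admin",
        "ops_universal_template_admin", "ops_user_admin",
    ],
    "ops_promotion_admin": ["ops_promotion_accept_bundle"],
    "ops_report_admin": [
        "ops_dashboard_global", "ops_dashboard_group", "ops_report_global",
        "ops_report_group", "ops_report_publish", "ops_widget_admin",
    ],
    "ops_universal_event_template_admin": ["ops_universal_event_template_view"],
    "ops_universal_template_admin": ["ops_universal_template_view"],
}

# Constructed sample: user -> directly assigned roles.
SAMPLE = {
    "alice": ["ops_admin", "ops_dba"],
    "bob": ["ops_report_admin", "ops_report_global"],
    "carol": ["ops_imex", "ops_user_admin"],
    "dave": ["ops_promotion_admin"],
}


def effective_roles(assigned):
    """Roles held directly or through containment (assumed transitive)."""
    seen, stack = set(), list(assigned)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(CONTAINS.get(role, ()))
    return seen


def redundant_assignments(assigned):
    """Direct assignments already implied by another assigned role.

    Unassigning one of these does not revoke it, as the ops_admin note says.
    """
    assigned = set(assigned)
    return {r for r in assigned if r in effective_roles(assigned - {r})}


def holders_of(role, assignments):
    """Users who effectively hold `role`, whether assigned or contained."""
    return sorted(u for u, a in assignments.items() if role in effective_roles(a))


def can_export_group_permissions(assigned):
    """Page rule: ops_admin, or both ops_imex and ops_user_admin."""
    eff = effective_roles(assigned)
    return "ops_admin" in eff or {"ops_imex", "ops_user_admin"} <= eff


if __name__ == "__main__":
    for user, roles in SAMPLE.items():
        print(user, len(effective_roles(roles)), sorted(redundant_assignments(roles)),
              can_export_group_permissions(roles))
    print("ops_user_admin holders:", holders_of("ops_user_admin", SAMPLE))
```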


...

You can further narrow down which records each permission applies to by specifying either name parameters or Business Services. For example, a given permission might apply only to tasks whose name begins with "SF," or a permission might apply only to tasks that have been assigned to a specific Business Service or to tasks that do not belong to any Business Services. See General Permissions Field Descriptions, below, for more details.

...

The following fields of information and buttons display in the Permissions Details for all Permission types:

Field Name

Description

Details

This section contains detailed information about the permission.

Name

Applies this permission to records whose name matches the string specified here. Wildcards are supported.

Member of Any Business Service or Unassigned

Applies this permission both to records that belong to any Business Service and to records that do not belong to any Business Service.

Unassigned to Business Service

Applies this permission to records that do not belong to any Business Service. If this option is enabled, the user / user group will have the defined permissions on all records that do not belong to any Business Service.

Member of Business Services

Applies this permission to records that are members of the selected Business Service(s). Click the lock icon to unlock the field and select Business Services.

Metadata

This section contains Metadata information about this record.

UUID

Universally Unique Identifier of this record.

Updated By

Name of the user that last updated this record.

Updated

Date and time that this record was last updated.

Created By

Name of the user that created this record.

Created

Date and time that this record was created.

Buttons

This section identifies the buttons displayed above and below the Permissions Details that let you perform various actions.

Save

Saves a new record in the Controller database.

Save & New

Saves a new record in the Controller database and redisplays empty Details so that you can create another new record.

Update


Delete


Refresh

Refreshes any dynamic data displayed in the Details.

Close

For pop-up view only; closes the pop-up view of this record.

...

(You also can assign Agent Cluster Permissions to a user by assigning the ops_agent_cluster_admin role to the user.)


 

Options

Description

Create

Grants permission to create a new Agent Cluster.

Read

Grants permission to read an Agent Cluster definition.
 

Note

The Read check box will be checked automatically if the Business Service Visibility Restricted Universal Controller system property is false.


Update

Grants permission to update an Agent Cluster definition. (Only certain fields can be updated.)

Delete

Grants permission to delete an Agent Cluster.

Commands

  • ALL: Grants permission to issue any command.
  • Resume Agent Cluster: Grants permission to resume the ability of a suspended Agent Cluster to run tasks.
  • Suspend Agent Cluster: Grants permission to suspend the ability of an Agent Cluster to run tasks.
  • Resume Agent Cluster Membership: Grants permission to resume the membership of an Agent in an Agent Cluster.
  • Suspend Agent Cluster Membership: Grants permission to suspend the membership of an Agent from an Agent Cluster.
  • Resolve Agent Cluster: Grants permission to resolve the Network Alias of an Agent Cluster with a Distribution type of Network Alias.

...

(You also can assign Bundle Permissions to a user by assigning the ops_bundle_admin role to the user.)


Options

Description

Create

Grants permission to create a Bundle matching both the specified name wildcard and business service membership, including the use of the Create Bundle By Date and Create Bundle By Business Service commands.

Read

Grants permission to read a Bundle matching both the specified name wildcard and business service membership.

  • User can run a Bundle Report for a Bundle matching both the specified name wildcard and business service membership.
  • User can Read a Promotion Schedule associated with a Bundle matching both the specified name wildcard and business service membership.

Update

Grants permission to update a Bundle matching both the specified name wildcard and business service membership, including the use of the Add To Bundle command.

Delete

Grants permission to delete a Bundle matching both the specified name wildcard and business service membership.

Commands

  • ALL: Grants permission to issue any command.
  • Promote Bundle: Grants permission to promote a Bundle.

For the ALL or Promote Bundle command:

  • User can promote a Bundle matching both the specified name wildcard and business service membership, assuming the user has Read permission for the Bundle.
  • User can Cancel, Reschedule, or Delete a Promotion Schedule associated with a Bundle matching both the specified name wildcard and business service membership, assuming the user has Read permission for the Bundle.

...

(You also can assign Database Connection Permissions to a user by assigning the ops_dba role to the user.)


Options

Description

Create

Grants permission to create a new Database Connection.

Read

Grants permission to read a Database Connection.
 
The Read check box will be checked automatically if the Business Service Visibility Restricted Universal Controller system property is false.

Update

Grants permission to update a Database Connection.

Delete

Grants permission to delete a Database Connection.

Execute

Grants permission to execute a task that requires a Database Connection. (Displays only if the Strict Connection Execute Constraints Universal Controller system property is true.)

Commands

  • ALL: Grants permission to issue any command.
  • Copy Database Connection: Grants permission to copy a Database Connection.
  • Test Connection: Grants permission to test a Database Connection.

...

(You also can assign Email Connection Permissions to a user by assigning the ops_email_admin role to the user.)


Options

Description

Create

Grants permission to create a new Email Connection.

Read

Grants permission to read an Email Connection.
 
The Read check box will be checked automatically if the Business Service Visibility Restricted Universal Controller system property is false.

Update

Grants permission to update an Email Connection.

Delete

Grants permission to delete an Email Connection.

Execute

Grants permission to execute a task that requires an Email Connection. (Displays only if the Strict Connection Execute Constraints Universal Controller system property is true.)

Commands

  • ALL: Grants permission to issue any command.
  • Copy Email Connection: Grants permission to copy an Email Connection.
  • Test Connection: Grants permission to test an Email Connection.

...

(You also can assign OMS Server Permissions to a user by assigning the ops_oms_admin role to the user.)


Options

Description

Create

Grants permission to create a new OMS Server.

Read

Grants permission to read an OMS Server.
 
The Read check box will be checked automatically if the Business Service Visibility Restricted Universal Controller system property is false.

Update

Grants permission to update an OMS Server.

Delete

Grants permission to delete an OMS Server.

Commands

  • ALL: Grants permission to suspend and resume OMS Servers.
  • Resume: Grants permission to resume the connection of a suspended OMS Server.
  • Suspend: Grants permission to suspend the connection of an OMS Server.

...

(You also can assign PeopleSoft Connection Permissions to a user by assigning the ops_peoplesoft_admin role to the user.)


Options

Description

Create

Grants permission to create a new PeopleSoft Connection.

Read

Grants permission to read a PeopleSoft Connection.
 
The Read check box will be checked automatically if the Business Service Visibility Restricted Universal Controller system property is false.

Update

Grants permission to update a PeopleSoft Connection.

Delete

Grants permission to delete a PeopleSoft Connection.

Execute

Grants permission to execute a task that requires a PeopleSoft Connection. (Displays only if the Strict Connection Execute Constraints Universal Controller system property is true.)

Commands

  • ALL: Grants permission to issue any command.
  • Copy PeopleSoft Connection: Grants permission to copy a PeopleSoft Connection.

...

(You also can assign Promotion Target Permissions to a user by assigning the ops_promotion_admin role to the user.)


Options

Description

Create

Grants permission to create a Promotion Target matching both the specified name wildcard and business service membership.

Read

Grants permission to read a Promotion Target matching both the specified name wildcard and business service membership.
 
User can View Target Server Info for a Promotion Target matching both the specified name wildcard and business service membership.

Update

Grants permission to update a Promotion Target matching both the specified name wildcard and business service membership.

Delete

Grants permission to delete a Promotion Target matching both the specified name wildcard and business service membership.

Execute

Grants permission to promote a Bundle using a Promotion Target matching both the specified name wildcard and business service membership, assuming the user has both Read permission and Promote Bundle command permission for the Bundle.

Commands

  • ALL: Grants permission to issue any command.
  • Refresh Target Agents: Grants permission to refresh Target Agents.

...

(You also can assign SAP Connection Permissions to a user by assigning the ops_sap_admin role to the user.)


Options

Description

Create

Grants permission to create a new SAP Connection.

Read

Grants permission to read an SAP Connection.
 
The Read check box will be checked automatically if the Business Service Visibility Restricted Universal Controller system property is false.

Update

Grants permission to update an SAP Connection.

Delete

Grants permission to delete an SAP Connection.

Execute

Grants permission to execute a task that requires an SAP Connection. (Displays only if the Strict Connection Execute Constraints Universal Controller system property is true.)

Commands

  • ALL: Grants permission to issue any command.
  • Copy SAP Connection: Grants permission to copy an SAP Connection.

...

(You also can assign SNMP Manager Permissions to a user by assigning the ops_snmp_admin role to the user.)


Options

Description

Create

Grants permission to create a new SNMP Manager.

Read

Grants permission to read an SNMP Manager.
 
The Read check box will be checked automatically if the Business Service Visibility Restricted Universal Controller system property is false.

Update

Grants permission to update an SNMP Manager.

Delete

Grants permission to delete an SNMP Manager.

Execute

Grants permission to execute a task that requires an SNMP Manager. (Displays only if the Strict Connection Execute Constraints Universal Controller system property is true.)

Commands

  • ALL: Grants permission to issue any command.
  • Copy SNMP Manager: Grants permission to copy an SNMP Manager.

...

This controls global variable access in the following ways:

  • Users with the ops_admin role have full access to all global variables.
  • Users with the ops_promotion_admin role have Read access to all global variables.
  • Create, Read, Update, and Delete permissions must be assigned to users explicitly if those permissions are not granted through the ops_admin or ops_promotion_admin role.
  • Only those global variables for which a user has Read permission will be visible from the Variables list.
  • Only those global variables for which the Execution User of a task instance has Read permission will be available within the variable scope of a task instance.
  • A Set Variable action for a global variable will require appropriate global variable Create or Update permission.
  • CLI and Web Services APIs will require appropriate global variable permissions depending on whether the command will Read, Create, or Update a global variable.
  • Create Bundle By Date command will only add a global variable to the bundle if the:
    • Global variable qualifies for the specified date.
    • User invoking the command has Read permission for that global variable.

...

  • All users will have Read access to virtual resources.
  • Users with the ops_admin role will have full access to all virtual resources.
  • Create, Update, Delete, and Execution permissions must be explicitly assigned to users if those permissions are not granted through the ops_promotion_admin role.
  • Only those virtual resources for which the Execution User of the task instance has Execute permission can be requested by the task instance. Any virtual resource requested by task instances with an Execution User that does not have Execute permission for that virtual resource will result in the task instance going into Start Failure status, with status description Execution for virtual resource "resource-name" prohibited due to security constraints.
  • Set Virtual Resource Limit System Operation action will require appropriate virtual resource Update permission.
  • CLI and Web Services APIs will require appropriate virtual resource permissions: Updating a virtual resource limit through the CLI and Web Services APIs will require virtual resource Update permission.

...

To export or import the Permissions For Group XML, you must have the ops_admin role or the ops_imex and ops_user_admin roles.

If the groups do not exist on the import system, they (and their Permissions) will be created there.

...