Roles and Permissions
Overview
Roles control user and group access to administrative functions within Universal Controller. A user or group that has been assigned a role has permission to perform any function defined for that role.
Permissions control user and group access to specific functions for specific types of Controller records.
Some roles have permissions for specific functions that can be assigned individually. For example, a user that has been assigned the ops_agent_cluster_admin role has permission to perform all functions associated with Agent Clusters. A user that has not been assigned the ops_agent_cluster_admin role still can be given permission to perform individual functions associated with Agent Clusters via the Agent Cluster Permissions.
Conversely, since there is no role associated with Agents, permissions for a user to perform functions associated with Agents must be assigned specific Agent Permissions.
Note
The ops_admin role assigns a user permission to perform all functions.
Assigning Roles to Users or Groups
Roles control user access to functions that include:
- Setting up security.
- Creating reports, filters, and gauges.
- Creating Agent Clusters, SNMP Managers.
- Creating Email Connections, Database Connections, PeopleSoft Connections, and SAP Connections.
- Creating and promoting bundles of records.
Each role is a predefined collection of administrative functions (see Description of Roles, below). By assigning a role to a user or group, you automatically give that user or group all functions associated with that role.
Note
You cannot add new roles to the Controller; you must assign administrative functions to groups or users using the predefined roles.
To assign roles to a user or group:
Step 1 | |
---|---|
Step 2 | For a User, click the User Roles tab. A list of Roles assigned to the User displays. |
Step 3 | Click Edit. An Edit Members pop-up displays that allows you to assign Roles to the User / Group. For example:
|
Step 4 | To filter the Users/Groups listed in the Collection window, enter characters in the text field above the Name column. Only Users/Groups containing that sequence of characters will display in the list. |
Step 5 | To assign a Role to the User / Group, move the Role from the Collection window to the Roles window:
To unassign a Role to the User / Group, move the Role from the Roles window to the Collection window:
|
Step 6 | Click Save. |
Description of Roles
The following table summarizes the roles available in the Controller.
Role Name | Available Functions | Contains Roles |
---|---|---|
ops_admin | All functions; this is the Universal Controller administrator role. The easiest way to assign full permissions to a user is to add the user to the Administrator Group, which by default is assigned the ops_admin role. Note The ops_admin role contains all other roles. If a user is assigned the ops_admin role, no other roles need to be assigned to that user, and unassigning any other role from the user will not revoke that role. | The ops_admin role contains all other roles. |
ops_agent_cluster_admin | Create, read, update, and delete agent clusters. | |
ops_audit_view | Read all Audits. If Audit Owner Read Permitted system property = true, users can view their own audits without having either the ops_admin role or the ops_audit_view role. | |
ops_bundle_admin |
(Also see Bundle Permissions and Promotion Target Permissions, below.) | |
ops_dashboard_global | Create, update, and delete Dashboard Details with Everyone visibility; updating includes updating Dashboard visibility. | |
ops_dashboard_group | Create, update, and delete Dashboard Details that are visible for a group in which this user is a member; updating includes updating Dashboard visibility. | |
ops_dba | Create, update, delete Database Connections. | |
ops_email_admin | Create, read, update, delete Email Connections. | |
ops_filter_global | Create Filters with Everyone visibility. | |
ops_filter_group | Create Filters that belong to a group of which this user is a member. | |
ops_forecast_view | Read Forecast Calendar, Forecasts List, and Forecast Details. Note Users also can read forecast information, without being assigned this role, if they have Read permission for the Task specified in the Forecast Details. | |
ops_imex | List Import/Export XML. | |
ops_jcl_edit | Modify the JCL contents and update it. |
|
ops_jcl_view | Submit the JCL view request to the agent and view the contents of it. | |
ops_ldap_admin | Read and update LDAP Settings. | |
ops_multi_update | ||
ops_oauth_admin | Create, read, update, and delete OAuth Clients. | |
ops_oms_admin | Create, update, and delete OMS Servers. | |
ops_peoplesoft_admin | Create, read, update, and delete PeopleSoft Connections. | |
ops_promotion_accept_bundle | Accept bundles being promoted to a target server. (The Accept Bundle command is executed on the target server automatically as part of the Promote and Promote Bundle commands and does not involve user interaction.) | |
ops_promotion_admin |
Note By default, the ops_promotion_admin role also grants Read permission for any type of definition that can be added to a Bundle, given the expectation that a promotion administrator would review the content of a Bundle before promoting it. To change this default behaviour, see the Promotion Read Permission Required Universal Controller property. |
|
ops_property_admin | Read, update, and delete Universal Controller system properties and Password Settings. | |
ops_report_admin |
The Strict Report Create Constraints Universal Controller system property specifies whether or not to restrict report creation only to users with the ops_admin, ops_report_admin, ops_report_group, or ops_report_global role. |
|
ops_report_global | Create global reports. | |
ops_report_group | Create reports that belong to a group to which this user is a member. | |
ops_report_publish | Publish reports. (This role was applicable only to the Controller 5.x release.) | |
ops_restore_version | Restore old versions of records. | |
ops_sap_admin | Create, read, update, and delete SAP Connections. | |
ops_server_operation_admin | Run Server Operations. | |
ops_service |
| |
ops_simulation_view | Read Simulation records. | |
ops_snmp_admin | Create, read, update, and delete SNMP Managers, to which the Controller sends SNMP notifications. | |
ops_sso_admin | Read and update Single Sign-On Settings. | |
ops_universal_event_template_admin | Create, read, update, and delete Universal Event Templates. |
|
ops_universal_event_template_view | Read Universal Event Templates. | |
ops_universal_template_admin | Create, read, update, and delete Universal Templates (including Universal Template Event Templates). |
|
ops_universal_template_view | Read Universal Templates (including Universal Template Event Templates). | |
ops_user_admin | Create, read, update, and delete users and groups. |
|
ops_user_impersonate | Allows an authenticated user to impersonate another user by using the X-Impersonate-User HTTP header on a Web Service request. | |
ops_webhook_admin |