Roles and Permissions

Overview

Roles control user and group access to administrative functions within Universal Controller. A user or group that has been assigned a role has permission to perform any function defined for that role.

Permissions control user and group access to specific functions for specific types of Controller records.

Some roles have permissions for specific functions that can be assigned individually. For example, a user that has been assigned the ops_agent_cluster_admin role has permission to perform all functions associated with Agent Clusters. A user that has not been assigned the ops_agent_cluster_admin role still can be given permission to perform individual functions associated with Agent Clusters via the Agent Cluster Permissions.

Conversely, since there is no role associated with Agents, permissions for a user to perform functions associated with Agents must be assigned specific Agent Permissions.
 

Note

The ops_admin role assigns a user permission to perform all functions.

Assigning Roles to Users or Groups

Roles control user access to functions that include:

  • Setting up security.
  • Creating reports, filters, and gauges.
  • Creating Agent Clusters and SNMP Managers.
  • Creating Email Connections, Database Connections, PeopleSoft Connections, and SAP Connections.
  • Creating and promoting bundles of records.

Each role is a predefined collection of administrative functions (see Description of Roles, below). By assigning a role to a user or group, you automatically give that user or group all functions associated with that role.

Note

You cannot add new roles to the Controller; you must assign administrative functions to groups or users using the predefined roles.


To assign roles to a user or group:

Step 1

Open a User or Group record.

Step 2

For a User, click the User Roles tab. A list of Roles assigned to the User displays.
 

 
For a Group, click the Group Roles tab. A list of Roles assigned to the Group displays.


Step 3

Click Edit. An Edit Members pop-up displays that allows you to assign Roles to the User / Group. For example:
 

 

  • The Collection window displays all Roles that have not been assigned to this User / Group.
  • The Roles List window displays all Roles that have been assigned to this User / Group.

Step 4

To filter the Users/Groups listed in the Collection window, enter characters in the text field above the Name column. Only Users/Groups containing that sequence of characters will display in the list.

Step 5

To assign a Role to the User / Group, move the Role from the Collection window to the Roles window:

  • To move a single Role, double-click it or click it once and then click the > arrow.
  • To move multiple Roles, Ctrl-click them and then click the > arrow.
  • To move all Roles, click the >> arrow.

To unassign a Role from the User / Group, move the Role from the Roles window to the Collection window:

  • To move a single Role, double-click it or click it once and then click the < arrow.
  • To move multiple Roles, Ctrl-click them and then click the < arrow.
  • To move all Roles, click the << arrow.

Step 6

Click Save.
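
Because a role can also arrive through a Group or through the Contains Roles column of the table in Description of Roles, a user can hold roles that were never assigned to the User record itself. The following added example (not part of the Controller or its documentation) computes effective roles from constructed sample data and lists sensitive roles held without a direct assignment. The data layout, the user names alice and bob, and the choice of sensitive roles are assumptions made for illustration.

```python
# Added example, not Controller code. CONTAINS mirrors "Contains Roles" on this page.
CONTAINS = {
    "ops_jcl_edit": {"ops_jcl_view"},
    "ops_promotion_admin": {"ops_promotion_accept_bundle"},
    "ops_report_admin": {"ops_dashboard_global", "ops_dashboard_group", "ops_report_global",
                         "ops_report_group", "ops_report_publish", "ops_widget_admin"},
    "ops_universal_event_template_admin": {"ops_universal_event_template_view"},
    "ops_universal_template_admin": {"ops_universal_template_view"},
    "ops_user_admin": {"ops_user_impersonate"},
}
CONTAINS["ops_admin"] = set(CONTAINS) | set().union(*CONTAINS.values())  # all roles named here
# Assumption: the roles this review treats as sensitive; set them per local policy.
SENSITIVE = {"ops_admin", "ops_user_admin", "ops_user_impersonate"}

def expand(role, seen=None):
    """Return the role plus every role it contains, transitively."""
    seen = set() if seen is None else seen
    if role not in seen:
        seen.add(role)
        for child in CONTAINS.get(role, ()):
            expand(child, seen)
    return seen

def effective_roles(user, data):
    """Map each role the user effectively holds to the paths that grant it."""
    grants = [(r, "user") for r in data["user_roles"].get(user, ())]
    for group in data["memberships"].get(user, ()):
        grants += [(r, f"group:{group}") for r in data["group_roles"].get(group, ())]
    paths = {}
    for role, origin in grants:
        for held in expand(role):
            via = origin if held == role else f"{origin}>{role}"
            paths.setdefault(held, set()).add(via)
    return paths

def review(user, data):
    """Sensitive roles the user holds without a direct assignment on the User record."""
    held = effective_roles(user, data)
    return {r: sorted(p) for r, p in sorted(held.items())
            if r in SENSITIVE and "user" not in p}

# Constructed sample data, not taken from a real Controller.
SAMPLE = {
    "user_roles": {"alice": {"ops_user_admin"}, "bob": {"ops_report_global"}},
    "memberships": {"bob": {"Administrator Group"}},
    "group_roles": {"Administrator Group": {"ops_admin"}},
}

print({u: review(u, SAMPLE) for u in ("alice", "bob")})
```

In the sample, alice holds ops_user_impersonate only because ops_user_admin contains it, and bob keeps ops_report_global through the Administrator Group even if it is unassigned from his User record.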

Description of Roles

The following table summarizes the roles available in the Controller.

Role Name

Available Functions

Contains Roles

ops_admin

All functions; this is the Universal Controller administrator role. The easiest way to assign full permissions to a user is to add the user to the Administrator Group, which by default is assigned the ops_admin role.
 

Note

The ops_admin role contains all other roles. If a user is assigned the ops_admin role, no other roles need to be assigned to that user, and unassigning any other role from the user will not revoke that role.

The ops_admin role contains all other roles.

ops_agent_cluster_admin

Create, read, update, and delete agent clusters.
 
(Also see Agent Cluster Permissions, below.)


ops_audit_view

Read all Audits

If the Audit Owner Read Permitted system property = true, users can view their own audits without having either the ops_admin role or the ops_audit_view role.


ops_bundle_admin


ops_dashboard_global

Create, update, and delete Dashboard Details with Everyone visibility; updating includes updating Dashboard visibility.


ops_dashboard_group

Create, update, and delete Dashboard Details that are visible for a group in which this user is a member; updating includes updating Dashboard visibility.


ops_dba

Create, update, delete Database Connections.
 
(Also see Database Connection Permissions, below.)


ops_email_admin

Create, read, update, delete Email Connections.
 
(Also see Email Connection Permissions, below.)


ops_filter_global

Create Filters with Everyone visibility.


ops_filter_group

Create Filters that belong to a group of which this user is a member.


ops_forecast_view

Read Forecast Calendar, Forecasts List, and Forecast Details.
 

Note

Users also can read forecast information, without being assigned this role, if they have Read permission for the Task specified in the Forecast Details.


ops_imex

List Import/Export XML.


ops_jcl_edit

Modify the JCL contents and update it.

  • ops_jcl_view

ops_jcl_view

Submit the JCL view request to the agent and view the contents of it.

ops_ldap_admin

Read and update LDAP Settings.


ops_multi_update

Update multiple records.


ops_oauth_admin

Create, read, update, and delete OAuth Clients.

ops_oms_admin

Create, update, and delete OMS Servers.


ops_peoplesoft_admin

Create, read, update, and delete PeopleSoft Connections.
 
(Also see PeopleSoft Connection Permissions, below.)


ops_promotion_accept_bundle

Accept bundles being promoted to a target server. (The Accept Bundle command is executed on the target server automatically as part of the Promote and Promote Bundle commands and does not involve user interaction.)


ops_promotion_admin

Note

By default, the ops_promotion_admin role also grants Read permission for any type of definition that can be added to a Bundle, given the expectation that a promotion administrator would review the content of a Bundle before promoting it. To change this default behaviour, see the Promotion Read Permission Required Universal Controller property.

 
(Also see Bundle Permissions and Promotion Target Permissions, below.)

  • ops_promotion_accept_bundle

ops_property_admin

Read, update, and delete Universal Controller system properties and Password Settings.


ops_report_admin

  • Create, read, update, and delete any report, regardless of visibility, in addition to the roles granted by the ops_widget_admin role.
  • Create, update, and delete Dashboard Details with Everyone visibility and Dashboard Details that are visible for a group in which this user is a member; updating includes updating Dashboard visibility.

The Strict Report Create Constraints Universal Controller system property specifies whether or not to restrict report creation only to users with the ops_admin, ops_report_admin, ops_report_group, or ops_report_global role.
 
The Strict Dashboard Create Constraints Universal Controller system property specifies whether or not to restrict Dashboard creation only to users with the ops_admin, ops_report_admin, ops_dashboard_group, or ops_dashboard_global role.

  • ops_dashboard_global
  • ops_dashboard_group
  • ops_report_global
  • ops_report_group
  • ops_report_publish
  • ops_widget_admin

ops_report_global

Create global reports.


ops_report_group

Create reports that belong to a group of which this user is a member.


ops_report_publish

Publish reports. (This role was applicable only to the Controller 5.x release.)


ops_restore_version

Restore old versions of records.


ops_sap_admin

Create, read, update, and delete SAP Connections.
 
(Also see SAP Connection Permissions, below.)


ops_server_operation_admin

Run Server Operations.


ops_service


ops_simulation_view

Read Simulation records.

ops_snmp_admin

Create, read, update, and delete SNMP Managers, to which the Controller sends SNMP notifications.
 
(Also see SNMP Manager Permissions, below.)


ops_sso_admin

Read and update Single Sign-On Settings.


ops_universal_event_template_admin

Create, read, update, and delete Universal Event Templates.

  • ops_universal_event_template_view

ops_universal_event_template_view

Read Universal Event Templates.

ops_universal_template_admin

Create, read, update, and delete Universal Templates (including Universal Template Event Templates).

  • ops_universal_template_view

ops_universal_template_view

Read Universal Templates (including Universal Template Event Templates).


ops_user_admin

Create, read, update, and delete users and groups.

  • ops_user_impersonate

ops_user_impersonate

Allows an authenticated user to impersonate another user by using the X-Impersonate-User HTTP header on a Web Service request.


ops_webhook_admin