BLAdmins — Built-in authorizations grant the BLAdmins role Read permission for all system objects in BMC Server Automation. This allows the BLAdmins role to view all activity within BMC Server Automation. In addition, out-of-box authorizations grant the BLAdmins role full authority to perform any actions on any system object in BMC Server Automation except for roles, users, and authorization profiles. For these, the BLAdmins role is only granted Read authorization. This default set of authorizations lets the BLAdmins role view any system object in BMC Server Automation and modify any object except roles and authorization profiles. The BLAdmins role can be renamed but it cannot be deleted.
So this page sums up what exactly you get with BLAdmins role. So you could create new role give same permissions and authorizations against all objects. Now if you are concerned with security maybe renaming BLAdmins role is better option then creating additional role with all authorizations?
Thanks for that excerpt. I had read that. I am wondering if there is anything, that for whatever reason, absolutely requires BLAdmins and cannot be done with a custom role containing all the exact same authorizations seen in the gui. Another way: Is there anything built in that absolutely requires BLAdmins or are the permissions seen on the gui all there really is?
1 of 1 people found this helpful
1. Is there anything built in that absolutely requires BLAdmins?
To be honest if there is such thing I have not found it yet.
2. are the permissions seen on the gui all there really is?
no, probably hard coded that it sees all objects even if it does not have permissions over. (Bill Robinson can probably confirm)
the only implicit permissions that the built in roles have are:
BLAdmins: read on all objects
RBACAdmins: read and modify acls on all objects.