1 Reply Latest reply on Jan 15, 2017 5:42 PM by Bill Robinson

    Missing RBAC Policy in patch catalogs

    Todd McDaniel

      Guys,

      I have a few questions about how the patch catalog updates permissions on patches.

      One thing I've just discovered as inconsistent is that our RH6 patch catalog has NO RBAC policy assigned and yet the patches have RBAC permissions assigned, and I'm wondering how newly downloaded patches are having permissions applied. I also found a similar issue with our Solaris 10 x86 catalog: no RBAC policy, but the patches have RBAC permissions assigned. The patches all have applied permissions, even the most recently downloaded patches in the catalogs that don't have an RBAC Policy in the patch catalog. From where do these patches get their assigned ACL policy? From the parent directory? Is an RBAC Policy mandatory? Our RH5 and Solaris SPARC have RBAC policies assigned.

      Also, another question. When I reassign/assign (as for above) an RBAC policy to a patch catalog, will it overwrite or append to the existing permissions applied to all the patches in the catalog? As a follow-up question, when I am ready to clean up these permissions, how do I go about removing all the unwanted old permissions?

      Running 8.6.01.66 BladeLogic

        • 1. Re: Missing RBAC Policy in patch catalogs
          Bill Robinson

          You don't need to set the RBAC policy in the catalog; however, it's a good idea if multiple roles will need to access the objects in it. The permissions on the objects in the catalog work like any other new object: for the role creating them (the role running the CUJ), look at the 'default object permission template' in the role's settings. The permissions defined in that ACL template will be applied to the newly created objects. Otherwise it will be Role objecttype.*. Of course, people could have manually updated the permissions at various points as well.

          If you set the RBAC policy now, it should apply the RBAC policy to all objects during the next CUJ. That will append to the existing permissions.

          Removing permissions will require you to take a manual action of either removing each one you don't want on each object (e.g., w/ a script) or using the 'replace' option and applying new permissions once to all the objects in the catalog.