12 Replies Latest reply on Jul 27, 2010 5:12 PM by Naveen Anne

    Permissions for end-to-end patching in 80

    Naveen Anne

      Does anyone have a comprehensive list of permissions to grant to a user in 80 to go through end-to-end patching? This user is different than the BLAdmin user.

        • 1. Re: Permissions for end-to-end patching in 80
          Bill Robinson

          Does the role need to create and update catalogs as well as deploy patches?

          • 2. Re: Permissions for end-to-end patching in 80
            Naveen Anne

            No, creating and updating catalogs will be done by BLAdmin.

            The role needs to

            1. Create Patch Analysis jobs

            2. Run patch analysis jobs

            3. Download, package patches

            4. Create Patch deploy jobs

            5. Run Patch Deploy jobs

            • 3. Re: Permissions for end-to-end patching in 80
              Bill Robinson

              I opened a ticket about this. Right now it looks like you need:

               

              PatchRemediationJob.*

              BLPackage.*

              BatchJob.*

              DeployJob.*

              Server.Read

              Server.Deploy

              PatchCatalog.Read

              PatchingJob.*

              Server.Audit

              ServerGroup.Read

               

              Now, the one I'm confirming is Software.Modify.

               

              I think that's about it.

              • 4. Re: Permissions for end-to-end patching in 80
                Naveen Anne

                As the patch manager user, when I run a patch remediation job and click on the show results and click on job run (which failed), I get the following message: Job run with id 0 not found.

                 

                I tried to run a patch download instead of trying the whole patch remediation and the job runs through. I see the following messages in the log:

                 

                Executing work item Patch Download Job WorkItem (batch 1) on application server: acsdallin102.acs-inc.com
                Payload sucessfully downloaded for: Windows6.1-2008-R2-KB971468-x64.msu-MS10-012-en-WINDOWS SERVER 2008 R2 STANDARD (X64)-GOLD
                Failed to update Windows Hotfix: Windows6.1-2008-R2-KB971468-x64.msu-MS10-012-en-WINDOWS SERVER 2008 R2 STANDARD (X64)-GOLD
                Patches downloaded: 1
                Patches failed to be downloaded: 0
                The job 'Download Test' has succeeded

                • 5. Re: Permissions for end-to-end patching in 80
                  Naveen Anne

                  Is there a way to re-download a patch, i.e. force the download of a patch if it is already downloaded?

                  • 6. Re: Permissions for end-to-end patching in 80
                    Bill Robinson

                    Delete the file off the patch repo

                     

                    Oh, I think that the user will need read and maybe browse to the patch helper server.

                    • 7. Re: Permissions for end-to-end patching in 80
                      Naveen Anne

                      OK...as you mentioned in one of your previous posts, it seems the user and the catalog need windowssoftware.modify.

                      Audit trail on the patch in catalog shows windowssoftware.modify failed for that user but passed for BLAdmin.

                      Testing it now.

                      • 8. Re: Permissions for end-to-end patching in 80
                        Bill Robinson

                        Oh, if you need to run the download job then you'll need more ACLs. I have the patches already downloaded by my catalogs so I don't need to do that.

                        • 9. Re: Permissions for end-to-end patching in 80
                          Naveen Anne

                          I gave the user and the catalog everything except

                          windowssoftware.*

                          windowssoftware.delete

                           

                          I also gave everything in

                          PatchRespositoryDepotGroup.

                          PatchSubscription

                          PatchSmartGroup

                          PatchRemediationJob

                          PatchDownloadJob

                          PatchCatalog

                          Patch

                           

                          except .*, .delete

                          • 10. Re: Permissions for end-to-end patching in 80
                            Bill Robinson

                            PatchSubscription is from 7.3 I think. I don't think we need it anymore, but who knows.

                             

                            I don't think they need the patchrepositorydepotgroup.

                            • 11. Re: Permissions for end-to-end patching in 80
                              Naveen Anne

                              I am able to download the patch now and create the remediation job. The remediation job runs successfully and creates the deploy job.

                              The deploy job fails in the simulate job with the following message:

                               

                              [27 Jul 2010 12:48:09,040] [WorkItem-Thread-44] [INFO] [support4:GLO-DCP-Windows-20:] [Deploy] Executing work item Deploy Dry Run Job:Deploy Job Test - KB974431-pitdsethp01-22092771 @ 2010-07-27 12-42-15-099-0500; Server:pitdsethp01;  on application server: acsdallin102.acs-inc.com

                               

                              [27 Jul 2010 12:48:12,574] [WorkItem-Thread-44] [INFO] [support4:GLO-DCP-Windows-20:] [Deploy] executing command bltargetjobmanager -start -cmd "bldeploy fd7bb5e2221535c6b4709fe52abe3cf7 -N="/tmp/stage/fd7bb5e2221535c6b4709fe52abe3cf7" -P=pitdsethp01 -Q=params.txt -DryRun -Xr -V1 -Xp -js0 -jr1 -jc0 " -me "fd7bb5e2221535c6b4709fe52abe3cf7" -mp -sp  -ps  -h60 on server pitdsethp01

                               

                              [27 Jul 2010 12:48:28,865] [WorkItem-Thread-44] [ERROR] [support4:GLO-DCP-Windows-20:] [Deploy] DRYRUN failed for server pitdsethp01. Exit code = -5005


                              [27 Jul 2010 12:48:28,895] [WorkItem-Thread-44] [ERROR] [support4:GLO-DCP-Windows-20:] [Deploy] Deploy Job Test - KB974431-pitdsethp01-22092771 @ 2010-07-27 12-42-15-099-0500->Deploy Job Test - KB974431-pitdsethp01-22092771 @ 2010-07-27 12-42-15-099-0500 failed on server pitdsethp01 exit code = -5005


                              [27 Jul 2010 12:48:28,952] [Job-Execution-3] [INFO] [support4:GLO-DCP-Windows-20:] [Deploy] Phase: Dry-run completed with errors for target: pitdsethp01


                              [27 Jul 2010 12:48:29,169] [Job-Execution-3] [INFO] [support4:GLO-DCP-Windows-20:] [Deploy] The job 'simulate' has failed
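The log excerpt in the post above can be triaged mechanically. This is an added example, not part of the original thread or of the product: a small Python parser for the bracketed line layout seen in that excerpt, which pulls each failing target and exit code out of the ERROR lines. The field names (`ts`, `thread`, `level`, `ctx`, `component`) and the function names are assumptions chosen for illustration, and the sample lines are copied from the post with the long job names shortened to `...`.

```python
import re
from datetime import datetime

# Layout seen in the thread's excerpt:
# [timestamp] [thread] [LEVEL] [context] [component] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<thread>[^\]]+)\] \[(?P<level>[A-Z]+)\] "
    r"\[(?P<ctx>[^\]]*)\] \[(?P<component>[^\]]+)\] (?P<msg>.*)$"
)
EXIT_RE = re.compile(r"[Ee]xit code = (-?\d+)")
# Host name after "server", tolerating a sentence-ending period.
SERVER_RE = re.compile(r"\bserver (\S+?)\.?(?:\s|$)")

# Lines from the post above; job names shortened to "..." for this example.
SAMPLE = """\
[27 Jul 2010 12:48:09,040] [WorkItem-Thread-44] [INFO] [support4:GLO-DCP-Windows-20:] [Deploy] Executing work item Deploy Dry Run Job:...
[27 Jul 2010 12:48:28,865] [WorkItem-Thread-44] [ERROR] [support4:GLO-DCP-Windows-20:] [Deploy] DRYRUN failed for server pitdsethp01. Exit code = -5005
[27 Jul 2010 12:48:28,895] [WorkItem-Thread-44] [ERROR] [support4:GLO-DCP-Windows-20:] [Deploy] ... failed on server pitdsethp01 exit code = -5005
[27 Jul 2010 12:48:29,169] [Job-Execution-3] [INFO] [support4:GLO-DCP-Windows-20:] [Deploy] The job 'simulate' has failed
"""


def parse_line(line):
    """Split one log line into its fields; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d %b %Y %H:%M:%S,%f")
    return rec


def failed_targets(text):
    """Map (server, exit_code) to the time it was first reported at ERROR level."""
    failures = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["level"] != "ERROR":
            continue
        code = EXIT_RE.search(rec["msg"])
        server = SERVER_RE.search(rec["msg"])
        if code and server:
            key = (server.group(1), int(code.group(1)))
            failures.setdefault(key, rec["ts"])  # keep the first sighting only
    return failures


if __name__ == "__main__":
    for (server, code), ts in failed_targets(SAMPLE).items():
        print(f"{ts.isoformat()} {server} exit={code}")
```
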

                              • 12. Re: Permissions for end-to-end patching in 80
                                Naveen Anne

                                The agent we were deploying to had 7.4.3.1011 agent on it and it was a 64-bit server. Not compatible with 8.0 SP4 Application server. Resolved now.

                                I ended up giving plenty of authorizations to the patch management user.