
Roles for Ubuntu patch management

Server Automation provides support for rigorous change management by assigning the functions of patch management to several types of users in an organization. These users include a policy setter, a patch administrator, and a system administrator.

Note: These responsibilities are controlled by assigning permissions for managing patches in SA. To obtain these permissions, contact your SA Administrator. See the SA 10.51 Administer section.

  • Policy setter: The Policy Setter is a member of a security standards group that reviews package releases and identifies the vendor packages that will be included in the organization’s patch policies. A Policy Setter is responsible for reviewing the latest security threats and the packages that vendors have released to address these problems. Policy Setters generally are experts in the operating systems and applications that they manage, and are able to assess the necessity of applying packages issued by vendors. A Policy Setter is also able to diagnose common problems that arise after packages are installed, allowing for a thorough test of the patch application process.

Best Practice: For reliable automated updates, use dynamic patch policies instead of static, manual patch policies.

  • Patch administrator: The Patch Administrator has the authority to import, test, and edit package options. The Patch Administrator is often referred to as the security administrator in an organization. A Patch Administrator is granted specific permissions to import packages into HPE Server Automation to test them and then mark them as available for use. Patch Administrators are also able to edit package options (such as installation scripts) through patch management. Other types of users are not allowed to import or edit packages. Typically, a Patch Administrator imports the Ubuntu Debian metadata database and tests packages on non-production reference hardware. After testing the packages and determining that the packages are safe to apply to production systems, a Patch Administrator marks the packages available in the Library and then advises System Administrators to apply the approved packages.
  • System administrator: The System Administrator installs packages that have been approved for use uniformly and automatically, according to the options that the Patch Administrator specifies. The System Administrator is an SA user who is responsible for the day-to-day maintenance of the servers in a deployment. These users are not required to have the same level of expertise in low-level system details as the Policy Setter and Patch Administrator. Because the Patch Administrator has set up the patch installation, the System Administrator can attach policies to servers, set an exception for a package, and install packages on a large number of managed servers. They are responsible for searching for servers that require the approved package, installing the packages, and verifying that the packages were successfully installed. The System Administrator can import packages but cannot install a package until the Patch Administrator has marked it as available. The System Administrator can also uninstall packages.
  • HPE Server Automation also provides predefined patch user groups for patch deployers and patch policy setters. See Predefined patch user groups.

Predefined patch user groups

During an SA installation or upgrade, certain predefined user groups are created, such as patch deployers and patch policy setters.

  • Patch deployers—Access to install patches.
  • Patch policy setters—Access to set patching policy.
  • Software policy setters—Access to set software policy. (For Ubuntu patch policy management, you need both Patch Policy Setters and Software Policy Setters user groups.)

In addition to the predefined action permissions, you must grant the necessary resource permissions to these user groups. Use of these predefined user groups is optional. You can modify the permissions of the predefined user groups and you can also delete or copy these groups to create new groups. Changes to or deletions of these predefined user groups are not affected by SA upgrades. See the SA 10.51 Use section for more information.