Creating a Patching Job

This topic describes how to create a Patching Job. A Patching Job identifies missing patches on your servers.

It includes the following sections:

• Contents of the Patching Job
• Before you begin
• To create a Patching Job
• Where to go from here

Contents of the Patching Job

A Patching Job includes the following:

• Analysis — The Patching Job checks the configuration of target servers and determines which patches are needed.
• (Optional) Creation of remediation artifacts — The Patching Job performs the following actions:
  
  1. (Microsoft Windows, Solaris only) Downloads the required payload.
  2. Packages the payload as a BLPackage.

  3. Creates a Deploy Job.

     Note

     The Patching Job creates the Deploy Job. The Deploy Job executes according to the schedule you define for Deploy Jobs. 
     By default, the patching job creates the Deploy Job but does not run it. However, if users schedule a Deploy Job as part of a Patching Remediation Job to execute immediately (using the Execute Now option), the Deploy Jobs are chained to the parent Patching Job, and the parent Patching Job is marked as complete only after the Deploy Job finishes execution.
     If you have permission for the analysis part of a Patching Job, then you also have permission for the remediation part of the job.

Before you begin

• You need to enable the required permissions for anyone responsible for creating and executing the patching job, see Role-based-permissions-for-creating-and-running-a-patching-job for the list of permissions. In addition, ensure that anyone who can view results of the Patching Job, has the DepotObject.Read permission enabled for the patch catalog that is used for the analysis.
• Make sure that the libnsl.so.1 package is installed on the RHEL and CentOS targets.

• (Solaris Only) For an agent, running on a target server in single-user mode, to mount a source location using the NFS transmission protocol, the following must be done prior to deployment:

  • Enable NFS client services on the target server.
  • Change the server property setting, DEPLOY_ALLOW_NFS_DURING_SUM, to true.

  For more information, see Using NFS to mount a location while running single-user mode.

To create a Patching Job

1. In the Jobs folder, navigate to the folder where you want to create a Patching Job.
2. Do one of the following actions:
   • Right-click and select New > Patching Job >platformNamePatching Job. For example, Microsoft Windows Patching Job, Solaris Patching Job.
   • Right-click a specific server and select Patch Analysis.
   • Right-click a catalog and select Analyze Using This Catalog.

3. Provide information for the Patching Job as described in the following topics.

   Panel	Description
   Patching Job - General	On the General tab, you can enter following basic information about a Patching Job: Name Enter the name of the Patching Job. NEW IN 21.02(For Windows Patching jobs) When you create an Analysis job with the auto remediate option enabled, name of the created remediation job is appended with the date and timestamp values. If the characters in the name exceed 260, the Remediation job fails. To avoid this issue, the remediation job name after 30 characters is truncated. Description Enter some information about the Patching Job. Save in Select a folder where you would want the job to be stored. Specify a Catalog Browse to and select a patch catalog. Unlimited Select this to have the job to run in parallel on as many target servers as possible. Limited Select this to have the job to run in parallel on a specific number of target servers. Set Execution Override Select when the Patching Job always execute as the user, BLAdmin, and the role, BLAdmins. Clear Execution Override Select when the Patching Job always execute using the user and role that scheduled the job.
   Patching Job - Analysis Options	Complete one of the following panels, based on patch platform.
   	Patching Job - Analysis Options for Microsoft Windows	A Patching Job checks the configuration of patches on specific servers according to the filters defined as part of the job definition. You can select List and create an Include/Exclude list for specific patches through the Include-or-Exclude-Selection dialog box. You can specify the patches that you want to include or exclude, or you can specify a .txt file that contains a list of QNumbers for these patches. We recommend adding only those patches that you want to test against the target to the include list because adding additional patches might increase the time taken to analyze the target. If you want to use the Include and Exclude patch lists in combination for superseded patches, use the Filter Exclude List Before Analysis check box: If you select this check box, the patches in the Exclude list are removed from the patches in the Include list. This revised patch list is used for patch analysis. If you do not select this check box, the patches from the Include list are used for analysis and the patches specified in the Exclude list are filtered from the analysis results. Example scenario You have two patches as P1 and P2 where P2 supersedes P1, and you performed these steps: Create the smart groups; SG1 for P1, SG2 for P1 and P2, and SG3 for P2 Create a new Patch Analysis Job. On the Analysis Options tab, do the following: Add SG2 in the Include list and SG3 in the Exclude list. Select the Filter Exclude List Before Analysis check box.  Run the Patch Analysis Job. Result: P1 is shown as missing in the Object view. If you perform these steps without selecting the Filter Exclude List Before Analysis check box, no patches are shown as missing. If you do not select List, you can choose from one of the following analysis options: Click here to see a description of the options. Field definitions Security patches (Recommended) Analyze patches that address security vulnerabilities. The Patching Job performs analysis against all patches in the patch catalog. Any security patch in the catalog that is found to be missing from the target being tested will show as missing in the Job Run Log. Security tools Analyze patches that prevent or clean up malicious software. Non-security patches Analyze performance-related fixes, fixes for known bugs, and hardware drivers. Exclude Service Packs (Optional) Select when you do not want to include service packs in the analysis results.
   	Patching Job - Analysis Options for Solaris	You can select List and create an Include/Exclude list for specific patches through the Include-or-Exclude-Selection dialog box, or choose from one of the following options: Click here to see a description of the options. Field definitions Analyze all Patches Select to analyze all patches contained in the patchdiag.xref file. Analyze Recommended patches Select to analyze patches that were recommended by the vendor according to information contained in the patchdiag.xref file. Analyze Security patches Select to analyze patches that address security vulnerabilities. Analyze Without Dependencies Analyze the patches from the Include List without analyzing associated dependencies.
   	Patching Job - Analysis options for AIX	A Patch Analysis Job on AIX does not show any fileset or BFF file dependency issues in the analysis log files and the Deploy Job might fail. You must ensure that all the required filesets and BFF files are installed on the target computer. You can create an Include/Exclude List for specific patch containers (PTFs or APARs) through the Include-or-Exclude-Selection dialog box, or choose from one of the following options: Click here to see a description of the options. Analysis Option Choose one of the following options for the Patch Analysis: Stop Analysis if any applied fileset found Stop analysis on any target server that has filesets in the applied state (installed but not committed). Use Patch global configuration settings Use the settings in the Global configuration parameters. Continue Analysis if any applied fileset found Continue analysis on any target server that has filesets in the applied state (installed but not committed). Analysis Mode Choose either Install Mode or Update Mode. For AIX, the Patch Analysis Job fails in the Install Mode because of missing rpms in the repository. A single repository will contain updates for all available packages. The Install Mode is intended to install new packages on the target. Hence, BMC recommends the use of Install Mode on selective packages, rather than using the Install Mode on the complete repository. Upgrade Installp during analysis   Depending on how you want to upgrade the ‘bos.rte.install’ package, choose one of the following options: Skip: The ‘bos.rte.install’ package on the target is not upgraded. Apply: The ‘bos.rte.install’ package on the target is upgraded to the later version available in the catalog during the analysis. ‘bos.rte.install’ is deployed on the target in the applied state. Apply and Commit: The ‘bos.rte.install’ package on the target is upgraded to the later version available in the catalog during the analysis. ‘bos.rte.install’ is deployed on the target in the committed state. Note: Using Apply and Apply and Commit options, the Patch analysis is done in one pass only. Additional Installp option (Optional)   Enter any additional options that you want to use with the Installp command. By default, TrueSight Server Automation passes the following options: -V -e -p -a -Y -g -d -f to the Installp command. Warning: The options that you enter here are passed in addition to the default options passed by TrueSight Server Automation. You cannot modify these default options. The options entered in this field are directly passed to the Installp command. New in 8.9.03.001Analyse with efix/ifix Select this option if you want to run the patch analysis job when an eFix/iFix is installed on the target machine. The efix must be part of a service pack. By default, the checkbox is not selected. Note: If the eFix on the target server machine is not part of a service pack, BMC recommends you to remove the efix and execute the analysis job. Group Select to use the entire patch catalog for patch analysis. List Create an Include List or an Exclude List, depending on your requirements. For an APAR or PTF-based catalog, you can create an Include List for specific APAR or PTF IDs. You can also create an Exclude List for a specific fileset. Use this option if inclusion of the fileset would lead to deployment failure, such as if the fileset had dependency issues, whereas exclusion of the fileset would result in successful analysis and deployment. Analysis of a specific APAR or PTF includes the entire service pack. Therefore, the version of the target server is upgraded to the same version as the service pack that was analyzed. Note: Exclusion is the only action you can perform at the fileset level.
   	Patching Job — Analysis Options for Red Hat Enterprise Linux, Oracle Linux Public Repo or SUSE Linux Enterprise	Click here to see a description of the options. On the Basic Options tab, you can perform the following actions: (Additional step for SuSE Patching only) Select whether you want to perform patching using the Zypper or yum tool. Click here for more information about the Zypper patching tool. An improved packaging framework called Zypper has been introduced in SUSE Linux 10.3 and later versions. TrueSight Server Automation now supports patching using the Zypper packaging framework. Because Zypper is an improved packaging framework, BMC strongly recommends using the Zypper tool for patching instead of the existing YUM patching tool. When using YUM, you might encounter dependency issues. Important Ensure that you have Zypper 1.3.7 or later is installed on your SuSE repository server, before you use Zypper for patching. BMC strongly recommends using Zypper when creating a patching job for a patch catalog that was created using the Subscription Management Tool (SMT). Choose one of the following options: Install Mode - Analyze for missing RPMs and updates available for installed RPMs on a target server Notes Do not choose Install Mode if you are including all errata or all RPMs from the catalog. Various conflicts and dependency issues between RPMs may occur because Install Mode attempts to install RPMs for which the base versions or earlier versions are not present. You are not required, nor is it recommended, to include the default RPMs Patch smart group that is part of the catalog. If no includes are specified, the analysis will check for the missing patches for the target server OS version and platform. If the include list is specified, there will be an explicit check for each rpm in the patch smart group. Update Mode - Analyze only for updates available for installed RPMs on a target server (Additional option for Red Hat Enterprise Linux) Security Mode - Analyze for security updates available for installed RPMs on target server. Select from one of the following options: Update: Analyze all available security updates. This option analyzes the last version available of any package with at least one security errata, thus can analyze non-security erratas if they provide a more updated version of the package. Update-minimal: Analyzes the packages that have a security errata use. Important After you upgrade to version 21.3, ensure that you update the patch catalog for the Security Mode option to take effect. (Additional option for SuSE if you are patching with Zypper) Dist-Upgrade Mode - Analyze only for distribution upgrade or service pack upgrade. Important If you have created a SuSE patch catalog in the online mode, you can only update your target from the existing OS level to the next OS level. For example, to update a target from SuSE Linux Enterprise 11 SP2 to SuSE Linux Enterprise 11 SP4, you must first update your target to SUSE Linux Enterprise 11 SP3, and only then upgrade to SUSE Linux Enterprise 11 SP4. Note Zypper supports updates for distributions and service packs, which is not supported by the YUM patching tool. The Zypper method of analysis automatically skips distribution and service pack upgrade-related rpms during normal package updates (Install mode and Update mode). In yum method of analysis, however, the distribution and service pack upgrade-related rpms must be manually excluded during the normal package updates. As a result, you may find a difference in the analysis results of Zypper and yum. Your selection between Zypper and Yum is captured in the job property OTHER_LINUX_ANALYSIS_PATCHING_TOOL, with a value of 0 for Zypper or 1 for Yum (the default). This job property is available as of TrueSight Server Automation 8.9.01. Click here to see steps to for upgrading SuSE 11 SP1 to SuSE 11 SP2 using zypper For an online catalog: Create a SuSE online catalog for SuSE 11 SP2 by selecting following repositories during filter selection: SLES11-SP2-Update SLES11-SP2-Pool SLES11-SP1-Update SLES11-SP2-Pool Run the patch analysis job using the patch catalog created above. For an offline catalog: Provide URLs for the following repositories in SuSE downloader config xml and run the offline downloader SLES11-SP2-Update SLES11-SP2-Pool SLES11-SP1-Update SLES11-SP2-Pool Create the offline catalog by providing repository created by offline downloader. Run the patch analysis job using the patch catalog created above. Create an Include/Exclude list for specific patches through the Include-or-Exclude-Selection dialog box to override the default, which includes the entire Patch catalog in the analysis. (only for 8.9 SP1 and later releases) For more information about Include/Exclude list optimizations in Red Hat patch analysis using the By Complete Package Name and By Package Name only options, click the following link: Click here to expand information about optimizations in the Include/Exclude list for Red Hat TrueSight Server Automation can automatically select the appropriate rpm version or versions while including or excluding an rpm package in an RHEL patch analysis job. To enable this version optimization, select the By Package Name Only option while including or excluding patches. Whenever any rpm package is selected with the By Package Name Only option, TrueSight Server Automation automatically performs the following: In case of an include patch operation—includes the latest rpm version of the package from the catalog, even if that version is not manually selected In case of an exclude patch operation—excludes all rpm versions of the package from the catalog, even if all versions are not manually selected You can still individually specify rpm versions for include or exclude by selecting the By Complete Package Name option. When this option is selected, TrueSight Server Automation does not automatically include or exclude any rpm version that is not manually selected by the user from the catalog. Whenever any rpm package is selected with the By Complete Package Name option, TrueSight Server Automation automatically performs the following: In case of an include patch operation—includes the latest rpm version of the package, from the selected rpm packages In case of an exclude patch operation—excludes all rpm versions of the package, from the selected rpm packages Important The exclude operation takes precedence over the include operation. Therefore, If a package is excluded with the By Package Name Only option, all versions of the package will be excluded from analysis, even if specific versions are manually included. Examples: When a selection is made with the By Complete Package Name option you can manually select each version to include or exclude from the catalog. Manually select each version from the catalog Specific versions displayed in the Include/Exclude list When a selection is made with the By Package Name Only option, you can select any one version of the rpm packages and TrueSight Server Automation automatically selects the appropriate versions for the packages.   Select any one version of the rpm packages  Only package names are displayed in the Include/Exclude list On the yum.conf tab, perform either of the following actions: Select the Use Patch Global Configuration File check box if you want to use a yum.conf file with default settings provided with TrueSight Server Automation. Or Deselect the Use Patch Global Configuration File check box if you want to use a custom yum.conf file. You can customize the yum.conf file to configure the different patch analysis and deployment parameters. Your desired entries should be added in the text box provided.  Click here to see a sample of a yum.conf file. [main] debuglevel=4 logfile=/var/log/yum.log pkgpolicy=newest distroverpkg=RedHat-release tolerant=1 obsoletes=1 plugins=0 gpgcheck=0 bootloader=1 Notes The system default /etc/yum.conf file is not used in either of the above cases.  In addition to the options listed in the sample yum.conf above, if you want to avoid the removal of old RPMs during patch analysis when a native yum is used, you can include the installonly_limit option in the yum.conf file. For more information, see the description of this issue in Troubleshooting Patch Management issues. For more information about all the options that you can include in the yum.conf file, see the yum.conf man page. The yum.conf tab applies only to Red Hat Enterprise Linux, Oracle Enterprise Linux, and SUSE Linux Enterprise servers. You can also customize the yum.conf file from the Patch Global Configuration option. For more information, see Global-Configuration-parameter-list.
   	Patching Job - Analysis Options for Ubuntu	Click here to see a description of the options. A Patching Job checks the configuration of patches on specific servers according to filters defined as part of the job definition. Choose one of the following options: Analyze for missing patches and updates available for installed patches on a target server (Install Mode). Analyze only for updates available for installed patches on a target server (Update Mode). Create an Include/Exclude list for specific patches through the Include-or-Exclude-Selection dialog box to override the default of including the entire patch catalog in the analysis. Note Depending on which mode you have selected, you cannot perform the following operations: If Install Mode is selected, you cannot exclude a patch or smart group. If Update Mode is selected, you cannot include a patch or smart group.
   	Patching Job - Analysis Options for Debian	Click here to see a description of the options. A Patching Job checks the configuration of patches on specific servers according to filters defined as part of the job definition. Choose from one of the following options: Analyze for missing patches and updates available for installed patches on a target server (Install Mode) Analyze only for updates available for installed patches on a target server (Update Mode) Create an Include/Exclude list for specific patches through the Include-or-Exclude-Selection dialog box, to override the default of including the entire patch catalog in the analysis. Note Depending on which mode you have selected, you cannot perform the following operations: If Install Mode is selected, you cannot exclude a patch or smart group. If Update Mode is selected, you cannot include a patch or smart group.
   	NEW IN 20.02.01Patch Job - Analysis options for CentOS	Click here to see a description of the options. A Patch Analysis Job checks the configuration of patches on specific servers according to filters defined as part of the job definition. Select one of the following options: Analyze for missing patches and updates available for the installed patches on a target server (Install Mode). Analyze only for updates available for the installed patches on a target server (Update Mode). Create an Include/Exclude list for specific patches through the Include-or-Exclude-Selection dialog box to override the default of including the entire patch catalog in the analysis. Note Depending on the mode you have selected, you cannot perform the following operations: If Install Mode is selected, you cannot exclude a patch or smart group. If Update Mode is selected, you cannot include a patch or smart group.
   Patching Job - Remediation Options	If the Patching Job autoremediates after completion of analysis, enter the following information: Create remediation artifacts Select to remediate on completion of analysis. All other options are available only if Create remediation artifacts is selected. Package name prefix Enter text that the Patching Job automatically adds to the name of all BLPackages and Deploy Jobs created. The name of the Patching Job appears as the default. Save package(s) in: Enter a depot location where the remediation package is stored. By default, the location is the same one used to store the Patching Job. Save batch/deploy job(s) in: Enter the folder where the Remediation and Deploy Jobs created by the Patching Job are stored. By default, the location is the same one used to store the Patching Job. ACL Policy for Package(s)/Deploy Job(s): Browse to and select the ACL policy to assign to each BLPackage, Deploy Job, and Batch Job created by the Patching Job. Deploy Job Options Select to open Deploy Job Options. The options defined here are the same ones defined for any Deploy Job. Deploy Job Properties Select to open a list of Deploy Job properties. The properties defined here are the same ones defined for any Deploy Job.
   Patching Job - Targets	Use the Targets panel to choose the servers where this job runs. When first defining and saving a job, you do not have to specify target servers. You can specify target servers at a later time. Field definitions Field Description Available Servers Specify the operating system of the servers you want to select. To display servers running any operating system, select All. By Group, By Name Select servers from a tree or sortable list and click the right arrow to move your selections to the right panel To select servers: Click the By Group tab at the bottom of the window. The left panel displays servers in a hierarchical list arranged by server group. Choose servers by selecting a server group or selecting one or more individual servers. If you select a server group, the job runs against the servers assigned to that group at the time of execution. The servers assigned to smart groups can change dynamically based on their server properties. You can modify static server groups manually by adding or removing servers. Click the By Name tab at the bottom of the window. The left panel lists servers by name in a Group Explorer view. Sort servers in ascending or descending order by clicking on any column header. Select one or more servers.
   Patching Job - Output	The Output panel lets you capture job completion status for the current job and use it to populate a predefined property that you created in the Property Dictionary, within the built-in property class for the job targets — the Server, Component, or Device property class. The list of properties for selection includes all complex properties of the JobRunStatusEnumeration type. It does not include intrinsic and deprecated properties. Using the property that you specify here, you can create smart groups based on the completion status of the current job at the various targets. For example, you can create a smart group that includes all servers at which this job has not yet run or a smart group for all servers at which this job has completed successfully. Such smart groups can serve as the targets either in the current job or in other jobs. When used in a separate job, the smart group targets link the execution of one job with the outcome of a previous job. In fact, you can optionally join both jobs together within a Batch Job.
   Patching Job - Default Notifications	The Default Notifications panel provides options for defining default notifications that are generated when a job completes. If you have set up notifications for a particular scheduled job, those notifications are generated instead of default notifications. Default notifications can take the form of emails or SNMP traps. When a job completes, an SNMP trap is sent to a specified server, where it can be read using software that receives and interprets SNMP traps. Default notifications are sent when you run a job immediately (that is, you do not schedule the job) or a scheduled job completes but you have not set up email or SNMP notifications for that scheduled occurrence. Patching Job Run Notifications Field Description Send email to Lists email addresses of the accounts to notify when a job completes with the status that you specify. Separate multiple email addresses with semicolons, such as [email protected];[email protected]. After entering email address information, select the statuses that cause an email to be generated. Append patch analysis results to email Indicates emailed notifications should include detailed patch analysis results. Note: This option is relevant only for Patching Jobs and not for Patching Remediation Jobs. You cannot send attachments for Patching Remediation Jobs, or for the child Deploy Jobs of Patching Analysis and Patching Remediation Jobs Limit email body size Limits the size of email that is generated by appending patch analysis results. Enter the maximum size, in kilobytes, in the text box. The default value is 1000 KB. Send SNMP trap to Provides name or IP address of the server to notify when the job completes. After entering server information, select the statuses that should cause an SNMP trap to be generated. TrueSight Server Automation provides a management information base (MIB) that describes its SNMP trap structure. You can use this MIB to create scripts that integrate traps into your trap collection system. The MIB is located at installDirectory/Share/BladeLogic.mib. List failed servers in email notification Indicates email notifications should list all servers on which a job has failed. Create incident on job failure Creates an incident in BMC Remedy ITSM if the job fails. This option is available if this job type was selected to support the creation of ITSM incidents and a connection to BMC Remedy ITSM was set up. For more information, see Enabling-Change-Automation-for-TrueSight-Server-Automation-jobs. Note Email notification settings specified for a Patching Job with the autoremediation option or for a Patching Remediation Job are propagated to its child Deploy Jobs. You can, however, specify different email notification settings in a child Deploy Job to override the settings in the parent job.
   Patching Job - Schedules	The Schedules panel lets you schedule a job to execute immediately, schedule a job at a specific time in the future, schedule a job on a recurring basis, and define notifications that are issued when a job runs. When scheduling a job, you can perform any of the following tasks: Scheduling a job that executes immediately — To schedule a job that executes immediately, select Execute job now. If your system has been configured to require approval for this job type, select Execute on Approval and then click Browse to display the Change Request Information dialog box. For more information, see Patching-Job-Execute-on-Approval-and-Change-Request-settings. Scheduling a job — The Schedule tab lets you schedule a job so it can run one time, recur hourly, daily, weekly, or monthly, or recur at some arbitrary interval. For more information, see Patching-Job-Scheduling. Defining job notifications — The Job Notifications tab lets you set up notifications that are generated when a scheduled job runs. For more information, see Patching-Job-Scheduled-Job-Notifications. Providing Change Request information — The Change Request information tab lets you provide Change Request information. This tab only appears when your system has been configured to require approval for this job type. For more information, see Patching-Job-Execute-on-Approval-and-Change-Request-settings.
   Patching Job - Properties	The Properties panel provides a list of properties automatically assigned to the job being created. In this list, you can modify the value of any properties that are defined as editable. For any property that has a check in the Editable column, select the property and click in the Value column. To set a property value back to its default value, click Reset to Default Value . The value of the property is reset to the value it inherits from a built-in property class. The Value Source column shows the property class from which the value is inherited. Depending on the type of property you are editing, you can take different actions to set a new value, such as entering an alphanumeric string, choosing from an enumerated list, or selecting a date. To insert a parameter into the value, enter the value, bracketed with double question mark delimiters (for example, ??MYPARAMETER??) or click Select Property . The following table provides a list of editable properties: Property name Property type Description AUTO_GENERATED Boolean Specifies whether the object was auto generated. DEBUG_MODE_ENABLED Boolean Specifies whether the Debug Mode has been enabled for the patching job. If this property is set to TRUE, the logs that are created while performing a patch analysis job on the targets are saved on the Application Server. Click here for the location.  <ApplicationServerName>/ opt/bmc/bladelogic /NSH/tmp/debug /application_server/ <JobName>/ <TimeAndDateStamp> / <TargetServerIPAddress> JOB_PART_TIMEOUT Integer Specifies the number of minutes the job part or work item should run before it is automatically canceled. JOB_TIMEOUT Integer Specifies the number of minutes the job should run before it is automatically canceled. MAX_PARALLEL_PER_VM_HOST Integer Specifies the maximum number of parallel work items processed per Vitrual Machine host. PRIORITY JobPriorityEnumeration Specifies the priority of the Patching Job RESULTS_RETENTION_TIME Integer Specifies the number of days to retain old job runs and job results for the job.
   Patching Job - Permissions	Using the Permissions panel, you can add individual permissions to an object. You can also set permissions by adding ACL templates or ACL policies. The Permissions list is an access control list (ACL) granting roles access to any objects created in the system, such as depot objects. ACLs control access to all objects, including the sharing of objects between roles. For more information, see the following table: Task Description Adding an authorization An authorization grants permission to a role to perform a certain type of action on this object. To add authorization to this object, click Add Entry  in the Access Control List area. Then use the Add New Entry dialog box to specify the role and authorization you want to add. Adding an ACL template An ACL template is a group of predefined authorizations granted to roles. Using an ACL template, you can add a group of authorizations to the object. To add an ACL template to the object, click Use ACL Template  in the Access Control List area. Then use the Select ACL Template dialog box to specify an ACL template that you want to add to this object. To set the contents of the selected ACL templates so that they replace all entries in the access control list, select Replace ACL with selected templates. If you do not select this option, the contents of the selected ACL templates are appended to existing entries in the access control list. Adding an ACL policy An ACL policy is a group of authorizations that can be applied to this object but can be managed from one location. To add an ACL policy to this object, click Use ACL Policy  in the ACL Policies area. Then use the Select ACL Policy dialog box to specify an ACL policy that you want to add to the object. To set the contents of the selected ACL policies so they replace all entries in the access control list, select Replace ACL with selected policies. If you do not select this option, the contents of the selected ACL policies are appended to existing entries in the access control list.

4. After completing the last step of the wizard, click Finish. 
   A Patching Job is stored in the appropriate Jobs folder. You can open the job and edit it.

Where to go from here

Performing-patch-remediation