Controlling server access with agent ACLs
You can use agent access control lists (ACLs) to control access to a server.
When you define permissions for a server, you are controlling access to the server within the BMC Server Automation system. The BMC Server Automation Application Server enforces these permissions. However, you can also manage servers using Network Shell and the BLCLI. To completely control access to a server, you must modify configuration files on each server's RSCD agent.
Several methods exist to control access using agent configuration files. For an extended discussion of this subject, see Setting up configuration files. If you are using Microsoft Windows user mapping, see also Windows user mapping and agent ACLs.
Typically, you control agent access by letting BMC Server Automation automatically translate the permissions you have defined for a server in the BMC Server Automation Console into a users configuration file on the agent. You accomplish this by running an ACL Push Job on a server, which overwrites the users file for that server's RSCD agent (see Creating or modifying ACL Push Jobs). After you have pushed ACLs, the users file settings control all incoming connections to that agent.
When BMC Server Automation generates entries for a users file, it creates an entry for each user associated with each role that has access to the server. BMC Server Automation does not generate an entry for disabled users. An entry is formed by pairing a role and a user using the format role:user. In the example users file shown below, DBAdmins is the role, and george and betty are users assigned to the DBAdmins role.
In addition to generating role:user entries, BMC Server Automation also creates another type of users file entry for Network Shell users. Because Network Shell does not recognize roles, the RBAC Manager folder asks you to specify a role that functions as the default Network Shell role for each user (see User - Role Selection). Using this information, BMC Server Automation generates a users file entry that does not include role information for each user. A users file entry is not generated for disabled users.
For example, in the users file shown above, the users george and betty have their default Network Shell role set to DBAdmins. In addition to the role:user entries for george and betty, BMC Server Automation generates entries for george and betty that are not paired with any role but are based on the same information as the DBAdmins role. These entries are default Network Shell roles, and they let george and betty access the server using Network Shell.
The users file that BMC Server Automation pushes to an agent can also include a nouser entry. Including this entry instructs a server to allow a connection from a user only when that user has been explicitly defined in the users configuration file. BMC Server Automation places a nouser entry in the users file of a particular server if the server property called PUSH_ACL_NO_USERS_FLAG is set to true.
Administrators can create a users.local file on agents to define a set of user permissions that is more fine-grained than is possible with the users file entries that BMC Server Automation automatically generates. For example, with RBAC you cannot specify some users as read-only and others as read/write, but you can easily accomplish that by manually editing the users.local file. The RSCD agent reads the users.local file before it reads the users file, and the users.local settings supersede any corresponding settings in the users file. If the users file includes entries that are not superseded, those entries still apply.
BMC recommends adding an entry for RBACAdmins:RBACAdmin and BLAdmins:BLAdmin to the users.local file for every server. Because these roles cannot be deleted, they provide a way to access a server in case you accidentally revoke everyone else's permissions for that server. If you choose to rename the RBACAdmins or BLAdmins roles, the entries you make in the users.local file should reflect those naming decisions.
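The following resolver is an added example, not BMC's own code, that applies the rules described above for role:user entries, role-less Network Shell entries, the nouser entry, and a users.local file that supersedes the pushed users file (including the recommended RBACAdmins:RBACAdmin and BLAdmins:BLAdmin safety-net entries). It assumes that each entry is a key followed by an access token (rw or ro); that token syntax is an assumption, not something this page states.

```python
# Added example (not BMC's code): resolves the access an RSCD agent would grant
# from a users.local file plus the users file that an ACL Push Job generated.
# Assumed: entries are "<role>:<user> <access>" or "<user> <access>" (Network
# Shell default-role entry) and the bare word "nouser"; "rw"/"ro" tokens are
# assumed spellings for read/write and read-only.
from typing import Dict, Optional, Tuple


def parse_users_file(text: str) -> Tuple[bool, Dict[str, str]]:
    """Return (nouser_present, {entry_key: access}) for one users-style file."""
    entries: Dict[str, str] = {}
    nouser = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line == "nouser":                  # only explicitly listed users may connect
            nouser = True
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed entry: {raw!r}")
        entries[parts[0]] = parts[1].strip()  # "role:user" or bare "user" -> access
    return nouser, entries


def effective_access(users_local: str, users: str,
                     role: Optional[str], user: str) -> Optional[str]:
    """Access for a connection arriving as role:user (role=None for Network Shell).
    users.local is read first and its entries supersede the pushed users file;
    'nouser' in either file denies anyone not explicitly listed. None means the
    files make no decision (no entry, no nouser), so the agent's own defaults apply."""
    local_nouser, local = parse_users_file(users_local)
    pushed_nouser, pushed = parse_users_file(users)
    key = f"{role}:{user}" if role else user
    if key in local:
        return local[key]
    if key in pushed:
        return pushed[key]
    if local_nouser or pushed_nouser:
        return "denied"
    return None


# Constructed sample files (stand-ins for the page's missing example file).
USERS_LOCAL = """\
# hand-maintained safety net plus a finer-grained override
RBACAdmins:RBACAdmin rw
BLAdmins:BLAdmin rw
DBAdmins:betty ro
"""
USERS = """\
# generated by an ACL Push Job with PUSH_ACL_NO_USERS_FLAG=true
DBAdmins:george rw
DBAdmins:betty rw
george rw
betty rw
nouser
"""
```

With these files, betty connecting as DBAdmins:betty gets read-only access from users.local even though the pushed users file says rw, and an unlisted user is denied because of nouser.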
Before you push agent ACLs to a server, you can preview the entries to be created in the users file (see Previewing and pushing agent ACLs). When you define permissions for a server, you can also preview agent ACLs (see Adding a server to the system).