Creating automation principals
You can create an automation principal, which defines a user credential that can be used for accessing external systems. Automation principals are used primarily by agents to map access using a specific credential on an endpoint, most commonly a user name and password, instead of using the traditional impersonation method.
You can define an automation principal to access a server running any supported operating system. Some common uses for automation principals are:
- Microsoft Windows user mapping — Map one or more RBAC roles to a local or domain user on a managed server.
- Agent installation — Access servers where you want to run agent installations.
- Atrium Orchestrator — Integrate Workflow Jobs with BMC Atrium Orchestrator.
- LDAP server access — Access an LDAP server such as an Active Directory server.
If your automation principal will be used to map to an Active Directory account, the managed host must be a member of the appropriate Active Directory domain. Non-AD automation principals can use local authentication.
This procedure lets you map multiple roles to an automation principal. Alternatively, you can map a particular role to an automation principal (see Role - Agent ACL). Rather than mapping automation principals to roles, you can accomplish the same mapping on a server-by-server basis using server properties. For information, see Using server properties to map automation principals for Windows user mapping.
You might need to create an automation principal that provides credentials for a superuser on UNIX systems. A superuser automation principal is the same as any other automation principal. It simply includes credentials for a superuser.
Only servers running BMC Server Automation version 8.0 or later can recognize automation principals. Only Windows servers running BMC Server Automation version 8.0 or later can recognize automation principals used for Windows user mapping.
Automation principals cannot be used with repeaters.
For information about modifying automation principals, see Modifying automation principals. For more general information about automation principals, see Considerations for automation principals and Windows user mapping.
Before you begin
If you are creating an automation principal for Windows user mapping or to use only for explicit agent authentication to a local or domain account instead of impersonation (from LocalSystem on Windows) for all agents, your Application Server environment must be configured to use a Network Shell proxy server for all agent connections. For a detailed description of that configuration, see Setting up a Network Shell proxy server.
To create an automation principal
- In the RBAC Manager folder, select Automation Principals.
- Create a new automation principal by right-clicking and selecting New > Automation Principal from the pop-up menu. The Automation Principal Creation wizard appears.
- Provide information for the automation principal as described in the following topics:
- To close the wizard and save your changes, click Finish at any time.
Alternatively, you can create a new automation principal by copying an existing automation principal and pasting it into the Automation Principals node. The password of the original automation principal is not copied into the new automation principal, so you must set the password while editing the new automation principal.