Role - Agent ACL

The Agent ACL panel lets you enter information that determines how a user establishes a connection to an RSCD agent on a remote server.

BMC Server Automation allows you to perform certain functions when that connection is established, and the definitions you provide on this page control those functions. For example, you can specify that a user with this role has privileges equivalent to root on the remote server. You can associate a Windows automation principal with a role. Or, you can specify that a user with this role only has access to a particular directory on the remote server.

The Agent ACL panel provides most of the same functionality as the users configuration file on an RSCD agent. For more information about the users file, see Configuring the users or users.local files.

After you have defined a role, you should run an ACL Push Job on servers that the role is authorized to access. The ACL Push Job copies access control list (ACL) information derived from the role definition and uses it to overwrite the users configuration file. After you have pushed ACL information to an agent, the settings you have defined for the role are used to control all incoming connections to that agent. For more information about pushing ACLs, see Controlling server access with agent ACLs.

Field definitions

Field

Description

User must exist on agent

Check to instruct a server to allow a connection from a user only when an account with the same user name exists on the server. This option is analogous to the exists option in the users configuration file.

Allowed Hosts

Specify the hosts from which a user can connect to a server. Separate host names or IP addresses (either IPv4 or IPv6) with a colon, such as host1:host2:host3.

Note: For any host that you specify using its IPv6 address, enclose the IPv6 address in square brackets. For example, [2001:db8::1:2].

As an alternative to specifying a string of hosts in this field, you can import a text file that contains your list of hosts. To import the list file, click the green plus icon to the right of this field, and then select the list file through the Role - Import Hosts dialog box.

Read Only and Read/Write

Specify whether all users in the role are granted either read-only or read/write permission on servers. You cannot use a role to give read-only permission to some users and read/write permission to others. Use the users.local file to create a more fine-grained set of permissions. For more information, see Configuring the users or users.local files.

Map to user name 

Check to force a user connecting to a server to have the same permissions as a local user with that same name on the server. For example, if you check this option and user betty connects to a server, she has the same permissions as those already defined for local user betty on the server. If you check this option, a user cannot connect to a server unless an identical local user name is already defined on the server.

Note: This option is relevant only for mapping to a local user account. It does not work with an Active Directory account.

Platform Related

Define permissions that vary by platform. Click the UNIX tab and enter the following values as they apply to UNIX servers. Then click the WINDOWS tab and enter the following values as they apply to Windows servers:

  • User Map — Define a user name to which incoming connections on a server should be mapped by doing one of the following:
    • Select Map to and enter a user name.
    • Select Use property and enter a property name or use Select Property, which displays a list of server properties.

 User mapping forces users who have assumed this role to operate with the same permissions as the user name to which they are mapped. For example, you might enter root or anon for UNIX systems or Administrator or Guest for Windows. If you do not specify a user name to which incoming connections should be mapped and you have not checked the Map to user name flag, RBAC automatically maps each incoming user to a user with the same name on the server. For example, incoming user "joe" is automatically mapped to user joe on the server. If joe does not exist on the server, RBAC maps joe to nobody on UNIX systems and Anonymous on Windows. 

Using a property rather than a name allows you to map a role to different user names on different servers. For example, if you map to a property called ADMIN_USER, that property could be defined as Administrator on one server and a different name on another server. If you specify a property that identifies an automation principal, the role of the incoming user is mapped to the user specified in the automation principal. For more information on mapping to an automation principal, see Using server properties to map automation principals for Windows user mapping.

For more information about user mapping, see Impersonation and privilege mapping.

  • Root Directory — Enter the highest directory that the user can see. The user is able to see that directory and all of its subdirectories. This option applies exclusively to Network Shell-only user entries that are generated and pushed to agents. The Root Directory option is analogous to the rootdir option in the users configuration file.
  • Flags — For UNIX, the following flags are available:
    • Silently ignore setting of setuid and setgid bits — Instructs a UNIX server to prevent users from setting the setuid or setgid bits when creating a file or changing a file's permissions. This option is analogous to the nosuid option in the users configuration file. It is only available on the UNIX tab.
    • Fail on mknod(2) system call — Instructs a UNIX server to prevent users from making calls to the mknod system call. This option is analogous to the nomknod option in the users configuration file. It is only available on the UNIX tab.
  • Automation Principal — Select an automation principal that should be mapped to this role or select None. For more information about automation principals, see Automation principals and server management. The Automation Principal option is only available on the WINDOWS tab.
    Note that if you create a role by copying an existing role and that role includes an automation principal, the newly created role does not include the automation principal.

Where to go from here

Role - Users

Was this page helpful? Yes No Submitting... Thank you

Comments