Managing user mappings
This topic provides BMC recommendations for the security configuration files used for RSCD agents. For general information about these configuration files and their role in BMC Server Automation administration, see Setting up configuration files.
Managing the exports file
During testing or development, it might be convenient to use the exports file to map all external users to a common local user (for example, root or Administrator). For production use, however, BMC strongly recommends that the exports file on each target not include mappings of
BMC recommends using the exports file to restrict access to deployed agents. The exports file should allow connections only from job servers and NSH proxy servers.
When the exports file contains symbolic names, access to the agent is granted only if reverse DNS lookup of the connecting IP address (that is, the IP address of the job server or NSH proxy server) successfully matches an entry in the exports file. Because DNS issues in a distributed environment can be difficult to identify and resolve, consider using only numeric IP addresses in the exports file.
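The following audit sketch applies the exports recommendations above. It is an added example, not BMC code. It assumes an exports layout of one entry per line, where the first whitespace-delimited field is a comma-separated host list (`*` for any host) followed by comma-separated options such as `rw` and `user=<name>`, with `#` starting a comment; verify that layout against the product documentation for your agent version.

```python
import ipaddress

# Local accounts the page names as convenient-but-risky mapping targets.
PRIVILEGED = {"root", "administrator"}

def is_numeric_host(host):
    """True if host is a literal IP address or CIDR subnet, not a DNS name."""
    try:
        ipaddress.ip_network(host, strict=False)
        return True
    except ValueError:
        return False

def audit_exports(text):
    """Return (line_number, finding) tuples for entries that deviate from the guidance."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # assumed comment syntax
        if not line:
            continue
        fields = line.split(None, 1)
        hosts = [h for h in fields[0].split(",") if h]
        options = fields[1].replace(" ", "").split(",") if len(fields) > 1 else []
        for host in hosts:
            if host == "*":
                findings.append((lineno, "wildcard host: entry matches every connecting host"))
            elif not is_numeric_host(host):
                findings.append((lineno, f"symbolic name '{host}': depends on reverse DNS"))
        for opt in options:
            key, _, value = opt.partition("=")
            if key.lower() == "user" and value.lower() in PRIVILEGED:
                findings.append((lineno, f"maps all users to privileged account '{value}'"))
    return findings

# Constructed sample, not taken from a real agent.
SAMPLE = """\
# test-lab leftover
*                       rw,user=root
appserver1.example.com  rw
10.20.30.40,10.20.30.41 rw
"""

if __name__ == "__main__":
    for lineno, finding in audit_exports(SAMPLE):
        print(f"exports:{lineno}: {finding}")
```

An empty result means every entry names only numeric addresses and none maps users to root or Administrator; it does not confirm that the listed addresses are actually job servers or NSH proxy servers.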
Managing the users file
BMC recommends establishing ACL Push jobs for all hosts and running these jobs on a regular basis. An ACL Push job updates the contents of the users file on each managed host according to permissions established for each server.
BMC also recommends setting the PUSH_ACL_NO_USERS_FLAG server property to true (the default) for all servers. This setting causes the ACL Push job to add a nouser entry to each server's users file.
Managing the users.local file
BMC recommends adding an entry for BLAdmins:* to the users.local file for every server. Because the BLAdmins role cannot be deleted, this entry provides a level of safety if all other user permissions for a server are revoked.