User accounts

This topic was edited by a BMC Contributor and has not been approved.

The BMC Server Automation product (formerly known as BladeLogic) creates various user accounts during component installation:

| Account Name | Component | Purpose | Type | Privileges | Default Password | Password Change Forced | Password Encryption | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| BladeLogicRSCD (on a domain controller: BladeLogicRSCDDC) | Windows RSCD Agent | Run RSCD service on Windows systems | OS | Log on as Batch Job | Random since 8.1.00; 16 alpha-numeric and special characters | No | Windows encryption | Password can be changed using the chapw command. The password is stored in the registry using the CryptProtectData function. If an Automation Principal is used exclusively, you can remove this user account using chapw. If the RSCD agent is installed on a domain controller, a default password is used, because the account is shared across all domain controllers in the domain. The password of the RSCD agent on a domain controller can be changed using the chapw command or the agentctl utility, as discussed in Changing the BladeLogicRSCDDC account password on domain controllers. |
| bladmin | Application Server on Solaris and Linux | Run Application Server and spawner processes | OS | Owns application files | NA (locked on install) | NA | NA | Account is created with a locked password. The application server init scripts run a 'su - bladmin' to drop privileges. |
| bladelogic | Oracle Database | All Application Server to DB communication happens as this account | Database | Schema owner for BladeLogic and several other privileges listed in List of required database permissions | Configurable during install by DBA | Dependent on DB password policy | DB default | |
| BLAdmin | BladeLogic Application | Initial Application Administrator account | Application | Full access to all resources granted via Role. Implicit Read on all objects | No | Configurable in application settings (blasadmin / link) | Non-reversible hash stored in DB | During install the BLAdmin account is created and a password is set. Because BladeLogic assigns permissions via the role (RBAC), this account can be locked or disabled (as long as there are other accounts in this role) and there is nothing inherently 'special' about this account. |
| RBACAdmin | BladeLogic Application | Initial Application Security Administrator account | Application | Full access to all RBAC objects. Implicit Read and ModifyAcls on all objects | No | Configurable in application settings (blasadmin / link) | Non-reversible hash stored in DB | During install the BLAdmin account is created and a password is set. Because BladeLogic assigns permissions via the role (RBAC), this account can be locked or disabled (as long as there are other accounts in this role) and there is nothing inherently 'special' about this account. |

BMC Server Automation uses various accounts during operation:

| Account Name | Component | Purpose | Type | Privileges | Default Password | Password Change Forced | Password Encryption | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| root | RSCD Agent on UNIX | RSCD Agent runs as this user | OS | root | NA | NA | NA | RSCD service must run as root for UPM as discussed in Impersonation and privilege mapping. Password is not stored or used by the agent. |
| Automation Principal | BSA Application | Agent installation, Target Server Access, Active Directory User Sync | OS | Log on As Batch Job | NA | NA | AES 128 Bit | The Automation Principal account is created by the user on the target server or Windows domain and the credentials are stored in the BladeLogic database and used when the application is configured to use an AP for the noted purposes. |
| Local server account | RSCD / UPM | Actions performed via BSA act as this account on the target server | OS | Whatever is required to perform the desired functions via BladeLogic | NA | NA | NA | The User Impersonation function is used (link) and BSA does not know the account password. |
| bladelogic | SqlServer Database user | All Application Server to database communication happens as this account | Database | Member of the db_owner role with access to the dbo schema for the BladeLogic Database (for more information, see List of required database permissions) | Configurable during install by DBA | Dependent on DB password policy | Database default | |
| Application Users | BladeLogic Application | Application User accounts | Application | Defined by RBAC Administrators | No | Configurable in applications settings (blasadmin / link) | Variable - SRP, AD, etc | Authentication is available with the built-in SRP authentication type or configurable to external authentication sources such as LDAP, Active Directory, PKI, and RSA. |