Role - Agent ACL
The Agent ACL panel lets you enter information that determines how a user establishes a connection to an RSCD agent on a remote server.
BMC Server Automation allows you to perform certain functions when that connection is established, and the definitions you provide on this page control those functions. For example, you can specify that a user with this role has privileges equivalent to root on the remote server. You can associate a Windows automation principal with a role. Or, you can specify that a user with this role only has access to a particular directory on the remote server.
The Agent ACL panel provides most of the same functionality as the users configuration file on an RSCD agent. For more information about the users file, see Configuring the users or users.local files.
After you have defined a role, you should run an ACL Push Job on servers that the role is authorized to access. The ACL Push Job copies access control list (ACL) information derived from the role definition and uses it to overwrite the users configuration file. After you have pushed ACL information to an agent, the settings you have defined for the role are used to control all incoming connections to that agent. For more information about pushing ACLs, see Controlling server access with agent ACLs.
User must exist on agent
Check to instruct a server to allow a connection from a user only when an account with the same user name exists on the server. This option is analogous to the exists option in the users configuration file.
Specify the hosts from which a user can connect to a server. Separate host names or IP addresses (either IPv4 or IPv6) with a colon, such as
Note: For any host that you specify using its IPv6 address, enclose the IPv6 address in square brackets. For example,
As an alternative to specifying a string of hosts in this field, you can import a text file that contains your list of hosts. To import the list file, click the green plus icon to the right of this field, and then select the list file through the Role - Import Hosts dialog box.
Read Only and Read/Write
Specify whether all users in the role are granted either read-only or read/write permission on servers. You cannot use a role to give read-only permission to some users and read/write permission to others. Use the users.local file to create a more fine-grained set of permissions. For more information, see Configuring the users or users.local files.
Map to user name
Check to force a user connecting to a server to have the same permissions as a local user with that same name on the server. For example, if you check this option and user betty connects to a server, she has the same permissions as those already defined for local user betty on the server. If you check this option, a user cannot connect to a server unless an identical local user name is already defined on the server.
Note: This option is relevant only for mapping to a local user account. It does not work with an Active Directory account.
Define permissions that vary by platform. Click the UNIX tab and enter the following values as they apply to UNIX servers. Then click the WINDOWS tab and enter the following values as they apply to Windows servers:
User mapping forces users who have assumed this role to operate with the same permissions as the user name to which they are mapped. For example, you might enter root or anon for UNIX systems or Administrator or Guest for Windows. If you do not specify a user name to which incoming connections should be mapped and you have not checked the Map to user name flag, RBAC automatically maps each incoming user to a user with the same name on the server. For example, incoming user "joe" is automatically mapped to user joe on the server. If joe does not exist on the server, RBAC maps joe to nobody on UNIX systems and Anonymous on Windows.
Using a property rather than a name allows you to map a role to different user names on different servers. For example, if you map to a property called
For more information about user mapping, see Impersonation and privilege mapping.