Controlling access at the agent level
BMC Server Automation lets you control access to servers at the agent level. Configuration files on the RSCD agent let you define who can access servers and how users communicate with those servers.
For many BMC Server Automation installations, you do not have to modify the agent configuration files. The system's default configuration provides sufficient functionality and appropriate user permissions. If your installation requires additional refinement, you should understand the default configuration of BMC Server Automation.
When you install BMC Server Automation on clients and servers, the following permissions and security configurations are set by default for each RSCD agent:
- All clients are granted read/write access to all servers.
- All clients and servers are set to communicate using protocol 5, a BMC Server Automation protocol for secure communication based on Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL). With protocol 5, TLS automatically negotiates the strongest form of encryption that both the client and the server support.
- Users are granted permissions on managed servers through two different processes:
  - For Windows servers, users can be granted permissions through a process called Windows user mapping. This process enables a role to be mapped to a local or domain user who has permissions for a Windows server. For more information about Windows user mapping, see Windows user mapping and agent ACLs.
  - In all other situations, users can be granted permissions through a process of user impersonation (for all UNIX servers) or user privilege mapping (for Windows). For either of these approaches, when a user attempts to connect to an agent, the agent maps the user to an identity using the following steps:
    - First, the agent determines whether the user has an equivalent identity on the server machine. If so, the connecting user is granted the permissions of that equivalent user. However, root users on UNIX are not automatically mapped to root, and members of the Administrators group in Windows are not automatically mapped to Administrator.
    - If a user does not have an equivalent local identity on the server, the agent maps the incoming user to a default user with downgraded permissions. On UNIX, users are mapped to the user "nobody." On Windows, users are mapped to the user "Anonymous." Incoming users can instead be granted the permissions of a specified user, but that requires modifying the agent configuration files.
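The default identity-mapping steps above, modelled as an added example (this is not BMC code and does not read real RSCD configuration files). It assumes a constructed inventory of servers and connection attempts, and it reads the root/Administrators exception as falling through to the downgraded default user, so a reviewer can see who keeps real permissions under an unmodified agent and who is silently downgraded.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Default downgraded identities named in the documentation.
DEFAULT_USER = {"unix": "nobody", "windows": "Anonymous"}

@dataclass
class ManagedServer:
    name: str
    platform: str                 # "unix" or "windows"
    local_users: set[str]         # accounts that exist on the server
    administrators: set[str] = field(default_factory=set)  # Windows Administrators members

def resolve_identity(incoming_user: str, server: ManagedServer) -> str:
    """Identity a connecting user receives from an agent whose configuration is unmodified."""
    plat = server.platform
    if plat == "unix":
        privileged = incoming_user == "root"
    elif plat == "windows":
        privileged = incoming_user in server.administrators
    else:
        raise ValueError(f"unknown platform {plat!r}")
    # Step 1: an equivalent local identity is honoured, except that root and Administrators
    # members are never mapped to their privileged identity automatically (assumption: they
    # fall through to the downgraded default user like any unknown account).
    if incoming_user in server.local_users and not privileged:
        return incoming_user
    # Step 2: no usable equivalent identity, so the downgraded default user applies.
    return DEFAULT_USER[plat]

def audit_mappings(attempts, servers):
    """Bucket attempts by outcome: 'honoured' keeps a real local identity, 'downgraded' does not."""
    by_name = {s.name: s for s in servers}
    report = {"honoured": [], "downgraded": []}
    for user, server_name in attempts:
        server = by_name[server_name]
        ident = resolve_identity(user, server)
        bucket = "downgraded" if ident == DEFAULT_USER[server.platform] else "honoured"
        report[bucket].append((user, server_name, ident))
    return report

# Constructed inventory and connection attempts (hypothetical names).
SERVERS = [
    ManagedServer("db01", "unix", {"root", "oracle", "nobody"}),
    ManagedServer("web01", "windows", {"Administrator", "svc_deploy", "jsmith"},
                  administrators={"Administrator", "jsmith"}),
]
ATTEMPTS = [("oracle", "db01"), ("root", "db01"), ("backup", "db01"),
            ("svc_deploy", "web01"), ("jsmith", "web01"), ("guest", "web01")]

if __name__ == "__main__":
    for bucket, rows in audit_mappings(ATTEMPTS, SERVERS).items():
        print(bucket)
        for user, srv, ident in rows:
            print(f"  {user}@{srv} -> {ident}")
```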
For a description of how users are granted permissions on servers, see How BMC Server Automation grants access to RSCD agents.