Securing Agent data

You can implement authorization levels on each agent node to allow or disallow access to that node and control privileges for users who are allowed access.

Setting authorization levels enforces security and controls resource usage. Authorization is implemented through the Authorization.cfg file, which is installed to BMCSoftware\Patrol3\BEST1\version\local\setup.

The Authorization.cfg file is read by the agent and service daemon on startup. At installation, the contents of Authorization.cfg are as follows:

BEGIN_AUTHORIZATION
 PERMISSION = MANAGE
END_AUTHORIZATION


This authorization default grants all users a MANAGE (full) authorization to all information about all computers they can reach on the network. However, you can edit this file on a per-user basis by assigning any of four permission levels: MANAGE, MODIFY, VIEW, and NONE.

The following table describes the privileges afforded by each level. Refer to Editing the Authorization.cfg File for information about editing the Authorization.cfg file to customize user access.

Agent Authorization Levels

| Function | Permission | Explanation |
|---|---|---|
| Investigate functions | | |
| Activate policies | MODIFY | Requires remote read and write privileges. |
| Stop policies | MODIFY | Stop policies that the user activated. |
| Stop policies | MANAGE | Stop all policies regardless of who activated them. |
| Policy updates | VIEW | Get status changes of all policies that have been activated. |
| Charting | VIEW | Can only get data if the agent is running. |
| Drill Downs | VIEW | Can only get data if the agent is running. |
| Start agents | MODIFY | Requires remote write privileges. |
| Stop agents | NONE | If the agent was started by the user and there are no data requests from other users. |
| Stop agent | MANAGE | Stop the agent regardless of current requests. |
| System Collect functions | | |
| start | MODIFY | Requires remote write privileges. |
| query | NONE | The query is performed by the service daemon. |
| stop | MODIFY | Stop the collect request if it was started by the user. |
| pull | MODIFY | The query is performed by the service daemon. |
| push | MODIFY | Remote data is deleted. |

Editing the Authorization.cfg File

To limit access to a node, edit Authorization.cfg on that node, using the example authorization file reproduced below as a guide. The Authorization.cfg file is stored in C:\BMC Software\Patrol3\BEST1\version\local\setup.

Your customized Authorization.cfg file is not overwritten when you reinstall or upgrade Gateway Server. It is, however, a good idea to keep a backup copy of this file in case it becomes corrupted. The example authorization file is commented and illustrates how to define access privileges by building a list of zero or more computers, each of which has a list of zero or more users, thus forming a tree. 

Permissions at a deeper level in the tree override permissions at upper levels. In the example, the global authorization is set to PERMISSION = VIEW. (Note the spaces before and after the equal signs.) However, users in the subnet 172.31.14.* have MODIFY privileges. To block certain users within that subnet, you could set their permissions to NONE. 

Specific user/node authorization is order-dependent, and the first instance of a user/node permission setting is upheld. For example, if you define a user/node permission as MODIFY at the beginning of the file, and that same user/node is set to NONE farther down in the file, the NONE is ignored. When you specify a group of computers, you can use a wildcard of * for any of the four quartets of a dotted decimal notation IP address.

Note

Your customized Authorization.cfg file is not overwritten when you reinstall or upgrade Gateway Server. It is, however, a good idea to keep a backup copy of both the original Authorization.cfg file and your customized, edited Authorization.cfg file so you will be able to restore it. If the Authorization.cfg file is renamed, moved, deleted, or corrupted, the Agent will not start.


Example Authorization.cfg file

BEGIN_AUTHORIZATION 
# Global permission is set if there is no other match at a lower level
PERMISSION = VIEW
BEGIN_COMPUTER
# Wildcard example for a Class C address space
# All users in the 172.31.14.* subnet will have MODIFY privilege
COMPUTER = 172.31.14.*
# Permission used for any user in this Class C address space overrides the global permission
PERMISSION = MODIFY
END_COMPUTER
BEGIN_COMPUTER
# Computers can be known by their full IP address in dotted decimal form
COMPUTER = 172.31.11.47
PERMISSION = MODIFY
# Two users listed here
BEGIN_USER
USER_NAME = dkeefe
# Permission used for this user on this computer overrides the global permission and the computer permission
PERMISSION = MANAGE
END_USER
BEGIN_USER
# Limiting a user by overriding upper level permissions
USER_NAME = jrocco
PERMISSION = VIEW
END_USER
END_COMPUTER
BEGIN_COMPUTER
# Computers can be annotated by a name viewable in DNS
# This name is converted to an IP address internally when the table is read.
COMPUTER = sunbgs6
PERMISSION = VIEW
END_COMPUTER
END_AUTHORIZATION
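As an added example (not BMC's code), the following Python resolves the effective permission for a caller from an Authorization.cfg file using the precedence rules described above: the first COMPUTER block that matches the caller's address wins, a USER entry inside that block overrides it, and `*` may stand in for any quartet. The reading that a later matching block is ignored even when it names the user, and the literal comparison of DNS names (the agent resolves them to IP addresses), are assumptions; the sample file is the page's example with the comments and the DNS block removed.

```python
LEVELS = {"NONE": 0, "VIEW": 1, "MODIFY": 2, "MANAGE": 3}  # ranking used by the table above

SAMPLE_CFG = "\n".join([  # constructed sample: the page's example file minus comments and DNS block
    "BEGIN_AUTHORIZATION", "PERMISSION = VIEW",
    "BEGIN_COMPUTER", "COMPUTER = 172.31.14.*", "PERMISSION = MODIFY", "END_COMPUTER",
    "BEGIN_COMPUTER", "COMPUTER = 172.31.11.47", "PERMISSION = MODIFY",
    "BEGIN_USER", "USER_NAME = dkeefe", "PERMISSION = MANAGE", "END_USER",
    "BEGIN_USER", "USER_NAME = jrocco", "PERMISSION = VIEW", "END_USER",
    "END_COMPUTER", "END_AUTHORIZATION"])

def parse_authorization(text):
    """Return (global permission, COMPUTER blocks in file order)."""
    glob, computers, comp, user = "MANAGE", [], None, None  # MANAGE is the install default
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if line == "BEGIN_COMPUTER":
            comp = {"computer": None, "permission": None, "users": []}
        elif line == "END_COMPUTER":
            computers.append(comp); comp = None
        elif line == "BEGIN_USER":
            user = {"name": None, "permission": None}
        elif line == "END_USER":
            comp["users"].append(user); user = None
        elif "=" in line:  # KEY = VALUE; the spaces around '=' are tolerated here
            key, _, val = (p.strip() for p in line.partition("="))
            target = user if user is not None else comp  # deepest open block owns the key
            if target is None:
                glob = val  # top-level PERMISSION
            else:
                target["name" if key == "USER_NAME" else key.lower()] = val
    return glob, computers

def host_matches(pattern, ip):
    """'*' may stand for any quartet; a DNS name is compared literally here (assumption)."""
    p, a = pattern.split("."), ip.split(".")
    return len(p) == len(a) and all(x == "*" or x == y for x, y in zip(p, a))

def effective_permission(cfg_text, ip, user):
    """First COMPUTER block matching the address decides; a USER entry inside it overrides."""
    glob, computers = parse_authorization(cfg_text)
    for comp in computers:  # file order: a later block for the same host is ignored
        if host_matches(comp["computer"], ip):
            for u in comp["users"]:
                if u["name"] == user:
                    return u["permission"]  # user level overrides computer level
            return comp["permission"]  # computer level overrides global level
    return glob

def is_allowed(cfg_text, ip, user, required):  # required: a level from the table, e.g. "MODIFY"
    return LEVELS[effective_permission(cfg_text, ip, user)] >= LEVELS[required]
```

Running it against the sample shows that jrocco on 172.31.11.47 is limited to VIEW even though the computer block grants MODIFY, and that any host outside the listed addresses falls back to the global VIEW.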