Configuring remote access

Remote access to devices is configured in two different ways:

• First you might need to have the remote user's permission to access his or her device (system authentication).
• Secondly you might need identify yourself to remotely control the device or you might even be completely denied access to specific devices (access permissions)

To configure System Authentication

By default, any administrator with a valid BMC Client Management login can remotely access all devices in the network that he has access permissions to. You may, however, limit these accesses by requiring specific local access credentials to the remote devices. This can be configured via the Security tab of the System Variables node.

By activating any combination of the Request System Credentials for Linux Remote Access, Request System Credentials for Mac OS Remote Access or Request System Credentials for Windows Remote Access system variables you can require that administrators trying to remotely access devices of the respective operating system need to provide access credentials.

In this case a pop-up window appears when you select the Direct Access node or try to establish a remote control session. At the same time a window appears of the target device requesting access acknowledgment from the local user. You need to click the OK button to close this window and then refresh the view. If the user acknowledged your request the connection is established and you have access to the remote device. If the user did not acknowledge, the pop-up window appears again on the screen.

When you try to access the Remote Manager functionalities to a client you will be asked to provide the login and password to the remote computer to verify you have access permissions. You can provide the login as one of the following possibilities:

• as the "simple" login name of a local user of the remote computer, such as Administrator as \\domain\logon
• for a domain login of the administrator, such as \\LAB\TEST. The domain part can be set to dot (.) to indicate the local computer.

If you are not sure that your local administrator login has the same passwords for all targets, use the domain logon. For domain logons to work correctly, the necessary domain trust relationships must already were set up between the different domain controllers.

To configure access permissions via dynamic objects

BMC Client Management remote control access permissions are assigned to the devices via the Security Profile of the administrator accessing the device. You can specify the access permissions either for static or for dynamic objects. As static objects the access is defined individually per device, for dynamic objects it is assigned to the result of the object, that is, to all members of a specific group or query.

For example, to provide an administrator with read access to the master but refuse remote control and direct access to it proceed as follows:

1. Go to Global Settings > Administrators and select the administrator.
2. Select the Security Profile node and the Static Objects tab.
3. Verify that in the list of static objects you have the Device Groups top node with at least read access defined.
   1. If this is not the case click the Add Object  icon.
   2. Leave the Top Nodes value selected in the Object Type drop-down box.
   3. Select the Device Groups option and click the Add  button to the right.
   4. In the Properties window make the necessary changes to the Write Access and Assign Access options, but leave the Read Access set to Allow and click OK.
      The entry is now added to the Selected Objects list box.
4. Now select the Device Group/Device value in the Object Type drop-down box.
5. Click the All  icon in the left window bar.
6. Select the master from the list of all devices and device groups that is now displayed.
7. Click the Add  button.
8. In the Properties window select the Deny radio buttons in the Direct Access Acknowledgement and Remote Control Acknowledgement sections.
9. Click OK to confirm the denial and click OK again to confirm the new static objects.
   The administrator now has full access to the master but he cannot remotely access or control it.

To prohibit remote control access to all devices but the clients proceed as follows:

1. Go to Global Settings > Administrators and select the administrator.
2. Select the Security Profile node and the Static Objects tab.
3. Verify that in the list of static objects you have the Device Groups top node with at least read access defined.
   1. If this is not the case click the Add Object  icon.
   2. Leave the Top Nodes value selected in the Object Type drop-down box.
   3. Select the Device Groups option and click the Add  button to the right.
   4. In the Properties window make the necessary changes to the Write Access and Assign Access options, but leave the Read Access set to Allow and click OK.
      The entry is now added to the Selected Objects list box.
   5. Click OK again to confirm all static objects.
4. Select the Dynamic Objects tab.
5. Click the Add Query  icon.
6. Click the All  icon in the left window bar.
7. Select the All Devices query from the list.
8. Click OK.
9. In the Properties window select the Deny radio buttons in the Direct Access Acknowledgement and Remote Control Acknowledgement sections.
10. Now select the Client Devices query in the Out of the Box > BMC Client Management Architecture folder and click OK.
11. In the Properties window select the Not Required radio button in the Direct Access Acknowledgement and Remote Control Acknowledgement sections.
12. Click OK to confirm the settings and click OK again to confirm the new dynamic objects.
    The administrator can now see all devices but only remotely control or directly access the clients, that is, all devices apart from the master and the relays.