An ACL Push Job converts the access control list defined for a server into the users configuration file on that server's RSCD agent. The users file controls user access to the server.
Typically you run an ACL Push Job on a server when a role granted access to that server has new user information or you have changed agent ACL information for that role. For more information about the contents of an agent ACL, see Controlling server access with agent ACLs.
If you are using Windows user mapping to control user permissions on agents, you may not have to use ACL Push Jobs to push ACLs to agents. For more information, see Windows user mapping and agent ACLs.
An ACL Push Job generates users file entries that grant a variety of permissions, including permissions for commands. The job uses the following algorithm to create users file entries relating to command authorizations:
- If no command authorizations are specified on the server and no command authorizations are specified for a role, no command authorizations for that role are pushed to the agent. This means the role has full authorization to use any Network Shell and nexec commands on that server.
- If no command authorizations are specified on the server but command authorizations are specified for a role, those command authorizations are pushed to the agent. This means the role is authorized to perform those commands on the agent.
- If command authorizations are specified on the server but no command authorizations are specified for a role, no command authorizations for that role are pushed to the agent. This means the role has full authorization to use any Network Shell and nexec commands on that server.
- If command authorizations are specified on the server and command authorizations are specified for the role, the command authorizations common to both are pushed to the agent. This means the role is authorized to perform only those commands on the agent.
To prevent a role from using any Network Shell and nexec commands on a server, you can create a dummy nexec command (see Adding or modifying an nexec command). Then, add an authorization for the dummy command to the definition of a role. Do not add any other command authorizations to the role. Finally, run an ACL Push Job, which pushes the authorization for the dummy command to the agents you specify in the job. On those agents, the role is only authorized to perform the dummy command and no other Network Shell and nexec commands.
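The four rules above and the dummy-command lockdown, modeled as an added Python example (not BMC code; the role names, command names, and the `noop_dummy` command are constructed for illustration). It flags roles that end up unrestricted because they carry no command authorizations, and roles that share no command with the server's list, an outcome this page does not describe.

```python
# Added illustration of the users-file command-authorization rules described
# above. Not BMC code; all role and command names are constructed samples.

def pushed_command_auths(server_cmds, role_cmds):
    """Return the set of command authorizations pushed for a role, or None
    when nothing is pushed (the role then has full NSH/nexec authorization)."""
    if not role_cmds:
        # Role defines none: nothing is pushed, whether or not the server
        # defines command authorizations (first and third rules).
        return None
    if not server_cmds:
        # Server defines none: the role's own list is pushed (second rule).
        return frozenset(role_cmds)
    # Both define some: only the common commands are pushed (fourth rule).
    return frozenset(server_cmds) & frozenset(role_cmds)


def audit(server_cmds, roles):
    """Map each role to 'UNRESTRICTED', 'EMPTY' or a sorted list of commands."""
    report = {}
    for role, cmds in roles.items():
        pushed = pushed_command_auths(server_cmds, cmds)
        if pushed is None:
            report[role] = "UNRESTRICTED"   # fail-open: review this role
        elif not pushed:
            report[role] = "EMPTY"          # outcome not described on this page
        else:
            report[role] = sorted(pushed)
    return report


# Constructed sample data (hypothetical names).
ROLES = {
    "WebAdmins": {"ls", "cat", "rm"},
    "Auditors": set(),             # no command authorizations at all
    "LockedOut": {"noop_dummy"},   # dummy-command lockdown
}
SERVER_WITHOUT_LIST = set()
SERVER_WITH_LIST = {"ls", "cat", "noop_dummy"}
SERVER_LIST_NO_DUMMY = {"ls", "cat"}

if __name__ == "__main__":
    for name, cmds in [("no server list", SERVER_WITHOUT_LIST),
                       ("server list incl. dummy", SERVER_WITH_LIST),
                       ("server list w/o dummy", SERVER_LIST_NO_DUMMY)]:
        print(name, audit(cmds, ROLES))
```

In the third run the lockdown role's only authorization is not on the server's list, so under the stated rules no common command remains to push; check the generated users file entry on such servers before relying on the lockdown.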
You can configure several special settings for all ACL Push Jobs at the Application Server level using the BMC Server Automation Application Server Administration console (the blasadmin utility). The following blasadmin commands are available for the
|Component and command||Values||Description|
|Enables you to use the Role:* system authorization for ACL Push entries instead of individual Role:User entries.|
|Enables you to disable all log messages for ACL Push jobs, except for error or warning messages.|
|Enables you to revoke NSH access to agents via the agent ACL file, for environments where a role has no direct access to a server, but only has access granted through components. If this command is set to true, the Server.Read authorization is ignored for such environments.|
For more information about running commands through the blasadmin utility, see Changing the basic Application Server settings.
To create an ACL Push Job
- Do one of the following:
  - Open the Server folder and select a server. Right-click and select Administration Task > Agent ACLs from the pop-up menu. A dialog box prompts you to push ACLs immediately or to schedule a job. Click Schedule Job.
    If you prefer, you can push ACLs without scheduling a job. For more information, see Previewing and pushing agent ACLs.
  - Open the Jobs folder and select a job folder. Right-click and select New > Administration Task > ACL Push Job from the pop-up menu.
  The New ACL Push Job wizard opens.
- Define the ACL Push Job, as described in the following topics:
- After completing the last step of the wizard, click Finish.
To modify an ACL Push Job
Do any of the following:
- To modify the definition of an existing ACL Push Job, open the Jobs folder and navigate to an existing job. Right-click the job and select Open from the pop-up menu. The content editor displays a series of tabs that correspond to panels in the New ACL Push Job wizard. Use the tabs to modify the job definition. The following topics describe the contents of the tabs:
- To see or modify any properties, permissions, or audit trail information that apply to this job, select the Properties, Permissions, or Audit Trail tab group.
Where to go from here
ACL Push Job - General