An ACL Push Job converts the access control list defined for a server into the users configuration file on that server's RSCD agent. The users file controls user access to the server.
Typically you run an ACL Push Job on a server when a role granted access to that server has new user information or you have changed agent ACL information for that role. For more information about the contents of an agent ACL, see Controlling server access with agent ACLs.
If you are using Windows user mapping to control user permissions on agents, you may not have to use ACL Push Jobs to push ACLs to agents. For more information, see Windows user mapping and agent ACLs.
An ACL Push Job generates users file entries that grant a variety of permissions, including permissions for commands. The job uses the following algorithm to create users file entries relating to command authorizations:
Tip
To prevent a role from using any Network Shell and nexec commands on a server, you can create a dummy nexec command (see Adding or modifying an nexec command). Then, add an authorization for the dummy command to the definition of a role. Do not add any other command authorizations to the role. Finally, run an ACL Push Job, which pushes the authorization for the dummy command to the agents you specify in the job. On those agents, the role is only authorized to perform the dummy command and no other Network Shell and nexec commands.
Note
You can configure several special settings for all ACL Push Jobs at the Application Server level using the BMC Server Automation Application Server Administration console (the blasadmin utility). The following blasadmin commands are available for the ACLPushJob component:
Component and command | Values | Description |
---|---|---|
UserWildcardOnAclPush | | Enables you to use the Role:* system authorization for ACL Push entries instead of individual Role:User entries. |
LogOnlyErrors | | Enables you to disable all log messages for ACL Push jobs, except for error or warning messages. |
RevokeNshAccessWhen | | Enables you to revoke NSH access to agents via the agent ACL file, for environments where a role has no direct access to a server, but only has access granted through components. If this command is set to true, the Server.Read authorization is ignored for such environments. |
For more information about running commands through the blasadmin utility, see Changing the basic Application Server settings.
Do any of the following: