This topic was created by a BMC Contributor and has not been approved.
The BMC Server Automation product (formerly known as BladeLogic) creates various user accounts during component installation:

Account Name | Component | Purpose | Type | Privileges | Default Password | Password Change Forced | Password Encryption | Notes |
---|---|---|---|---|---|---|---|---|
BladeLogicRSCD (on a domain controller: BladeLogicRSCDDC) | Windows RSCD Agent | Run RSCD service on Windows systems | OS | Log on as Batch Job | Random since 8.1.00: 16 alphanumeric and special characters | No | Windows encryption | Password can be changed using the chapw command. If an Automation Principal is used exclusively, you can remove this user account. If the RSCD agent is installed on a domain controller, a default password is used, because the account is shared across all domain controllers in the domain. The password of the RSCD agent on a domain controller can be changed using the chapw command or the agentctl utility, as discussed in Changing the BladeLogicRSCDDC account password on domain controllers. |
bladmin | Application Server on Solaris and Linux | Run Application Server and spawner processes | OS | Owns application files | NA (locked on install) | NA | NA | Account is created with a locked password. The application server init scripts run a 'su - bladmin' to drop privileges. |
bladelogic | Oracle Database | All Application Server to database communication happens as this account | Database | Schema owner for BladeLogic and several other privileges listed in List of required database permissions | Configurable during install by DBA | Dependent on database password policy | Database default | |
BLAdmin | BladeLogic Application | Initial Application Administrator account | Application | Full access to all resources granted via Role. Implicit Read on all objects | No | Configurable in application settings (blasadmin) | Non-reversible hash stored in database | During install the BLAdmin account is created and a password is set. Because BladeLogic assigns permissions via the role (RBAC), this account can be locked or disabled (as long as there are other accounts in this role) and there is nothing inherently 'special' about this account. |
RBACAdmin | BladeLogic Application | Initial Application Security Administrator account | Application | Full access to all RBAC objects. Implicit Read and ModifyAcls on all objects | No | Configurable in application settings (blasadmin) | Non-reversible hash stored in database | During install the BLAdmin account is created and a password is set. Because BladeLogic assigns permissions via the role (RBAC), this account can be locked or disabled (as long as there are other accounts in this role) and there is nothing inherently 'special' about this account. |
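
The table states that the bladmin OS account is created with a locked password. One way to verify that on a Linux or Solaris Application Server host, as an added example that is not BMC's code: the function names, the status labels and the sample entries are constructed for illustration, and the classification assumes standard shadow-file conventions.

```shell
#!/bin/sh
# Added example (not BMC code). Assumes shadow(5) conventions: a password
# field starting with '!' or '*' is locked (Solaris uses '*LK*'), 'NP' is a
# Solaris non-login entry, and an empty field means no password is required.

# shadow_status FILE ACCOUNT -> prints locked | nologin | empty | set | missing
shadow_status() {
    awk -F: -v acct="$2" '
        $1 == acct {
            found = 1
            if ($2 == "")          print "empty"
            else if ($2 ~ /^[!*]/) print "locked"
            else if ($2 == "NP")   print "nologin"
            else                   print "set"
            exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# audit_locked FILE ACCOUNT... -> returns 0 only if every account is locked
audit_locked() {
    file=$1; shift
    rc=0
    for acct in "$@"; do
        state=$(shadow_status "$file" "$acct")
        printf '%-16s %s\n' "$acct" "$state"
        [ "$state" = locked ] || rc=1
    done
    return "$rc"
}

# Constructed sample entries; the hash strings are placeholders.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
bladmin:!!:19000:0:99999:7:::
svc_example:$6$constructed$placeholderhash:19000:0:99999:7:::
nopass_example::19000:0:99999:7:::
EOF

audit_locked "$SAMPLE" bladmin || echo "WARNING: bladmin is not locked"
```

To audit a real host, run `audit_locked /etc/shadow bladmin` as root; a result of `set` or `empty` means the account no longer matches the installed state described in the table.
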

BMC Server Automation uses various accounts during operation:

Account Name | Component | Purpose | Type | Privileges | Default Password | Password Change Forced | Password Encryption | Notes |
---|---|---|---|---|---|---|---|---|
root | RSCD Agent on UNIX | RSCD Agent runs as this user | OS | root | NA | NA | NA | RSCD service must run as root for UPM as discussed in Considerations for automation principals and Windows user mapping. Password is not stored or used by the agent. |
Automation Principal | BSA Application | Agent installation, Target Server Access, Active Directory User Sync | OS | Log on as Batch Job | NA | NA | AES 128 Bit | The Automation Principal account is created by the user on the target server or Windows domain. The credentials are stored in the BladeLogic database and used when the application is configured to use an AP for the noted purposes. |
Local server account | RSCD / UPM | Actions performed via BSA act as this account on the target server | OS | Whatever is required to perform the desired functions via BladeLogic | NA | NA | NA | The User Impersonation function is used, and BSA does not know the account password. |
bladelogic | SQL Server Database user | All Application Server to database communication happens as this account | Database | Member of the db_owner role with access to the dbo schema for the BladeLogic Database (for more information, see List of required database permissions) | Configurable during install by DBA | Dependent on database password policy | Database default | |
Application Users | BladeLogic Application | Application User accounts | Application | Defined by RBAC Administrators | No | Configurable in application settings (blasadmin) | Variable: SRP, AD, etc. | Authentication is available with the built-in SRP authentication type or configurable to external authentication sources such as LDAP, Active Directory, PKI, and RSA. |