Important
This space contains documentation for TrueSight Server Automation 8.9.03 and the later service packs for 8.9. For earlier releases, see BMC Server Automation 8.9.

User accounts

The TrueSight Server Automation product creates various user accounts during component installation:

Account Name | Details | Password | Notes

BladeLogicRSCD

On a domain controller:
BladeLogicRSCDDC

  • Component: Windows RSCD Agent
  • Purpose: Run RSCD service on Windows Systems
  • Type: OS
  • Privileges: Log on as Batch Job
  • Default password: Random since 8.1.00 (16 alpha-numeric and special characters)
  • Password Change Forced: No.
    If the password is set to expire because of GPO settings, you must ensure that an NSH Script job is created to run the chapw command periodically on all systems and reset the password before it expires. Alternatively, password expiration can be left unset on this account while the chapw job still runs periodically to reset the password, which avoids the possibility that the policy locks out the account.
  • Password Encryption: Windows encryption

Password can be changed using the chapw command. The password is stored in the registry using the CryptProtectData function.

If an Automation Principal is used exclusively, you can remove this user account using chapw.

If the RSCD agent is installed on a domain controller, a default password is used, because the account is shared across all domain controllers in the domain.

The password of the RSCD agent on a domain controller can be changed using the chapw command or the agentctl utility, as discussed in Changing the BladeLogicRSCDDC account password on domain controllers.

BLAdmin
  • Component: Application Server on Solaris and Linux
  • Purpose: Run Application Server and spawner processes
  • Type: OS
  • Privileges: Owns application files
  • Default password: NA (locked on install)
  • Password Change Forced: NA
  • Password Encryption: NA

Account is created with a locked password.

The application server init scripts run a 'su - bladmin' to drop privileges.
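
One way to verify the locked state described above on a Linux or Solaris Application Server host, as an added example rather than BMC's own tooling: it classifies the password field of shadow(5)-format entries for the bladmin account. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether a service account's password is locked,
# using shadow(5)-format input on stdin (reading /etc/shadow needs root).

# Constructed sample entries for the demo; not taken from a real host.
SAMPLE_SHADOW='root:$6$constructedsalt$constructedhash:19000:0:99999:7:::
bladmin:!!:19000:0:99999:7:::
demo_empty::19000:0:99999:7:::'

# Print the password state of account $1: locked, no-password,
# password-set, or missing (exit status 1 when the account is absent).
shadow_state() {
    account=$1
    while IFS=: read -r name pw _rest; do
        [ "$name" = "$account" ] || continue
        case $pw in
            '')        echo "no-password" ;;  # empty field: no password required
            '!'*|'*'*) echo "locked" ;;       # Linux !, !!, * and Solaris *LK*
            *)         echo "password-set" ;; # a usable hash is present
        esac
        return 0
    done
    echo "missing"
    return 1
}

# Exit 0 only when account $1 exists and its password is locked.
check_locked() {
    state=$(shadow_state "$1") || true
    if [ "$state" = "locked" ]; then
        echo "OK: $1 has a locked password"
    else
        echo "FINDING: $1 password state is '$state' (expected locked)"
        return 1
    fi
}

# Demo on the constructed sample; on a real host: check_locked bladmin < /etc/shadow
printf '%s\n' "$SAMPLE_SHADOW" | check_locked bladmin
```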

BladeLogic

  • Component: Oracle Database
  • Purpose: All Application Server to DB communication happens as this account
  • Type: Database
  • Default password: Configurable during install by DBA
  • Password Change Forced: Dependent on DB password policy
  • Password Encryption: DB default

BLAdmin
  • Component: TrueSight Server Automation Application
  • Purpose: Initial Application Administrator account
  • Type: Application
  • Privileges: Full access to all resources granted via Role. Implicit Read on all objects
  • Default password: No
  • Password Change Forced: Configurable in application settings (blasadmin / link)
  • Password Encryption: Non-reversible hash stored in the database

During install, the BLAdmin account is created and a password is set.

Because TrueSight Server Automation assigns permissions via the role (RBAC), this account can be locked or disabled (as long as there are other accounts in this role); there is nothing inherently 'special' about this account.

RBACAdmin
  • Component: TrueSight Server Automation Application
  • Purpose: Initial Application Administrator account
  • Type: Application
  • Privileges: Full access to all RBAC objects and implicit Read and ModifyAcls on all objects
  • Default password: No
  • Password Change Forced: Configurable in application settings (blasadmin / link)
  • Password Encryption: Non-reversible hash stored in DB

During install, the BLAdmin account is created and a password is set.

Because TrueSight Server Automation assigns permissions via the role (RBAC), this account can be locked or disabled (as long as there are other accounts in this role); there is nothing inherently 'special' about this account.


TrueSight Server Automation uses various accounts during operation:

Account Name | Details | Password | Notes

root
  • Component: RSCD Agent on UNIX
  • Purpose: RSCD Agent runs as this user
  • Type: OS
  • Privileges: root
  • Default Password: NA
  • Password Change Forced: NA
  • Password Encryption: NA


RSCD service must run as root for UPM as discussed in Impersonation and privilege mapping. Password is not stored or used by the agent.
Automation Principal
  • Component: TrueSight Server Automation Application
  • Purpose: Agent installation, Target Server Access, Active Directory User Sync
  • Type: OS
  • Privileges: Log on As Batch Job
  • Default Password: NA
  • Password Change Forced: NA
  • Password Encryption: AES 128 Bit
The Automation Principal account is created by the user on the target server or Windows domain. The credentials are stored in the TrueSight Server Automation database and are used when the application is configured to use an AP for the noted purposes.
Local server account
  • Component: RSCD / UPM
  • Purpose: Actions performed via TrueSight Server Automation act as this account on the target server
  • Type: OS
  • Privileges: Whatever is required to perform the desired functions via TrueSight Server Automation
  • Default Password: NA
  • Password Change Forced: NA
  • Password Encryption: NA
The User Impersonation function is used (link) and TrueSight Server Automation does not know the account password.
bladelogic
  • Component: SqlServer Database user
  • Purpose: All Application Server to database communication happens as this account
  • Type: OS
  • Privileges: Member of the db_owner role with access to the dbo schema for the TrueSight Server Automation Database (for more information, see List of required database permissions)
  • Default Password: Configurable during install by Database Administrator
  • Password Change Forced: Dependent on database password policy
  • Password Encryption: Database default

Application Users
  • Component: TrueSight Server Automation Application
  • Purpose: Application User accounts
  • Type: Application
  • Privileges: Defined by RBAC Administrators
  • Default Password: No
  • Password Change Forced: Configurable in application settings (blasadmin / link)
  • Password Encryption: Variable - SRP, AD
Authentication is available with the built-in SRP authentication type or configurable to external authentication sources such as LDAP, Active Directory, PKI, and RSA.
