Configuration files overview
BMC Server Automation provides the following configuration files:
- exports
- users
- users.local
- secure
- securecert
The exports, users, users.local, secure, and securecert files reside on each server (that is, each machine where an RSCD agent is installed). The secure and securecert files are also installed for each client installation, even if there are multiple client installations on the same machine. The secure files on both the client and server configure how clients communicate with servers.
When a client connects to a server, the client user can be granted permissions on the server using two approaches: through configuration files on the agent (a process called user privilege mapping) or through Windows user mapping.
In BMC Server Automation, the standard approach to granting user permissions on managed servers is user privilege mapping. It uses a combination of the exports, users, and users.local configuration files. Together, these files define what permissions apply during the connection. Always use this approach when a user:
- Is accessing any UNIX server.
- Is accessing a Windows server and the user's role is not mapped to a Windows user through an automation principal.
- Runs a Network Shell client to connect directly to a server.
- Is using a Network Shell client to connect to servers using a stand-alone Network Shell proxy server.
- Is running a Network Shell script defined to use the first and second script types and the appserver_protocol setting in the secure file is not set to ssoproxy.
For more information about configuring clients to use a Network Shell proxy server, see Setting up a Network Shell client to run in proxy mode.
The alternative to user privilege mapping is to implement Windows user mapping. Using this technique, you can grant permissions to roles that are mapped to local or domain users who are authorized for a Windows server. For information about implementing Windows user mapping, see Windows user mapping and agent ACLs.
When you are using Windows user mapping to grant permissions to roles, you must still create entries in the users, users.local, or exports files. The information in these entries defines whether users can access a server. Any user mapping information in these entries is ignored for roles that employ Windows user mapping through automation principals. Consequently, even if you are using Windows user mapping, you should still push agent ACLs to servers when you add or modify user or role information in the BMC Server Automation Console.
The following topics provide additional information about configuration files:
Disabling user privilege mapping
BMC Server Automation provides a mechanism for disabling user privilege mapping on Windows servers. For more information, see the man page for the chapw command.