Users and users.local files overview
The users and users.local files grant access permissions to specific users connecting to a server. The permissions granted in the users and users.local files override any permissions defined on a per-client basis in the exports file. The permissions in the users and users.local files are defined on a per-user basis.
The users file is primarily used to implement user permissions that are defined through RBAC. (For more information about RBAC, see Managing-access.) With RBAC you define the characteristics of a role and assign users to that role. You can apply RBAC decisions to a server by running an ACL Push Job in the BMC Server Automation Console. Running an ACL Push Job automatically converts your role definitions and role assignments into entries in the users file on that server. Together these entries are called an access control list (ACL).
Typically the users.local file is used for granting permissions on a per-server basis rather than granting system-wide user privileges. Administrators might want to modify the users.local file to override RBAC policy on a particular server. Both the users and users.local files have the same format, but the users.local file is scanned before the users file. If the same users have entries in both users.local and users, entries in the users.local file take precedence.
The agent on a server enforces user permissions defined in an ACL by mapping incoming users to users defined on the server. The agent accomplishes this by doing the following:
- Incoming users are matched to a user name on the server. In other words, when user betty attempts to connect to a server, she must operate with the privileges already assigned to user betty on that server. In this scenario, a user cannot connect to a server unless a matching user name has been defined on a server.
- Incoming users are mapped to a specified user name. For example, all users connecting to a UNIX system can be mapped to root, while users connecting to a Windows system can be mapped to Administrator.
- If neither of the two previous techniques is possible, incoming users are automatically mapped to a user with downgraded permissions. UNIX users are mapped to user nobody and Windows users are mapped to Anonymous.
An ACL Push Job generates users file entries that grant a variety of permissions, including permissions for commands. The job uses the following algorithm to create users file entries relating to command authorizations:
- If no command authorizations are specified on the server in the BMC Server Automation Console:
  - And no command authorizations are specified for a role, no command authorizations for that role are pushed to the agent. This means the role has full authorization to use any Network Shell and nexec commands on that server.
  - But command authorizations are specified for a role, those command authorizations are pushed to the agent. This means the role is authorized to perform those commands on the agent.
- If command authorizations are specified on the server in the BMC Server Automation Console:
  - But no command authorizations are specified for a role, no command authorizations for that role are pushed to the agent. This means the role has full authorization to use any Network Shell and nexec commands on that server.
  - And command authorizations are specified for the role, the command authorizations common to both are pushed to the agent. This means the role is authorized to perform only those commands on the agent.
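The following is an added Python model of the rules described above, not BMC code and not the real users file format: it computes which command authorizations an ACL Push Job would write for a role, flags roles that end up with no command restriction, applies the users.local-before-users precedence, and models the agent's user-mapping fallback. Entries are represented as opaque strings, and the order in which an explicit mapping is tried before a same-named local account is an assumption, since the page does not state it.

```python
from typing import Dict, Optional, Set

# None means "no command authorizations specified" at that level.
Auths = Optional[Set[str]]


def pushed_command_authorizations(server_auths: Auths, role_auths: Auths) -> Auths:
    """Commands the ACL Push Job writes for one role on one server.
    None means nothing is pushed, so the role may run any Network Shell
    or nexec command on that server."""
    if role_auths is None:
        # Server-level authorizations alone do not restrict a role that
        # has none of its own: nothing is pushed, full access results.
        return None
    if server_auths is None:
        return set(role_auths)
    # Both levels specified: only the commands common to both are pushed.
    return set(server_auths) & set(role_auths)


def unrestricted_roles(server_auths: Auths, roles: Dict[str, Auths]) -> Set[str]:
    """Audit helper: roles whose push result imposes no command restriction."""
    return {name for name, auths in roles.items()
            if pushed_command_authorizations(server_auths, auths) is None}


def effective_entry(user: str, users_local: Dict[str, str],
                    users: Dict[str, str]) -> Optional[str]:
    """users.local is scanned first; an entry in users applies only when
    users.local has no entry for that user."""
    if user in users_local:
        return users_local[user]
    return users.get(user)


def map_incoming_user(incoming: str, local_accounts: Set[str], platform: str,
                      map_to: Optional[str] = None) -> str:
    """Agent user mapping (assumed order): an explicit mapping if configured,
    else a local account with the same name, else the downgraded user
    (nobody on UNIX, Anonymous on Windows)."""
    if map_to is not None:
        return map_to
    if incoming in local_accounts:
        return incoming
    return "nobody" if platform == "unix" else "Anonymous"
```

Running unrestricted_roles over a server's role set is a quick way to spot roles that would silently receive full Network Shell and nexec access because no command authorizations were defined for them.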
When you make changes to the users or users.local files, the RSCD agent automatically detects your new settings and uses them for all subsequent client connections. You do not have to restart the agent or otherwise instruct it to read the new users or users.local files.
The users and users.local files reside in different locations in Windows and UNIX systems, as described in the following table.
The users and users.local files do not grant permissions on Windows servers to roles that are set up for Windows user mapping. For information about Windows user mapping, see the Windows-user-mapping-and-agent-ACLs. However, the users or users.local files should still include an entry for each role so that the role can be granted access to a Windows server. Only the user mapping information in the users and users.local files is ignored for roles that employ Windows user mapping through automation principals. All other settings still apply. Consequently, even if you are using Windows user mapping, you should still push agent ACLs to servers when you add or modify user or role information in the BMC Server Automation Console.
The following topics provide more information about configuring the users and users.local files: