Unsupported content: This version of the documentation is no longer supported. However, the documentation is available for your convenience.

User Accounts


The BMC Server Automation product (formerly known as BladeLogic) creates various user accounts during component installation:

| Account Name | Component | Purpose | Type | Privileges | Default Password | Password Change Forced | Password Encryption | Notes |
|---|---|---|---|---|---|---|---|---|
| BladeLogicRSCD | Windows RSCD Agent | Run RSCD service on Windows systems | OS | Log on as Batch Job | Random since 8.1.00 | No | Windows encryption | Password can be changed using the chapw command or removed if the Automation Principal is exclusively used. If the RSCD agent is installed on a domain controller, a default password is used, because the account is shared across all domain controllers in the domain. The password can be changed as discussed in Changing-the-BladeLogicRSCD-account-password-on-domain-controllers. |
| bladmin | Application Server on Solaris and Linux | Run Application Server and spawner processes | OS | Owns application files | NA (locked on install) | NA | NA | Account is created with a locked password. The application server init scripts run a 'su - bladmin' to drop privileges. |
| bladelogic | Oracle Database | All Application Server to database communication happens as this account | Database | Schema owner for BladeLogic | Configurable during install by DBA | Dependent on database password policy | Database default | |
| BLAdmin | BladeLogic Application | Initial Application Administrator account | Application | Full access to all resources granted via Role. Implicit Read on all objects | No | Configurable in application settings (blasadmin / link) | Non-reversible hash stored in database | During install the BLAdmin account is created and a password is set. Because BladeLogic assigns permissions via the role (RBAC), this account can be locked or disabled (as long as there are other accounts in this role) and there is nothing inherently 'special' about this account. |
| RBACAdmin | BladeLogic Application | Initial Application Security Administrator account | Application | Full access to all RBAC objects. Implicit Read and ModifyAcls on all objects | No | Configurable in application settings (blasadmin / link) | Non-reversible hash stored in database | During install the BLAdmin account is created and a password is set. Because BladeLogic assigns permissions via the role (RBAC), this account can be locked or disabled (as long as there are other accounts in this role) and there is nothing inherently 'special' about this account. |

BMC Server Automation uses various accounts during operation:

| Account Name | Component | Purpose | Type | Privileges | Default Password | Password Change Forced | Password Encryption | Notes |
|---|---|---|---|---|---|---|---|---|
| root | RSCD Agent on Unix | RSCD Agent runs as this user | OS | root | NA | NA | NA | RSCD service must run as root for UPM as discussed in Impersonation-and-privilege-mapping. Password is not stored or used by the agent. |
| Automation Principal | BSA Application | Agent installation, Target Server Access, Active Directory User Sync | OS | Log on as Batch Job | NA | NA | AES 128 Bit | The Automation Principal account is created by the user on the target server or Windows domain. The credentials are stored in the BladeLogic database and used when the application is configured to use an AP for the noted purposes. |
| Local server account | RSCD / UPM | Actions performed via BSA act as this account on the target server | OS | Whatever is required to perform the desired functions via BladeLogic | NA | NA | NA | The User Impersonation function is used (link) and BSA does not know the account password. |
| bladelogic | SQL Server Database user | All Application Server to database communication happens as this account | Database | dbo for BladeLogic Database | Configurable during install by DBA | Dependent on database password policy | Database default | |
| Application Users | BladeLogic Application | Application User accounts | Application | Defined by RBAC Administrators | No | Configurable in application settings (blasadmin / link) | Variable - SRP, AD, etc. | Authentication is available with the built-in SRP authentication type or configurable to external authentication sources such as LDAP, Active Directory, PKI, and RSA. |
