Unsupported content: This version of the documentation is no longer supported. However, the documentation is available for your convenience.

Creating or modifying ACL Push Jobs


An ACL Push Job converts the access control list defined for a server into the users configuration file on that server's RSCD agent. The users file controls user access to the server.

Typically you run an ACL Push Job on a server when a role granted access to that server has new user information or you have changed agent ACL information for that role. For more information about the contents of an agent ACL, see Controlling-server-access-with-agent-ACLs.

If you are using Windows user mapping to control user permissions on agents, you may not have to use ACL Push Jobs to push ACLs to agents. For more information, see Windows-user-mapping-and-agent-ACLs.

An ACL Push Job generates users file entries that grant a variety of permissions, including permissions for commands. The job uses the following algorithm to create users file entries relating to command authorizations:

  • If no command authorizations are specified on the server and no command authorizations are specified for a role, no command authorizations for that role are pushed to the agent. This means the role has full authorization to use any Network Shell and nexec commands on that server.
  • If no command authorizations are specified on the server but command authorizations are specified for a role, those command authorizations are pushed to the agent. This means the role is authorized to perform those commands on the agent.
  • If command authorizations are specified on the server but no command authorizations are specified for a role, no command authorizations for that role are pushed to the agent. This means the role has full authorization to use any Network Shell and nexec commands on that server.
  • If command authorizations are specified on the server and command authorizations are specified for the role, the command authorizations common to both are pushed to the agent. This means the role is authorized to perform only those commands on the agent.

Tip

To prevent a role from using any Network Shell and nexec commands on a server, you can create a dummy nexec command (see Adding-or-modifying-an-nexec-command). Then, add an authorization for the dummy command to the definition of a role. Do not add any other command authorizations to the role. Finally, run an ACL Push Job, which pushes the authorization for the dummy command to the agents you specify in the job. On those agents, the role is only authorized to perform the dummy command and no other Network Shell and nexec commands.
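The four rules above and the dummy-command Tip, worked through as an added Python example (not BMC code). The role and command names are constructed, and `pushed_command_auths` and `audit` are hypothetical helpers. The audit flags roles for which nothing is pushed, because those roles keep full command authorization.

```python
from typing import Dict, FrozenSet, Optional, Set

def pushed_command_auths(server_cmds: Set[str],
                         role_cmds: Set[str]) -> Optional[FrozenSet[str]]:
    """Command authorizations pushed for one role, or None when nothing is
    pushed (the role then has full Network Shell and nexec authorization)."""
    if not role_cmds:
        # Rules 1 and 3: the role lists no commands, so nothing is pushed,
        # whether or not the server lists any.
        return None
    if not server_cmds:
        # Rule 2: only the role lists commands; they are pushed as they are.
        return frozenset(role_cmds)
    # Rule 4: both list commands; only the common ones are pushed.
    return frozenset(server_cmds & role_cmds)

def audit(server_cmds: Set[str], roles: Dict[str, Set[str]]) -> Dict[str, str]:
    """Classify each role by what an ACL Push Job would grant it."""
    findings = {}
    for role, cmds in roles.items():
        pushed = pushed_command_auths(server_cmds, cmds)
        if pushed is None:
            findings[role] = "UNRESTRICTED: any Network Shell and nexec command"
        elif not pushed:
            # The page does not say what an empty common set produces.
            findings[role] = "REVIEW: no common commands, outcome not documented here"
        else:
            findings[role] = "restricted to: " + ", ".join(sorted(pushed))
    return findings

# Constructed sample data (not taken from any real environment).
SERVER_CMDS = {"ls", "cat", "ps"}
ROLES = {
    "Operators": {"ls", "ps", "rm"},   # overlaps the server list
    "Auditors": set(),                 # no command authorizations at all
    "Vendors": {"rm"},                 # nothing in common with the server
}

if __name__ == "__main__":
    for role, verdict in audit(SERVER_CMDS, ROLES).items():
        print(f"{role}: {verdict}")
    # The Tip: a role holding only a dummy command, on a server with no
    # command authorizations of its own, is limited to that dummy command.
    print(audit(set(), {"Locked": {"noop_dummy"}}))
```
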

Note

You can configure several special settings for all ACL Push Jobs at the Application Server level using the BMC Server Automation Application Server Administration console (the blasadmin utility). The following blasadmin commands are available for the ACLPushJob component:

  • UserWildcardOnAclPush
    Values: true, false (default)
    Description: Enables you to use the Role:* system authorization for ACL Push entries instead of individual Role:User entries.

  • LogOnlyErrorsOrWarningOnAclPush
    Values: true, false (default)
    Description: Enables you to disable all log messages for ACL Push jobs, except for error or warning messages.

  • RevokeNshAccessWhenOnlyComponentAccessGranted
    Values: true, false (default)
    Description: Enables you to revoke NSH access to agents via the agent ACL file, for environments where a role has no direct access to a server, but only has access granted through components. If this command is set to true, the Server.Read authorization is ignored for such environments.

For more information about running commands through the blasadmin utility, see Using-the-Application-Server-Administration-console-blasadmin-to-configure-Application-Servers.

To create an ACL Push Job

  1. Do one of the following:
    • Open the Server folder and select a server. Right-click and select Administration Task > Agent ACLs from the pop-up menu. A dialog box prompts you to push ACLs immediately or to schedule a job. Click Schedule Job.
      If you prefer, you can push ACLs without scheduling a job. For more information, see Previewing-and-pushing-agent-ACLs.
    • Open the Jobs folder and select a job folder. Right-click and select New > Administration Task > ACL Push Job from the pop-up menu.
      The New ACL Push Job wizard opens.
  2. Define the ACL Push Job, as described in the following topics:

  3. After completing the last step of the wizard, click Finish.

To modify an ACL Push Job

Do any of the following:

  • To modify the definition of an existing ACL Push Job, open the Jobs folder and navigate to an existing job. Right-click the job and select Open from the pop-up menu. The content editor displays a series of tabs that correspond to panels in the New ACL Push Job wizard. Use the tabs to modify the job definition. The following topics describe the contents of the tabs:
  • To see or modify any properties, permissions, or audit trail information that apply to this job, select the Properties, Permissions, or Audit Trail tab group.

 
