Configuring the file server agent ACLs


The TrueSight Server Automation file server requires special agent ACLs because non-administrative users might require write access to the Depot storage directory on the file server. Traditionally, the file server has been configured with very open ACLs to allow for this, which is a security problem. The solution is to use property values in the RBAC Role mapping so that non-administrative users are mapped to a single local, non-privileged account that has write access to the Depot file storage location. In this way, more granular access to the TrueSight Server Automation file server storage directory can be granted in a secure fashion.

The following example steps for the configuration of file server agent ACLs assume that you have a basic TrueSight Server Automation environment set up and configured, and you have some general knowledge of using Configuration Manager. The example shows steps for both Windows and UNIX environments.

Note

In some cases, depending on your specific environment, it might be necessary to create multiple properties to map RBAC roles to.

Before You Begin

Determine which RBAC Roles need administrative access to the file server, and which roles need write access to the Depot storage location but do not need administrative access to the file server itself.

ACLs must NEVER be pushed to the file server. Doing so breaks various product operations and prevents the Application Server from starting. When you set up your ACL Push Job, run it against an Alive Servers smart group that excludes the file server. For more information about managing file server ACLs, see How-to-configure-two-RSCD-agents-on-a-single-host.

To configure file server agent ACLs

  1. Create a local, non-privileged user account with read/write access to the file server storage location. Use the following example commands:
    • (Windows) net user blfsrw /add
    • (UNIX) useradd blfsrw
  2. Assign local file permissions to the Depot Store. The following examples for this step assume a file server storage location of C:\storage on Windows and /storage on UNIX.
    • (Windows) Set permissions through the Security tab in the Properties dialog box.
    • (UNIX) Use the following sample command: chown -R blfsrw /storage
      If you also need to reset the permissions on this directory tree, run the following commands. Note that 644/755 leaves the Depot contents readable by every local account on the file server; the owner (blfsrw) is the only account that can write.

      find /storage -type f -exec chmod 644 {} +
      find /storage -type d -exec chmod 755 {} +
  3. To enhance security on the file server, configure the following files:
    1. Configure the exports file.
      An Application Server does not need an agent to run. An Application Server needs to connect to a File Server in order to run, and it is the file server that needs a valid and licensed agent. The exports file on the file server is configured differently from the exports file on a remote host: all incoming connections from the Application Servers should be mapped to the same user. This ensures that file permission issues do not arise for Console users who try to open depot objects, because every object on the file server is created with the same ownership.
      Use the following sample code:

      <application server 1>,<application server 2>,<application server n...> rw,user=blfsrw

      Note

      • To ensure a more secure environment, allow incoming connections only from the Application Server.
      • To specify Application Servers, you can use either DNS names or IP addresses.
    2. Configure the users.local file to ensure that it contains the following code (on the file server only):
      System:System rw,map=<blfsrw>
       Where <blfsrw> is the local, non-privileged user account with read/write access to the file server storage location. The System:System role:user is an internal account that the TrueSight Server Automation Application Server uses to initially communicate with the file server while the Application Server processes start up.

      Note

      For the file server, do not include the nouser entry in the users.local file or in the users file. For more information about the options in the users.local and users files, see Configuring-the-users-or-users-local-files.
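The following shell example is added here and is not part of the BMC page or the RSCD agent. It renders the file-server-only exports and users.local entries from steps 3.1 and 3.2 for a given list of Application Servers, checks a staged configuration against the rules on this page (only named Application Servers, every entry mapped to a fixed user, no nouser entry), and checks that an ACL Push Job target list does not contain the file server. The staging directory, the host names and the assumption that the files are named exports, users and users.local inside one directory (on a UNIX file server, the RSCD agent's own configuration directory) are assumptions for the example; the mapped user blfsrw is the one used in the steps above.

```sh
#!/bin/sh
# Added example (not BMC's code): stage and validate file-server agent
# ACL files for the procedure above. All paths are assumptions; in
# production, write into the RSCD agent's configuration directory and
# restart the agent afterwards.

# render_exports MAPUSER HOST... : one exports line that grants rw to the
# listed Application Servers only and maps all of them to MAPUSER.
render_exports() {
    mapuser=$1; shift
    hosts=$(printf '%s,' "$@")
    hosts=${hosts%,}
    printf '%s rw,user=%s\n' "$hosts" "$mapuser"
}

# render_users_local MAPUSER : the System:System mapping the Application
# Server uses while its processes start up.
render_users_local() {
    printf 'System:System rw,map=%s\n' "$1"
}

# write_fileserver_config DIR MAPUSER HOST... : stage exports and
# users.local in DIR (assumed layout: one directory holding both files).
write_fileserver_config() {
    dir=$1; mapuser=$2; shift 2
    mkdir -p "$dir"
    render_exports "$mapuser" "$@" > "$dir/exports"
    render_users_local "$mapuser" > "$dir/users.local"
}

# check_fileserver_config DIR : return 0 only if the staged files follow
# the page's rules: no nouser entry in users or users.local, no wildcard
# host in exports, and every exports entry mapped to a fixed user.
check_fileserver_config() {
    dir=$1
    for f in users users.local; do
        if [ -f "$dir/$f" ] && grep -q 'nouser' "$dir/$f"; then
            echo "FAIL: $f contains a nouser entry" >&2
            return 1
        fi
    done
    if grep -q '^[[:space:]]*\*' "$dir/exports"; then
        echo "FAIL: exports grants access to any host (wildcard entry)" >&2
        return 1
    fi
    # Any non-comment, non-blank exports line without user= is unmapped.
    if grep -v '^[[:space:]]*#' "$dir/exports" | grep -v '^[[:space:]]*$' \
        | grep -qv 'user='; then
        echo "FAIL: exports entry without a user= mapping" >&2
        return 1
    fi
    return 0
}

# acl_push_targets_ok FILESERVER HOST... : return 1 if the ACL Push Job
# target list still contains the file server, which must never receive
# pushed ACLs.
acl_push_targets_ok() {
    fs=$1; shift
    for h in "$@"; do
        if [ "$h" = "$fs" ]; then
            echo "FAIL: file server $fs is an ACL Push Job target" >&2
            return 1
        fi
    done
    return 0
}

# Stand-alone run: stage a config for two assumed Application Servers in a
# temporary directory and validate it.
if [ "${0##*/}" = "fileserver_acls.sh" ]; then
    stage=$(mktemp -d)
    write_fileserver_config "$stage" blfsrw appsrv01.example.com 10.0.0.12
    cat "$stage/exports" "$stage/users.local"
    check_fileserver_config "$stage" && echo "staged config OK"
    acl_push_targets_ok fileserver01.example.com web01 db01 && echo "push targets OK"
    rm -rf "$stage"
fi
```

Run check_fileserver_config against a copy of the agent's configuration directory before restarting the file server agent: the traditional open configuration (an exports line beginning with *) and any nouser entry are rejected, which is exactly what this page tells you to avoid on the file server.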
