User accounts

• Component: Windows RSCD Agent
• Purpose: Run RSCD service on Windows Systems
• Type: OS
• Privileges: Log on as Batch Job

• Default password: Random (24 alpha-numeric and special characters)
• Password change forced: NA
  If the password is set to expire due to GPO settings then you must ensure that a NSH Script job is created to run the chapw command periodically to reset the password before the password expires, on all systems. Alternatively the password expiration can not be set on this account and the chapw job can still be run periodically to reset the password and avoid the possibility that the account will be locked out by the policy.

• Password encryption: Windows encryption

The default random password length can be configured using chapw/agentctl command. Refer Changing-the-BladeLogicRSCDDC-account-password-on-domain-controllers.

Password can be changed using the chapw command. The password is stored in the registry using the CryptProtectData function.

If an Automation Principal is used exclusively, you can remove this user account using chapw.

During RSCD Agent installation on a domain controller, user must provide a password for BladeLogicRSCDDC user. As BladeLogicRSCDDC account is shared across all domain controllers in the domain, the same password must be provided when installing RSCD Agent on all domain controllers in that domain.

• Component: Smart Agent on supported UNIX platforms
• Purpose: Run the Smart Agent service on UNIX systems
• Type: OS
• Privileges : Own application files

• Default password: NA (locked on install)
• Password change forced: NA
• Password encryption : NA

Account is created with a locked password. The Smart Agent process starts as a root user and it changes to the truesight user immediately. Therefore, the Smart Agent runs with the truesight user for most of the time. When the Smart Agent requires to perform the operations that need super user privileges, it changes to the root user to perform the operations. After these operations are completed, it changes back to the truesight user.

bluser

• Component: Application Server on Windows and Linux
• Purpose: Run externally spawned processes
• Type: OS
• Privileges:
  • Owns few application files
  • (Windows) Log on as Batch Job

This user account is used for restricting access to the Application Server file system.

As part of execution of few jobs, the Application Server needs to spawn some of the external commands or scripts on the Application Server hosts. Therefore, these commands or scripts (wherever required) are spawned with this user account so that those commands or scripts run with this user's privileges.

On Windows, the account is created during the Application Server service startup and removed during the Application Server uninstallation.

On Linux, the account is created during the Application Server installation and removed during the Application Server uninstallation.

If you don’t want to use the Application Server file system access restriction feature, you can delete this user account. Later, if you want to use this feature, enable it first. After you enable it, on Linux, you need to create this user account manually. On Windows, the user account is created automatically during the Application Server service startup. For more information, see Restricting-access-to-the-Application-Server-file-system.

bladmin

• Component: Application Server on Linux
• Purpose: Run Application Server and spawner processes
• Type: OS
• Privileges : Owns application files

• Default password: NA (locked on install)
• Password change forced: NA
• Password encryption: NA

Account is created with a locked password.

The Application Server init scripts run a 'su - bladmin' to drop privileges.

• Component: Oracle Database
• Purpose: All Application Server to DB communication happens as this account
• Type: Database

• Privileges : Schema owner for TrueSight Server Automation and several other privileges listed in List of required database permissions

• Default password: configurable during install by dba
• Password change forced: Dependent on DB password policy
• Password encryption : DB default

BLAdmin

• Component: TrueSight Server Automation Application
• Purpose: Initial Application Administrator account
• Type: Application
• Privileges : Full access to all resources granted via Role. Implicit Read on all objects

• Default password: password
• Password change forced: Configurable in application settings (blasadmin / link)
• Password encryption : Non-reversible Hash stored in the database

During install the BLAdmin account is created and a password is set.

Because TrueSight Server Automation assigns permissions via the role (RBAC) this account can be locked or disabled (as long as there are other accounts in this role) and there is nothing inherently 'special' about this account.

RBACAdmin

• Component: TrueSight Server Automation Application
• Purpose: Initial Application Administrator account
• Type: Application
• Privileges : Full access to all RBAC objects and implicit Read and ModifyAcls on all objects

• Default password: password
• Password change forced: Configurable in application settings (blasadmin / link)
• Password encryption : Non-reversible Hash stored in DB

During installation, the BLAdmin account is created and a password is set.

Because TrueSight Server Automation assigns permissions via the role (RBAC) this account can be locked or disabled (as long as there are other accounts in this role) and there is nothing inherently 'special' about this account.