User accounts

• Component: Windows RSCD Agent
• Purpose: Run RSCD service on Windows Systems
• Type: OS
• Privileges : Log on as Batch Job

• Default password: Random (24 alpha-numeric and special characters)
• Password Change Forced: No.
  If the password is set to expire due to GPO settings then you must ensure that a NSH Script job is created to run the chapw command periodically to reset the password before the password expires, on all systems.  Alternatively the password expiration can not be set on this account and the chapw job can still be run periodically to reset the password and avoid the possibility that the account will be locked out by the policy.

• Password Encryption : Windows encryption

The default random password length can be configured using chapw/agentctl command. Refer Changing-the-BladeLogicRSCDDC-account-password-on-domain-controllers.

Password can be changed using the chapw command. The password is stored in the registry using the CryptProtectData function.

If an Automation Principal is used exclusively, you can remove this user account using chapw.

During RSCD Agent installation on a domain controller, user must provide a password for BladeLogicRSCDDC user. As BladeLogicRSCDDC account is shared across all domain controllers in the domain, the same password must be provided when installing RSCD Agent on all domain controllers in that domain.

• Component: Smart Agent on supported UNIX platforms
• Purpose: Run the Smart Agent service on UNIX systems
• Type: OS
• Privileges : Own application files

• Default password: NA (locked on install)
• Password Change Forced: NA
• Password Encryption : NA

Account is created with a locked password. The Smart Agent process starts as a root user and it changes to the truesight user immediately. Therefore, the Smart Agent runs with the truesight user for most of the time. When the Smart Agent requires to perform the operations that need super user privileges, it changes to the root user to perform the operations. After these operations are completed, it changes back to the truesight user.

bluser

• Component: Application Server on Windows and Linux
• Purpose: Run externally spawned processes
• Type: OS
• Privileges:
  • Owns few application files
  • (Windows)
    Log on as a batch job
    Deny log on locally

• Windows:
  • Default password: Random (20 alpha-numeric and special characters)
  • Password Change Forced: No.

If the password is set to expire due to GPO settings then you must ensure that password is reset periodically before it expires, on all systems. And new password is updated in TSSA using blcli (See blcli LowPrivUser).

• • Password Encryption : Windows encryption

• Linux:
  • Default password: NA (locked on install)
  • Password Change Forced: NA
  • Password Encryption : NA

This user account is used for restricting access to the Application Server file system.

On Windows, the account is created during Application Server service startup.

On Linux, the account is created during the Application Server installation.

As a part of some of the Job execution, the Application Server needs to spawn some of the external commands/scripts on the Application Server hosts. So these commands/scripts (wherever required) are spawned with this user account so that those commands/scripts runs with this user's privileges.

The user account gets removed during the Application Server uninstallation.

If you don’t want to use the Application Server file system access restriction feature, you can delete this user account. Later, if you want to use this feature, enable it first. After you enable it, on Linux, you need to create this user account manually. On Windows, the user account is created automatically during the Application Server service startup. For more information, see Restricting-access-to-the-Application-Server-file-system.

bladmin

• Component: Application Server on Linux
• Purpose: Run Application Server and spawner processes
• Type: OS
• Privileges : Owns application files

• Default password: NA (locked on install)
• Password Change Forced: NA
• Password Encryption : NA

• Component: Oracle Database
• Purpose: All Application Server to DB communication happens as this account
• Type: Database

• Privileges : Schema owner for TrueSight Server Automation and several other privileges listed in List of required database permissions

• Default password: configurable during install by dba
• Password Change Forced: Dependent on DB password policy
• Password Encryption : DB default

BLAdmin

• Component: TrueSight Server Automation Application
• Purpose: Initial Application Administrator account
• Type: Application
• Privileges : Full access to all resources granted via Role. Implicit Read on all objects

• Default password: password
• Password Change Forced: Configurable in application settings (blasadmin / link)
• Password Encryption : Non-reversible Hash stored in the database

During install the BLAdmin account is created and a password is set.

Because TrueSight Server Automation assigns permissions via the role (RBAC) this account can be locked or disabled (as long as there are other accounts in this role) and there is nothing inherently 'special' about this account.

RBACAdmin

• Component: TrueSight Server Automation Application
• Purpose: Initial Application Administrator account
• Type: Application
• Privileges : Full access to all RBAC objects and implicit Read and ModifyAcls on all objects

• Default password: password
• Password Change Forced: Configurable in application settings (blasadmin / link)
• Password Encryption : Non-reversible Hash stored in DB

During install the BLAdmin account is created and a password is set.

Because TrueSight Server Automation assigns permissions via the role (RBAC) this account can be locked or disabled (as long as there are other accounts in this role) and there is nothing inherently 'special' about this account.