Adding users to built-in roles for AD Kerberos
The TrueSight Server Automation user database comes preprovisioned with two default SRP users: RBACAdmin and BLAdmin. These default users are assigned to the default roles RBACAdmins and BLAdmins, respectively. If the TrueSight Server Automation administrator intends to support AD/Kerberos authentication exclusively and disable SRP user authentication, then, prior to disabling SRP, the administrator should log in as a user authorized for the RBACAdmins role and ensure that each of the four built-in roles — RBACAdmins, BLAdmins, GlobalReportViewers, and GlobalReportAdmins — has at least one registered domain user assigned to that role. Otherwise, when SRP authentication is disabled, no user will be able to access the built-in roles.
In a default installation, the RBACAdmins role has the authorizations necessary to manage users and roles. If you are using that default setup, you can assign a fully qualified domain user name (for example, RBACAdmin_ADK@SUB2.DEV.MYCOMPANY.COM) to the RBACAdmins role. In this example, the user would also have to be registered in the Active Directory user registry for the domain SUB2.DEV.MYCOMPANY.COM.
The same issue applies to the BLAdmins role; the GlobalReportAdmins role, which has built-in authorizations to see data for all BMC Service Automation Reporting and Analytics sites; and the GlobalReportViewers role, which has read access to all reports at all sites in a TrueSight Server Automation installation. To allow a domain user to log in to one of these roles:
- For the BLAdmins role, you must use RBAC to add a fully qualified user name to the BLAdmins role.
- For the GlobalReportAdmins role, you must use RBAC to add a fully qualified user name to the GlobalReportAdmins role.
- For the GlobalReportViewers role, you must use RBAC to add a fully qualified user name to the GlobalReportViewers role.
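A pre-flight check for the lockout described above, as an added example that is not BMC tooling: it reads a role-to-user listing in an assumed `role,user` text format and returns the built-in roles that still have no user in a registered domain. The function names, the listing format, and the sample data are constructed for illustration; how the listing is exported from RBAC is left to the administrator.

```python
import csv
import io

# The four built-in roles named on this page.
BUILT_IN_ROLES = ("RBACAdmins", "BLAdmins", "GlobalReportViewers", "GlobalReportAdmins")

def is_domain_user(name, realms):
    """True if name has the form user@REALM and REALM is a registered domain.

    The realm is compared exactly: a realm written in a different case is
    flagged for manual review rather than assumed to be equivalent.
    """
    user, sep, realm = name.strip().rpartition("@")
    return bool(sep and user) and realm in realms

def roles_without_domain_user(listing, realms):
    """Return the built-in roles that no registered domain user is assigned to.

    listing: text with one "role,user" pair per line (assumed format).
    realms:  AD domains whose users are registered for AD/Kerberos login.
    """
    realms = set(realms)
    covered = set()
    for row in csv.reader(io.StringIO(listing)):
        if len(row) != 2:
            continue  # skip blank or malformed lines
        role, user = (field.strip() for field in row)
        if role in BUILT_IN_ROLES and is_domain_user(user, realms):
            covered.add(role)
    return [role for role in BUILT_IN_ROLES if role not in covered]

# Constructed sample listing, not output from a real installation.
SAMPLE = """\
RBACAdmins,RBACAdmin
RBACAdmins,RBACAdmin_ADK@SUB2.DEV.MYCOMPANY.COM
BLAdmins,BLAdmin
GlobalReportAdmins,reports_adk@SUB2.DEV.MYCOMPANY.COM
GlobalReportViewers,viewer@OTHER.EXAMPLE.COM
"""

if __name__ == "__main__":
    missing = roles_without_domain_user(SAMPLE, ["SUB2.DEV.MYCOMPANY.COM"])
    for role in missing:
        print(f"{role}: no registered domain user; do not disable SRP yet")
```

In the sample, BLAdmins is reported because its only member is an SRP user, and GlobalReportViewers is reported because its only member belongs to a domain that is not in the registered list.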
Where to go from here
Do one of the following:
- Return to Overview of AD Kerberos configuration tasks.
- Begin configuration of clients for AD/Kerberos. See Configuring a TrueSight Server Automation client for AD Kerberos authentication.