Creating or modifying ACL Push Jobs


An ACL Push Job converts the access control list defined for a server into the users configuration file on that server's RSCD agent. The users file controls user access to the server.


Typically you run an ACL Push Job on a server when a role granted access to that server has new user information or you have changed agent ACL information for that role. For more information about the contents of an agent ACL, see Controlling server access with agent ACLs.

If you are using Windows user mapping to control user permissions on agents, you may not have to use ACL Push Jobs to push ACLs to agents. For more information, see Windows user mapping and agent ACLs.

An ACL Push Job generates users file entries that grant a variety of permissions, including permissions for commands. The job uses the following algorithm to create users file entries relating to command authorizations:

  • If no command authorizations are specified on the server and no command authorizations are specified for a role, no command authorizations for that role are pushed to the agent. This means the role has full authorization to use any Network Shell and nexec commands on that server.
  • If no command authorizations are specified on the server but command authorizations are specified for a role, those command authorizations are pushed to the agent. This means the role is authorized to perform those commands on the agent.
  • If command authorizations are specified on the server but no command authorizations are specified for a role, no command authorizations for that role are pushed to the agent. This means the role has full authorization to use any Network Shell and nexec commands on that server.
  • If command authorizations are specified on the server and command authorizations are specified for the role, the command authorizations common to both are pushed to the agent. This means the role is authorized to perform only those commands on the agent.
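
The four rules above, modelled as an added Python example (not BMC code; the function names, role names and command names are constructed for illustration). It also flags the two outcomes worth reviewing before a push: a role left unrestricted even though the server lists command authorizations, and a role with no commands in common with the server, a case this page does not describe.

```python
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

UNRESTRICTED = None  # nothing pushed: role may run any Network Shell / nexec command


def pushed_commands(server_cmds: Set[str], role_cmds: Set[str]) -> Optional[FrozenSet[str]]:
    """Return the command authorizations pushed for a role, or UNRESTRICTED."""
    if not role_cmds:
        # Rules 1 and 3: the role lists nothing, so nothing is pushed,
        # even when the server itself lists command authorizations.
        return UNRESTRICTED
    if not server_cmds:
        # Rule 2: only the role lists commands; they are pushed as-is.
        return frozenset(role_cmds)
    # Rule 4: both list commands; only the common ones are pushed.
    return frozenset(server_cmds & role_cmds)


def audit(server_cmds: Set[str], roles: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """List roles whose resolved outcome deserves a look before the push."""
    findings = []
    for role, role_cmds in sorted(roles.items()):
        result = pushed_commands(server_cmds, role_cmds)
        if result is UNRESTRICTED and server_cmds:
            findings.append((role, "unrestricted despite server-level command authorizations"))
        elif result is UNRESTRICTED:
            findings.append((role, "unrestricted"))
        elif not result:
            findings.append((role, "no common commands; outcome not described on this page"))
    return findings


# Constructed sample data (hypothetical role and command names).
SERVER_CMDS = {"ls", "cat"}
ROLES = {
    "WebAdmins": {"ls", "cat", "rm"},  # rule 4: intersection is pushed
    "Auditors": set(),                 # rule 3: ends up unrestricted
    "Operators": {"rm"},               # rule 4 with an empty intersection
}

if __name__ == "__main__":
    for role, cmds in sorted(ROLES.items()):
        print(role, pushed_commands(SERVER_CMDS, cmds))
    for role, note in audit(SERVER_CMDS, ROLES):
        print("REVIEW", role, "-", note)
```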

Tip

To prevent a user from using any interactive Network Shell and nexec commands, set the Default NSH Role on the Role Selection tab for the user object to No Default NSH Role.

The ACL Push Job and Agent ACL Preview resolve the ACLs that are necessary to grant users access to the server object based on the authorizations explicitly associated with the server object and any associated ACL policies, as well as the authorizations and ACL policies associated with any components linked to the server object.

Note

To deny NSH access to a server when a role has permissions only on an associated component, use the following blasadmin setting from the ACLPushJob component:

Component and command: RevokeNshAccessWhenOnlyComponentAccessGranted
  • Values: true, false (default)
  • Description: Enables you to revoke NSH access to agents via the agent ACL file, for environments where a role has no direct access to a server, but only has access granted through components. If this command is set to true, the Server.Read authorization is ignored for such environments.

You can configure several additional special settings for all ACL Push Jobs at the Application Server level using the TrueSight Server Automation Application Server Administration console (the blasadmin utility). The following blasadmin commands are available for the ACLPushJob component:

Component and command: UserWildcardOnAclPush
  • Values: true, false (default)
  • Description: Enables you to use the Role:* system authorization for ACL Push entries instead of individual Role:User entries. This means that adding a new user to an existing role that already has access will not require an ACL Push to let the new user access the server.

Component and command: LogOnlyErrorsOrWarningOnAclPush
  • Values: true, false (default)
  • Description: Enables you to disable all log messages for ACL Push jobs, except for error or warning messages. Disabling all logging except errors and warnings reduces the amount of database space consumed by job runs of this type.

For more information about running commands through the blasadmin utility, see Changing the basic Application Server settings.

To create an ACL Push Job

  1. Do one of the following:
    • Open the Server folder and select a server. Right-click and select Administration Task > Agent ACLs from the pop-up menu. A dialog box prompts you to push ACLs immediately or to schedule a job. Click Schedule Job.
      If you prefer, you can push ACLs without scheduling a job. For more information, see Previewing and pushing agent ACLs.
    • Open the Jobs folder and select a job folder. Right-click and select New > Administration Task > ACL Push Job from the pop-up menu.
      The New ACL Push Job wizard opens.
  2. Define the ACL Push Job, as described in the following topics:

  3. After completing the last step of the wizard, click Finish.

To modify an ACL Push Job

Do any of the following:

  • To modify the definition of an existing ACL Push Job, open the Jobs folder and navigate to an existing job. Right-click the job and select Open from the pop-up menu. The content editor displays a series of tabs that correspond to panels in the New ACL Push Job wizard. Use the tabs to modify the job definition. The following topics describe the contents of the tabs:
  • To see or modify any properties, permissions, or audit trail information that apply to this job, select the Properties, Permissions, or Audit Trail tab group.

Where to go from here

ACL-Push-Job-General

 
