Securing Agent data
You can implement authorization levels on each agent node to allow or disallow access to that node and control privileges for users who are allowed access.
Setting authorization levels enforces security and controls resource usage. Authorization is implemented through the Authorization.cfg file, which is installed to BMC Software\Patrol3\BEST1\version\local\setup.
The Authorization.cfg file is read by the agent and the service daemon at startup, so changes take effect only after they are restarted. At installation, the contents of Authorization.cfg are as follows:
PERMISSION = MANAGE
END_AUTHORIZATION
This default grants every user MANAGE (full) authorization to all information about every computer they can reach on the network. Any node whose data should be protected therefore needs this file edited. You can assign permissions on a per-computer and per-user basis using any of four permission levels: MANAGE, MODIFY, VIEW, and NONE.
The following table describes the privileges afforded by each level. Refer to Editing the Authorization.cfg File for information about editing the Authorization.cfg file to customize user access.
Agent Authorization Levels
Editing the Authorization.cfg File
To limit access to a node, edit Authorization.cfg on that node, using the example authorization file reproduced below, as a guide. The Authorization.cfg file is stored in C:\BMC Software\Patrol3\BEST1\version\local\setup.
Your customized Authorization.cfg file is not overwritten when you reinstall or upgrade Gateway Server. It is, however, a good idea to keep a backup copy of this file in case it becomes corrupted. The example authorization file is commented and illustrates how to define access privileges by building a list of zero or more computers, each of which has a list of zero or more users, thus forming a tree.
Permissions at a deeper level in the tree override permissions at upper levels: a user permission overrides the permission of the computer it is listed under, and a computer permission overrides the global permission. In the example, the global authorization is set to PERMISSION = VIEW. (Note the spaces before and after the equal signs; they are required.) However, users in the subnet 172.31.14.* have MODIFY privileges. To block certain users within that subnet, you could set their permissions to NONE.
Specific user/node authorization is order-dependent, and the first instance of a user/node permission setting is upheld. For example, if you define a user/node permission as MODIFY at the beginning of the file, and that same user/node is set to NONE farther down in the file, the NONE is ignored. Because of this, place restrictive entries (such as a NONE for a particular user or computer) before any broader wildcard entry that would otherwise match the same user/node; a deny placed after a matching grant is never reached. When you specify a group of computers, you can use a wildcard of * for any of the four octets of a dotted decimal IP address.
Example Authorization.cfg file
# Global permission is used if there is no other match at a lower level
PERMISSION = VIEW
BEGIN_COMPUTER
# Wildcard example for a Class C address space
# All users in 172.31.14.* subnet will have MODIFY privilege
COMPUTER = 172.31.14.*
# Permission used for any user in this Class C address space overrides the global permission
PERMISSION = MODIFY
END_COMPUTER
BEGIN_COMPUTER
# Computers can be known by their full IP address in dotted decimal form
COMPUTER = 172.31.11.47
PERMISSION = MODIFY
# Two users listed here
BEGIN_USER
USER_NAME = dkeefe
# Permission used for this user on this computer overrides the global permission and the computer permission
PERMISSION = MANAGE
END_USER
BEGIN_USER
# Limiting a user by overriding upper level permissions
USER_NAME = jrocco
PERMISSION = VIEW
END_USER
END_COMPUTER
BEGIN_COMPUTER
# Computers can also be identified by a name resolvable in DNS
# This name is converted to an IP address internally when the table is read.
COMPUTER = sunbgs6
PERMISSION = VIEW
END_COMPUTER
END_AUTHORIZATION
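The precedence rules above (user overrides computer overrides global; the first matching entry in file order wins; * matches any octet), modelled as an added Python example. This is not BMC's code and not the agent's actual parser; it reproduces only the rules as this page states them, and it is the code I would use to lint a proposed Authorization.cfg before deploying it. The DNS lookup is replaced by a constructed name-to-address table (FAKE_DNS), and the contractor / 172.31.14.9 entries are constructed to show the ordering pitfall: a NONE placed after a matching wildcard grant is never reached, and shadowed_entries() reports the unreachable block.

```python
"""Added model of the Authorization.cfg precedence rules stated on this page:
user overrides computer overrides global, and the first matching entry in file
order wins. Not BMC's parser; the DNS lookup is a constructed table."""
import re

PERMISSIONS = ("NONE", "VIEW", "MODIFY", "MANAGE")
FAKE_DNS = {"sunbgs6": "172.31.20.6"}  # constructed stand-in for DNS resolution
IP_PATTERN = re.compile(r"[\d*]{1,3}(\.[\d*]{1,3}){3}")
ASSIGNMENT = re.compile(r"(PERMISSION|COMPUTER|USER_NAME) = (\S+)")  # spaces around '=' required

def parse_authorization(text, resolve=FAKE_DNS.get):
    """Return (global_permission, computer_entries) in file order."""
    global_perm, computers, comp, user = None, [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "BEGIN_COMPUTER":
            comp = {"pattern": None, "permission": None, "users": []}
        elif line == "END_COMPUTER":
            computers.append(comp)
            comp = None
        elif line == "BEGIN_USER":
            user = {"name": None, "permission": None}
        elif line == "END_USER":
            comp["users"].append(user)
            user = None
        elif line == "END_AUTHORIZATION":
            break
        else:
            m = ASSIGNMENT.fullmatch(line)
            if not m:
                raise ValueError(f"malformed line: {raw!r}")
            key, value = m.groups()
            if key == "PERMISSION":
                if value not in PERMISSIONS:
                    raise ValueError(f"unknown permission {value!r}")
                target = user if user is not None else comp
                if target is None:
                    global_perm = value
                else:
                    target["permission"] = value
            elif key == "COMPUTER":
                pattern = value if IP_PATTERN.fullmatch(value) else resolve(value)
                if pattern is None:
                    raise ValueError(f"cannot resolve computer {value!r}")
                comp["pattern"] = pattern
            else:
                user["name"] = value
    return global_perm, computers

def ip_matches(pattern, ip):
    """'*' in any octet of the pattern matches that octet of the address."""
    return all(p in ("*", o) for p, o in zip(pattern.split("."), ip.split(".")))

def effective_permission(auth, user_name, ip):
    """Walk entries in file order; the first entry that yields a permission for
    (user, node) is used, so a later, more specific entry may never be reached."""
    global_perm, computers = auth
    for comp in computers:
        if not ip_matches(comp["pattern"], ip):
            continue
        for u in comp["users"]:
            if u["name"] == user_name and u["permission"]:
                return u["permission"]  # user level overrides computer and global
        if comp["permission"]:
            return comp["permission"]  # computer level overrides global
    return global_perm

def shadowed_entries(auth):
    """Report (earlier, later) COMPUTER patterns where the later block is unreachable
    because an earlier block with its own PERMISSION matches every address it covers."""
    _, computers = auth
    report = []
    for i, later in enumerate(computers):
        for earlier in computers[:i]:
            if earlier["permission"] and all(
                e in ("*", l) for e, l in zip(earlier["pattern"].split("."), later["pattern"].split("."))
            ):
                report.append((earlier["pattern"], later["pattern"]))
    return report

# Constructed entries: a wildcard grant and a per-user deny inside the same subnet.
WILDCARD_GRANT = "BEGIN_COMPUTER\nCOMPUTER = 172.31.14.*\nPERMISSION = MODIFY\nEND_COMPUTER\n"
CONTRACTOR_DENY = ("BEGIN_COMPUTER\nCOMPUTER = 172.31.14.9\nBEGIN_USER\nUSER_NAME = contractor\n"
                   "PERMISSION = NONE\nEND_USER\nEND_COMPUTER\n")
MISORDERED = "PERMISSION = VIEW\n" + WILDCARD_GRANT + CONTRACTOR_DENY + "END_AUTHORIZATION\n"
CORRECTED = "PERMISSION = VIEW\n" + CONTRACTOR_DENY + WILDCARD_GRANT + "END_AUTHORIZATION\n"

def demo():
    """Contractor's permission under each ordering, plus the shadowing report for each."""
    bad, good = parse_authorization(MISORDERED), parse_authorization(CORRECTED)
    return (effective_permission(bad, "contractor", "172.31.14.9"),
            effective_permission(good, "contractor", "172.31.14.9"),
            shadowed_entries(bad), shadowed_entries(good))

if __name__ == "__main__":
    print(demo())  # ('MODIFY', 'NONE', [('172.31.14.*', '172.31.14.9')], [])
```

Running demo() shows the pitfall directly: with the wildcard grant first, the contractor keeps MODIFY and the NONE block is reported as shadowed; with the deny moved ahead of the grant, the contractor gets NONE while every other user in 172.31.14.* still falls through to MODIFY. Feed the parser the full example file from this page (the sunbgs6 name resolves through FAKE_DNS) and it returns MANAGE for dkeefe and VIEW for jrocco on 172.31.11.47, MODIFY for anyone else there or in 172.31.14.*, and VIEW everywhere else.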