4 Replies Latest reply on Feb 3, 2015 12:50 PM by Yanick Girouard

    Background process of BladelogicRSCD & Export file mapping

    Rahul Boraste

      Hi Team,


      When RSCD agent is installed on target server, BladelogicRSCD user is created.

      For permissions in Exports file we make entries as


      * rw, user=Administrator


      So here BladelogicRSCD uses administrator rights to access target.


      My Question is:

      How is that administrator user in the exports file mapped to the BladelogicRSCD user?

      What background process takes place that gives access as administrator to the BladelogicRSCD internal user?



      Thanks & Regards,


        • 1. Re: Background process of BladelogicRSCD & Export file mapping
          Bill Robinson

          * rw,user=Administrator


          will map any incoming connection to the rscd agent on this box to the local user Administrator.  this of course is a really bad idea... so you should be using ACLs and RBAC to perform specific mappings based on the BladeLogic Role and username.


          on windows the rscd uses a windows feature called 'user impersonation' to 'map' to the user noted in the exports and/or users/users.local


          Impersonation and privilege mapping - BMC Server Automation 8.6 - BMC Documentation

          • 2. Re: Background process of BladelogicRSCD & Export file mapping
            Rahul Boraste

            Hi Bill,


            How many target servers can one Application Server manage?



            Thanks & Regards,


            • 3. Re: Background process of BladelogicRSCD & Export file mapping
              Bill Robinson

              it depends... i think we say something like 1 appserver per ~2500 targets, but it depends on your use case.  for example - you might have 100 servers and need a job to run in 15 min across all targets and that might require 2 appservers.  or you have 10,000 servers but only do deploys periodically to a handful at a time so a couple appservers might be ok for that..  i'd look through:


              • 4. Re: Background process of BladelogicRSCD & Export file mapping
                Yanick Girouard

                First, don't use the exports file like this. You're basically saying "any user that connects, map to the local administrator". This means any user that can have network access to your servers, and can install the Network Shell, could technically have full admin access on your servers.


                As Bill mentioned, you should be using RBAC ACLs with the users.local or users file where only a valid RBAC role:user combo can access the servers.


                As for how the BladeLogicRSCD user is mapping to Administrator, it goes like this:


                1. The agent installer creates a watch dog service (RSCDsvc) that runs as the SYSTEM account.

                2. The BladeLogicRSCD account is created during the first startup of the agent, if it doesn't exist (you can actually delete the account and restart the agent to recreate it).

                3. When the agent starts, the RSCD process is spawned by SYSTEM account (listener on port 4750).
                4. The listener process will then spawn any new processes as requested and run as the BladeLogicRSCD user, which in turn, will get its privileges from User Impersonation based on what user it's supposed to map to as defined in either the exports, users.local or users.


                A good way to understand this is to use Process Explorer from Microsoft and to monitor the processes spawned by RSCD.exe as you initiate commands on the server (i.e. run a job that initiates a remote command).


                For example, let's say I run this command over NSH against the target:


                nexec -e cmd /c dir tata.txt /s /b


                This is what I would see in process explorer:


                [Screenshot: 02-03-15 1-47-59 PM.png]
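
Added example (not part of the thread and not BMC code): a small audit for the exports entries discussed above, flagging lines where the wildcard host `*` maps every incoming connection to one local account. The `#` comment handling, the `PRIVILEGED` set, the severity labels and the sample entries are assumptions constructed for illustration.

```python
# Local accounts treated as privileged for this audit (assumption; adjust per site).
PRIVILEGED = {"administrator", "root", "system"}

def parse_exports(text):
    """Yield (lineno, host, options) for each entry of an exports-style file.

    Assumed layout, based on the entry quoted in the thread:
        <host> <opt>[,<opt>...]   e.g.  * rw,user=Administrator
    Text after '#' is treated as a comment (assumption).
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        host, _, rest = line.partition(" ")
        opts = {}
        for item in rest.split(","):
            key, _, value = item.strip().partition("=")
            if key:
                opts[key.lower()] = value.strip()
        yield lineno, host, opts

def audit_exports(text):
    """Return (lineno, severity, message) for wildcard entries with a fixed user."""
    findings = []
    for lineno, host, opts in parse_exports(text):
        user = opts.get("user", "")
        if host != "*" or not user:
            continue  # host-specific entry, or no blanket user mapping
        if user.lower() in PRIVILEGED:
            findings.append((lineno, "HIGH",
                f"any connecting host is mapped to privileged account {user!r}"))
        else:
            findings.append((lineno, "REVIEW",
                f"any connecting host is mapped to fixed account {user!r}"))
    return findings

# Constructed sample; the first two entries use the two spellings seen in the thread.
SAMPLE = """\
* rw, user=Administrator
* rw,user=Administrator
appserver01 rw,user=Administrator   # hypothetical host name
* ro
* rw,user=svc_deploy                # hypothetical account
"""

if __name__ == "__main__":
    for lineno, severity, message in audit_exports(SAMPLE):
        print(f"line {lineno}: [{severity}] {message}")
```
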