6 Replies Latest reply on May 6, 2015 8:26 AM by Bill Robinson

    How can I recreate the default out of the box BLAdmins and RBACAdmins roles?

    Yanick Girouard

      I'm looking for a way to recreate the default, out of the box BLAdmins and RBACAdmins roles in BSA 8.5. I know how to create a new auth profile or role using blcli, that is not the question, but rather how can I get the list of authorizations that I should use for each if I wanted to recreate the default ones that ship with the product?

        • 1. Re: How can I recreate the default out of the box BLAdmins and RBACAdmins roles?
          Bill Robinson

          you can install blade somewhere and look..

           

          the below is from one of my test VMs that i'm 99% sure i haven't messed w/ the role setups for these two.

           

          blcli_execute RBACRole getSetupSummary RBACAdmins

          Users:

          RBACAdmin

           

          Authorizations:

          Authorization,Source

          ACLPolicy.*,Direct

          ACLPushJob.*,Direct

          ACLTemplate.*,Direct

          AuthProfile.*,Direct

          Authorization.*,Direct

          AutomationPrincipal.*,Direct

          BL_Administration.Read,Direct

          LdapConnection.*,Direct

          LdapQuery.*,Direct

          Reports.Viewer,Direct

          Role.*,Direct

          Server.PushACL,Direct

          User.*,Direct

           

           

          blcli_execute RBACRole getSetupSummary BLAdmins 

          Users:

          BLAdmin

           

          Authorizations:

          Authorization,Source

          ACLPushJob.*,Direct

          ACLTemplate.*,Direct

          AIXPatchSoftware.*,Direct

          AIXSoftware.*,Direct

          AOConfig.*,Direct

          AgentBundle.*,Direct

          AgentInstallerJob.*,Direct

          ApplicationDiscoveryJob.*,Direct

          ApplicationServer.*,Direct

          ApplicationServer.Create,Direct

          ApplicationServer.Delete,Direct

          ApplicationServer.Modify,Direct

          ApplicationServer.ModifyACL,Direct

          ApplicationServer.ModifyProperties,Direct

          ApplicationServer.Read,Direct

          ApprovalConfig.*,Direct

          ApprovalType.*,Direct

          Atrium2BlSyncConfig.Modify,Direct

          Atrium2BlSyncJob.*,Direct

          AuditJob.*,Direct

          AuthProfile.Read,Direct

          Authorization.*,Direct

          AutomationPrincipal.*,Direct

          BLPackage.*,Direct

          BL_Administration.*,Direct

          BatchJob.*,Direct

          Bl2AtriumCustomization.*,Direct

          BootableStoragePool.*,Direct

          Component.*,Direct

          ComponentGroup.*,Direct

          ComponentTemplate.*,Direct

          ComponentTemplateFolder.*,Direct

          ComponentTemplateGroup.*,Direct

          ConfigFile.*,Direct

          ConfigurationObjectClass.*,Direct

          CustomCommand.*,Direct

          CustomIcon.*,Direct

          CustomSoftware.*,Direct

          DeployJob.*,Direct

          DepotFile.*,Direct

          DepotFolder.*,Direct

          DepotGroup.*,Direct

          DeregisterConfigurationObjects.*,Direct

          Device.*,Direct

          DeviceFolder.*,Direct

          DeviceGroup.*,Direct

          DiscoveryJob.*,Direct

          DistributeConfigurationObjects.*,Direct

          ExecutionTask.*,Direct

          ExtendedObject.*,Direct

          FileServer.*,Direct

          FileServer.Create,Direct

          FileServer.Delete,Direct

          FileServer.Modify,Direct

          FileServer.Read,Direct

          HPUXSoftware.*,Direct

          JobFolder.*,Direct

          JobGroup.*,Direct

          LinuxSoftware.*,Direct

          MacPool.*,Direct

          NSHScript.*,Direct

          NSHScriptJob.*,Direct

          NSH_Proxy.Connect,Direct

          PatchCatalog.*,Direct

          PatchDownloadJob.*,Direct

          PatchGlobalConfig.Modify,Direct

          PatchRemediationJob.*,Direct

          PatchSmartGroup.*,Direct

          PatchingJob.*,Direct

          PropertyClass.*,Direct

          PropertyInstance.*,Direct

          ProvisionConfig.*,Direct

          ProvisionJob.*,Direct

          ProvisionWinPEImageCreation.Create,Direct

          PublishProductCatalogJob.*,Direct

          RemoteHostAuthentication.*,Direct

          Repeater.*,Direct

          Repeater.Create,Direct

          Repeater.Delete,Direct

          Repeater.Modify,Direct

          Repeater.Read,Direct

          Reports.QueryStudio,Direct

          Reports.Viewer,Direct

          Role.Read,Direct

          RoutingPolicy.*,Direct

          RoutingPolicy.Create,Direct

          RoutingPolicy.Delete,Direct

          RoutingPolicy.Modify,Direct

          RoutingPolicy.ModifyACL,Direct

          RoutingPolicy.ModifyProperties,Direct

          RoutingPolicy.Read,Direct

          SCAPComplianceJob.*,Direct

          SCAPContentFile.*,Direct

          ScapDataStream.*,Direct

          Server.*,Direct

          ServerGroup.*,Direct

          SnapshotJob.*,Direct

          SolarisSoftware.*,Direct

          StoragePool.*,Direct

          SystemPackage.*,Direct

          SystemPackageFolder.*,Direct

          SystemPackageType.*,Direct

          TokenizationRuleSet.*,Direct

          UCSIdentityReclaim.Modify,Direct

          UCSProvisionJob.*,Direct

          UCSTemplate.*,Direct

          UpdatePropertiesJob.*,Direct

          UpgradeModelObjects.*,Direct

          User.Read,Direct

          UuidPool.*,Direct

          VMCaptureJob.*,Direct

          VMImportJob.*,Direct

          VSMDiscoveryJob.*,Direct

          VirtualGuestJob.*,Direct

          VirtualGuestPackage.*,Direct

          VirtualGuestPackageCitrixXen.*,Direct

          VirtualGuestPackageHyperV.*,Direct

          VirtualGuestPackageLpar.*,Direct

          VirtualGuestPackageRHELKVM.*,Direct

          VirtualGuestPackageRHEV.*,Direct

          VirtualGuestPackageSolaris.*,Direct

          VirtualGuestTemplateEnrollmentJob.*,Direct

          VirtualizationConfiguration.*,Direct

          WindowsSoftware.*,Direct

          WorkflowJob.*,Direct

          XCCDFBenchmark.*,Direct
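A way to use a listing like the one above as a baseline when auditing a role that has been modified, as an added example that is not part of the original post or of BSA: it parses `getSetupSummary` output, reports authorizations added or removed relative to the baseline, and flags explicit grants already covered by a `Type.*` wildcard. The baseline is the RBACAdmins listing quoted above; the "current" role text is constructed for illustration.

```python
# Added example: drift check for `RBACRole getSetupSummary` output.
# Baseline = the RBACAdmins authorizations quoted in the post above.
BASELINE_RBACADMINS = (
    "Users:\nRBACAdmin\n\nAuthorizations:\nAuthorization,Source\n"
    + "".join(f"{a},Direct\n" for a in (
        "ACLPolicy.* ACLPushJob.* ACLTemplate.* AuthProfile.* Authorization.* "
        "AutomationPrincipal.* BL_Administration.Read LdapConnection.* "
        "LdapQuery.* Reports.Viewer Role.* Server.PushACL User.*").split())
)
# Constructed sample of a modified role (not real output):
# one grant removed, two grants added.
CURRENT_CONSTRUCTED = (
    BASELINE_RBACADMINS.replace("Reports.Viewer,Direct\n", "")
    + "NSHScriptJob.*,Direct\nServer.*,Direct\n"
)

def parse_setup_summary(text):
    """Return (users, {authorization: source}) from getSetupSummary output."""
    users, auths, section = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # the forum paste is double-spaced; blank lines carry nothing
        if line in ("Users:", "Authorizations:"):
            section = line
        elif section == "Users:":
            users.append(line)
        elif section == "Authorizations:" and line != "Authorization,Source":
            name, _, source = line.partition(",")
            auths[name] = source
    return users, auths

def covered_by_wildcard(auths):
    """Explicit grants that a Type.* grant in the same role already covers."""
    wild = {a[:-2] for a in auths if a.endswith(".*")}
    return sorted(a for a in auths
                  if not a.endswith(".*") and a.split(".")[0] in wild)

def drift(baseline, current):
    """Authorizations present in only one of the two parsed roles."""
    b, c = set(baseline), set(current)
    return {"added": sorted(c - b), "removed": sorted(b - c)}

if __name__ == "__main__":
    _, base = parse_setup_summary(BASELINE_RBACADMINS)
    _, cur = parse_setup_summary(CURRENT_CONSTRUCTED)
    print(drift(base, cur))
    print("redundant:", covered_by_wildcard(cur))
```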

          • 2. Re: How can I recreate the default out of the box BLAdmins and RBACAdmins roles?
            Yanick Girouard

            Thanks Bill. Just to be safe though, can you check the last modified date of the roles and confirm if they have or haven't been modified? I don't really have the luxury of being able to just install BSA to get it otherwise, so what you gave me would be it. It would be kind of useful though to have a script that comes with BSA to recreate those since they are pretty much essential. Just a suggestion.

             

            Ideally, we should have a script that can create a new auth-profile for each of the roles with all the default permissions in it. I'll have to write my own for now using your list, but if you want to suggest it officially, it would be a great tool in the admin scripts that come with the product IMO.

            • 3. Re: How can I recreate the default out of the box BLAdmins and RBACAdmins roles?
              Bill Robinson

              we have the db scripts - if you look in core_data_<db>.sql you'll see a bunch of inserts like:

               

              INSERT INTO role_auth (role_id, bl_auth_id,bl_auth_profile_id) VALUES (1000010,50,0);

               

              that's where it builds the role on install.  so there's a set for BLAdmins (role id 1000010) and RBACAdmins (role id 3).

               

               

              i wouldn't do the inserts again but you can translate that to the auths you need.

               

              but really those are just starter roles in a sense.  the only implicit permissions they have are Read on everything for BLAdmins and RBACAdmins, and modifyAcls on everything for RBACAdmins.  they don't need any of those other permissions that are explicitly granted afaik - you can create other roles w/ the * permissions granted there.

              1 of 1 people found this helpful
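A read-only way to pull the per-role authorization ids out of such a script without re-running the inserts, as an added example that is not part of the original post or of the product's scripts: it reads `role_auth` inserts in the form quoted above and groups them under the two role ids given in the reply. Only the first sample line comes from the post; the rest are constructed. The lookup from `bl_auth_id` to an authorization name is not shown on this page, so the example stops at the ids.

```python
# Added example: group role_auth inserts by role, reading the SQL as text only.
import re
from collections import defaultdict

ROLE_IDS = {1000010: "BLAdmins", 3: "RBACAdmins"}  # role ids as stated in the reply

# First line is the insert quoted in the reply; the others are constructed samples.
SAMPLE_SQL = """
INSERT INTO role_auth (role_id, bl_auth_id,bl_auth_profile_id) VALUES (1000010,50,0);
INSERT INTO role_auth (role_id, bl_auth_id,bl_auth_profile_id) VALUES (1000010,51,0);
insert into role_auth (bl_auth_id, role_id, bl_auth_profile_id) values (7, 3, 0);
INSERT INTO some_other_table (role_id, name) VALUES (3, 'constructed');
INSERT INTO role_auth (role_id, bl_auth_id) VALUES (3, 8, 0);
"""

INSERT_RE = re.compile(
    r"INSERT\s+INTO\s+role_auth\s*\(([^)]*)\)\s*VALUES\s*\(([^)]*)\)\s*;",
    re.IGNORECASE,
)

def role_auth_rows(sql_text):
    """Return {role_id: [(bl_auth_id, bl_auth_profile_id), ...]}."""
    by_role = defaultdict(list)
    for cols, vals in INSERT_RE.findall(sql_text):
        names = [c.strip().lower() for c in cols.split(",")]
        values = [v.strip() for v in vals.split(",")]
        if len(names) != len(values):
            continue  # malformed statement: column and value counts differ
        row = dict(zip(names, values))  # map by column name, not by position
        try:
            key = int(row["role_id"])
            entry = (int(row["bl_auth_id"]), int(row["bl_auth_profile_id"]))
        except (KeyError, ValueError):
            continue  # not the three integer columns this example expects
        by_role[key].append(entry)
    return dict(by_role)

def auth_ids_by_role_name(sql_text):
    """Auth ids for the two default roles, keyed by role name."""
    rows = role_auth_rows(sql_text)
    return {name: [a for a, _ in rows.get(rid, [])]
            for rid, name in ROLE_IDS.items()}

if __name__ == "__main__":
    print(auth_ids_by_role_name(SAMPLE_SQL))
```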
              • 4. Re: How can I recreate the default out of the box BLAdmins and RBACAdmins roles?
                Yanick Girouard

                Thanks, that should help a lot! I'm at a customer that modified the out of the box roles a bit too much so I'm trying to clean it up, but picking the auths by hand was not really the safe way to go and I would have probably mixed some. Even if they are not used per se, I'd rather have them (the roles) handy if I need to troubleshoot an issue or screw up other roles by mistake. Nobody needs to have access to it except for the srp BLAdmin and RBACAdmin account.

                 

                I'll mark your answer as the correct one.

                • 5. Re: How can I recreate the default out of the box BLAdmins and RBACAdmins roles?
                  Yanick Girouard

                  I'm looking for that core_data_<db>.sql file you're referring to. I found a few core_data.sql in the Program Files/BMC Software/BladeLogic/NSH/br/db_scripts/oracle/utility/db_maintenance/module_input folders (per version), but I can't find the query you're referring to in there. Is this supposed to be it?

                  • 6. Re: How can I recreate the default out of the box BLAdmins and RBACAdmins roles?
                    Bill Robinson

                    It’s in the external-files.zip in bl_xxx/db_scripts//schema