Why would you not use BSA's RBAC which is already in place for change tracking?
Why do you need to use a username and password to access machines?
Scenario - Currently administrators are making unauthorized changes using these passwords through BSA.
-> BladeLogic does not require a password to perform an action as a user. The agent runs as root and uses 'suid' to run whatever is requested as the local account the incoming connection is mapped to. BSA also does not use sudo.
Is there any way to track passwords in BSA? Who used the root/sudo password, and when?
-> No, because BSA does not perform user logins on Unix or use sudo.
Is there a way to automate server access realignment and drift automation?
-> Yes, using snapshot jobs of import configurations it would be possible to detect if something was changed and revert it.
Can you clarify what the problem is here? You are having users perform actions through BSA (from the BSA application or via nsh -> rscd directly). If it's the latter, you can lock down access so you must come through the BSA application server, where more granular permissions can be enforced. If it's the former, then as Saif mentions you need to look at your RBAC setup in BSA.