By convention, I believe it is customary that the BLAdmins role has access to all servers and objects in the BSA console by default. This means that indirectly, it has full admin access to any server present in the console, and could therefore potentially run administrative commands on any server even if it doesn't manage it at the OS level.
Typically, based on what I've seen, the BLAdmins role will have all accesses, but functional roles will only have access to a subset of servers. For example, WindowsAdmins would have access to Windows servers only, and UnixAdmins to Linux and Unix servers.
Let's say that the Unix team does not want the BLAdmins role to have access to their servers (BLAdmins role not present in any Unix server's ACL), and does not want my user account to be a member of the UnixAdmins role either. What would be the impact for me as a BSA administrator?
Off the top of my head, I can think of the following:
- I would no longer be able to push ACLs to any Unix server using a nightly job or ad-hoc
- I wouldn't be able to add or decommission Unix targets
- I would no longer be able to run any job against any Unix server, including admin tasks such as Update Server Property or Update Configuration Objects, etc.
- I wouldn't be able to troubleshoot any issues with any Unix jobs against Unix targets
- I wouldn't be able to run the database cleanup jobs, as deleting a job or component BLAdmins doesn't have access to will produce errors
- I wouldn't be able to see Unix jobs running in the "Tasks in progress" window (not sure about that one, can BLAdmins always see all regardless?)
- I wouldn't be able to even see any Unix targets in the console, so no checking of properties, no license counting (unless I use a database query)
- I might encounter issues during a BSA upgrade if BLAdmins doesn't have sufficient permissions to certain objects (seen this before)
... and more...
Has anyone ever done this kind of hardening in BSA to restrict BLAdmins' access, and if so, what has to be done exactly and what were the impact and implications of such a change?