RBACAdmin doesn't automatically map to root when you install an agent. At install time, you're asked if you want to set up any user mappings. This would add an entry to users.local. The standard procedure is to add an entry RBACAdmins:RBACAdmin with rw,map=root. This is so you can push ACLs via the RBAC console. If the RBACAdmin user, or other designated user, is not mapped to a user that has write access to the directory and files containing the agent ACLs then you'll get "permission denied" when you try to push ACLs. When you successfully push ACLs via RBAC there is always an entry in the users file for RBACAdmins:RBACAdmin with rw,map=root. You could change this mapping by going to the RBACAdmin role properties and changing the user map setting in the Agent ACL Setup tab. I wouldn't recommend making changes to the RBACAdmin role before discussing what you're trying to achieve with support or a PS resource if there is one onsite.
As to the question of edits from CM, I don't believe that "live" edits of a file via CM are trackable.
In terms of RBAC authorizations, the ones that control this functionality are:
2) Blade.configFile.modify (for files that are defined and parsed as config files in BladeLogic)
Thank you for your prompt reply.
Your post answered everything very clearly in a way even I can comprehend! Thanks!
The "Live" editing concerns me a little - in case of typos, etc. but I will do some tests around restricting the functionality through RBAC (as you have shown the Auths to restrict).
Regarding the RBACAdmins modification - I think that this will cause us a few problems because in our production environment setup we are using BladeLogic to manage servers for multiple customers.
This is potentially an internal issue for us while we roll out to the customers since our entire rollout team has RBACAdmin access, and the customer may be concerned about so many new people gaining root access to their servers.
This RBACAdmin access will be stripped from the rollout team after the rollout project so this probably will only be a minor issue - however I never appreciated how powerful the RBACAdmin user will be until now.
Thanks again for your help,
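
One way to review which role:user pairs an agent maps to root with write access, covering both the `RBACAdmins:RBACAdmin` entry described in the first post and the concern about the rollout team raised in the reply. This is an added example, not code from either poster or from BladeLogic. It assumes each users.local line has the form `role:user` followed by comma-separated options and that `#` starts a comment; every entry in the sample other than `RBACAdmins:RBACAdmin` is hypothetical.

```python
# Constructed sample. Only the RBACAdmins:RBACAdmin entry comes from the
# thread; the other roles and users are hypothetical.
SAMPLE_USERS_LOCAL = """\
# constructed sample, not taken from a real agent
RBACAdmins:RBACAdmin    rw,map=root
CustomerA_Ops:jsmith    rw,map=appuser
CustomerA_Audit:akhan   ro,map=nobody
Rollout:tlee            rw,map=root
"""


def parse_entries(text):
    """Parse 'role:user  opt1,opt2,...' lines (assumed layout) into dicts."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # assumption: '#' begins a comment
        if not line:
            continue
        fields = line.split(None, 1)
        if ":" not in fields[0]:
            continue  # not a role:user entry, leave it for manual review
        role, user = fields[0].split(":", 1)
        opts = fields[1].replace(" ", "").split(",") if len(fields) > 1 else []
        mapped = next(
            (o.split("=", 1)[1] for o in opts if o.startswith("map=")), None
        )
        entries.append(
            {"line": lineno, "role": role, "user": user,
             "options": opts, "map": mapped}
        )
    return entries


def root_write_mappings(entries):
    """Entries that combine rw with map=root: effectively root on the host."""
    return [e for e in entries if e["map"] == "root" and "rw" in e["options"]]


if __name__ == "__main__":
    for e in root_write_mappings(parse_entries(SAMPLE_USERS_LOCAL)):
        print(f"line {e['line']}: {e['role']}:{e['user']} -> rw,map=root")
```

Running the same check against each agent's users.local before and after the rollout shows whether the temporary root mappings were actually removed.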