1 2 Previous Next 19 Replies Latest reply on May 17, 2005 8:39 AM by Andrew Mitchell

    blcli methods to access RBAC objects?

      Is it possible to enumerate the resource profiles in RBAC using the BLCLI? Other objects?

        • 1. Re: blcli methods to access RBAC objects?

          The BLCLI does not contain much functionality with regards to resource profiles. The BLCLI can handle users and roles, but merely via creation and adding users to roles.


          We are presently working on the creation of a robust API for later release. I will recommend this functionality for inclusion in this API.

          • 2. Re: blcli methods to access RBAC objects?



            One of the quarterly manual tasks we have to do is show changes in access for Sarbanes-Oxley audits. Being able to provide a scripted difference report instead of screenshots of the RBAC interface would be very helpful.



            • 3. Re: blcli methods to access RBAC objects?

              So you would want an "export" of the BL users and their access in RBAC?

              • 4. Re: blcli methods to access RBAC objects?

                I suppose that would work, yes. I'm trying to avoid having to write SQL queries directly against the DB.



                • 5. Re: blcli methods to access RBAC objects?

                  Let me look into this for you. Perhaps your TAM could put together a BLCLI/NSH script to do this, building out some BLCLI "complex commands".


                  I'll look into this and add some updated information here. We recommend against making direct SQL calls to the database, as the db schema changes over time and this could break. Access via the BLCLI is guaranteed to work despite schema changes.

                  • 6. Re: blcli methods to access RBAC objects?

                    If you need just user information, username/role, then you should check the BLCLI documentation for RBACUser/RBACRole namespaces.


                    You will find the following commands useful in the RBACUser namespace:




                    If you need further information, your TAM may be able to put together some scripts to return more information about each user via some custom BLCLI commands.


                    Below is a link to our Best Practice documentation for using the BLCLI. I'll send an email to your TAM to let him know that you might be interested in doing something like this.



                    • 7. Re: blcli methods to access RBAC objects?

                      Ah, we're currently running 5.2.8, so you know...


                      We need a bit more than a list of users. Specifically:

                      User additions since

                      User deletions since

                      Addition/deletion from role XXXX since

                      Users not accessed in X days (idle accounts)


                      There are a few other things. I'm doing it all manually now and will work on details, automation and better tools usage after we get 6.2(3?) up and running.



                      • 8. Re: blcli methods to access RBAC objects?

                        Oh, and yes, I understand that if I keep state in a flat file since last report the results of those 2 commands diff'ed against the prior results would go a long way toward providing the needed info. Just need blcli capable systems first, eh?


                        • 9. Re: blcli methods to access RBAC objects?

                          While I would love the input from our TAM, I'd rather learn how to do it myself and produce the working scripts/commands. I find the learn by doing experience to be very enlightening. It's the geek/engineer in me and that whole "give a man a fish / teach a man to fish" thing.


                          -M, the glutton for punishment

                          • 10. Re: blcli methods to access RBAC objects?



                            Upgrading to 6.2/3 would get you leaps and bounds closer to your goal. While the necessary commands remain unreleased in the 6.2/3 versions, we may be able to release them in the 6.3.1 version of BladeLogic.


                            First things first, an upgrade is necessary.

                            Next, we can discuss the necessity of involving your TAM or professional services (during the upgrade) to teach you how to get to where you want to be.


                            So far as I know we do not yet support a way to track the "Users not accessed in X days (idle accounts)". Nonetheless, we can make this an enhancement request.

                            • 11. Re: blcli methods to access RBAC objects?



                              I have ideas about idle accounts, especially since they could be active only in NSH and not using the CM. With an SRP-only proxy using flat files for role data and LDAP for user auth there is no direct DB logging of "last used" data. But, the log rollup activity done when reports are populated could populate the needed information. So, I'm thinking that reports server functionality that targets RBAC information tied to user account usage and history would be the way to go.


                              Currently reports are very host and activity/job centric. Offering a user-centric reports would provide what is needed. It would also be a good step toward making reports more than informational, and turning toward a Decision Support System (DSS) model. Being able to do capacity planning for staffing levels based on rate and volume of change as well as user productivity is just one neat DSS function this could open up. If you're using a tool to manage your environment, why not extract information on utilization of the tool to model/predict the future?


                              OK, enough waxing philosophical...


                              • 12. Re: blcli methods to access RBAC objects?

                                Thanks, Michael. In fact, we are looking at ways to handle better reporting of RBAC information in our BL Reports module. We have seen this come up a lot, recently, with SOx compliance reporting. It's good to see your ideas and requests on this topic. I'll pass them on to the right people.

                                • 13. Re: blcli methods to access RBAC objects?

                                  Not intending on stirring this up any more, I'd like to echo Brad's note on 6.2 adding a considerable amount of functionality. Aside from functional gains across platforms, the blcli extensibility is amazing.

                                  • 14. Upgrading to 6.2(3?)

                                    The hardware for our new appserver, reports server, DB server, SRP proxy server and file server should arrive tomorrow. Then I wait for the infrastructure folks to rack them up, networking to cable them up and the box builders to kickstart them... (Hurry up and wait!)


                                    I'll probably have an initial 6.2 infrastructure built and ready for users shortly before I leave for the BL user Conference in early May. Hopefully I'll get to meet you all and regale you with my stories of our build out.

                                    1 2 Previous Next