What authorizations are set in the user's role?
ApprovalType.Manual Authorization Change Management Manual Approval
AuditJob.Cancel Authorization Cancel job
AuditJob.Create Authorization Create audit job
AuditJob.Execute Authorization Execute audit job
AuditJob.Modify Authorization Modify job
AuditJob.ModifyProperties Authorization Modify job properties
AuditJob.ModifySchedule Authorization Modify job schedule
AuditJob.ModifyTargets Authorization Modify job targets
AuditJob.Read Authorization Read audit job
BatchJob.Cancel Authorization Cancel job
BatchJob.Execute Authorization Execute batch job
BatchJob.Modify Authorization Modify batch job
BatchJob.ModifyProperties Authorization Modify job
BatchJob.ModifySchedule Authorization Modify job schedule
BatchJob.ModifyTargets Authorization Modify job targets
BatchJob.Read Authorization Read batch job
BLPackage.Create Authorization Create new BLPackage
BLPackage.Modify Authorization Modify BLPackage
BLPackage.ModifyProperties Authorization Modify BLPackage properties
BLPackage.Read Authorization Open BLPackage
Component.* Authorization Component authorizations
Component.Audit Authorization Allow audits on this component
ComponentGroup.* Authorization Component authorizations
ComponentTemplate.* Authorization Component template authorizations
ComponentTemplateFolder.* Authorization Component Template authorizations
ComponentTemplateGroup.* Authorization Component Template authorizations
DeployJob.Cancel Authorization Cancel job
DeployJob.Execute Authorization Execute deploy job
DeployJob.ModifyProperties Authorization Modify job properties
DeployJob.ModifySchedule Authorization Modify job schedule
DeployJob.ModifyTargets Authorization Modify job targets
DeployJob.Read Authorization Read deploy job
DiscoveryJob.Cancel Authorization Cancel job
DiscoveryJob.Create Authorization Create new Discovery job
DiscoveryJob.Execute Authorization Execute Discovery job
DiscoveryJob.Modify Authorization Modify job
DiscoveryJob.ModifyProperties Authorization Modify job properties
DiscoveryJob.ModifySchedule Authorization Modify job schedule
DiscoveryJob.ModifyTargets Authorization Modify job targets
DiscoveryJob.Read Authorization Read Discovery job
JobFolder.Read Authorization Open job folder
JobFolder.Write Authorization Add objects to job folder
JobGroup.Read Authorization Open job group
PropertyInstance.Read Authorization Read Instance
Server.* Authorization Server authorizations
Server.Audit Authorization Allow audits on this server
Server.Browse Authorization Browse aserver assets
Server.Deploy Authorization Allow deploys on this server
Server.Discover Authorization Discover this server
Server.ExecuteNSHScript Authorization Execute NSH Scripts on server
Server.Read Authorization Read server properties and other meta data
ServerGroup.Read Authorization Open server group
Those look ok. Have the acls been pushed to the server? As that user/role can you run an 'agentinfo' against the server? What's in the users, users.local and exports files on the target servers?
one thing I've just noticed: when logged on using that role I don't see Depot at all in the console and if I try to modify permissions for Depot to add the read for the role I can't select in the dropdown with Roles, could this be an indication of what is wrong here?
ACLs have been pushed multiple times
users seem to contain all the normal acls including the role's users
users.local contain bladmins and system entries
exports only "* rw,user=<local admin account>"
agentinfo runs fine for the role
this could be an issue or maybe the role doesn't have access to the file server?
I've tried giving it fileserver.*
No difference. I've pretty much gone through all authorizations bladmins have and compared and tried them all with this new role - no luck
Also opened a case with bmc support a few minutes ago
Again when I run the same job as bladmin (same server) - no issues
fileserver.* doesn't apply yet.
on the file server agent, what's in the users, users.local files?
on the file server in windows\rsc directory
users.local has only bladmin and system entries
users has lots of stuff seems different from what I see in users on other agents but the role in question is included in it
actually, the section was there but it was incomplete - the id I'm using to test which has this role was not listed in the server's copy of users
I added it manually and I'm no longer getting that "No authorization" error so I think you got it!
the question is why this is happening and why do I have to update the file manually, how do I keep it in sync with the changes I make in RBAC manager?
you should never push acls to the file server agent. you should create a non-privileged account that owns the 'storage' directory and map all connections from the appserver to that user in the exports file. in the users.local file you should have only an entry for 'System:System rw,map=root' (or administrator). you should not register the file server in the gui (that will keep acls from getting pushed).
Thank you so much for all your help
i have the fileserver registered in the gui for inventory purposes. how can i be sure that acls don't get pushed by an operator error?
on the file server in users.local I have:
BLAdmins:<bladmin name> rw,map=<local admin account>
System:System rw,map=<local admin account>
in exports I have:
127.0.0.1 rw,user=<local admin account>
IP 1 of the server rw,user=<local admin account>
IP 2 of the server rw,user=<local admin account>
hostname of the server rw,user=<local admin account>
Why did I have to modify users file to grant a specific role access to the package, shouldn't BL use <local admin account> to access the storage?
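The file server layout recommended earlier in the thread (only a System:System entry in users.local, every exports line mapped to the unprivileged storage owner, no pushed ACLs in users) can be checked for drift with a short script. This is an added example, not part of the original thread or BMC's tooling; the account name `blstorage`, the sample file contents, the `#` comment handling and the reading of any entry in `users` as evidence of an ACL push are assumptions.

```python
# Added example: drift check for a file server agent's rsc files.
# Assumed line format, taken from the lines quoted in the thread:
#   <subject> <opt>[,<opt>...]   e.g. "System:System rw,map=root"
# Treating "#" as a comment marker is an assumption.

def parse_entries(text):
    """Return [(subject, {option: value or True})] for each entry line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.rsplit(None, 1)
        opts = {}
        for tok in filter(None, (parts[1] if len(parts) == 2 else "").split(",")):
            key, sep, val = tok.partition("=")
            opts[key.strip()] = val.strip() if sep else True
        entries.append((parts[0], opts))
    return entries

def audit_file_server(users_local, exports, users, storage_owner):
    """Compare the three files with the layout recommended in the thread."""
    findings = []
    for subject, opts in parse_entries(users_local):
        if subject != "System:System":
            findings.append(f"users.local: unexpected entry {subject}")
        elif "map" not in opts:
            findings.append("users.local: System:System has no map= option")
    for subject, opts in parse_entries(exports):
        if opts.get("user") != storage_owner:
            findings.append(f"exports: {subject} is not mapped to {storage_owner}")
    pushed = parse_entries(users)
    if pushed:  # assumption: entries in users mean an ACL push reached this agent
        findings.append(f"users: {len(pushed)} pushed ACL entries present")
    return findings

# Constructed sample contents (not taken from a real server).
DRIFTED = dict(
    users_local="BLAdmins:jdoe rw,map=Administrator\nSystem:System rw,map=Administrator\n",
    exports="127.0.0.1 rw,user=Administrator\n10.0.0.5 rw,user=Administrator\n",
    users="QA_Deployers:asmith rw,map=Administrator\n",
)
CLEAN = dict(
    users_local="System:System rw,map=Administrator\n",
    exports="* rw,user=blstorage\n",
    users="",
)

if __name__ == "__main__":
    for name, files in (("drifted", DRIFTED), ("clean", CLEAN)):
        print(name, audit_file_server(storage_owner="blstorage", **files))
```

Run on a schedule against copies of the three files, a non-empty result shows that an ACL push or a manual edit has changed the file server agent since the last check.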