5 Replies Latest reply on Dec 19, 2011 6:52 PM by Bill Robinson

    RBAC Query

      Hi All,

      I had a query on RBAC. I am configuring RBAC in a new greenfield environment and I wanted some clarification.

      I have copied and pasted the RBACAdmins role and renamed it to ABC_RBACAdmins. I have created a new user NEW_RBACAdmin and assigned the new user to ABC_RBACAdmins. I created a new ACL template and assigned this template (ABC RBAC Template) to the ABC_RBACAdmins role.

      The new template will add the RBACAdmins role to any new object created by the ABC_RBACAdmins role. I have assigned permission to ABC_RBACAdmins on all objects in RBAC (ACL, Authorization, Roles, User etc.).

      All this works well, and when I log on to BladeLogic with user NEW_RBACAdmin and role ABC_RBACAdmins, I can see all the RBAC objects, but I cannot see any other BladeLogic folders or objects (Depot, Component, Jobs, Component Templates etc.).

      My understanding was that all these objects (Depot, Component, Jobs, Component Templates etc.), except RBAC, would have read-only permission for any role, because when I log on using RBACAdmins I can see all these objects, and in the permissions of any of these objects the RBACAdmins role has not been mapped onto them.

      Please can someone clarify how I can see all these objects with my new role ABC_RBACAdmins? Am I missing something?

      Regards

      Santosh

        • 1. RBAC Query
          Bill Robinson

          RBACAdmins and BLAdmins both have an implicit Read on all objects, regardless of the ACLs granted on the object and to the role.  RBACAdmins also has an implicit ModifyACL on all objects.  BLAdmins and RBACAdmins are special in that regard.

          Your new role is not.  If you want to see any objects, the new role must be granted an explicit Read on the object, and there must be an explicit authorization granted to the new role for that object type.

          What is the purpose of creating this new role?
          • 2. RBAC Query

            Hi Bill,

            The customer does not want to use the BladeLogic standard built-in roles, hence I was looking at creating these new roles.

            Explicit read means I have to add this new role on every BL object?

            Can we make any changes on the backend to this new role to get implicit permission on all the BL objects?

            Regards

            Santosh

            • 3. Re: RBAC Query
              Bill Robinson

              Explicit means granting the ACL on each object directly.

              There is no way to change this.
              • 4. Re: RBAC Query

                Hi Bill,

                Thank you for the clarification. So this means:

                1. Somehow (script/manual) I have to add an ACL (Read and ModifyACL) on all the existing BL objects for the new role ABC_RBACAdmins.
                2. Going forward I have to modify the ACL template and add authorization (Read and ModifyACL) for the ABC_RBACAdmins role, so any new objects created will have these permissions by default.

                Is there any other way or best practice for implementing a customized RBACAdmins role? If so please let me know.

                Once again thanks for your help, this is most appreciated.

                Regards

                Santosh

                • 5. Re: RBAC Query
                  Bill Robinson

                  Yep – that’s about it.  Why don’t they want to use the real RBACAdmins role?
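The rule Bill states in reply #1 (implicit Read for BLAdmins/RBACAdmins, explicit ACL plus authorization for everyone else) and the two-step fix Santosh lists in reply #4, as an added Python model that is not from the thread or from BMC; the object types, authorization names and paths are constructed for the demo, not BladeLogic's own.

```python
# Added example (not from the thread or from BMC): a small Python model of the
# access rule from reply #1. BLAdmins and RBACAdmins hold an implicit Read on
# every object (RBACAdmins also an implicit ModifyACL); any other role needs
# BOTH an explicit ACL entry on the object AND an authorization for that
# object type. Object types, authorization names and paths are constructed.
from dataclasses import dataclass, field

IMPLICIT_READ_ROLES = {"BLAdmins", "RBACAdmins"}
IMPLICIT_MODIFY_ACL_ROLES = {"RBACAdmins"}


@dataclass
class BLObject:
    name: str
    obj_type: str                                   # e.g. "Depot", "Job"
    acl: dict = field(default_factory=dict)         # role name -> {perms}


@dataclass
class Role:
    name: str
    authorizations: set = field(default_factory=set)  # e.g. "Depot.Read"


def can(role: Role, obj: BLObject, perm: str) -> bool:
    """True if role holds perm on obj under the rule from reply #1."""
    if perm == "Read" and role.name in IMPLICIT_READ_ROLES:
        return True
    if perm == "ModifyACL" and role.name in IMPLICIT_MODIFY_ACL_ROLES:
        return True
    explicit_acl = perm in obj.acl.get(role.name, set())
    authorized = f"{obj.obj_type}.{perm}" in role.authorizations
    return explicit_acl and authorized               # both are required


def visible_objects(role: Role, objects: list) -> list:
    """What the role sees in the console: the objects it can Read."""
    return [o.name for o in objects if can(role, o, "Read")]


def grant(role: Role, obj: BLObject, perm: str) -> None:
    """Step 1 of reply #4: explicit ACL on an existing object plus the
    matching authorization for that object type on the role."""
    obj.acl.setdefault(role.name, set()).add(perm)
    role.authorizations.add(f"{obj.obj_type}.{perm}")


def apply_acl_template(obj: BLObject, template: dict) -> BLObject:
    """Step 2 of reply #4: ACL template entries copied onto each new object.
    The role still needs the authorization for that object type."""
    for role_name, perms in template.items():
        obj.acl.setdefault(role_name, set()).update(perms)
    return obj
```

The model shows why an ACL template alone is not enough: a templated entry grants nothing until the role also carries the matching authorization.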