Have a look at the blcli command “RBACRole : syncUsers”.
As per blcli doc, “This command synchronizes users belonging to an external directory group to the specified role”
There should be a ‘group query’ in the user sync setup for the role so that the members of an AD group will be pulled into the RBAC role. Is that what you are looking for? There is no way to directly add an AD Group object into an RBAC role – you can only add users into the RBAC role.
In case I define an LDAP connection in the BladeLogic Console, will it keep on querying the Domain Group for users? For example, in AD if I have 3 users A, B, C and I have set up the LDAP connection, then in case I delete one user A from AD, do I need to synch again or would it be automatically synched as soon as the user is deleted?
Also I wanted to understand the automation principal's role in this. If suppose my user X does not have administrative privileges on the server and has rights on a specific directory, and I create an automation principal using account X, then even if I give a user Server.* in RBAC, that user would only have the rights applicable to the user (rights specific to a few directories).
In your example you would need to re-synch to pick up any additions or deletions from the directory. There are also a few variations of this command (see the blcli help) that allow you to disable or remove users not found in the directory. Ideally you would trigger this blcli command upon a deletion (provide your domain admins with an NSH script job for example).
Your understanding of the automation principal is correct. You'll likely see staging or simulate failures in BSA if you try to deploy packages that the automation principal user doesn't have access to. It is usually a good idea to use the RBAC security to prevent users from encountering these issues in such restricted environments.
I would also note that if you delete a user in AD, that user will not be able to authenticate to BladeLogic even if the RBAC user object still exists.