15 Replies Latest reply on May 8, 2012 2:05 PM by Bill Robinson

    Regarding using Domain account to Map RBAC user on Windows

      Hi,

We are trying to deploy the BladeLogic RSCD Agent 8.1 SP4 in a huge environment. The customer has a group in AD to which he has added the Windows admin users. The customer wants that once these administrators log into the BladeLogic Console they have admin access on the endpoint servers. He wants to map the RBAC user to the respective domain ID of the administrators instead of using the local Administrator. For example, if we have 2 users with AD names A and B, he wants:

1.) The user names A and B to be automatically added to the BladeLogic Console. (For this I believe there is a Synch LDAP user Blcli already in place.) After adding the users to BladeLogic he wants these users to be automatically assigned to the Wintel role.


2.) Instead of mapping BladeLogic users A and B to the local Administrator in the exports and users files, the customer now wants them to be mapped to domain user A and domain user B respectively on the server. I believe we can use an automation principal for this.


Is mapping an RBAC user to a domain account, or using an automation principal, recommended by BMC? Have we seen any known issues in doing so?

        • 1. Re: Regarding using Domain account to Map RBAC user on Windows
          Bill Robinson

All user mapping and the APs are at the role level, so you cannot map roleA:userA to WindowsA and roleA:userB to WindowsB, which seems to be what you are asking.

          • 2. Regarding using Domain account to Map RBAC user on Windows

            Hi Bill,

Can't I use an automation principal to do so? Under Role -> Agent ACL, if I select an automation principal then I can at least map user A to domain user A. For user B I would have to create a new role.

            • 3. Re: Regarding using Domain account to Map RBAC user on Windows
              Bill Robinson

User mapping is by the role, not the user. So you can map RoleA to WindowsA and RoleB to WindowsB. Stop thinking in terms of the BSA users and instead think in terms of roles. In the example below you mentioned only a single role that users A and B would be in (Wintel role).

              • 4. Regarding using Domain account to Map RBAC user on Windows

Yes, I understand that. What I meant to say is if I assign BL users A and B to a role and I am using an automation principal created for user A in the same role, then both users would be mapped to domain user A.


In order to map to their respective domain names I would have to create 2 roles and assign user A to one and user B to another (in addition to creating 2 automation principals for A and B).


Also, the second query that I asked: is mapping an RBAC user to a domain account, or using an automation principal, recommended by BMC? Have we seen any known issues in doing so? I have heard there is some problem related to the Advanced Repeater or normal repeater while using domain mapping or an automation principal.

                • 5. Re: Regarding using Domain account to Map RBAC user on Windows
                  Bill Robinson

Yes – you would need two roles.


                  I’m not sure I understand the difference here between Domain account and Automation principal – what do you mean there?


You cannot use the AP w/ a repeater – the mapping will revert to the OS mapping I think, so you'd need a mapping entry on the targets behind the repeater for something like 'root' or 'Administrator' from the repeater to the targets I think.

                  • 6. Re: Regarding using Domain account to Map RBAC user on Windows
                    Soundappan Shanmugam

                    Hi Bill,


The below is what the docs say about the limitations of using automation principals. Could you comment on whether or not to use it for a huge environment where there are multiple forests, more than 30 remote locations, and more than 5 locations having firewalls?


                    LIMITATIONS IN THE USE OF WINDOWS AUTOMATION PRINCIPALS


                    Although automation principals allow remote operations under a given user’s identity, the spawned process is not an interactive one. Any mapped drives remain unavailable to the spawned process. In some cases, these drives are accessible through UNC paths, though NSH does not support UNC path syntax. If necessary, use .BAT files or the NSH nexec command to reach drives available only through UNC paths.


                    For an automation principal to work, the Windows user whose credentials are carried in an automation principal must have the “Log on as a batch job” privilege. This privilege is not normally among those applied to a new user account. An administrator must explicitly add the privilege to the user’s account.


                    Use of an automation principal requires a Network Shell Proxy Server to be connected to the BMC BladeLogic Server Automation database. A standalone Network Shell Proxy Server, that is, a Network Shell Proxy Server without access to the BMC BladeLogic Server Automation database, cannot retrieve necessary credentials from the database.


                    BMC BladeLogic Server Automation repeaters and Advanced Repeaters also do not support automation principals. The repeater must contact the target agent without benefit of access to the BMC BladeLogic Server Automation database.


                    Automation principals are supported by RSCD agents running version 8.0 and later.


                    Adding a server to the BMC BladeLogic Console contacts a remote server to obtain initial configuration information. This task does not support the use of automation principals.

                    When BMC BladeLogic cannot use Windows user mapping, it uses user privilege mapping to establish the operational context on remote servers. In other words, it uses the BladeLogicRSCD user and mapped privileges to perform tasks. If BMC BladeLogic is able to perform a task using this method, it logs the authentication method in the agent or Application Server log file.


                    ___

                    Cheers…

                    Soundappan Shanmugam

                    HP:  +91 9711156098
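Added example, not code from this thread or from BMC: a PowerShell check for the "Log on as a batch job" requirement quoted in the documentation excerpt above. It is run on the target Windows server against the domain account the automation principal carries, and reports whether that account is directly granted the right. The account name is a placeholder; the script name and the temporary file path are assumptions of this example.

```powershell
# Added example, not code from this thread or from BMC: verify that the
# Windows account behind an automation principal holds the "Log on as a
# batch job" user right (SeBatchLogonRight) on this server.
# Assumptions: elevated PowerShell on the target server; the account name
# passed in is a placeholder (e.g. "CORP\svc-bladelogic") for the real one.
param(
    [Parameter(Mandatory = $true)]
    [string]$Account
)

# Resolve the account to its SID; secedit lists rights holders as '*SID'.
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights area of the effective local security policy.
$inf = Join-Path $env:TEMP ("user-rights-{0}.inf" -f $PID)
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $inf)) { throw "secedit export failed; run elevated" }

# The export is Unicode text; the relevant line looks like
#   SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551,CORP\svc-bladelogic
$line = Get-Content -Path $inf -Encoding Unicode |
        Where-Object { $_ -match '^\s*SeBatchLogonRight\s*=' }
Remove-Item $inf -ErrorAction SilentlyContinue

$holders = @()
if ($line) {
    $holders = @(($line -split '=', 2)[1].Trim() -split ',' |
                 ForEach-Object { $_.Trim().TrimStart('*') })
}

# Only a direct grant is detected here. If the right is held by a group the
# account belongs to (e.g. BUILTIN\Backup Operators, S-1-5-32-551), this
# reports $false and the group membership has to be checked separately.
$direct = ($holders -contains $sid) -or ($holders -contains $Account)

[pscustomobject]@{
    Account          = $Account
    SID              = $sid
    BatchLogonDirect = $direct
    RightHolders     = $holders
}
```

Save it as, for example, Test-BatchLogonRight.ps1 and run `.\Test-BatchLogonRight.ps1 -Account 'CORP\svc-bladelogic'` on each agent host before enabling the automation principal. A result of `$false` with a working principal usually means the right arrives through one of the groups listed in RightHolders; a result of `$false` with a failing principal is the case the documentation warns about, since the right is not granted to a new account by default and has to be added explicitly.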

                    • 7. Re: Regarding using Domain account to Map RBAC user on Windows
                      Bill Robinson

I don't think the env size has anything to do w/ it, nor does the number of forests, etc., etc.


If you need to use repeaters I think the mapping will revert to the OS user on the repeater talking to the target agent, though you should test out the behaviour.


Otherwise I don't see any issues, assuming you can work out the role to AP relationship.

                      • 8. Re: Regarding using Domain account to Map RBAC user on Windows
                        Soundappan Shanmugam

Hi Bill,


Could you please help on these below limitations as per the documents of BMC?



1. Although automation principals allow remote operations under a given user's identity, the spawned process is not an interactive one. Any mapped drives remain unavailable to the spawned process. In some cases, these drives are accessible through UNC paths, though NSH does not support UNC path syntax. If necessary, use .BAT files or the NSH nexec command to reach drives available only through UNC paths.


2. BMC BladeLogic Server Automation repeaters and Advanced Repeaters also do not support automation principals.


3. Adding a server to the BMC BladeLogic Console contacts a remote server to obtain initial configuration information. This task does not support the use of automation principals.


                        When BMC BladeLogic cannot use Windows user mapping, it uses user privilege mapping to establish the operational context on remote servers. In other words, it uses the BladeLogicRSCD user and mapped privileges to perform tasks. If BMC BladeLogic is able to perform a task using this method, it logs the authentication method in the agent or Application Server log file.





                        ___

                        Cheers…

                        Soundappan Shanmugam

                        HP:  +91 9711156098

                        • 10. Re: Regarding using Domain account to Map RBAC user on Windows
                          Soundappan Shanmugam

Having all the below limitations, is it good to go ahead with the automation principal for domain authentication?


                          ___

                          Cheers…

                          Soundappan Shanmugam

                          HP:  +91 9711156098

                          • 11. Re: Regarding using Domain account to Map RBAC user on Windows
                            Bill Robinson

                            I’m not sure what you mean by “Automation Principal for Domain authentication” – can you explain that?


Why do you want to use the AP?

                            • 12. Re: Regarding using Domain account to Map RBAC user on Windows
                              Soundappan Shanmugam

My bad, it's just automation principal only.


                              ___

                              Cheers…

                              Soundappan Shanmugam

                              HP:  +91 9711156098

                              • 14. Re: Regarding using Domain account to Map RBAC user on Windows
                                Soundappan Shanmugam

If automation principals have limitations w.r.t. repeaters etc., is it the best practice?


                                ___

                                Cheers…

                                Soundappan Shanmugam

                                HP:  +91 9711156098
