10 Replies Latest reply on Nov 27, 2013 8:22 AM by Bill Robinson

    Include a value in a role -> Agent ACL -> Windows -> Use Property

      We have defined a server property called "WinAdmin_User" to know which is the user in each Windows we want to map to.

      We use this property in roles.

      Image2.JPG

      Now, we are trying to automate the creation of roles to have a map with this property using blcli.

       

      We have tried several options but we can only set the user in the Map to Option.

       

      Image1.JPG

      Any blcli to do it?

      We have tried:

      RBACRole createRole introducing windows user

      RBACRole setAgentAclUserEquiv with Windows OS

       

      We use question marks to define property, but it is not enough.

       

      Thanks and regards,

      Jon

        • 1. Include a value in a role -> Agent ACL -> Windows -> Use Property
          Bill Robinson

          Copy the XML below into a file like NSH/br/xml/cli/RBACRole-PS-Additional.xml on the system you are running the blcli from.

          Run it like:

          RBACRole createRoleWithWIndowsPropertyMap <role> <desc> <acl flags> <unix max> <PROPERTY_NAME>

           

          (no ?? in the property name)  or you can see the sequence of commands to run below and roll your own.

           

           

           

          <?xml version="1.0" encoding="UTF-8"?>
          <!DOCTYPE command_inventory SYSTEM "file://bladelogic.com/dtds/Command-Inventory.dtd">
          <command_inventory>
              <name_space name="RBACRole">
                  <complex_command command_id="createRoleWithWindowsPropertyMap-CREATE-0001" published="yes" release="yes">
                      <name>createRoleWithWindowsPropertyMap</name>
                      <description>
                          <author>Bill Robinson</author>
                          <paragraph/>
                          <return_value_info/>
                      </description>
                      <argument_list>
                          <argument desc="name of role to be created" name="roleName">java.lang.String</argument>
                          <argument desc="description of role to be created" name="roleDesc">java.lang.String</argument>
                          <argument desc="agent acl flags" name="flags">int</argument>
                          <argument desc="unix user map" name="unixUser">java.lang.String</argument>
                          <argument desc="windows role map" name="winProp">java.lang.String</argument>
                      </argument_list>
                      <commands_to_execute>
                          <command_invocation>
                              <namespace_ref>RBACRole</namespace_ref>
                              <name>createInstance</name>
                              <input/>
                              <store_result><name>role</name></store_result>
                          </command_invocation>
                          <command_invocation>
                              <namespace_ref>Utility</namespace_ref>
                              <name>setTargetObject</name>
                              <input>role</input>
                          </command_invocation>
                          <command_invocation>
                              <namespace_ref>RBACRole</namespace_ref>
                              <name>setName</name>
                              <input>$roleName$</input>
                          </command_invocation>
                          <command_invocation>
                              <namespace_ref>RBACRole</namespace_ref>
                              <name>setDescription</name>
                              <input>$roleDesc$</input>
                          </command_invocation>
                          <command_invocation>
                              <namespace_ref>RBACRole</namespace_ref>
                              <name>getAgentAcl</name>
                              <input></input>
                              <store_result><name>agentAcl</name></store_result>
                          </command_invocation>
                          <command_invocation>
                              <namespace_ref>Utility</namespace_ref>
                              <name>setTargetObject</name>
                              <input>agentAcl</input>
                          </command_invocation>
                          <command_invocation>
                              <namespace_ref>AgentAcl</namespace_ref>
                              <name>setFlags</name>
                              <input>$flags$</input>
                          </command_invocation>
                          <command_invocation>
                              <namespace_ref>AgentAcl</namespace_ref>
                              <name>setServerPropertyUsed</name>
                              <input>true 1</input>
                          </command_invocation>
                          <command_invocation>
                              <namespace_ref>AgentAcl</namespace_ref>
                              <name>setUserMapServerPropertyName</name>
                              <input>$winProp$ 1</input>
                          </command_invocation>
                          <command_invocation>
                              <namespace_ref>AgentAcl</namespace_ref>
                              <name>setUserEquivalancy</name>
                              <input>$unixUser$ 2</input>
                          </command_invocation>
                          <command_invocation>
                              <namespace_ref>Utility</namespace_ref>
                              <name>setTargetObject</name>
                              <input>role</input>
                          </command_invocation>
                          <command_invocation>
                              <namespace_ref>RBACRole</namespace_ref>
                              <name>create</name>
                              <input/>
                          </command_invocation>
                          <command_invocation>
                              <namespace_ref>RBACRole</namespace_ref>
                              <name>getDBKey</name>
                              <input/>
                          </command_invocation>
                      </commands_to_execute>
                  </complex_command>
              </name_space>
          </command_inventory>

          • 2. Include a value in a role -> Agent ACL -> Windows -> Use Property

            Thanks Bill.

            I have tried the XML option and it works!

             

             

            Only one comment: be careful with the lower case in "Windows". Instead of

            RBACRole createRoleWithWIndowsPropertyMap <role> <desc> <acl flags> <unix max> <PROPERTY_NAME>

            you need to run

            RBACRole createRoleWithWindowsPropertyMap <role> <desc> <acl flags> <unix max> <PROPERTY_NAME>

             

            Great work!

             

            Regards,

            Jon

            • 4. Re: Include a value in a role -> Agent ACL -> Windows -> Use Property

              Hello Bill,

              Like Jon, I need to use a property for mapping roles.
              The blcli command that you created for Windows works, but how do I make it work for UNIX?

               

              Regards,

              Jean-Henri

              • 5. Re: Include a value in a role -> Agent ACL -> Windows -> Use Property
                Bill Robinson

                you should be able to modify this section in the above:

                 

                <command_invocation>
                    <namespace_ref>AgentAcl</namespace_ref>
                    <name>setUserEquivalancy</name>
                    <input>$unixUser$ 2</input>
                </command_invocation>

                to do this instead:

                <command_invocation>
                    <namespace_ref>AgentAcl</namespace_ref>
                    <name>setServerPropertyUsed</name>
                    <input>true 2</input>
                </command_invocation>
                <command_invocation>
                    <namespace_ref>AgentAcl</namespace_ref>
                    <name>setUserMapServerPropertyName</name>
                    <input>$unixProp$ 2</input>
                </command_invocation>

                 

                and then change the corresponding input variable for the unix property.
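
A pre-deployment check for a hand-edited command definition like the one modified above (added example, not part of any post in this thread and not BMC code): it flags `$name$` inputs that are not declared in `<argument_list>`, `setTargetObject` references with no earlier `<store_result>`, and command names typed with the wrong case. The function names and the sample definition are constructed for illustration; the element names follow the XML posted earlier in the thread.

```python
import re
import xml.etree.ElementTree as ET

PLACEHOLDER = re.compile(r"\$(\w+)\$")  # $argName$ convention used in the thread's XML

def lint_inventory(xml_text):
    """Return findings for every complex_command in a command inventory."""
    findings = []
    for ns in ET.fromstring(xml_text).iter("name_space"):
        for cmd in ns.iter("complex_command"):
            label = f"{ns.get('name')} {cmd.findtext('name', '').strip()}"
            declared = {a.get("name") for a in cmd.iter("argument")}
            stored, used = set(), set()
            for inv in cmd.iter("command_invocation"):
                call = inv.findtext("name", "").strip()
                text = (inv.findtext("input") or "").strip()
                for ph in PLACEHOLDER.findall(text):
                    used.add(ph)
                    if ph not in declared:
                        findings.append(f"{label}: ${ph}$ in {call} is not a declared argument")
                if call == "setTargetObject" and text and text not in stored:
                    findings.append(f"{label}: setTargetObject '{text}' has no earlier store_result")
                stored.update((r.text or "").strip() for r in inv.iterfind("store_result/name"))
            for arg in sorted(declared - used):
                findings.append(f"{label}: argument '{arg}' is declared but never used")
    return findings

def match_command(xml_text, typed):
    """Return (exact, suggestion); suggestion is a defined name that differs only in case."""
    names = [c.findtext("name", "").strip() for c in ET.fromstring(xml_text).iter("complex_command")]
    if typed in names:
        return True, typed
    close = [n for n in names if n.lower() == typed.lower()]
    return False, (close[0] if close else None)

# Constructed, abbreviated definition: the input was renamed to $unixProp$ but the argument was not.
SAMPLE = """<command_inventory><name_space name="RBACRole">
<complex_command command_id="constructed-0001"><name>createRoleWithUnixPropertyMap</name>
<argument_list><argument name="roleName">java.lang.String</argument>
<argument name="unixUser">java.lang.String</argument></argument_list>
<commands_to_execute>
<command_invocation><namespace_ref>RBACRole</namespace_ref><name>createInstance</name><input/><store_result><name>role</name></store_result></command_invocation>
<command_invocation><namespace_ref>Utility</namespace_ref><name>setTargetObject</name><input>role</input></command_invocation>
<command_invocation><namespace_ref>RBACRole</namespace_ref><name>setName</name><input>$roleName$</input></command_invocation>
<command_invocation><namespace_ref>AgentAcl</namespace_ref><name>setUserMapServerPropertyName</name><input>$unixProp$ 2</input></command_invocation>
</commands_to_execute></complex_command></name_space></command_inventory>"""

if __name__ == "__main__":
    print("\n".join(lint_inventory(SAMPLE)))
```
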

                • 7. Re: Include a value in a role -> Agent ACL -> Windows -> Use Property
                  Kate Fell

                  Hi Bill, I am doing the same thing on 8.2, the windows one works great but I am having some issues with the Unix side of things... I need to be able to map both Unix and Windows to a property via blcli during the creation of the accounts..

                  The error I get with Unix is:

                  Command execution failed. com.bladelogic.om.infra.mfw.util.BlException: java.lang.NullPointerException

                  • 8. Re: Include a value in a role -> Agent ACL -> Windows -> Use Property
                    Bill Robinson

                    what command are you using to try and set the unix role to use a property map ?

                    • 9. Re: Include a value in a role -> Agent ACL -> Windows -> Use Property
                      Kate Fell

                      blcli_execute RBACRole createRoleWithUnixPropertyMap Test2 "" "8" "" "_ADMIN_ACCOUNT"

                      • 10. Re: Include a value in a role -> Agent ACL -> Windows -> Use Property
                        Bill Robinson

                        I lifted the below from a script that creates roles based on a bunch of input.  That’s all the blcli you’d need to run to create a role w/ a unix property map, or user map, and a windows property map or user map.

                         

                        # Create the role, then load it and its agent ACL as named objects
                        blcli_execute RBACRole createRole "${syncRoleName}" "${syncRoleName}"

                        blcli_execute RBACRole findByName "${syncRoleName}"
                        blcli_execute Utility storeTargetObject rbacRole
                        blcli_execute RBACRole getAgentAcl
                        blcli_execute Utility setTargetObject
                        blcli_execute Utility storeTargetObject agentAcl
                        blcli_execute AgentAcl setFlags "${myRoleFlags}"

                        # Windows mapping (OS selector 1): server property or fixed user
                        if [[ "${myRoleWinUPMType}" = "property" ]]
                        then
                            blcli_execute AgentAcl setServerPropertyUsed true 1
                            # OS selector added to match the XML definition earlier in the thread
                            blcli_execute AgentAcl setUserMapServerPropertyName "${myRoleWinUPM}" 1
                        elif [[ "${myRoleWinUPMType}" = "user" ]]
                        then
                            blcli_execute AgentAcl setUserEquivalancy "${myRoleWinUPM}" 1
                        fi

                        # Unix mapping (OS selector 2): server property or fixed user
                        if [[ "${myRoleUnixUPMType}" = "property" ]]
                        then
                            blcli_execute AgentAcl setServerPropertyUsed true 2
                            # OS selector added to match the XML definition earlier in the thread
                            blcli_execute AgentAcl setUserMapServerPropertyName "${myRoleUnixUPM}" 2
                        elif [[ "${myRoleUnixUPMType}" = "user" ]]
                        then
                            blcli_execute AgentAcl setUserEquivalancy "${myRoleUnixUPM}" 2
                        fi

                        # Switch back to the role and save the modified ACL
                        blcli_execute Utility setTargetObject rbacRole
                        blcli_execute RBACRole update NAMED_OBJECT=rbacRole