9 Replies Latest reply on Jul 23, 2012 1:27 PM by Bill Robinson

    Root Equivalency Use Case Scenario

      Hi all,


      I'm installing BladeLogic Server Automation for the first time with a customer. One step of the installation of the ApplicationServer+RSCDAgent+NSH asks me to define root equivalency.

      I really don't get the meaning of it in BL. I read documentation and attended Foundations Course Part 2, but still it is not clear to me the meaning of this feature.


      Could you gently provide me a use case scenario in which root equivalency is useful?



        • 1. Root Equivalency Use Case Scenario
          Jim Wilson



          Take a look at the Root equivalency explanation here:




          Thanks & Regards,


          • 2. Root Equivalency Use Case Scenario

            That's exactly the explanation I didn't get

            My problem is: when do I need root equivalency?

            • 3. Root Equivalency Use Case Scenario
              Ashitosh Wagh

              Hi Stefano,


              Take a use case: to execute an NSH script which runs on the client and does things which are only allowed to the root user.


              So, if you want to do things on the client and the root equivalency configuration is not done, then you will get failures.




              • 4. Root Equivalency Use Case Scenario

                Maybe I've found the answer myself. This is the explanation of root equivalency given during RSCD agent installation:

                By default the RSCD Agent does not give root permissions to
                root clients. To be able to perform some functions, such as
                remotely updating configuration files and/or installing software,
                you will need to have root privileges. If you would like, the
                Install script can now setup an initial host from which the root
                user will have root privileges (called root equivalency) on this
                host giving you an initial root privileged entry point.


                Root client mentioned here is the application server? Does that mean that if I don't set up root equivalency, BSA Server will never be able to install software nor modify configurations on my RSCD Agent machine?

                • 5. Root Equivalency Use Case Scenario
                  Bill Robinson

                  BladeLogic maps incoming connections to the RSCD agent to local users on the system the agent is running on.  it determines these mappings by looking at the exports, users and users.local files in the 'rsc' folder.  you can make this very open - * rw,user=root in exports - which would map anyone connecting w/ a nsh client to root on the target - or very restrictive ROLE:USER rw,map=root - in the users / users.local.


                  all permissions are handled by ROLE in bsa, so other than allowing the appserver to connect and do an initial creation of the ACL files, all connections from the appserver should send across the role and user of the person trying to act on the target and those actions would be mapped to a local user. 


                  for most actions against a target - like patching, compliance checking, etc you need to be root.


                  during the initial install it asks you to setup a mapping so that you will be able to do the initial acl push to the target, after that the role mappings will take precedence over the host mapping that was initially setup.
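
Added example, not part of the post above and not BMC's own tooling: a small audit that reads the contents of an agent's `exports` or `users` / `users.local` file and reports lines that map connections to root, separating the wide-open `*` host mapping from narrower ones. It handles only the two line shapes quoted in the post; the `#` comment handling, the field layout and all sample host, role and user names are assumptions.

```python
# Added example: audits only the two line shapes quoted in the post above.
# Assumptions (not from the thread): '#' starts a comment; the first
# whitespace-separated field is the host pattern (exports) or ROLE:USER (users).

def parse_line(line):
    """Return (subject, options) or None for a blank or comment line."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    fields = line.split(None, 1)
    opts = {}
    if len(fields) > 1:
        for item in fields[1].replace(" ", "").split(","):
            if item:
                key, _, value = item.partition("=")
                opts[key] = value or True
    return fields[0], opts


def audit(text, kind):
    """kind is 'exports' or 'users'; returns (lineno, severity, reason) tuples."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parsed = parse_line(raw)
        if parsed is None:
            continue
        subject, opts = parsed
        # Both spellings from the post: user=root (exports), map=root (users).
        if "root" not in (opts.get("user"), opts.get("map")):
            continue
        if kind == "exports" and subject == "*":
            findings.append((lineno, "high", "every connecting host is mapped to root"))
        else:
            findings.append((lineno, "review", f"{subject} is mapped to root"))
    return findings


# Constructed sample contents; host, role and user names are hypothetical.
SAMPLE_EXPORTS = "# wide open\n*  rw,user=root\nappserver01  rw,user=root\n"
SAMPLE_USERS = "BLAdmins:BLAdmin  rw,map=root\nOperators:alice  rw\n"

if __name__ == "__main__":
    for kind, text in (("exports", SAMPLE_EXPORTS), ("users", SAMPLE_USERS)):
        for lineno, severity, reason in audit(text, kind):
            print(f"{kind}:{lineno}: [{severity}] {reason}")
```
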

                  • 6. Root Equivalency Use Case Scenario


                    thanks for your explanation. It made the whole scenario much clearer.

                    So, if I'm installing BSA AppServ on a Linux box, I need to install RSCD Agent to enable communication with the file server, and I can simply modify the exports to allow only BLAdmin to be able to make config changes and apply patches on my BSA Server.


                    Thank you again,


                    • 7. Root Equivalency Use Case Scenario
                      Bill Robinson

                      NSH is part of the appserver install and it is what talks to the file server agent, not RSCD.


                      is your file server on your appserver or on another system?

                      • 8. Root Equivalency Use Case Scenario

                        It's on the appserver.

                        • 9. Root Equivalency Use Case Scenario
                          Bill Robinson

                          so this is a special case.

                          typically we recommend that you use the agent on the file server for only managing the file server files. to do this you don't want to map everyone to root. you want to map everyone (actually just all connections from the appserver) to a non-privileged account that owns all the file server files. if you map only a few roles to root and everyone else to some other account you will have file permission problems on the back end if in the front end the roles can share content. if you map everyone to root on the file server agent, then anyone can do stuff to the file server OS.

                          so if you need to both have a system be the file server agent and manage the OS of that system you need to install two RSCD agents on that host, one for the file server and one to manage the OS.


                          i will try and pm you a pdf that describes how to setup multiple agents on a single host.