3 Replies Latest reply on May 6, 2013 1:13 AM by Ravi Prakash Polumuru

    How does the "ACL Push Job" work ?

    Ravi Prakash Polumuru

      Hi all,


      I want to understand how the "ACL Push Job" works.


      Here is what we know,


      The users file is automatically generated by the Configuration Manager RBAC console.

      The users file gets replaced on the server/s.


      Questions :


      How does the format get generated for the Agent ACL Preview / what file is used to get the format for the Agent ACL Preview?

      Where does it get the info about the NSH-only ACLs ?

        • 1. Re: How does the "ACL Push Job" work ?

          1. No file is used to get the format of the file seen in Agent ACL Preview.  It is BMC's file and they decided on the format.  So, the code just generates the correct format of the file every time, and the file you see in the Agent ACL Preview is what gets created and pushed to the agent.


          2. To generate the details in the file, the Application Server does a union of the authorizations on any Components for the server and the authorizations on the server itself to determine which roles are included in the file.  And to determine which local user to map roles to in the file, it checks the configuration of the role, which will either give it an explicit username or a server property to use.  If it is a server property, it resolves the property to a username.


          3. To determine which users have an "NSH-only" entry in the file, the Application Server first finds all of the users associated to the roles that have access (#2).  Then it checks the "Default Network Shell Role" configuration option of the user, available in RBAC, and if the role configured for that option matches any of the roles that have access to the server (#2 again), it adds an "NSH-only" reference in the users file.
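
The selection logic described in points 2 and 3 above, as an added example that is not part of the original reply and is not BMC's code. It models only which roles map to which local user and which users get an "NSH-only" entry; it does not reproduce the users file format, and every role, user and property name in it is constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Role:
    name: str
    members: frozenset                    # RBAC users in the role
    explicit_user: Optional[str] = None   # mapping given as a fixed local username...
    user_property: Optional[str] = None   # ...or as a server property to resolve

def roles_with_access(server_roles, component_roles):
    """Point 2: union of authorizations on the server and on its components."""
    granted = set(server_roles)
    for roles in component_roles.values():
        granted |= set(roles)
    return granted

def local_user_for(role, server_props):
    """Point 2: use the explicit username, else resolve the server property."""
    if role.explicit_user:
        return role.explicit_user
    if role.user_property not in server_props:
        raise ValueError(f"role {role.name}: property {role.user_property!r} not set")
    return server_props[role.user_property]

def build_acl_model(server_roles, component_roles, server_props, rbac_roles, default_nsh_role):
    """Return (role -> local user, sorted users that get an NSH-only entry)."""
    granted = roles_with_access(server_roles, component_roles)
    mapping = {r: local_user_for(rbac_roles[r], server_props) for r in sorted(granted)}
    # Point 3: users of the granted roles whose default NSH role is itself granted.
    users = set().union(*(rbac_roles[r].members for r in granted))
    nsh_only = sorted(u for u in users if default_nsh_role.get(u) in granted)
    return mapping, nsh_only

# Constructed sample data (hypothetical roles, users and server property).
RBAC_ROLES = {
    "WebAdmins": Role("WebAdmins", frozenset({"alice", "bob"}), explicit_user="root"),
    "DBOps": Role("DBOps", frozenset({"carol"}), user_property="DB_LOCAL_USER"),
    "Auditors": Role("Auditors", frozenset({"dave"}), explicit_user="nobody"),
}
DEFAULT_NSH_ROLE = {"alice": "WebAdmins", "bob": "Auditors", "carol": "DBOps"}

def demo():
    return build_acl_model({"WebAdmins"}, {"oracle-instance": {"DBOps"}},
                           {"DB_LOCAL_USER": "oracle"}, RBAC_ROLES, DEFAULT_NSH_ROLE)

if __name__ == "__main__":
    print(demo())
```

In the sample, bob belongs to a role with access but his default Network Shell role (Auditors) has none on this server, so he gets no NSH-only entry, which is the case worth checking when reviewing a preview.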

          • 2. Re: How does the "ACL Push Job" work ?



            You are correct in your understanding.

            Whenever an ACL push action is performed on a server,

            the Server Permissions are taken into account, as in which all roles have got what permissions/authorizations on the Server object, together with permissions on any Components discovered for that server.

            The user file content is generated using this information and the ROLE information from the RBAC configuration.

            The ROLE information contains all the users which are in that specific role and the user mapping or automation principal.

            For NSH, the NSH command-related permissions from the role are used.


            There isn't any file / temp file generated behind the scenes as far as I know.

            The appserver ACL push code does this and then, using the RSCD daemon on the agent and rscd, it writes the users file on the remote agent.

            1 of 1 people found this helpful
            • 3. Re: How does the "ACL Push Job" work ?
              Ravi Prakash Polumuru

              Thanks for your Answers Tim & Rohit.