It does not matter whether it is just Permissions or Authorizations encapsulated within ACL Policies; all applied Authorizations should get deployed when you run the ACL Push Job.
Ok...that was my understanding.
So, now the question is why are the policies not getting pushed.
Are you getting any error for ACL push Job?
If the job is successful and not getting applied, then send the below info so I can find out the reason:
- Screenshot of permission tab of Server (Access Control List and ACL Policy)
- ACL Policy Screenshot
- RSCD log file
- Export and User.local file.
Also, might sound like an obvious question but does the role/s contain the authorisations defined in the ACL Policy?
When you say the ACL policies aren't being pushed, you mean that a server object has an ACL policy associated with it, the ACL policy contains a role and permissions for Server objects and that should result in an entry in the users file, but you don't see that pushed to the system?
Correct. The policy contains roles and authorizations for server objects. I need to correct one thing from my original statement. The authorizations do seem to get pushed to the server through the Administration Task "Agent ACLs" command. They are not being pushed when the ACL push job runs each night. I have tried recreating the job (several times) with no change in behavior. The job, however, reports that the ACLs were pushed successfully, but when I look at the /etc/rsc/users file on the server, I don't see any of the authorizations that are part of policies. Only authorizations explicitly applied to the server object (on the Access Control List tab of the permissions view). This doesn't happen for ALL servers, it seems isolated to a few servers.
I did just notice that, on the servers in question, the /etc/rsc/exports file had this entry:
which seems to be the norm on all our other servers.
Could this have any effect?
The exports file is used to lock down connections to specific servers. A typical exports entry would look like this:
* rw (Allow connections from any server and give read/write access)
* ro (Allow connections from any server and give read only access)
appserver1 ro (Only accept connections from appserver1, appserver2, etc and give read only access)
Then the users and users.local files are used to give further permissions to specific roles and users. Having your exports file entry as (* rw,map=root) is a bad practice in my opinion. You are giving connection access to any server and mapping them to root (full admin access), which overrides your users and users.local files.
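A small audit for the pattern described in the post above, as an added example that is not part of the original thread or of the product: it scans exports-style text and reports every entry that maps connections to root, marking wildcard hosts separately. The function names, the `#` comment handling, the "any-host"/"single-host" labels and the sample file are assumptions constructed for illustration; the entry layout (host, then comma-separated options) follows the entries quoted in this thread.

```python
# Added example: flag exports entries that map incoming connections to root.
# Assumed layout, based on the entries quoted in the thread:
#   <host> <option>[,<option>...]   e.g.  "* rw,map=root"

# Constructed sample input; not taken from any real server.
SAMPLE_EXPORTS = """\
# constructed sample exports file
*            rw,map=root
appserver1   ro
*            ro
"""


def parse_exports(text):
    """Return a list of (line_number, host, options) for each entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if not line:
            continue
        host, _, rest = line.partition(" ")
        options = {}
        # Tolerate "rw, map=root" as well as "rw,map=root".
        for token in rest.replace(" ", "").replace("\t", "").split(","):
            if token:
                key, _, value = token.partition("=")
                options[key.lower()] = value.lower()
        entries.append((lineno, host, options))
    return entries


def audit(text):
    """Return (line_number, host, scope) for every entry with map=root.

    scope is "any-host" for a wildcard entry (the case called bad practice
    in the post above) and "single-host" for a named host.
    """
    findings = []
    for lineno, host, options in parse_exports(text):
        if options.get("map") == "root":
            scope = "any-host" if host == "*" else "single-host"
            findings.append((lineno, host, scope))
    return findings


if __name__ == "__main__":
    for lineno, host, scope in audit(SAMPLE_EXPORTS):
        print(f"line {lineno}: {host} is mapped to root ({scope})")
```
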
What's in the users and users.local files on the boxes in question?
Also, can you export the job run log for the ACL push and note the servers that are not working? It's possible the job is failing and not showing correct status.
Did this get resolved?
If so, please can you update the discussion thread with details so that it can be marked as answered.
Thanks & Regards,
Jim (Forum Manager/Facilitator)