    Using BSA to manage users accounts


      Anyone using BSA to manage user accounts on target servers?


      Use-cases I see are:

      • Creating users
      • Modify users
      • Delete users
      • Update user passwords


      Even though BSA isn't an Identity Management solution, it has some of the features built in. Can you share how BSA helps with user account management?



        Re: Using BSA to manage users accounts
          Siddu angadi

          Hi Jesper,


          Yes, you can do all those things very easily in BladeLogic.


          BBSA provides out-of-the-box Local User and Local Group objects. To access these, live browse any Windows box and look for these objects.


          From there you can take a snapshot and create a standard single package to carry out user management tasks.




          Re: Using BSA to manage users accounts

            Yes, I know this can all be achieved; what I'm looking for is experience in how this is used in practice. Do we have anyone using the property dictionary to store usernames and passwords, for example, like a password vault solution, or is that stretching the usage of BSA?

            Re: Using BSA to manage users accounts
              Siddu angadi

              Hi Jesper,


              It depends on the requirement.


              You can create a custom property class and associate instances. To store the password, use the encrypted string type.


              Either refer to these instances at run time or refer it to the target object.




              Re: Using BSA to manage users accounts

                I got a little more information about the use-case. How would you use BSA as a password vault? Let's say you use a Server Property to store user names and encrypted passwords. What if you need to retrieve a password in clear text (for example, if you have lost connection to the server and need to log on to the server through a physical console)? How can this be done in a secure way? Can you use blcli to retrieve the password in clear text?

                Re: Using BSA to manage users accounts
                  Siddu angadi

                  Hi Jesper,


                  Here you go: if you set the Property Dictionary to store the password as encrypted, BladeLogic will decrypt it and run the command. This will display as a clear text string in the log file. Also, you can use the blcli command to retrieve the password in clear text.


                  To avoid all of these security concerns, follow the steps below:


                  1. Use a proper RBAC model to lock down the property class (where the password is stored), so that it should be accessible only to the right users.


                  2. BMC has provided a patch to echo off the password from the command line within a BLPackage. Apply that patch based on your version of BladeLogic. Again, if the user puts @ECHO ON, the password will be displayed in clear text.


                  3. Do not use the NSHScript to manage the user account. I believe you cannot use the Decrypt command unless you have enabled it.


                  4. This is the best option, if you integrate any third-party encryption utility.






                  Re: Using BSA to manage users accounts

                    I don't think I understand exactly what you mean here. Can you give an example of paragraph 2?

                    Re: Using BSA to manage users accounts
                      Esam Eid

                      You can write the commands in a text file, then use a File Deploy Job to move it to the target servers; finally, in the advanced options you can run your commands from the post command, for example ./tmp/blade/commandXXX