Limiting "root" access

Setting up domain security, creating service accounts and native identities. Also topics involving the workflow approval process.

Moderator: xonaadmin

Post by xonaadmin » Wed Apr 09, 2014 8:34 am

Re-posted from a support call...

I need to run a command as root, but I don't want the whole workflow to run as root. I need to limit that to just one step.
xonaadmin

Re: Limiting "root" access

Post by xonaadmin » Wed Apr 09, 2014 8:40 am

In Situate, this is quite easy...

1. Create a service account for the "root" user and add the native identities for the sets of computers as necessary.

2. Adjust the ACL on the root user. Using the right mouse, select "Object Security". Set the "write" and "execute" permissions to a very small set of users. One of these users will have to approve any workflows that run as this user.

3. In your workflow, select the steps that need to run as root. Then, use the right mouse and create a "Substitute User" group.

4. Right mouse on the group and select the "Run as" to be the "root" service account.

Now, the workflow will only run this small subset of tasks as the privileged user.

Best practices in security are that only those tasks that absolutely "NEED" to run as the privileged user run as the privileged user. The substitute user group task allows you to maintain this fine granularity.

Note: Steps 1 and 2 need only be performed once.
xonaadmin
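
The effect of the four steps in the post above, modelled as an added example that is not part of the original post and is not Situate's own code, file format or API. The class names, the `plan` and `privileged_steps` functions, the users `alice`, `bob` and `deploy`, and the rule that an approver must be on the account's ACL are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical data model for illustration; not Situate's file format or API.
@dataclass(frozen=True)
class ServiceAccount:
    name: str
    execute_acl: frozenset      # users granted "execute" on the account (step 2)

@dataclass
class Step:
    name: str

@dataclass
class SubstituteUserGroup:
    run_as: ServiceAccount      # the group's "Run as" setting (step 4)
    steps: list                 # only these steps get the privileged identity (step 3)

@dataclass
class Workflow:
    owner: str
    items: list                 # Step or SubstituteUserGroup, in execution order
    approved_by: set = field(default_factory=set)

def plan(wf):
    """Return [(step name, effective user)]; refuse unapproved privileged groups."""
    result = []
    for item in wf.items:
        if isinstance(item, SubstituteUserGroup):
            acct = item.run_as
            # Assumption: approval must come from a user on the account's ACL.
            if not (wf.approved_by & acct.execute_acl):
                raise PermissionError(f"no ACL member approved run-as {acct.name}")
            result += [(s.name, acct.name) for s in item.steps]
        else:
            result.append((item.name, wf.owner))
    return result

def privileged_steps(wf, account_name="root"):
    """Steps a reviewer must scrutinise: everything that runs as the account."""
    return [name for name, user in plan(wf) if user == account_name]

# Constructed sample: three steps, only the install needs root.
ROOT = ServiceAccount("root", frozenset({"alice", "bob"}))
def sample(approvers=()):
    return Workflow("deploy", [Step("fetch package"),
                               SubstituteUserGroup(ROOT, [Step("install package")]),
                               Step("smoke test")], set(approvers))

if __name__ == "__main__":
    for name, user in plan(sample({"alice"})):
        print(f"{user:>6}  {name}")
```

The list returned by `privileged_steps` is what an approver should be asked to read before signing off: the shorter it is, the less runs with the privileged identity.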

