Excluding IPs from Discovery credential

Jbelter · ‎08-02-2023

Hi all,

I am trying to determine how I can remove the use of a credential for particular IPs. We have databases that don't have the ServiceNow MID Server service account on them, however we still want to discover them. I am trying to find a way where we could stop discovery from using the MID Server service account credentials for these databases, while still discovering them (I know this will bring in less data for these CIs due to the lack of credentials in the exploration phase). We are getting tons of errors on the database server for failed log in attempts, and would like to avoid this.

Harsh Vardhan · ‎08-02-2023

Hi @jbel ; Have you tried using credential alias ? If not please try it.

Without credential aliases, Discovery schedules can access all credentials that are defined in the instance. This behavior might not be desirable in some circumstances, particularly for credentials with elevated privileges. Credential aliases provide more control over which credentials a Discovery schedule is allowed to use and prevents the unnecessary exposure of credentials with elevated privileges.

Reference:

Credential aliases for Discovery

Thanks,

Harsh

Jbelter · ‎08-02-2023

I definitely see the value here, but it doesn't quite fit my use case. The databases that we are bringing in are scattered across different subnets, so if it is possible to define a specific IP address that could be excluded from a particular credential (like the opposite of credential affinities) that would be ideal. If this is not possible, then we would probably exclude these IPs from the IP range and then create a new schedule that has no credentials attached to it.

pratiksha5 · ‎08-02-2023

You can try creating a schedule using some specific mid-server for those IPs. The credentials which you want to use for some of the databases should be accessible from the mid-server only.

OR create a global exclusion list. That will be applicable to all the schedules.