Discovery - Windows Credential Permissions to function
04-12-2017 07:34 AM
Hey everyone! I had a question on what the minimal permissions are that Discovery needs to gather data on Windows devices. We are using CyberArk as an external storage and the security team refuses to provide the permissions that ServiceNow recommends. I wanted to check with the community and see if I might have missed something on minimal requirements for Discovery to find CIs for the CMDB.
- A domain administrator.
- A domain user with local administrator access on the target Windows hosts.
- A user who meets the requirements of Discovery Windows probes and permissions (Discovery only).
- A user who meets the requirements of the Orchestration activity to be run (Orchestration only).
05-23-2017 12:30 PM
Hi, did you get a chance to consolidate the credential permissions? If yes, please let us know. We had a similar situation and are waiting for access permissions. Thanks!
06-15-2017 08:12 AM
Hey,
Sorry for the late reply, but we ended up integrating CyberArk in ServiceNow. This cut a ton of credential gathering from teams for servers. I think we are focusing on phase 1 discovery with servers. The next step would be laptops, printers and other IP devices. Please feel free to reach out.
I am working with our security team and we are using namespaces to limit the access the probe has to other folders on the server. Let me know if you want this information and I can post it later.
06-15-2017 08:43 AM
I would certainly be interested in those details!
I know about integrating external credentials (and am aware of the steps to enable CyberArk)... but to have the low-down from someone with hands-on experience would be very informative, thanks!

05-24-2017 07:52 AM
Same situation here as well. Service accounts are not allowed interactive logon privileges (Windows devices). For AIX, rlogin is set as false for the account in use. It seems that because of these restrictions on service accounts, the credentials test keeps on failing. With all the listed security-related restrictions, is there any other way to authenticate?
Also, is there any document which outlines what minimal permissions are required for Discovery to run? The ServiceNow Wiki seems to be more oriented towards commands that probes are going to run, but practically that doesn't give a concise view when going into permissions-related discussions with stakeholders.
06-02-2017 07:42 AM
Hi Rodelio,
As mentioned in other posts, "A domain user with local administrator access on the target Windows hosts" is what you are looking for in order to gather all information from your Windows machines. However, if you want to be extremely specific and not collect on all data points, then you can find below a wiki post to all the commands run against devices. This will give you the ability to create an account allowing those specific commands.
My recommendation is to create a local domain admin account to reduce complexity and frustration.