Why are Admin rights needed for Discovery Credentials?

John Gilaspy · ‎12-14-2016

I have a client that is pushing back on granting the Discovery account administrative rights on certain devices. Can anyone speak to why admin rights are needed, versus a monitor or read-only rights?

anthonybarghout · ‎12-14-2016

Discovery will use various commands to gather Hardware, Software, Application data etc. those commands and the permission needed is a policy\restriction placed by the Operating system. Linux\Unix commands can run with a non-elevated account, but the return information will be limited and not much value. Most customer will create an account and grant permission to the specific commands in discovery through the sudoers files. On the Windows side, it will need a service account with admin level permission on the target endpoint. some customer grant domain admin permission, and others have a domain user with local admin access on the target.

hope this helps.

JBark · ‎12-14-2016

Anthony is correct, when we rolled out Discovery, the biggest push back about admin rights I encountered was with ESX Vcenter, but the results afterwards were impressive

Discovery isn't cheap, let the powers that be know they wasted their money and point them in the appropriate direction. You shouldn't have a issue after that

John Gilaspy · ‎12-14-2016

Jeff and Anthony, thanks for responding. We're at the point where SAN is the only issue, as the devices we're trying to discover need CimIQL, and they're worried about what queries the admin account will have access to.

JBark · ‎12-14-2016

Hey John,

We did not have any luck getting data directly from our SAN infrastructure and I had good buy in from our SAN Admins, but we never could get CIM to work. We did get quite a bit of useful SAN information from the Vcenter and Server Discoveries. Good Luck!