07-09-2021 12:05 PM
I am looking for a straightforward answer to this that I can provide my Security team. We initially implemented PowerShell JEA enabled Discovery last fall since, understandably, they were hesitant with granting the admin access to 500+ servers if there were other ways to make it work. Discovery has been working great but we are now looking to do the final phase of Service Mapping. From my training with SM fundamentals and implementation courses, there is no such workaround for JEA or something else. From my best understanding, it needs local admin access, as opposed to what JEA currently does for Discovery, to read data from whatever the determined identification rule is such as a config file. Is that correct?

07-09-2021 08:02 PM
Admin access is the ideal way to run smooth discovery. If not, it's very cumbersome to give such atomic access so that WMI queries, registry entries, etc. can be accessed.
Also need read write access on $ADMIN Share - on a Windows machine, but Full 'Read & execute' Access and 'Write' access only on $admin share. Regarding admin share both read/write access would be required as some probes run commands and redirect the output to the admin share which is then read by Discovery. This temporary file then gets deleted by one of the discovery probes which runs on the target machine.
Full list is below - If Windows team can grant such atomic permissions which can fulfill below list- which is not.
This is why we need ADMIN Permission on host.
Regards
RP
07-09-2021 05:23 PM
Are you able to download this PDF - https://www.servicenow.com/content/dam/servicenow-assets/public/en-us/doc-type/resource-center/white-paper/wp-itom-visibility-security-overview.pdf
It covers the security around ITOM Visibility (discovery & service mapping).

07-12-2021 11:31 AM
Thanks for this info and explanation.
09-17-2021 08:40 AM
Hi Leonard,
I am in the exact same struggle here... We have JEA implemented and discovery seems to be working well! However now that our CMDB is populated with good server and network hardware data, the next step is Service Mapping which consistently fails with the JEA rights... Did you ever find a solution to using Service Mapping with JEA? Or is the answer simply that local admin rights are required on the target devices?
Thanks,
- Derek