07-09-2021 12:05 PM
I am looking for a straightforward answer to this that I can provide my Security team. We initially implemented PowerShell JEA-enabled Discovery last fall since, understandably, they were hesitant about granting admin access to 500+ servers if there were other ways to make it work. Discovery has been working great, but we are now looking to do the final phase of Service Mapping. From my training with SM fundamentals and implementation courses, there is no such workaround for JEA or something else. From my best understanding, it needs local admin access, as opposed to what JEA currently does for Discovery, to read data from whatever the determined identification rule is, such as a config file. Is that correct?
Labels: Discovery, Service Mapping

07-09-2021 08:02 PM
Admin access is the ideal way to run smooth discovery. If not, it's very cumbersome to give such atomic access so that WMI queries, registry entries, etc. can be accessed.
Also need read/write access on the $ADMIN share on a Windows machine, but full 'Read & execute' access and 'Write' access only on the $admin share. Regarding the admin share, both read and write access would be required, as some probes run commands and redirect the output to the admin share, which is then read by Discovery. This temporary file then gets deleted by one of the Discovery probes, which runs on the target machine.
Full list is below - if the Windows team can grant such atomic permissions which can fulfill the below list - which is not.
This is why we need ADMIN Permission on host.
Regards
RP
09-17-2021 09:24 AM
Unfortunately, not. The primary problem is that JEA would not be able to access the actual file system to read data from anything that needs admin rights. We ended up having to iron everything out with our Security Team and ServiceNow reps over documentation on different security-related processes. We ended up just getting rid of JEA since we created a designated Service Account for all 3 of our instances and sub-prod. The security team then put logging in place around the accounts with our tool.
09-17-2021 09:29 AM
What a bummer... we spent so much time and effort getting JEA going! Thanks for this post!
06-11-2024 08:03 PM
Hi @leonard_gilbert,
I know I am responding quite late, but just for info, I have implemented Service Mapping recently using JEA and it is working fine.
06-12-2024 08:20 AM
Could you please explain how you made this work? Since JEA has limitations probing into Citrix delivery controllers using JEA, how did you work on getting those permissions with JEA? Or did you implement Service Mapping on web applications only?
06-12-2024 07:19 PM
Hi @kironk,
I have implemented it on web applications only.
I will update further for Citrix delivery controllers.