Closed BassieZ closed 3 years ago
Great question BassieZ!
I am also in a very similar boat.
I want to restrict the permissions of the account used in my scripts; however, unlike BassieZ, I don't mind having to enter MFA codes, as my scripts are run on a manual basis. I just want to limit any damage my scripts could cause if I make a slip-up with a loop or if they are edited by a colleague.
At the moment I'm struggling to find out what is needed to be able to run the Compare-AutomateControlStatus function as I keep getting the below error.
If I run the script using my normal account with LTAdmin access I do not have the issue.
I hope this doesn't come across as me stealing from your original post; our issues are so alike that I didn't want to make another issue thread.
If Gavsto knows what permissions we need to set to run the PowerShell API functions and could let us know that would be amazing!
You must be a full admin, as the module is working with the Automate extension in Control and it requires full admin rights. CTaylor has a module that doesn't use the Automate extension and can be used with lower permission levels.
Darren
If you use the API token, you don't need to create any additional Control users.
Darren

-------- Original message --------
From: BassieZ
Date: 3/22/21 2:35 AM (GMT-08:00)
Subject: [gavsto/AutomateAPI] Required Permissions (#61)

Hi Gavsto,
Great work! Very useful to integrate Control a bit better in Automate. I'm scripting some checks now so I can monitor them. Starting with this in PowerShell, it will ease the login procedure to automate the functions. If running from Automate Script, you can even set the login details in Automate and pass them as a variable to the script.

    # Build a PSCredential from the account name and password
    $Pass = ConvertTo-SecureString '(Password)' -AsPlainText -Force
    $Cred = New-Object System.Management.Automation.PSCredential ("(User)", $Pass)
    Import-Module AutomateAPI
    # Sign in to Automate, then to Control, with the same credential
    Connect-AutomateAPI -clientid '(clientid)' -server '(Automate URL)' -Credential $Cred
    Connect-ControlAPI -credential $cred -Server '(Control URL)'

But now the big question: Say I want to make a service account in both Automate and Control to use it in the script. What are the minimum permissions required to accomplish this? Because I want to script this, I don't want it to use MFA. So my only option seems like to check the Integrator Checkbox in Automate. However, this account needs to be Super Admin to be able to access computers. So a Super admin with this username and password permissions without MFA is not the best choice. Any advice? Same is for Control. But it seems like the Control user can be limited to view only.
Closing as answered
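An added example, not part of the thread or of the AutomateAPI project: one way to keep the service-account password out of the script text in the connection snippet from the original post. It assumes Windows, where Export-Clixml protects the stored password with DPAPI for the current user on the current machine; `Get-StoredCredential` and `$CredPath` are hypothetical names.

```powershell
# Added example (not from the thread). Assumption: Windows, so the SecureString
# written by Export-Clixml is DPAPI-protected and can only be read back by the
# same user on the same machine. $CredPath and Get-StoredCredential are
# hypothetical names chosen for this example.
$CredPath = Join-Path $env:LOCALAPPDATA 'AutomateAPI\svc-cred.xml'

function Get-StoredCredential {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        # First run only: prompt interactively, then persist the protected form.
        $dir = Split-Path -Parent $Path
        New-Item -ItemType Directory -Path $dir -Force | Out-Null
        Get-Credential -Message 'Service account for Automate/Control' |
            Export-Clixml -LiteralPath $Path
    }

    # Import-Clixml fails here if the file was written by another user or host.
    $cred = Import-Clixml -LiteralPath $Path
    if ($cred -isnot [System.Management.Automation.PSCredential]) {
        throw "File '$Path' does not contain a PSCredential."
    }
    return $cred
}

$Cred = Get-StoredCredential -Path $CredPath

Import-Module AutomateAPI
# Same calls as in the original post, without a password literal in the script.
Connect-AutomateAPI -clientid '(clientid)' -server '(Automate URL)' -Credential $Cred
Connect-ControlAPI -credential $Cred -Server '(Control URL)'
```

This changes only where the password is stored; the account still holds whatever rights it was given in Automate and Control.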