Run As Accounts and Run As Profiles in Operations Manager 2007

Applies To: Operations Manager 2007 R2, Operations Manager 2007 SP1

Rules, tasks, monitors, and discoveries defined in a management pack require credentials to run on a targeted computer. By default, rules, tasks, monitors, and discoveries run using the default action account for the agent or server. For example, if the action is run on an agent, the credentials used for the action will come from the agent action account. For more information about the action account, see Account Information for Operations Manager 2007 in this guide.

Run As accounts and Run As profiles allow you to run different rules, tasks, monitors, or discoveries under different accounts on different computers. Management packs no longer share the same identity and therefore allow you to use a low privilege account as your action account. Run As accounts support the following account types:

  • Windows - Windows credentials, for example, domain\user name, or user name@FullyQualifiedDomainName, and the associated password

  • Community String - SNMP version 2 community string

  • Basic Authentication - standard basic Web authentication

  • Simple Authentication - any generic user name and password combination, for example, Web form, SQL authentication, or anything else that accepts user name and password

  • Digest Authentication - standard digest Web authentication

  • Binary Authentication - user-defined authentication

  • Action account - Windows credential that can only be assigned to the action account profile

A Run As account allows you to specify the necessary privileges for use with rules, tasks, monitors, and discoveries targeted to specific computers on an as-needed basis.

Data is encrypted between the root management server and the targeted computer when credentials are being transferred and the credentials are securely stored on the targeted computer.

A particular task, rule, monitor, or discovery can be associated with a Run As profile. This association is made when the management pack is created. The Operations Manager Administrator has the option of associating other Run As accounts for the particular Run As profile on a targeted computer.

For example, Alice is working on a SQL management pack and is creating a Get DB Statistics task. Alice knows that the action account will not have sufficient rights to run this task; however, Bob, the SQL Administrator, does. Alice needs to configure the task to run with Bob’s credentials.

While authoring the management pack, Sam creates a Run As profile called DB Operators and associates it with the task module. When the SQL management pack containing the Get DB Statistics task is imported into Operations Manager 2007, the Run As profile associated with the task will be included in the import and DB Operators will appear in the list of available Run As profiles.

The Operations Manager 2007 administrator will create a Run As account configured with Alice’s credentials. The Run As account is then associated with the Run As profile that the task will use. The target computer on which the Run As account will be used is explicitly specified in the Run As profile.

Note

The default account for the Run As profile is the action account. Give appropriate thought to what the action account should be and choose an account with appropriate permissions. In most instances, a domain administrator would not be a good choice.

Operations Manager 2007 administrators can associate different Run As accounts for different target computers with each Run As profile. This association is useful in cases in which the Run As profile is used on a different computer when each computer requires a different credential. Alice has user rights to run the task on computer 1 running SQL Server, while Bob has user rights on computer 2 running SQL Server. In this situation, separate Run As accounts are created for Alice and Bob and both are associated with the single Run As profile. This assignment must be made on two separate computers.

Run As Profiles in Operations Manager 2007

In addition to the Run As profiles you can create, Operations Manager 2007 includes the Run As profiles described in the following table. These profiles are used by Operations Manager 2007 itself.

Name: Active Directory Based Agent Assignment Account
Description: Account used by the Active Directory-based agent assignment module to publish assignment settings to Active Directory.
Run As account: Local System Windows Account

Name: Automatic Agent Management Account
Description: This account is used to automatically diagnose agent failures.
Run As account: None

Name: Client Monitoring Action Account
Description: If specified, used by Operations Manager 2007 to run all client monitoring modules. If not specified, Operations Manager 2007 uses the default action account.
Run As account: None

Name: Connected Management Group Account
Description: Account used by the Operations Manager management pack to monitor connection health to the connected management groups.
Run As account: None

Name: Data Warehouse Account
Description: If specified, this account is used to run all Data Warehouse collection and synchronization rules instead of the default action account. If this account is not overridden by the Data Warehouse SQL Server Authentication account, this account is used by collection and synchronization rules to connect to the Data Warehouse databases using Windows integrated authentication.
Run As account: None

Name: Data Warehouse Report Deployment Account
Description: This account is used by Data Warehouse report auto-deployment procedures to execute various report deployment-related operations.
Run As account: Data Warehouse Report Deployment Account

Name: Data Warehouse SQL Server Authentication Account
Description: If specified, this login name and password are used by collection and synchronization rules to connect to the Data Warehouse databases using SQL Server authentication.
Run As account: Data Warehouse SQL Server Authentication Account

Name: Default Action Account
Description: The default Health Service Action Account.
Run As account: The account credentials provided during setup.

Name: MPUpdate Action Account
Description: This account is used by the MPUpdate notifier.
Run As account: None

Name: Notification Account
Description: Windows account used by notification rules. This account's e-mail address is used as the e-mail and instant message 'From' address.
Run As account: None

Name: OperationsManager Database Account
Description: This account is used to read and write information to the OperationsManager database.
Run As account: None

Name: Privileged Monitoring Account
Description: This profile is used for monitoring that can only be done with a high level of privilege on a system; for example, monitoring that requires Local System or Local Administrator permissions. This profile defaults to Local System unless specifically overridden for a target system.
Run As account: None

Name: Reporting SDK SQL Server Authentication Account
Description: If specified, this login name and password are used by the SDK Service to connect to the Data Warehouse databases using SQL Server authentication.
Run As account: Reporting SDK SQL Server Authentication Account

Name: Reserved
Description: This profile is reserved and must not be used.
Run As account: None

Name: Validate Alert Subscription Account
Description: Account used by the validate alert subscription module, which validates that notification subscriptions are in scope. This profile needs administrator rights.
Run As account: Local System Windows Account

Name: Windows Cluster Action Account
Description: This profile is used for all discovery and monitoring of Windows Cluster components. This profile defaults to the action account unless specifically populated by the user.
Run As account: None

Name: WS-Management Action Account
Description: This profile is used for WS-Management access.
Run As account: None

Run As accounts and Run As profiles in Operations Manager 2007 R2

With the release of Operations Manager 2007 R2, the following additional features have been added for Run As accounts and Run As profiles: distribution and targeting. The following sections explain distribution and targeting and the effects these features have on security.

Understanding Distribution and Targeting

Both Run As account distribution and Run As account targeting must be correctly configured for the Run As profile to work properly.

When you configure a Run As profile, you select the Run As accounts you want to associate with the Run As profile. After you create that association, you can specify the class, group, or object for which the Run As account is to be used for running tasks, rules, monitors, and discoveries against.

Distribution is an attribute of a Run As account, and you can specify which computers will receive the Run As account credentials. You can choose to distribute the Run As account credentials to every agent-managed computer or only to selected computers.

Example of Run As account targeting: Physical computer ABC hosts two instances of Microsoft SQL Server, instance X and instance Y. Each instance uses a different set of credentials for the sa account. You create a Run As account with the sa credentials for instance X, and you create a different Run As account with the sa credentials for instance Y. When you configure the SQL Server Run As profile, you associate both Run As account credentials—for example, X and Y—with the profile and specify that the Run As account instance X credentials are to be used for SQL Server instance X and that the Run As account Y credentials are to be used for SQL Server instance Y. Then you must also configure each set of Run As account credentials to be distributed to physical computer ABC.

Example of Run As account distribution: SQL Server1 and SQL Server2 are two different physical computers. SQL Server1 uses the UserName1 and Password1 set of credentials for the SQL sa account. SQL Server2 uses the UserName2 and Password2 set of credentials for the SQL sa account. The SQL management pack has a single SQL Run As profile that is used for all SQL Servers. You can then define one Run As account for UserName1 set of credentials and another Run As account for the UserName2 set of credentials. Both of these Run As accounts can be associated with the one SQL Server Run As profile and can be configured to be distributed to the appropriate computers. That is, UserName1 is distributed to SQL Server1 and UserName2 is distributed to SQL Server2. Account information sent between the management server and the designated computer is encrypted.

Run As Account Security

In Operations Manager 2007 SP1, Run As account credentials are distributed to all agent-managed computers (the less secure option). In Operations Manager 2007 R2, Run As account credentials are distributed only to computers that you specify (the more secure option). If Operations Manager automatically distributed the Run As account according to discovery, a security risk would be introduced into your environment, as illustrated in the following example. This is why an automatic distribution option was not included in Operations Manager.

For example, Operations Manager 2007 identifies a computer as hosting SQL Server 2005 based on the presence of a registry key. It is possible to create that same registry key on a computer that is not actually running an instance of SQL Server 2005. If Operations Manager were to automatically distribute the credentials to all agent-managed computers that have been identified as SQL Server 2005 computers, the credentials would be sent to the imposter SQL Server, where they would be available to anyone with administrator rights on that server.

When you create a Run As account using Operations Manager 2007 R2, you are prompted to choose whether the Run As account should be treated in a Less secure or More secure fashion. “More secure” means that when you associate the Run As account with a Run As profile, you have to provide the specific computer names that you want the Run As credentials distributed to. By positively identifying the destination computers, you can prevent the spoofing scenario that was described before. If you choose the less secure option, you will not have to provide any specific computers and the credentials will be distributed to all agent-managed computers.
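To make concrete how targeting and distribution interact (both must hold for a workflow to run, as the preceding sections describe) and why the Less secure option over-shares credentials, here is a small Python model added for this page. It is not Operations Manager code or its SDK; the agent list, the HOST_OF map and the account names sa-X, sa-Y and sa-1 are constructed sample data.

```python
from dataclasses import dataclass, field
# Constructed model of the 2007 R2 rules described above (targeting plus
# distribution, Less secure vs. More secure); this is not the Operations Manager SDK.

@dataclass
class RunAsAccount:
    name: str
    more_secure: bool                               # True: credentials go only to `distribution`
    distribution: set = field(default_factory=set)  # explicit computer names (More secure)

@dataclass
class RunAsProfile:
    name: str
    targeting: dict = field(default_factory=dict)   # target object or computer -> account name

# Constructed sample environment: physical computer ABC hosts SQL instances X and Y.
ALL_AGENTS = {"ABC", "SQLServer1", "SQLServer2", "Imposter"}
HOST_OF = {"X": "ABC", "Y": "ABC", "SQLServer1": "SQLServer1"}
ACCOUNTS = {
    "sa-X": RunAsAccount("sa-X", more_secure=True, distribution={"ABC"}),
    "sa-Y": RunAsAccount("sa-Y", more_secure=True),   # distribution step was skipped
    "sa-1": RunAsAccount("sa-1", more_secure=False),  # Less secure: every agent receives it
}
PROFILE = RunAsProfile("SQL Server Run As profile",
                       targeting={"X": "sa-X", "Y": "sa-Y", "SQLServer1": "sa-1"})

def holders(acct):
    """Computers that end up holding this account's credentials."""
    return acct.distribution if acct.more_secure else ALL_AGENTS

def resolve(profile, target, host, accounts, action_account="Default Action Account"):
    """Credentials a workflow bound to `profile` runs with against `target` on `host`.
    Returns (account, runnable, reason): targeting AND distribution must both hold."""
    name = profile.targeting.get(target) or profile.targeting.get(host)
    if name is None:
        return action_account, True, "nothing targeted; default action account used"
    if host not in holders(accounts[name]):
        return name, False, f"{name} targeted at {target} but not distributed to {host}"
    return name, True, "targeted and distributed"

def over_distributed(profile, accounts, host_of):
    """Audit: computers holding credentials without hosting anything the account targets."""
    report = {}
    for acct in accounts.values():
        needed = {host_of[t] for t, a in profile.targeting.items() if a == acct.name}
        extra = holders(acct) - needed
        if extra:
            report[acct.name] = sorted(extra)
    return report
```

Running `resolve(PROFILE, "Y", "ABC", ACCOUNTS)` reports the failure caused by forgetting the distribution step, and `over_distributed` lists every computer, including the imposter, that received the Less secure account without hosting a targeted instance.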

Note

With all versions of Operations Manager 2007, the credentials you select for the Run As account must have the Log on locally user right on the target computer; otherwise, the module will fail.

See Also

Concepts

Account Information for Operations Manager 2007
Role-based Security in Operations Manager 2007