Orchestrator Security Scenarios
Updated: May 13, 2016
Applies To: System Center 2012 SP1 - Orchestrator, System Center 2012 - Orchestrator, System Center 2012 R2 Orchestrator
The following information provides best practices for using Orchestrator securely. This information is provided in the format of scenarios. The following scenarios are available:
The Orchestrator password data contained in runbooks can be securely shared between different instances of Orchestrator. For example, one may wish to export runbooks built in a development environment and import them into a test environment or export tested runbooks into a production environment. This export and import process would need to secure the encrypted data in each phase of the export in such a way that the exported data could be imported into a different Orchestrator environment.
This is accomplished using the Import/Export functionality available in the Runbook Designer. The export and import features are available from the Actions item on the Runbook Designer menu bar or by right-clicking a runbook folder. The export feature is also available by right-clicking a runbook tab, a feature commonly referred to as a “single runbook export.”
Regardless of how a runbook is exported, the encrypted data contained in runbooks will be stored securely in the resulting XML export file. This is accomplished by providing a password upon export. When Orchestrator exports the runbooks and their related configuration, any encrypted data contained in Runbooks is decrypted and encrypted again upon export using the provided password.
When an export file is re-imported the import requires a password be provided. If the password matches then the encrypted data contained in export will be imported and re-encrypted for storage in the Orchestrator database by using the encryption key.
Orchestrator has two core user roles: Runbook Authors and Operators. These user roles have different rights in Orchestrator. Runbook Authors are individuals that have rich administrative access to Orchestrator including its database and configuration. Runbook Authors grant access to Runbook Operators. Runbook Operators have access to the Orchestration Console and Web Service based on rights granted to them by Runbook Authors.
Membership in the Orchestrator Users Group (see below)
Runbook Folder permissions granted by Runbook Authors in the Runbook Designer
Placing a user account in the Orchestrator Users group identifies this user account as being an administrator of Orchestrator. All Orchestrator users are essentially equally-privileged administrators with full access to Orchestrator and the data contained in the database. This would include access to encrypt and decrypt data contained in the Orchestrator database.
Orchestrator manages security through membership in two security groups created at installation time. These are the Orchestrator Users group and the Orchestrator System group. Membership in either or both of these groups identifies accounts that are considered administrators of Orchestrator ("trusted personas"). Administrative rights include the ability to update runbooks and their related configuration data, update the configuration of runbook servers, interact with external systems via integration packs, install and deploy integration packs, interact programmatically with the Orchestrator database, update the database configuration and encrypt/decrypt encrypted data stored in the Orchestrator database.
Membership in either or both of these groups grants full administrative access to Orchestrator including access to all data contained in the Orchestrator database and full encrypt/decrypt rights.
Security group purpose
Orchestrator Users Group
Runbook authors and anyone who deploys integration packs
This security group defines user accounts that will be able to launch the Runbook Designer, Deployment Manager and Data Store Configuration utility. Membership in this group grants privileged access to the Orchestrator database. This would include the ability to read and update the database configuration as well as access and decrypt encrypted data.
Orchestrator System Group
None (used for service accounts)
This security group defines the service accounts that require privileged access to the Orchestrator database. This would include the ability to read and update the database configuration as well as access and decrypt encrypted data.
The following user roles are considered trusted/untrusted personas in Orchestrator.
"Invoke Runbook" Alternate Credentials
Full encrypt & decrypt
Orchestrator Systems Group in Active Directory / Credentials on "Invoke Runbook" Runbook Activity
Data Store Configuration
Full encrypt & decrypt
Orchestrator Users Group in Active Directory
No explicit access to encrypted or decrypted data.
User rights defined in the Runbook Designer by the Runbook Author role
MS SQL Server 20008 R2
Full Encrypt & decrypt
Rights to SQL Server as a DBA with rights to the Orchestrator database
Windows Server 2008 R2
No explicit rights are granted, however Windows administrators are considered trusted personas.
Rights to Windows