Orchestrator Security Scenarios


Updated: May 13, 2016

Applies To: System Center 2012 SP1 - Orchestrator, System Center 2012 - Orchestrator, System Center 2012 R2 Orchestrator

The following information provides best practices for using Orchestrator securely. This information is provided in the format of scenarios. The following scenarios are available:

The Orchestrator password data contained in runbooks can be securely shared between different instances of Orchestrator. For example, one may wish to export runbooks built in a development environment and import them into a test environment or export tested runbooks into a production environment. This export and import process would need to secure the encrypted data in each phase of the export in such a way that the exported data could be imported into a different Orchestrator environment.

This is accomplished using the Import/Export functionality available in the Runbook Designer. The export and import features are available from the Actions item on the Runbook Designer menu bar or by right-clicking a runbook folder. The export feature is also available by right-clicking a runbook tab, a feature commonly referred to as a “single runbook export.”

Regardless of how a runbook is exported, the encrypted data contained in runbooks will be stored securely in the resulting XML export file. This is accomplished by providing a password upon export. When Orchestrator exports the runbooks and their related configuration, any encrypted data contained in Runbooks is decrypted and encrypted again upon export using the provided password.

System_CAPS_ICON_note.jpg Note

  1. The encryption key used for the export is different from that used to store the data in the Orchestrator database. Essentially, the "export" feature decrypts the encrypted data and re-encrypts it in the export file. The export file contains the encrypted password.
  2. The export process does not protect the runbook itself nor the non-encrypted data contained in Runbooks. The export only protects encrypted data contained in Runbooks.

When an export file is re-imported the import requires a password be provided. If the password matches then the encrypted data contained in export will be imported and re-encrypted for storage in the Orchestrator database by using the encryption key.

System_CAPS_ICON_note.jpg Note

  1. The Export/Import password feature does not support password complexity rules that may be required by your organization. A blank value for the password is permitted, although not recommended for exports that contain sensitive data that has been encrypted.
  2. If the password for your export is lost one can still perform an import of the runbooks and their related configuration. On the Import screen simply clear the Import Orchestrator encrypted data option. Any Orchestrator platform-encrypted data will not be imported and created with blank values in the Orchestrator database.

Orchestrator has two core user roles: Runbook Authors and Operators. These user roles have different rights in Orchestrator. Runbook Authors are individuals that have rich administrative access to Orchestrator including its database and configuration. Runbook Authors grant access to Runbook Operators. Runbook Operators have access to the Orchestration Console and Web Service based on rights granted to them by Runbook Authors.

User RoleIdentified byRights
Runbook AuthorMembership in the Orchestrator Users Group (see below)- Administrators of Orchestrator
- Read, write, update Orchestrator configuration
- Full control of the Orchestrator database
- Full encrypt/decrypt rights
- Access to Runbook Activities that can interact with external systems via Integration Packs
Runbook OperatorRunbook Folder permissions granted by Runbook Authors in the Runbook Designer- Non-administrative rights to Orchestrator
- Access to the Orchestration Console and Web Service
- View and invoke runbooks based on rights granted by Runbook Authors
- No access to the Orchestrator database
- No encrypt/decrypt rights
System_CAPS_ICON_note.jpg Note

Placing a user account in the Orchestrator Users group identifies this user account as being an administrator of Orchestrator. All Orchestrator users are essentially equally-privileged administrators with full access to Orchestrator and the data contained in the database. This would include access to encrypt and decrypt data contained in the Orchestrator database.

Orchestrator manages security through membership in two security groups created at installation time. These are the Orchestrator Users group and the Orchestrator System group. Membership in either or both of these groups identifies accounts that are considered administrators of Orchestrator ("trusted personas"). Administrative rights include the ability to update runbooks and their related configuration data, update the configuration of runbook servers, interact with external systems via integration packs, install and deploy integration packs, interact programmatically with the Orchestrator database, update the database configuration and encrypt/decrypt encrypted data stored in the Orchestrator database.

System_CAPS_ICON_note.jpg Note

Membership in either or both of these groups grants full administrative access to Orchestrator including access to all data contained in the Orchestrator database and full encrypt/decrypt rights.

Security groupAssociated personaSecurity group purpose
Orchestrator Users GroupRunbook authors and anyone who deploys integration packsThis security group defines user accounts that will be able to launch the Runbook Designer, Deployment Manager and Data Store Configuration utility. Membership in this group grants privileged access to the Orchestrator database. This would include the ability to read and update the database configuration as well as access and decrypt encrypted data.
Orchestrator System GroupNone (used for service accounts)This security group defines the service accounts that require privileged access to the Orchestrator database. This would include the ability to read and update the database configuration as well as access and decrypt encrypted data.

The following user roles are considered trusted/untrusted personas in Orchestrator.

Security domainContextCryptography rightsIdentified byTrusted persona
Run TimeOrchestrator Services

"Invoke Runbook" Alternate Credentials
Full encrypt & decryptOrchestrator Systems Group in Active Directory / Credentials on "Invoke Runbook" Runbook ActivityYes
Design TimeRunbook Designer

Deployment Manager

Data Store Configuration
Full encrypt & decryptOrchestrator Users Group in Active DirectoryYes
OperatorOrchestration Console

Web Service
No explicit access to encrypted or decrypted data.User rights defined in the Runbook Designer by the Runbook Author roleNo
Database AdministratorMS SQL Server 20008 R2Full Encrypt & decryptRights to SQL Server as a DBA with rights to the Orchestrator databaseYes
Windows AdministratorWindows Server 2008 R2No explicit rights are granted, however Windows administrators are considered trusted personas.Rights to WindowsYes