Orchestrator Security Scenarios

Updated: May 13, 2016

Applies To: System Center 2012 SP1 - Orchestrator, System Center 2012 - Orchestrator, System Center 2012 R2 Orchestrator

The following information provides best practices for using Orchestrator securely. This information is provided in the format of scenarios. The following scenarios are available:

  • Scenario: Securely transitioning from development to test to production environments

  • Scenario: Effectively managing Orchestrator Users group membership

Scenario: Securely transitioning from development to test to production environments

Password data that Orchestrator stores encrypted in runbooks can be shared securely between different Orchestrator instances. For example, you may want to export runbooks built in a development environment and import them into a test environment, or export tested runbooks into a production environment. Because each Orchestrator database protects this data with its own encryption key, the export and import process must keep the encrypted data protected at every step while still allowing it to be imported into a different Orchestrator environment.

This is accomplished using the Import/Export functionality available in the Runbook Designer. The export and import features are available from the Actions item on the Runbook Designer menu bar or by right-clicking a runbook folder. The export feature is also available by right-clicking a runbook tab, a feature commonly referred to as a “single runbook export.”

Regardless of how a runbook is exported, the encrypted data contained in runbooks will be stored securely in the resulting XML export file. This is accomplished by providing a password upon export. When Orchestrator exports the runbooks and their related configuration, any encrypted data contained in Runbooks is decrypted and encrypted again upon export using the provided password.

Note

  1. The encryption key used for the export is different from the key used to store the data in the Orchestrator database. The export feature decrypts the data with the database key and re-encrypts it with a key derived from the export password, so the export file contains the password data only in this re-encrypted form. The protection of that data is therefore only as strong as the export password you choose.
  2. The export process does not protect the runbook itself or the non-encrypted data it contains; only data that Orchestrator stored encrypted is protected. Everything else is readable XML, so treat the export file itself as sensitive and transfer it over a protected channel.

When an export file is imported, the import requires a password. If it matches the password that was used at export time, the encrypted data in the export file is decrypted and then re-encrypted with the target database's encryption key for storage in the Orchestrator database.

Note

  1. The Export/Import password feature does not enforce any password complexity rules your organization may require. A blank password is permitted, although it is not recommended for exports that contain encrypted sensitive data, because anyone holding the export file can then recover that data.
  2. If the password for an export is lost, you can still import the runbooks and their related configuration. On the Import screen, clear the Import Orchestrator encrypted data option. The platform-encrypted data is then not imported; the corresponding fields are created with blank values in the Orchestrator database and must be re-entered in the Runbook Designer.
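Because the Designer enforces no complexity rule on the export password and a lost password silently drops the encrypted data on import, it is worth generating and recording the password outside the tool. The following PowerShell helpers are an added example and are not code from the original article or part of Orchestrator: they check a passphrase against an assumed organizational policy, generate one that satisfies it, and protect it with DPAPI so the exporting account keeps a recoverable record of it. The policy values, file path and function names are assumptions.

```powershell
# Added example: export passphrase hygiene for Orchestrator runbook exports.
# Policy (length, character classes) is an assumption; adjust to your organization's rules.

function Test-ExportPassphrase {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Passphrase,
        [int]$MinLength = 20
    )
    $problems = @()
    if ($Passphrase.Length -lt $MinLength)    { $problems += "shorter than $MinLength characters" }
    if ($Passphrase -cnotmatch '[A-Z]')       { $problems += 'no upper-case letter' }
    if ($Passphrase -cnotmatch '[a-z]')       { $problems += 'no lower-case letter' }
    if ($Passphrase -notmatch '[0-9]')        { $problems += 'no digit' }
    if ($Passphrase -notmatch '[^A-Za-z0-9]') { $problems += 'no symbol' }
    # A blank passphrase, which the Designer accepts, fails every rule above.
    [pscustomobject]@{ Ok = ($problems.Count -eq 0); Problems = $problems }
}

function New-ExportPassphrase {
    param([int]$Length = 24)
    # Ambiguous glyphs (0/O, 1/l/I) are left out because the value is typed into a dialog twice.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#$%^&*-_=+'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $alphabet.Length)   # rejection sampling avoids modulo bias
    $buf   = New-Object byte[] 1
    do {
        $chars = New-Object System.Collections.Generic.List[char]
        while ($chars.Count -lt $Length) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) { $chars.Add($alphabet[$buf[0] % $alphabet.Length]) }
        }
        $pw = -join $chars
    } until ((Test-ExportPassphrase -Passphrase $pw -MinLength $Length).Ok)
    return $pw
}

function Protect-ExportPassphrase {
    param([Parameter(Mandatory)][string]$Passphrase, [Parameter(Mandatory)][string]$Path)
    # DPAPI, current-user scope: only this account on this machine can unprotect the file.
    $secure = ConvertTo-SecureString -String $Passphrase -AsPlainText -Force
    ConvertFrom-SecureString -SecureString $secure | Set-Content -Path $Path
}

function Unprotect-ExportPassphrase {
    param([Parameter(Mandatory)][string]$Path)
    $secure = Get-Content -Path $Path | ConvertTo-SecureString
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try     { [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

# Usage (assumed path): generate, verify and record the passphrase before exporting
# from the Runbook Designer, then hand it to the importing team out of band.
$pw = New-ExportPassphrase
Test-ExportPassphrase -Passphrase $pw
Protect-ExportPassphrase -Passphrase $pw -Path "$env:USERPROFILE\DevToTest-export.passphrase"
```

The DPAPI file only protects the exporting account's own copy; the handover to the team that imports into the next environment should go through your organization's secret store, never alongside the export file itself.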

Scenario: Effectively managing Orchestrator Users group membership

Orchestrator has two core user roles: Runbook Authors and Runbook Operators. These roles have different rights in Orchestrator. Runbook Authors are individuals who have full administrative access to Orchestrator, including its database and configuration. Runbook Authors grant access to Runbook Operators. Runbook Operators have access to the Orchestration Console and the Web Service only to the extent granted to them by Runbook Authors.

User role: Runbook Author
Identified by: membership in the Orchestrator Users group (see below)
Rights:
  • Administrators of Orchestrator
  • Read, write and update Orchestrator configuration
  • Full control of the Orchestrator database
  • Full encrypt/decrypt rights
  • Access to runbook activities that can interact with external systems via integration packs

User role: Runbook Operator
Identified by: runbook folder permissions granted by Runbook Authors in the Runbook Designer
Rights:
  • Non-administrative rights to Orchestrator
  • Access to the Orchestration Console and Web Service
  • View and invoke runbooks based on rights granted by Runbook Authors
  • No access to the Orchestrator database
  • No encrypt/decrypt rights

Note

Placing a user account in the Orchestrator Users group identifies that account as an administrator of Orchestrator. All members of the group are equally privileged administrators with full access to Orchestrator and to the data in its database, including the ability to encrypt and decrypt data stored there. There is no read-only or limited authoring tier within the group.

Orchestrator manages security through membership in two security groups created at installation time. These are the Orchestrator Users group and the Orchestrator System group. Membership in either or both of these groups identifies accounts that are considered administrators of Orchestrator ("trusted personas"). Administrative rights include the ability to update runbooks and their related configuration data, update the configuration of runbook servers, interact with external systems via integration packs, install and deploy integration packs, interact programmatically with the Orchestrator database, update the database configuration and encrypt/decrypt encrypted data stored in the Orchestrator database.

Note

Membership in either or both of these groups grants full administrative access to Orchestrator including access to all data contained in the Orchestrator database and full encrypt/decrypt rights.

Security group: Orchestrator Users group
Associated persona: runbook authors and anyone who deploys integration packs
Purpose: defines the user accounts that can launch the Runbook Designer, Deployment Manager and Data Store Configuration utility. Membership in this group grants privileged access to the Orchestrator database, including the ability to read and update the database configuration and to access and decrypt encrypted data.

Security group: Orchestrator System group
Associated persona: none (used for service accounts)
Purpose: defines the service accounts that require privileged access to the Orchestrator database, including the ability to read and update the database configuration and to access and decrypt encrypted data.
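Since membership in either group is full administrative access with no finer-grained tier, the practical control is to review who is in them, including accounts that arrive through nested groups. The following PowerShell audit is an added example, not code from the original article or from Orchestrator: it lists every effective member of both groups, flags anyone not on an approved list, flags nested groups, and reports approved principals that have gone missing. The group names assume the default names setup creates in Active Directory, the approved lists are constructed sample data, and the ActiveDirectory module (RSAT) must be installed.

```powershell
# Added example: audit effective membership of the two Orchestrator security groups.
# Requires the ActiveDirectory module. Group names and approved lists are assumptions.

function Get-OrchestratorGroupAudit {
    param(
        # Assumed: setup created these groups in Active Directory with the default names,
        # and the listed principals are the only ones that should ever be members.
        [hashtable]$Approved = @{
            'OrchestratorUsersGroup'  = @('rb.author1', 'rb.author2')   # runbook authors, IP deployers
            'OrchestratorSystemGroup' = @('svc-orchestrator')            # service accounts only
        }
    )
    foreach ($groupName in $Approved.Keys) {
        # Direct members first: a nested group means membership is decided somewhere else,
        # so it is reported as a finding even if everything inside it is currently approved.
        $direct = Get-ADGroupMember -Identity $groupName
        foreach ($g in ($direct | Where-Object objectClass -eq 'group')) {
            [pscustomobject]@{
                Group   = $groupName
                Member  = $g.SamAccountName
                Class   = 'nested-group'
                Finding = 'nested group extends administrative rights'
            }
        }

        # -Recursive expands nested groups so every effective administrator is listed.
        $effective = Get-ADGroupMember -Identity $groupName -Recursive
        foreach ($m in $effective) {
            $finding = ''
            if ($Approved[$groupName] -notcontains $m.SamAccountName) { $finding = 'not on approved list' }
            [pscustomobject]@{
                Group   = $groupName
                Member  = $m.SamAccountName
                Class   = $m.objectClass
                Finding = $finding
            }
        }

        # An approved principal that is missing usually means a broken service account
        # or an author whose removal was never recorded in the approved list.
        foreach ($name in $Approved[$groupName]) {
            if ($effective.SamAccountName -notcontains $name) {
                [pscustomobject]@{
                    Group   = $groupName
                    Member  = $name
                    Class   = 'expected'
                    Finding = 'approved principal missing'
                }
            }
        }
    }
}

# Usage: review only rows with a finding; an empty result means membership matches the list.
Get-OrchestratorGroupAudit | Where-Object Finding | Format-Table -AutoSize
```

Run this as part of change review for the Orchestrator environment and keep the approved lists under the same review process as the runbooks themselves, since anyone added to the Users group can read and decrypt everything in the database.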

The following table classifies each user role as a trusted or untrusted persona in Orchestrator.

Security domain: Run Time
Context: Orchestrator services; "Invoke Runbook" alternate credentials
Cryptography rights: full encrypt and decrypt
Identified by: Orchestrator System group in Active Directory; credentials configured on the "Invoke Runbook" runbook activity
Trusted persona: Yes

Security domain: Design Time
Context: Runbook Designer, Deployment Manager, Data Store Configuration
Cryptography rights: full encrypt and decrypt
Identified by: Orchestrator Users group in Active Directory
Trusted persona: Yes

Security domain: Operator
Context: Orchestration Console, Web Service
Cryptography rights: no explicit access to encrypted or decrypted data
Identified by: user rights defined in the Runbook Designer by the Runbook Author role
Trusted persona: No

Security domain: Database Administrator
Context: Microsoft SQL Server 2008 R2
Cryptography rights: full encrypt and decrypt
Identified by: rights to SQL Server as a DBA with rights to the Orchestrator database
Trusted persona: Yes

Security domain: Windows Administrator
Context: Windows Server 2008 R2
Cryptography rights: no explicit rights are granted; however, Windows administrators are considered trusted personas
Identified by: rights to Windows
Trusted persona: Yes