gavsto/AutomateAPI

Required Permissions

Closed this issue · 4 comments

Hi Gavsto,

Great work! Very useful to integrate Control a bit better in Automate. I'm scripting some checks now so I can monitor them. Starting with this in PowerShell, it will ease the login procedure to automate the functions. If running from an Automate Script, you can even set the login details in Automate and pass them as a variable to the script.

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$Pass = ConvertTo-SecureString '(Password)' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential ("(User)", $Pass)
Import-Module AutomateAPI
Connect-AutomateAPI -clientid '(clientid)' -server '(Automate URL)' -Credential $Cred
Connect-ControlAPI -credential $cred -Server '(Control URL)'
# Any command here to create output

But now the big question:
Say I want to make a service account in both Automate and Control to use it in the script. What are the minimum permissions required to accomplish this? Because I want to script this, I don't want it to use MFA. So my only option seems to be to check the Integrator checkbox in Automate. However, this account needs to be Super Admin to be able to access computers. So a Super Admin with this username and password permissions without MFA is not the best choice.
Any advice?

The same goes for Control. But it seems like the Control user can be limited to view only.
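
An added example, not part of the original post or of the AutomateAPI project: one way to keep the service account password out of the script text shown above by loading a stored credential instead. It assumes Windows PowerShell, a hypothetical file path and hypothetical helper names (`Save-ApiCredential`, `Get-ApiCredential`), and uses only the `Connect-AutomateAPI` and `Connect-ControlAPI` parameters that appear in the post.

```powershell
# Added example (not from the original post). Assumptions: Windows PowerShell,
# a hypothetical file path, and the same placeholders as the post.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Hypothetical location for the stored credential.
$CredPath = Join-Path $env:LOCALAPPDATA 'AutomateAPI\svc-cred.xml'

function Save-ApiCredential {
    # Run once, interactively, as the same Windows account that will run the script.
    param([Parameter(Mandatory)][string]$Path)
    $dir = Split-Path -Parent $Path
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    # On Windows, Export-Clixml writes the password encrypted with DPAPI,
    # so only this user on this machine can decrypt the file.
    Get-Credential -Message 'Service account for Automate/Control' |
        Export-Clixml -Path $Path
}

function Get-ApiCredential {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path $Path)) {
        throw "No stored credential at $Path. Run Save-ApiCredential first."
    }
    try {
        $stored = Import-Clixml -Path $Path
    } catch {
        # Typically means the file was created by another user or on another machine.
        throw "Could not decrypt ${Path}: $($_.Exception.Message)"
    }
    if ($stored -isnot [System.Management.Automation.PSCredential]) {
        throw "File at $Path does not contain a PSCredential."
    }
    return $stored
}

$Cred = Get-ApiCredential -Path $CredPath
Import-Module AutomateAPI
Connect-AutomateAPI -ClientID '(clientid)' -Server '(Automate URL)' -Credential $Cred
Connect-ControlAPI -Credential $Cred -Server '(Control URL)'
```

The DPAPI protection applies on Windows only; PowerShell on Linux or macOS does not encrypt the exported password the same way.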

Great question BassieZ!

I am also in a very similar boat.

I want to restrict the permissions of the account used in my scripts; however, unlike BassieZ, I don't mind having to enter MFA codes as my scripts are run on a manual basis. I just want to limit any damage my scripts could cause if I make a slip-up with a loop or if they are edited by a colleague.

At the moment I'm struggling to find out what is needed to be able to run the Compare-AutomateControlStatus function as I keep getting the below error.

image

If I run the script using my normal account with LTAdmin access I do not have the issue.

I hope this doesn't come across as me stealing from your original post, our issues are so alike that I didn't want to make another issue thread.

If Gavsto knows what permissions we need to set to run the PowerShell API functions and could let us know that would be amazing!

Closing as answered