The Windows RunAs application lets a user borrow permissions from a privileged account to perform a specific task. You can create a Windows Run As password consumer so that when a user executes RunAs, the SAM Agent provides the privileged account password directly to the RunAs application. The Windows Run As password consumer removes the need for users to know privileged account passwords to perform administrative tasks.
You can create Windows Run As password consumers only on Windows Agentless endpoints.
In the following example, a backup task is scheduled to run weekly. The task is located at C:\backup\backup.exe and is run by Administrator. If the scheduled backup fails, the system administrator Steve wants to let user John manually start the backup. Steve can use a Windows Run As password consumer to let John start the backup task without the Administrator password.
The following process describes the steps that Steve and John perform to create and use a Windows Run As password consumer on an endpoint named win123_PUPM:
Note: Steve enters John's user name as it appears on the endpoint.
The Windows Run As password consumer is created.
Note: The SAM Agent ignores any value that John provides for the password.
The SAM Agent checks the cache for previous requests by John to start the backup task. Because this is the first time that John has made this request, the request is not cached. The SAM Agent retrieves the privileged account password from CA ControlMinder Enterprise Management and provides it to the RunAs application. The backup task starts.
Copyright © 2013 CA Technologies.
All rights reserved.