Run As Account and Run As Profile

  • Question

  • Hi,

    I am using SCOM 2007 R2 on Windows Server 2003 SP2 and working on CISCO UCS MP.

    After too many web searches on the above two topics I got confused about these concepts. I really want to have more details on them.

    Also there are few queries of mine like:

    1) Do these have anything to do with the MP, or is it totally controlled by SCOM?

    2) What roles do "Less Secure" and "More Secure" play?

    3) When I am selecting the account as Less Secure, it targets all objects and classes; it displays every class like Server, Chassis, and when I select a particular class (say blade server), the MP discovers only that server and the rest of the other components are in a not-monitored state. I get alerts only from this device, but I get "Secured Reference Override Failure" in Active Alerts, generated by the rest of the other classes which are not monitored. Is this normal?

    4) When I select the account as More Secured, how is it different from the previous account? I think it does not allow me to select all targets. Instead I have to select a particular class. Let's say I selected the Chassis class from the CISCO UCS MP. So what alerts should I be getting in Active Alerts? Does it display all the alerts from other MPs, or does it only show alerts from Chassis?

    One more thing: should the MP contain any filter or script which handles this More Secured feature? I am asking this because my customers are saying that they can see other server faults (other than CISCO servers, like HP, Dell) when they select the More Secure feature, in the Active Alert View. They want to see faults only from CISCO servers. So is there an error with the MP implementation, or should I have to add any filter in my MP, or is this normal?

    Regards,

    Ravi

    Thursday, April 21, 2011 6:38 AM

Answers

  • Let's try to answer your questions.

     

    A run-as profile is a setting on a workflow in a management pack.  Think of it as an XML tag that says "hey, if there is a special account assigned to this profile in the customer environment, then use that account to activate this workflow, otherwise use the default action account assigned to the agent running the workflow".

    A run-as account is an account you define in your console - it is a credential set really, and you give it a name.  Then you choose to bind it to a run-as profile.  If you don't bind it (assign it), then the account doesn't have any impact.

    Once you assign an account to a run-as profile (and you can do this in a group scope as well), the agent that runs any workflows that make a claim on that profile will need to be sent the credentials.  This is where the confusingly named "more secure, less secure" labeling comes in.  BOTH are secure.  It is in scoping that the difference lies.

    In the so-called less-secure mode, the encrypted credentials are sent to any agent that runs a workflow that needs that credential (due to the profile claim it may have in the MP definition).  This is the most flexible (could have been called more flexible, more error prone instead of less secure, more secure).

    In the more secure case, the encrypted credentials are sent to specific servers.  You have to name them.  If you don't name them, the credentials don't get sent to them.  The scenario where this is important is when you are using agents in your DMZ.  Presumably you would not want to accidentally expose credentials that aren't needed in that DMZ to a hacker that gains full control of your internet facing web farms (or the rogue administrators who run them).  That access would let them get access to the encrypted credentials in the encrypted store on that server.  Once they can do that, with enough time and computing power, they can crack the cert encryption.  So this is why it is named more secure - there is less exposure.  The creds used are still there, but you don't accidentally get more creds on your high risk servers than are needed.

     


    Microsoft Corporation
    • Proposed as answer by Nicholas Li Monday, April 25, 2011 3:09 AM
    • Marked as answer by Ravi_Raj Monday, April 25, 2011 4:58 AM
    Friday, April 22, 2011 3:52 PM
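To make the "XML tag" in the answer above concrete, here is an added management pack fragment (not from this thread or from the Cisco UCS MP; every Example.UCS.* identifier is an assumed placeholder) showing how an MP declares a Run As profile as a SecureReference and how a workflow claims it with a RunAs attribute. Under more-secure distribution the bound credential reaches only the agents that were named, so a workflow like this one that runs on an agent that was not named has no credential to load, which is the condition the "Secure Reference Override Failure" alert reports.

```xml
<!-- Fragment of a SCOM 2007 R2 management pack. Every Example.UCS.* name is a
     placeholder; "Windows" and "System" are the usual library aliases. -->
<TypeDefinitions>
  <SecureReferences>
    <!-- The Run As profile. It binds no credential itself; the customer
         assigns a Run As account to it in the console and chooses
         less-secure (send to every agent that needs it) or more-secure
         (send only to named agents) distribution. -->
    <SecureReference ID="Example.UCS.Manager.Profile"
                     Accessibility="Public"
                     Context="System!System.Entity" />
  </SecureReferences>
</TypeDefinitions>
<Monitoring>
  <Discoveries>
    <!-- A workflow that claims the profile through RunAs="...". Without the
         attribute the agent's default action account runs the script. -->
    <Discovery ID="Example.UCS.Chassis.Discovery" Enabled="true"
               Target="Windows!Microsoft.Windows.Server.Computer"
               ConfirmDelivery="false" Remotable="true" Priority="Normal">
      <Category>Discovery</Category>
      <DiscoveryTypes>
        <DiscoveryClass TypeID="Example.UCS.Chassis" />
      </DiscoveryTypes>
      <DataSource ID="DS" RunAs="Example.UCS.Manager.Profile"
                  TypeID="Windows!Microsoft.Windows.TimedScript.DiscoveryProvider">
        <IntervalSeconds>14400</IntervalSeconds>
        <SyncTime />
        <ScriptName>DiscoverUcsChassis.vbs</ScriptName>
        <Arguments>$MPElement$ $Target/Id$</Arguments>
        <ScriptBody><![CDATA[
          ' Placeholder script: whatever it does (e.g. query UCS Manager)
          ' runs under the account bound to Example.UCS.Manager.Profile
          ' on this agent, provided that agent received the credential.
          Dim oAPI, oDisc, oInst
          Set oAPI  = CreateObject("MOM.ScriptAPI")
          Set oDisc = oAPI.CreateDiscoveryData(0, WScript.Arguments(0), WScript.Arguments(1))
          Set oInst = oDisc.CreateClassInstance("$MPElement[Name='Example.UCS.Chassis']$")
          Call oInst.AddProperty("$MPElement[Name='System!System.Entity']/DisplayName$", "Chassis-1")
          Call oDisc.AddInstance(oInst)
          Call oAPI.Return(oDisc)
        ]]></ScriptBody>
        <TimeoutSeconds>300</TimeoutSeconds>
      </DataSource>
    </Discovery>
  </Discoveries>
</Monitoring>
```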
  •  

    Regarding the questions about Run As Accounts and Run As Profiles, I think you can also refer to the following articles:

     

    Run As Accounts and Run As Profiles in Operations Manager 2007

    http://technet.microsoft.com/en-us/library/bb735423.aspx

     

    Configuring Run As Accounts and Profiles in R2–A SQL Management Pack Example

    http://blogs.technet.com/b/kevinholman/archive/2010/09/08/configuring-run-as-accounts-and-profiles-in-r2-a-sql-management-pack-example.aspx

     

    Hope this can give you some hints.

     

    Thanks.


    Nicholas Li - MSFT
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    • Marked as answer by Ravi_Raj Thursday, May 5, 2011 7:34 AM
    Monday, April 25, 2011 3:29 AM

All replies

  • Hi Dan,

    Thanks for your valuable info. It really helped me in various ways. But really I am more concerned about my 3rd & 4th queries. Can you shed some light on them too?

    Regards

    Ravi

    Monday, April 25, 2011 5:01 AM