Node management permissions needed when using Powershell to set node to "unmanaged"

Hi,

We use a special Orion account to set nodes to "unmanaged" by PowerShell script in our automated server maintenance jobs.

Permissions for this account should be limited as much as possible. It should only have the permission to set nodes to "Unmanaged".

Doing the web-request with this URL: https://$($hostname):17778/SolarWinds/InformationService/v3/Json/Invoke/Orion.Nodes/Unmanage with a post body like this: ["N:1996","06/24/2019 09:00:29","06/24/2019 09:02:28","false"]  works great.

But only with both permissions “Allow Node Management Rights” AND “Allow Account to Unmanage Objects”. Without node management rights we get the error "Access to Orion.Nodes.Unmanage verb denied.".

When using the same account in the Web UI for putting nodes to unmanaged mode, it's possible without node management rights.

Why is it different in SDK?

Regards,

Hermann

  • I assume you let those scripts run via task scheduler. You would create the password file with the user that runs those scripts.

    It is not 100% secure, but at least there are no plaintext passwords.

    It can only be decrypted in "normal ways" by the user that created the password file, so unfortunately there is no way to "give permission" to someone else.

    Example:

    Run a PowerShell session in the user context that executes the script.

    Run the following commands in that PowerShell session:

    $credential = Get-Credential

    $credential.Password | ConvertFrom-SecureString | Set-Content c:encrypted_password.txt

    you will now have a file in the User's root directory (the one that ran the script)

    Copy that to where you want it to be stored

    in order to use the password in the script:

    $password = Get-Content c:encrypted_password.txt | ConvertTo-SecureString

    $credential = New-Object System.Management.Automation.PsCredential($username, $password)

    Cheers from Franconia
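
The stored-credential approach from the reply above combined with the REST call from the question, as an added example that is not code from any poster or from the Orion SDK. The server name, account name, file path and the helper names `Get-StoredCredential` and `New-UnmanageBody` are hypothetical; it assumes the Orion server's certificate is trusted by the client and that start and end times are sent as UTC.

```powershell
# Added example. Hypothetical values: server, account name, file path.
$hostname = 'orion.example.local'
$username = 'svc-unmanage'
$pwFile   = 'C:\Scripts\encrypted_password.txt'

function Get-StoredCredential {
    param([string]$UserName, [string]$Path)
    try {
        # Without -Key, ConvertTo-SecureString relies on Windows DPAPI, so only
        # the Windows user that created the file can decrypt it.
        $secure = Get-Content -LiteralPath $Path -ErrorAction Stop |
            ConvertTo-SecureString -ErrorAction Stop
    }
    catch {
        # Typical cause: the job runs under a different account than the one
        # that created the password file.
        throw "Cannot decrypt '$Path' as $env:USERNAME. Recreate the file under the account that runs this job. $($_.Exception.Message)"
    }
    New-Object System.Management.Automation.PSCredential($UserName, $secure)
}

function New-UnmanageBody {
    param([int]$NodeId, [datetime]$Start, [datetime]$End)
    # Same argument order and date format as the post body in the question.
    $fmt = 'MM/dd/yyyy HH:mm:ss'
    $inv = [cultureinfo]::InvariantCulture
    $verbArgs = @("N:$NodeId", $Start.ToString($fmt, $inv), $End.ToString($fmt, $inv), 'false')
    ConvertTo-Json -InputObject $verbArgs -Compress
}

$credential = Get-StoredCredential -UserName $username -Path $pwFile
$start = [datetime]::UtcNow      # assumption: times are sent as UTC
$body  = New-UnmanageBody -NodeId 1996 -Start $start -End $start.AddHours(2)
$uri   = "https://$($hostname):17778/SolarWinds/InformationService/v3/Json/Invoke/Orion.Nodes/Unmanage"

try {
    Invoke-RestMethod -Uri $uri -Method Post -Credential $credential `
        -ContentType 'application/json' -Body $body
}
catch {
    # An account lacking the rights discussed in this thread fails here with
    # "Access to Orion.Nodes.Unmanage verb denied."
    Write-Error "Unmanage failed for N:1996: $($_.Exception.Message)"
    exit 1
}
```
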

  • As an alternative if you are running it from your own workstation you can use your own credentials using the code below.

    $swis = Connect-Swis -host YOUROrionServer -Trusted

  • Hi Dan,

    are there any news regarding the permission issue CORE-12986 ?

    Because the script we are using to set nodes to UNMANAGED can be called from everywhere and everyone, I cannot use password encryption technics because the encryption key then needs to be public also...

    I have to rollout the script in production all would be fine if the account which is used only needs "Allow Account to Unmanage Objects & Mute Alerts" permissions.

    Thanks!

  • CORE-12986 has gone through initial prioritization, but development hasn't started yet (at least from what I can see).  I updated the issue with a link to your most recent comment about your situation.

  • Hi, is there an update on that internal issue? I have a client that wants to use the unmanage verb but does not want the user to have node management rights.

  • I'm afraid that the internal issue hasn't yet been prioritized for inclusion in a release.  I added a note to the issue to capture the continued interest in getting it addressed.