Privileged and Non-Privileged “Run As” accounts in cross platform monitoring

One of the initial configuration requirements (and one of the top things new users forget to do) for cross platform monitoring is setting up the user accounts to use for privileged and non-privileged actions. But what exactly are privileged and non-privileged actions? Why would you need one or the other?

When performing remote operations on clients such as monitoring, diagnostics or remediation, the agent performs these actions running as a specific user account (the “Run As” account specified by the administrator). The recommended security practices call for specifying a low-privilege account for most actions and using a higher-privilege account only where necessary. This segregates security privileges according to the types of actions performed and can help prevent inadvertently assigning tasks outside of the user’s security scope.

You assign Run As accounts to multiple computers through Run As Profiles, and assign the profile to the group of computers. When you install the Operations Manager R2 Cross Platform extensions, two profiles are created for you under Administration > Run As Configuration > Profiles. These profiles are named Unix Action Account and Unix Privileged Account. They are pre-assigned to the various monitors and tasks within the UNIX and Linux management packs, so the actual accounts need to be specified only once, after which all of the UNIX/Linux MPs will work.

The key is that the user accounts need to be defined in the Run As Profile for the profile to work. There’s no obvious indication in the console that these accounts aren’t defined in the profile, but your MPs will not work until the accounts are added. (See: How to Create a Run As Account in Operations Manager 2007)

OK, so you understand the basics of Run As accounts and profiles – but which tasks require which profile? Generally, monitoring actions do not require privilege, but many remediation actions do. This is because they stop or restart processes or daemons, and we don’t want that happening accidentally. Likewise, deploying agents does not require privilege, but installing and uninstalling them requires a privileged account.

Here are some links to specifics about the actions requiring privilege across the supported operating systems (latest OS version shown, but other versions similar and in the same documentation):