Running a Task, Rule, or Monitor with Run As in Essentials
Applies To: System Center Essentials 2010
Run As Profiles and Run As Accounts together provide an appropriate identity to run a task, rule, or monitor in Essentials 2010. A Run As Profile allows a management pack author to associate an identity, other than the default action account, with a module so that it can run as that identity.
A Run As Account represents an identity that can be associated with a Run As Profile. Management pack authors with the necessary user rights can create tasks, rules, or monitors to perform various functions. Run As Accounts and Run As Profiles enable tasks, rules, or monitors to run with the account that has the necessary user rights.
As an Essentials 2010 administrator, be sure you know what actions are going to be performed when importing management packs. This is especially important when importing management packs containing a task, rule, or monitor that uses a Run As Profile. Ensure that you understand the function of any module for which you specify a Run As Account associated with a Run As Profile.
The following example illustrates the relationship between Run As Profiles and Run As Accounts.
You are working on a management pack for your company's Line of Business (LOB) application and are creating a Get Data task. You know that the action account that you are using might have insufficient rights to run this task; however, your LOB Administrator does have sufficient user rights. You can configure the task to run with the administrative credentials of the LOB administrator.
While authoring the management pack, create a Run As Profile called Data Operators and associate it with the task module. When the LOB management pack containing the Get Data task is imported into Essentials 2010, the Run As Profile associated with the task is included in the import, and Data Operators appears in the list of available Run As Profiles.
The Essentials 2010 administrator creates a Run As Account configured with the LOB administrator’s credentials. The Run As Account is then added to the Run As Profile that the task will use. The target computer on which the Run As Account will be used also has to be explicitly specified in the Run As Profile.
The default account for a Run As Profile is the action account. By default, all rules, monitors, and tasks on an agent run as the action account for that agent. Consider what the action account should be, and choose an account with appropriate rights. Because a domain administrator account holds a wide range of rights and permissions, and the goal is to use an account with the fewest rights possible, a domain administrator account is not a good choice. The credentials associated with a particular Run As Account should carry only the user rights that are necessary. We recommend that you do not associate accounts with full user rights unless absolutely necessary.
Run As Profiles default to the action account when they are created but can later be overridden on a per-computer basis. Because each computer requires different administrative credentials, Essentials 2010 administrators can associate multiple Run As Accounts with each Run As Profile, which is useful when the Run As Profile is used on different computers.
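The review recommended above before importing a management pack can be partly automated. The following is an added example, not code from Essentials 2010 or Microsoft: it lists every task, rule, or monitor in an unsealed management pack XML file that runs under a Run As Profile rather than the default action account. It assumes the management pack XML format in which profiles are declared as SecureReference elements and modules carry a RunAs attribute; the sample pack and all IDs in it are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed sample of an unsealed management pack.
# Every ID and TypeID below is hypothetical.
SAMPLE_MP = """<ManagementPack>
  <TypeDefinitions><SecureReferences>
    <SecureReference ID="LOB.DataOperators" Context="System!System.Entity"/>
  </SecureReferences></TypeDefinitions>
  <Monitoring>
    <Rules><Rule ID="LOB.CollectEvents">
      <WriteActions><WriteAction ID="WA" TypeID="SC!CollectEvent"/></WriteActions>
    </Rule></Rules>
    <Tasks><Task ID="LOB.GetData">
      <WriteAction ID="WA" RunAs="LOB.DataOperators" TypeID="Win!ScriptWriteAction"/>
    </Task></Tasks>
    <Monitors><UnitMonitor ID="LOB.QueueDepth" RunAs="Other!Ops.Profile"/></Monitors>
  </Monitoring>
</ManagementPack>"""

WORKFLOWS = {"Task", "Rule", "UnitMonitor", "Discovery"}

def audit_run_as(mp_xml):
    """Return (workflow kind, workflow ID, profile, origin, module TypeID) for
    every element that runs under a Run As Profile instead of the action account."""
    root = ET.fromstring(mp_xml)
    declared = {s.get("ID") for s in root.iter("SecureReference")}
    findings = []

    def walk(elem, owner):
        if elem.tag in WORKFLOWS:
            owner = (elem.tag, elem.get("ID"))
        profile = elem.get("RunAs")
        if profile:
            if profile in declared:
                origin = "declared in this pack"
            elif "!" in profile:          # Alias!ProfileID form
                origin = "from a referenced pack"
            else:
                origin = "UNDECLARED"
            findings.append((owner[0], owner[1], profile, origin, elem.get("TypeID")))
        for child in elem:
            walk(child, owner)

    walk(root, ("ModuleType", None))      # RunAs outside any workflow
    return findings

if __name__ == "__main__":
    for kind, wf_id, profile, origin, type_id in audit_run_as(SAMPLE_MP):
        print(f"{kind} {wf_id}: RunAs={profile} ({origin}), module type={type_id}")
```

Each reported profile is one for which the administrator will be asked to supply a Run As Account, so the module type shown beside it is what those credentials will execute.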