Not sure if this is the appropriate forum category, please suggest a better one if I should post elsewhere…
GOAL: Allow BigFix console operator initiated actions to only work on Windows endpoints where the operator’s domain account has been elevated to administrator. Prevent operators from being able to take any action where they do not have elevated rights.
PROBLEM: BigFix client runs under the system account. Any action taken against an endpoint gets run as system, and no change control is in place for the servers visible from the operator’s console.
POSSIBLE SOLUTION:
Any/all information is welcome with how to accomplish this. I have discovered from the forum how to use secret parameters (thanks brolly33) and how to accomplish running an action as another user with “override”.
Thanks to JasonWalker for his post making sense of the command for me Tips for using override
Using Override, I can have the operator enter credentials before taking an action. I could then use a pre-execution script to test that user’s rights on the target system. If the pre-execution script passed the test of “Does this user have admin rights” then I could allow the rest of the action to execute. If they do not have admin rights the script would abort.
The console operator’s ID is associated with a change in the ticketing system and gets automated elevation when the change window opens. This would allow the operator to have access to apply changes using BigFix only on systems where they have an approved change and only during the window of the approved change.
I’m not aware of a way to enforce this ‘pre-execution’ check, but if I could, I think I could use this to expand the usage of BigFix in the environment.
Anyone aware of how to enforce pre-execution task on the endpoint that cannot be circumvented by an operator?
Many thanks - Monkeyboy
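An added example of the “Does this user have admin rights” pre-execution check the post describes; it is not code from the original post or from BigFix. It assumes the script is launched by the action under override as the operator’s domain account, so it inspects its own process token for the well-known BUILTIN\Administrators SID (which covers nested membership through domain groups) and signals the result both through its exit code and a marker file the rest of the action can test. The marker path and the file layout are assumptions, not a BigFix convention.

```powershell
# Added example (not from the original post or from BigFix): pre-execution
# admin-rights check meant to run under "override" as the operator's account.
# Exit code 0 = elevated local administrator, 1 = not.

$MarkerPath = 'C:\ProgramData\ChangeGate\admin-ok.txt'   # assumed path, choose your own
$AdminSid   = 'S-1-5-32-544'                             # well-known SID of BUILTIN\Administrators

# Remove any stale marker so an earlier run cannot vouch for this one.
if (Test-Path $MarkerPath) { Remove-Item $MarkerPath -Force }

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# Token groups include nested membership (e.g. a domain group that sits in the
# local Administrators group), which a plain 'net localgroup' listing would miss.
$inAdmins = [bool]($identity.Groups | Where-Object { $_.Value -eq $AdminSid })

# Under UAC an administrator's unelevated token still carries the SID but marked
# deny-only; WindowsPrincipal.IsInRole honours that mark and returns $false.
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

if ($inAdmins -and $elevated) {
    New-Item -ItemType Directory -Path (Split-Path $MarkerPath) -Force | Out-Null
    # Record who passed and when, so the marker can be correlated with the change window.
    "$($identity.Name) $(Get-Date -Format o)" | Set-Content -Path $MarkerPath
    Write-Output "OK: $($identity.Name) holds elevated local Administrators rights"
    exit 0
}

Write-Output "DENY: $($identity.Name) is not an elevated local administrator (member=$inAdmins, elevated=$elevated)"
exit 1
```

After the override-wrapped run of this script, the remainder of the ActionScript can gate itself with `continue if {exists file "C:\ProgramData\ChangeGate\admin-ok.txt"}` (same assumed path), so the action stops rather than proceeding as SYSTEM. If the token created for the override run turns out to be UAC-filtered, `$elevated` will be false even for genuine administrators; in that case decide whether `$inAdmins` alone is the policy you want. Whether the check holds against an operator who can edit the action is the open question in the post; the script only enforces the rule for actions that actually contain it.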