brucetimberlake Absent Member.

Which attribute/ACL is needed to start drivers with dxcmd ?

I'm working on enabling our Nagios system to restart some drivers that periodically stop -- Google drivers, due to API limits exceeded, and almost always in the middle of the night. A simple restart usually does the trick, but I'm trying to sort out a way that the ops on-call person doesn't get paged unless there's a problem that a restart (or two) won't fix.

I've gotten my script working, but only with way more permissions allowed for the Nagios user than I'm comfortable with. Before this testing, the Nagios user had read/compare access to DriverSet.IDM.services, but that's not sufficient for "dxcmd -start" to work.

I don't want to use the tree admin account. During testing, granting full write access to DriverSet.IDM.services (inherited) lets Nagios start a driver, but that is way too much permission for what I want. After Nagios did restart a driver, I checked via iMonitor for any attributes on the driver object modified by the Nagios user, thinking that would let me figure it out. But no luck there.

I also tried using RBS (assigning DirXML-Management for the scope DriverSet.IDM.services) and that works as well, but I'm concerned that it's also potentially too much access if the Nagios account were ever compromised.

So does anyone know what specific attribute(s) I need write access to in order to dxcmd -start a driver? Thanks for any insights (or even a link to TFM I can R).
Knowledge Partner

Re: Which attribute/ACL is needed to start drivers with dxcmd ?

brucetimberlake wrote:

>
> I'm working on enabling our Nagios system to restart some drivers that
> periodically stop -- Google drivers, due to API limits exceeded, and
> almost always in the middle of the night. A simple restart usually does
> the trick, but I'm trying to sort out a way that the ops on-call person
> doesn't get paged unless there's a problem that a restart (or two) won't
> fix.
>
> I've gotten my script working, but only with way more permissions
> allowed for the Nagios user than I'm comfortable with. Before this
> testing, the Nagios user had read/compare access to
> DriverSet.IDM.services, but that's not sufficient for "dxcmd -start" to
> work.
>
> I don't want to use the tree admin account. During testing, granting
> full write access to DriverSet.IDM.services (inherited) lets Nagios
> start a driver, but that is way too much permission for what I want.
> After Nagios did restart a driver, I checked via iMonitor for any
> attributes on the driver object modified by the Nagios user, thinking
> that would let me figure it out. But no luck there.
>
> I also tried using RBS (assigning DirXML-Management for the scope
> DriverSet.IDM.services) and that works as well, but I'm concerned that
> it's also potentially too much access if the Nagios account were ever
> compromised.
>
> So does anyone know what specific attribute(s) I need write access to in
> order to dxcmd -start a driver? Thanks for any insights (or even a link
> to TFM I can R).


DirXML-AccessRun - Start and stop Identity Manager drivers and jobs

I can't find a reference to this in recent doc.

Here's a link to the IDM 3.6 doc

https://www.netiq.com/documentation/idm36/idm_security/data/bqfp9f8.html

--
If you find this post helpful, and are viewing this using the web, please show
your appreciation by clicking on the star below
Alex McHugh - Knowledge Partner - Stavanger, Norway
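As an added example (not code from this thread, from NetIQ or from Micro Focus) of putting the answer above into practice: a one-time ACL grant that gives the monitoring account write access to nothing but DirXML-AccessRun, plus a Nagios event handler that uses that account through dxcmd to restart a driver a bounded number of times before letting the on-call page go out. Everything named here is assumed: the service account nagios.services (cn=nagios,o=services in LDAP form), the driver set DriverSet.IDM.services (cn=DriverSet,ou=IDM,o=services), the driver "Google Driver.DriverSet.IDM.services", the LDAP host, the eDirectory ACL privilege encoding (1=compare, 2=read, 4=write, so 7 is all three, with "subtree" scope so the grant on the driver set covers the driver objects under it), the dxcmd state codes (0 stopped, 1 starting, 2 running, 3 shutting down, as I recall them from the dxcmd help text) and how dxcmd reports the state for -getstate, which is isolated in one function so it can be corrected for your build.

```shell
#!/bin/sh
# Added example (not from the thread, NetIQ or Micro Focus): least-privilege
# driver restart for a monitoring account.  All names below are assumptions:
#   service account  nagios.services          (LDAP: cn=nagios,o=services)
#   driver set       DriverSet.IDM.services   (LDAP: cn=DriverSet,ou=IDM,o=services)
#   driver           Google Driver.DriverSet.IDM.services

# --- 1. One-time ACL grant, run once by an administrator -------------------
# eDirectory ACL value: privileges#scope#subject#protectedattr.  Attribute
# privileges: 1=compare, 2=read, 4=write, so 7 is all three.  "subtree" makes
# the grant on the driver set apply to the driver objects beneath it.  The
# account gets write access to this one attribute and nothing else.
grant_access_run() {
  ldapmodify -H ldaps://idm.example.com -D cn=admin,o=services -W <<'EOF'
dn: cn=DriverSet,ou=IDM,o=services
changetype: modify
add: ACL
ACL: 7#subtree#cn=nagios,o=services#DirXML-AccessRun
EOF
}

# --- 2. Driver control through dxcmd ---------------------------------------
DXCMD_USER=${DXCMD_USER:-nagios.services}
DXCMD_PASSWORD=${DXCMD_PASSWORD:-}   # load from a root-owned env file; note that
                                     # -password is visible in `ps` on the host
DXCMD_HOST=${DXCMD_HOST:-localhost}
STATE_RUNNING=2                      # assumed dxcmd states: 0 stopped, 1 starting,
                                     # 2 running, 3 shutting down (verify on your build)

# Single choke point for dxcmd, so the logic below is testable without an IDM host.
run_dxcmd() {
  dxcmd -user "$DXCMD_USER" -password "$DXCMD_PASSWORD" -host "$DXCMD_HOST" "$@"
}

# Print the numeric state of driver $1.  Takes the last integer dxcmd prints
# for -getstate and falls back to its exit code when it prints none (an
# assumption about how dxcmd reports state; adjust here only).
driver_state() {
  rc=0
  out=$(run_dxcmd -getstate "$1" 2>/dev/null) || rc=$?
  n=$(printf '%s\n' "$out" | grep -o '[0-9][0-9]*' | tail -n 1)
  if [ -n "$n" ]; then printf '%s\n' "$n"; else printf '%s\n' "$rc"; fi
}

# Start driver $1 at most $2 times (default 2), waiting $3 seconds (default
# 30) after each start before re-checking.  Returns 0 once the driver is
# running, 1 when it is time to let Nagios page the on-call person.
restart_with_retries() {
  dn=$1; max=${2:-2}; wait_s=${3:-30}; attempt=1
  [ "$(driver_state "$dn")" = "$STATE_RUNNING" ] && return 0
  while [ "$attempt" -le "$max" ]; do
    run_dxcmd -start "$dn" >/dev/null 2>&1 || true
    sleep "$wait_s"
    [ "$(driver_state "$dn")" = "$STATE_RUNNING" ] && return 0
    attempt=$((attempt + 1))
  done
  return 1
}

# --- 3. Nagios event-handler entry point -----------------------------------
# Invoke as: NAGIOS_EVENT_HANDLER=1 driver_restart.sh $SERVICESTATE$ $SERVICESTATETYPE$ <driver DN>
# Only CRITICAL triggers a restart.  If the driver is still down after the
# retries the handler exits 1 and Nagios' normal notification takes over.
if [ "${NAGIOS_EVENT_HANDLER:-0}" = "1" ]; then
  case "$1/$2" in
    CRITICAL/*) restart_with_retries "$3" "${MAX_RESTARTS:-2}" "${RESTART_WAIT:-30}"; exit $? ;;
    *) exit 0 ;;
  esac
fi
```

Two checks worth doing after the grant: confirm with iMonitor or ldapsearch that the nagios account has no write right on any other attribute of the driver set subtree, and run the handler once by hand as the nagios user so a failure of -start shows up as a rights error rather than as a 3 a.m. page.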
cpedersen Outstanding Contributor.

Re: Which attribute/ACL is needed to start drivers with dxcmd ?

On 03.04.18 12:12, Alex McHugh wrote:
> brucetimberlake wrote:
>
>>
>> I'm working on enabling our Nagios system to restart some drivers that
>> periodically stop -- Google drivers, due to API limits exceeded, and
>> almost always in the middle of the night. A simple restart usually does
>> the trick, but I'm trying to sort out a way that the ops on-call person
>> doesn't get paged unless there's a problem that a restart (or two) won't
>> fix.
>>
>> I've gotten my script working, but only with way more permissions
>> allowed for the Nagios user than I'm comfortable with. Before this
>> testing, the Nagios user had read/compare access to
>> DriverSet.IDM.services, but that's not sufficient for "dxcmd -start" to
>> work.
>>
>> I don't want to use the tree admin account. During testing, granting
>> full write access to DriverSet.IDM.services (inherited) lets Nagios
>> start a driver, but that is way too much permission for what I want.
>> After Nagios did restart a driver, I checked via iMonitor for any
>> attributes on the driver object modified by the Nagios user, thinking
>> that would let me figure it out. But no luck there.
>>
>> I also tried using RBS (assigning DirXML-Management for the scope
>> DriverSet.IDM.services) and that works as well, but I'm concerned that
>> it's also potentially too much access if the Nagios account were ever
>> compromised.
>>
>> So does anyone know what specific attribute(s) I need write access to in
>> order to dxcmd -start a driver? Thanks for any insights (or even a link
>> to TFM I can R).

>
> DirXML-AccessRun - Start and stop Identity Manager drivers and jobs
>
> I can't find a reference to this in recent doc.
>
> Here's a link to the IDM 3.6 doc
>
> https://www.netiq.com/documentation/idm36/idm_security/data/bqfp9f8.html


The recent version is here:
https://www.netiq.com/documentation/identity-manager-47/security/data/bqfp9f8.html




Casper

brucetimberlake Absent Member.

Re: Which attribute/ACL is needed to start drivers with dxcmd ?

Outstanding! Thank you very much for the link.
Knowledge Partner

Re: Which attribute/ACL is needed to start drivers with dxcmd ?

On 4/3/2018 12:44 PM, brucetimberlake wrote:
>
> Outstanding! Thank you very much for the link.


And heck, I even vaguely mention it in my latest article on User App
permissions, since it uses those odd attributes for User App as well.

https://www.netiq.com/communities/cool-solutions/different-permissions-user-application/


