Automic Workload Automation


Windows Agents - Required Access

  • 1.  Windows Agents - Required Access

    Posted 09-12-2014 06:47 PM
    Hi.  Had a question on whether or not anyone has played around with the different rights that you need in order to run a UC4 job.  If you look in the HELP it says "the user that starts the Windows agent must have these rights".

    • Act as part of the operating system
    • Replace a process level token
    • Logon as service
    • Logon as batch job *)
    • Restore files and directories
    • Adjust memory quotas for a process

    But it says the user that STARTS the agent, not the users that just run UC4 jobs right?

    So I'm wondering has anyone played around with this from the standpoint of - removing these rights to see what is the bare minimum? 

    Yes, this is another security question - you can see what my life has become  :)

    The Windows team wants to lock down / remove as much access as possible.  They specifically don't like the right having to do with process tokens. 

    This is where my understanding is a little fuzzy.  If you look at Administrative Tools => Services at the UC4 service - it says "Log On  As" and has "Local System".  If you look in the Service Manager Dialog and go to the Properties it doesn't have anything in the fields for Log On As.  So..... what user is the agent running under?  SYSTEM?  Exactly what user needs to have these 6 rights?

    We have a domain account that we use to run jobs (uc4xyz).  We removed all rights from this user and tried to run jobs.  So far, all it seems like this userid needs is "logon as a batch job" and to be able to logon locally.  But this is just what we've seen so far.

    Can anyone explain what user exactly needs these 6 rights?
    And what exactly the agent is running under if it isn't started as a particular user?

    I do not want to update all our domain accounts to only have those 2 things - logon as a batch job and logon locally and have issues later.  Reduced security would make the Windows team happy, but maybe jobs won't run then. 

    Just wondering if anyone has played around with this and/or has a better understanding of Windows security than I do.

    Thanks in advance.

  • 2.  Windows Agents - Required Access

    Posted 09-15-2014 03:20 AM
    As far as I know, the later versions of Win agents (>2014) only need these 6 rights on the user who starts the agent.
    The user who runs this job needs less (sorry, not tested what rights exactly).

    If you look at Administrative Tools => Services at the UC4 service - it says "Log On  As" and has "Local System".
    => then the SMGR runs under local System account as well as all agents started via SMGR.

    You can start SMGR with a domain user (logon as in WIN Services), then all agents will be started with this Win user.

    If you only want to start one particular agent with domain credentials, you can enter the user credentials in the SMGR Dialog.

    Hope this helps a bit.
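
One way to check the split discussed in this thread, as an added example that is not from either poster or from the Automic documentation: parse the `[Privilege Rights]` section of a `secedit /export /cfg rights.inf /areas USER_RIGHTS` export and report which of the six rights the agent's start account lacks and which rights the job account holds. The sample export is constructed; the `EXAMPLE` domain and the `svc_uc4agent` account are hypothetical, and `uc4xyz` is the job account named in the first post.

```python
# The six rights the help lists for the user that starts the agent,
# keyed by the Windows constant used in secedit exports.
AGENT_RIGHTS = {
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeAssignPrimaryTokenPrivilege": "Replace a process level token",
    "SeServiceLogonRight": "Log on as a service",
    "SeBatchLogonRight": "Log on as a batch job",
    "SeRestorePrivilege": "Restore files and directories",
    "SeIncreaseQuotaPrivilege": "Adjust memory quotas for a process",
}
# What the job account appeared to need in the first post's test.
JOB_RIGHTS = {
    "SeBatchLogonRight": "Log on as a batch job",
    "SeInteractiveLogonRight": "Allow log on locally",
}
# Constructed sample export; EXAMPLE and svc_uc4agent are hypothetical.
# Real exports are typically UTF-16 and may list accounts as *SID, not names.
SAMPLE_INF = r"""[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-20,EXAMPLE\svc_uc4agent
SeBatchLogonRight = *S-1-5-32-544,EXAMPLE\uc4xyz,EXAMPLE\svc_uc4agent
SeInteractiveLogonRight = *S-1-5-32-544,EXAMPLE\uc4xyz
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,EXAMPLE\svc_uc4agent
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,EXAMPLE\svc_uc4agent
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(inf_text):
    """Map each right in [Privilege Rights] to the set of principals holding it."""
    rights, in_section = {}, False
    for line in (raw.strip() for raw in inf_text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, holders = line.partition("=")
            rights[name.strip()] = {h.strip().lstrip("*").lower()
                                    for h in holders.split(",") if h.strip()}
    return rights

def missing_rights(rights, principal, required):
    """Required rights not granted directly (group grants are not resolved)."""
    return [label for const, label in required.items()
            if principal.lower() not in rights.get(const, set())]

def held_rights(rights, principal):
    """Constants of every right granted directly to the principal."""
    return sorted(c for c, who in rights.items() if principal.lower() in who)
```

Run it against an export taken before and after rights are removed to see exactly what changed for each account; a right missing from the export entirely (as `SeTcbPrivilege` is in the sample) is treated as granted to nobody.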