-
Title
Allowing Start / Stop / Restart / Resume of only some services via the Web Interface -
Description
Some services on a server or workstation need to have restricted access due to business reasons or security concerns, but an Administration Group needs access to be able to restart some services on the same host.
By default, Active Roles can only delegate access to all services. The following steps will interrupt the operation if a delegated Administration Group attempts to manipulate a restricted service.
-
Resolution
Administration Templates related to Services are applied to a computer object, and not a service object. This means that it is not possible to control access to individual services via an Administration Template alone.
It is possible to create a Workflow which listens to changes to objects of edsService and can allow or deny these changes as desired.
- Create a new triggered Workflow.
- Expand the Workflow options and start conditions at the top and choose Configure.
- In the Operations Conditions section choose Select Operation
- Next to Target object type: choose the ellipsis (...)
- Find the Service / edsService object type and choose OK
- Select Modify Properties and then choose Next
- Choose These Service properties: and then choose Add...
- Check the box labeled Show all possible properties and then check off the edsaPauseService edsaRestartService edsaResumeService edsaStartService and edsaStopService attributes, or any combination of these attributes as desired.
- Choose OK and OK again.
We now have a Workflow which listens to changes to these particular attributes and which will trigger if they are modified. The Workflow target is the edsService object.
We can now drag-and-drop an If-Else basic activity into the body of the Workflow above the Operation Execution.
NOTE: If-Else branches are processed left to right.
We can query the Distinguished Name (dn) of the Workflow target in order to determine what we want to allow or deny.
The Distinguished Name of one or more edsService objects will be in the following format:
CN=ServiceName,CN=Services,CN=HostName$,CN=DomainNetBios,CN=Network
ex: The IIS Service on the host called WebServer in the Contoso Domain would have a dn of CN=IISADMIN,CN=Services,CN=WEBSERVER$,CN=CONTOSO,CN=Network
Enhancement Request 723151 has been created to integrate this functionality into the product to be controlled via an Access Template.
-
Additional Information
The exact dn of an edsService object can be obtained by dropping in a script which dumps the request object to a text file.q