Potential Issues When Using Multiple Administrators

Usage Issues

You must take a few common sense precautions when using multiple administrators. Even though Security Controls contains a number of built-in safety checks, it cannot guard against all possibilities. The program may act in unpredictable ways if the following occur:

  • If two administrators try to scan the same machine group or ESXi Hypervisor at the same time.
  • The machines will be scanned twice, causing potential performance issues. In addition, there may be administrative rights errors due to the multiple connections.

  • If two or more administrators try to deploy patches or bulletins to the same machine at the same time.

The most likely result is that one deployment task will succeed and the other will fail. But because the deployment that succeeds will likely perform a restart of the target machines, the machines may be in an unknown state when the other deployment fails.

Credential Issue

If You Choose Not to Use Shared Credentials

When you create credentials and assign them to machines, those credentials belong to your administrator account. If a different administrator (Administrator B) logs on and uses Security Controls, they will not have access to the machine credentials you provided. The second administrator must provide their own machine credentials.

One of the ways this can be confusing is if Administrator B fails to provide their own machine credentials and tries to schedule a patch deployment from a scan that was performed by Administrator A. The deployment can be successfully scheduled if default credentials are available, but the actual patch deployment will likely fail because the patch deployment requires machine credentials -- credentials that were provided by Administrator A but that are not available to Administrator B.

Recommendations:

  • Each administrator should create their own credentials and assign them to machines
  • Each administrator should define default credentials that are the same as their logon credentials. This will eliminate some of the problems that may occur if the administrator forgets to assign machine credentials.

If You Choose to Use Shared Credentials

Much of the pain described above can be eliminated by using shared credentials. Sharing a credential enables other users to use the credential without knowing the secure details about the credential. For complete details, see Shared Credentials.

Virtual Inventory Consideration

Unlike machine groups (which can be viewed by all administrators), vCenter Servers and ESXi Hypervisors can only be viewed by the administrator that added them to Security Controls. If two different administrators want to manage the same vCenter Server or ESXi Hypervisors, both administrators must add the item to the Virtual Inventory list.