Security settings

At Setup > Global Settings, you can define the general settings of your Ivanti Automation environment, and the default settings of Dispatchers and Agents.

Security

Protect clear of audits

Protects the Audit Trail list with a password.

Remote Console

Specifies whether the Remote Console functionality is available. With this functionality, you can open a remote Console on an Agent. The setting Remote Console is enabled by default. You can also set access permissions on the Remote Console functionality.

RunBookWho

Specifies whether the RunBookWho functionality is available when configuring Run Book Jobs.

  • Enabled: The option Use Run Book Parameter is available when configuring Run Book Jobs. With this setting, you can parameterize the Who field with the parameter $[RunBookWho], to specify which Team(s) or Agent(s) should perform the Job. This is particularly useful when using the Run Book in a Ivanti Identity Director service.
    • With the setting Enhanced security, you are only allowed to schedule a Run Book with a $[RunBookWho] parameter configured in the Who field when using a login with Ivanti Automation Authentication. Before enabling this option, you need to reschedule all existing Run Book Jobs that are scheduled before Ivanti Automation 2015 SR3 and all existing Run Book Jobs that are scheduled using a login with Windows Authentication. Otherwise, these Jobs will fail.
  • Disabled: the functionality will no longer be available for new Run Book Jobs. In existing Run Book Jobs, the functionality will still be available until a different sub-option is selected and saved. In that case, the parameter $[RunBookWho] will not be removed from the Run Book, but it can no longer be used for Job scheduling purposes.

Trusts Security

Specifies the behavior of Trusts in your Ivanti Automation environment. With Trusts, you can create "trusted" relationships between Agents, Modules and Resources, and so determine whether an Agent can execute a Job with these Modules and Resources. This further increases security in an environment and is especially useful in multi-tenant sites serving multiple customers.

  • Disabled: disables Trusts. Use this setting if it is not or no longer necessary to use Trusts in your environment. When disabled, it will not be possible to configure Trusts or to assign administrative role permissions to them. The Trusts tabs on Agents, Team folders, Teams, Resource folders, Resources, Module folders and Modules will be hidden in the Console, as well as all Trusts columns in administrative roles. Any existing Trusts will no longer be applied at Job execution. Trusts Security is disabled by default.
  • Disabled, configure only: disables Trusts, but allows Console users that log on with administrative role Full Access to configure Trusts and to assign administrative role permissions to them: the Trusts tabs on Agents, Team folders, Teams, Resource folders, Resources, Module folders and Modules, and the Trusts columns in administrative roles will only be available for these users.

    This setting is considered to be best practice when fine-tuning Trusts before enabling it in your environment: Any configured Trusts will NOT be applied at Job execution, and any Console users without the administrative role Full Access will not be able to configure Trusts. Once you have configured all relevant Trusts, you can safely enable Trusts Security.
  • Enabled: enables Trusts. When Trusts Security is enabled, the Trusts tabs on Agents, Team folders, Teams, Resource folders, Resources, Module folders and Modules, and the Trusts columns in administrative roles will become available to all Console users (provided that their administrative role grants access to these items). Any Trusts in your environment will be applied at Job execution, and any administrative role permissions that you have assigned will also be applied when Console users log on with these administrative roles.

Limit Job Export

Specifies whether the Export Job Results functionality is limited to the access permissions of a Console user's administrative role. When enabled, Console users can only export the results of Jobs that are executed by Agents to which they have access (Read/Modify). Console users must have access to all Agents in the Job: if the Console user does not have access to one or more Agents in the Job, the results of this Job cannot be exported.

  • If the Console user has insufficient permissions, any Job export functionality will be hidden in the Console, and neither will it be possible to export the results of these Jobs using a command line.
  • At Administration > Security, if the option Limit task details when read permissions are set has been selected in an administrative role (Library > Modules node), and the Console user only has Read access to the Modules node, he can only export limited information.

The setting Limit Job Export is disabled by default.

Limit Job Execution

Specifies which Jobs Console users can see in the Jobs nodes, based on the Console user's administrative role(s).

When enabled, Console users can only view Jobs that are executed by Agents to which they have access (Read/Modify). In the Jobs nodes the number of hidden job results will be shown as a text. Console users must have access to all Agents in the Job: if the Console user does not have access to one or more Agents in the Job, the Job will not be shown.

The setting Limit Job Execution is disabled by default.

Allow agents to be added to a team programmatically

Specifies whether Agents can be added to a Team via the Console, but also:

  • During unattended installations of an Agent (by applying properties to its MSI).
  • Via a registry value.

If the setting is disabled, it will only be possible to add Agents to a Team via the Console. The setting Allow agents to be added to a team programmatically is enabled by default.