Trusts

By default, all Agents in an Ivanti Automation environment are allowed to use all Modules and all Resources when they execute Jobs. This behavior may not always be desirable in multi-tenant sites that serve multiple customers. In multi-tenant sites, "ownership" of customer-specific Agents, Modules and Resources often lies with customer representatives. You may therefore want to let customer representatives determine which Modules and Resources are used by that customer's Agents.

You can tackle these situations by configuring Trust relationships ("Trusts") between these objects. By configuring Trusts, you can create relationships between Agents and Modules and between Agents and Resources. This relationship is determined, on the one hand, by the Agent(s) that are trusted by the Module and/or Resource and, on the other hand, by the Module(s) and/or Resource(s) that are trusted by the Agent. As Trusts are evaluated at the moment of Job execution, it is the combination of these Trusts that determines whether or not an Agent can execute a Job with these Modules and Resources. This is only possible when a full Trust exists (i.e. the Module or Resource is trusted by the Agent AND the Agent is trusted by the Module or Resource).


For example:

  • If a full Trust exists between an Agent and a Module, the Agent is allowed to execute the Module. If it does not exist, the Module will fail.
  • If a Task in a Module uses a specific Resource, a full Trust must also exist between the Agent and the Resource. If it does not exist, the Task that uses the Resource will fail. Depending on the error control settings of the Task, this may fail the entire Module.

Trusts can be configured for Teams and Team folders, Agents, Modules and Module folders and on Resources and Resource folders.

Because you can delegate control over Trusts to the owners of Agents, Modules and Resources, a customer can determine which of its Agents are authorized to use which of its Modules and Resources.

Scenarios

Trusts are ideal in the following situations:

  • When owners of a customer-specific Module or Resource need to specify that it may only be used by that customer's Teams.
  • When owners of a customer-specific Team need to specify that only certain Modules and Resources may be used by that customer's Teams.
  • When only a specific Agent is allowed to use a specific Module with a specific Resource (for example, a specific AutoCad installation or an ISO with specific licensing information).

Configuring Trusts

  • Before Console users can start working with Trusts, you need to specify:
    • The behavior of Trusts in your Ivanti Automation environment. You can do this with the global setting Trusts Security. Best practice is to set Trusts Security to "Disabled, configure only" first: this setting does not enable Trusts, but allows Console users that log on with administrative role Full Access to configure Trusts and to assign administrative role permissions to them. Once you have configured all relevant Trusts, you can safely enable Trusts Security. See Global Settings.
    • Which Console users are allowed to do this, and on which items they are allowed to configure Trusts. Because "ownership" of customer-specific Agents, Modules and Resources often lies with customer representatives in multi-tenant sites, you may want to delegate control over Trusts to these representatives first, before you enable Trusts in your environment. This prevents situations in which unauthorized personnel can configure Trusts. You can delegate control over Trusts by assigning permissions to Trusts to specific administrative roles. See Permissions on Trusts.
  • Once you have specified the behavior of Trusts and have delegated control over Trusts to Console users, Console users can configure Trusts and assign permissions to Trusts, depending on the permissions of their administrative role. Console users can configure Trusts for Agents, Team folders, Teams, Resource folders, Resources, Module folders and Modules by using the Trusts tab when editing these items.
    • When editing a Team folder, Team or Agent, the Trusts tab is divided into the tabs Trusted Modules and Trusted Resources. These tabs allow you to configure Trusts for Module folders, Modules, Resource folders and Resources.
    • When editing a Resource folder, Resource, Module folder or Module, the Trusts tab allows you to configure Trusts for Team folders, Teams and Agents.
  • All items that are shown on the various Trusts tabs are subject to the access permissions of the administrative role(s) of the Console user.

Trusts can be explicit or inherited:

  • A Trust on a Team folder can be explicit or, if applicable, inherited from its parent folder.
  • A Trust on a Team can be explicit or, if applicable, inherited from its Team folder.
  • A Trust on an Agent can be explicit or, if applicable, inherited from its primary Team. Agents that do not have a primary Team will be listed in the root folder of Trusted Teams and Agents (available when configuring Trusts on Resources and Modules and/or their folders).
  • A Trust on a Module folder or a Resource folder can be explicit or, if applicable, inherited from its parent folder.
  • A Trust on a Module or a Resource can be explicit or, if applicable, inherited from its parent folder.

At Job execution, each time an Agent uses a Module or Resource, all Trusts on the relevant Agents, Modules and Resources in the Job will be evaluated.

  • If a full Trust exists between an Agent and a Module, the Agent is allowed to execute the Module. If a full Trust does not exist, the Module will fail due to a breach of Trust.
  • If a Task in a Module uses a specific Resource, a full Trust must also exist between the Agent and the Resource. If a full Trust does not exist, the Task that uses the Resource will fail. Depending on the error control settings of the Task, this may fail the entire Module.
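
The evaluation described above can be modelled in a few lines. This is an added example, not Ivanti code: the class and function names and the tenant layout are hypothetical. It assumes that Trusts Security is Enabled, that an explicit Trust setting replaces an inherited one, that trusting a folder or Team covers everything beneath it, and that an object with no Trusts configured trusts nothing.

```python
from dataclasses import dataclass
from typing import Iterator, Optional

@dataclass(eq=False)  # identity hashing, so nodes can be members of Trust sets
class Node:
    """A folder, Team, Agent, Module or Resource in this simplified model."""
    name: str
    parent: Optional["Node"] = None   # parent folder; primary Team for an Agent
    trusts: Optional[set] = None      # explicit Trusts; None means "inherit"

    def chain(self) -> Iterator["Node"]:
        """Yield this node, then each ancestor up to the root."""
        node = self
        while node is not None:
            yield node
            node = node.parent

    def effective_trusts(self) -> set:
        """Nearest explicit Trust set on the chain (assumed override rule)."""
        for node in self.chain():
            if node.trusts is not None:
                return node.trusts
        return set()                  # assumption: nothing configured, trusts nothing

def trusts(a: Node, b: Node) -> bool:
    """a trusts b if b, or a container of b, is in a's effective Trusts."""
    allowed = a.effective_trusts()
    return any(n in allowed for n in b.chain())

def full_trust(agent: Node, obj: Node) -> bool:
    return trusts(agent, obj) and trusts(obj, agent)   # both directions required

def run_module(agent: Node, module: Node, task_resources: dict):
    """Return (Module status, Tasks that failed for lack of a full Resource Trust)."""
    if not full_trust(agent, module):
        return "breach of Trust", []
    # Whether a failed Task fails the whole Module depends on its error control.
    return "executed", [t for t, r in task_resources.items() if not full_trust(agent, r)]

# Constructed tenant layout (all names hypothetical).
teams_a, mods_a, res_a = Node("Customer A Teams"), Node("Customer A Modules"), Node("Customer A Resources")
team_a = Node("Team A", teams_a)
a1, a2 = Node("A1", team_a), Node("A2", team_a)
b1 = Node("B1", Node("Team B", trusts={mods_a}))      # one-sided Trust only
install = Node("Install CAD", mods_a)
iso = Node("licensed.iso", res_a, trusts={a1})        # explicit: Agent A1 only
teams_a.trusts, mods_a.trusts, res_a.trusts = {mods_a, res_a}, {teams_a}, {teams_a}
TASKS = {"Mount ISO": iso}
```

In this model Agent A1 runs the Module and its Task, Agent A2 runs the Module but its Resource Task fails, and Agent B1 is stopped at the Module because Team B trusts the Module folder while the folder does not trust Team B.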

Configuration

  • To use Trusts in your Ivanti Automation environment, set the global setting Trusts Security to Enabled. When enabled, any Trusts in your environment will be applied. See the global setting Trusts Security.
  • You can configure Trusts on Agents, Teams and Team folders, Modules and Module folders and on Resources and Resource folders.
  • When creating a Building Block of Modules and/or Resources, any Trusts on Teams and Agents will not be included in the Building Block.
  • Agents that use a Team as their primary Team not only inherit its Trusts (Security settings), but also its Team settings (Topology settings). It is therefore recommended to consider the consequences before assigning an Agent to a different primary Team, as this may have a severe impact on the performance of the Agent.

    Best practice: Create a Team folder, configure Trusts on this folder and add the two primary Teams to the Team folder. In this way, it is not necessary to change Team settings or Trusts for each primary Team: the Agent will still inherit the correct settings from its primary Team. See Teams.