Configure Trusts

With Trusts, you can create "trusted" relationships between Agents, Modules and Resources, and so determine whether an Agent can execute a Job with these Modules and Resources. This further increases security in an environment and is especially useful in multi-tenant sites serving multiple customers.

Set up Trust security

First, to use Trusts in your Ivanti Automation environment, you need to enable Trusts Security:

  • In the Console, at Setup > Global Settings, enable Trusts Security.

When enabled, any Trusts in your environment will be applied. If you have a login with the administrative role Full Access, you can also set it to Configure only, which does not (yet) enable Trusts Security.

Delegate control over Trusts

Second, you need to assign permissions for Trusts to specific administrative roles.

Configure Trust relationships

After that, you need to configure Trusts on each level: Agents, Teams, Team folders, Modules, Module folders, Resources and Resource folders. The Trusts tab is only shown when Trusts Security is enabled or set to Configure only.

At Topology > Agents (or Teams), on the Agent's (or Team's, or Team folder's) Trusts tab, you can:

  • Show (and filter on) all trusted Modules and trusted Resources.
  • Set the following trust options: Trust (Allow), Do not trust (Deny), Inherit trust (Inherit).

At Library > Modules (or Resources), on the Module's (or Module folder's, or Resource's, or Resource folder's) Trusts tab, you can:

  • Show (and filter on) all trusted Agents and trusted Teams.
  • Set the following trust options: Trust (Allow), Do not trust (Deny), Inherit trust (Inherit).

Best practice: create a Team folder, configure Trusts on this folder and add the two primary Teams to the Team folder. In this way, it is not necessary to change Team settings or Trusts for each primary Team: the Agent will still inherit the correct settings from its primary Team.

Trusts can be explicit or inherited:

  • On the highest level (for example, a Team folder), you can set an explicit Trust or leave it at the default value Allowed.
  • On the lower levels, an item can inherit from its parent folder, or you can override the settings and make explicit Trust exceptions. For example, Teams inherit the Trusts from their Team folder, and Agents inherit from their primary Team.
  • Agents that do not have a primary Team will be listed in the root folder of Trusted Teams and Agents.

Job execution

At Job execution, each time an Agent uses a Module or Resource, all Trusts on the relevant Agents, Modules and Resources in the Job will be evaluated.

  • If a full Trust exists between an Agent and a Module, the Agent is allowed to execute the Module. If a full Trust does not exist, the Module will fail due to a breach of Trust.
  • If a Task in a Module uses a specific Resource, a full Trust must also exist between the Agent and the Resource. If a full Trust does not exist, the Task that uses the Resource will fail. Depending on the error control settings of the Task, this may fail the entire Module.
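An added example, not part of the Ivanti documentation or product code: a simplified Python model of how Allow, Deny and Inherit settings could resolve through Teams and folders before a Module runs. It assumes that the nearest explicit setting wins and that a full Trust means both sides resolve to Allow; all names and sample data are constructed.

```python
# Simplified, assumed model of the Trust evaluation described above (not Ivanti code).
ALLOW, DENY, INHERIT = "Allow", "Deny", "Inherit"

class Node:
    """An Agent, Team, Module, Resource or folder with its Trusts tab settings."""
    def __init__(self, name, parent=None, trusts=None):
        self.name = name
        self.parent = parent        # primary Team or parent folder; None at the top
        self.trusts = trusts or {}  # counterpart name -> ALLOW / DENY / INHERIT

    def lineage(self):
        node = self
        while node is not None:     # lowest level first, then each parent
            yield node
            node = node.parent

def effective(node, other):
    """Resolve node's setting toward other; nearest explicit setting wins (assumption)."""
    for level in node.lineage():
        for target in other.lineage():
            setting = level.trusts.get(target.name, INHERIT)
            if setting != INHERIT:
                return setting
    return ALLOW                    # default value at the highest level

def full_trust(a, b):
    """Assumption: a full Trust means both sides resolve to Allow."""
    return effective(a, b) == ALLOW and effective(b, a) == ALLOW

def breaches(agent, module, resources=()):
    """Names of the Module/Resources the Agent lacks a full Trust with."""
    return [n.name for n in (module, *resources) if not full_trust(agent, n)]

# Constructed multi-tenant sample data.
customers = Node("Customers")                       # Team folder
tenant_a = Node("TenantA", customers)               # Teams
tenant_b = Node("TenantB", customers)
srv_a1 = Node("srv-a1", tenant_a)                   # Agents with a primary Team
srv_b1 = Node("srv-b1", tenant_b)
srv_b2 = Node("srv-b2", tenant_b)
a_modules = Node("TenantA Modules", trusts={"TenantB": DENY})       # Module folder
deploy = Node("Deploy App A", a_modules, trusts={"srv-b2": ALLOW})  # explicit exception
db_creds = Node("db-credentials", trusts={"srv-a1": DENY})          # Resource

if __name__ == "__main__":
    for agent in (srv_a1, srv_b1, srv_b2):
        print(agent.name, breaches(agent, deploy, [db_creds]) or "full Trust")
```

An empty list from `breaches` corresponds to the Module being allowed to execute; a Resource name in the list corresponds to the Task that uses that Resource failing.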

When creating a Building Block of Modules and/or Resources, any Trusts on Teams and Agents will not be included in the Building Block.