rights elevation for applications in locked down environment
Hi All ,
Apologies , this is nowwhere related to packaging , but as I did not get any response in deployment forum , I thought I should give it a try in this forum .
We have implemented CA USD tool in our company for software deployment . All desktops are locked down (No access to c drive) . In this scenario we want to install the applications with elevated rights .
We want to open up restricted areas in C drive on an application basis so that they can write runtime data to those directories with elevated rights .
Most of the people suggest to create application groups in AD and elevate rights for that group to restricted directories (C:\PF|[ProductName] ) and then deploy the application hence during installation rights to identified restricted folders will be elevated .
I have few questions (I am new to AD policies):
1) Does right elevation for such directories mean adding this application group to the Administrator group and then deploy
OR
2) Actually access target directory folders in the AD and assign elevated permissions
Kindly suggest pointers to best practises for the same from your experience .
Cheers ,
V
Apologies , this is nowwhere related to packaging , but as I did not get any response in deployment forum , I thought I should give it a try in this forum .
We have implemented CA USD tool in our company for software deployment . All desktops are locked down (No access to c drive) . In this scenario we want to install the applications with elevated rights .
We want to open up restricted areas in C drive on an application basis so that they can write runtime data to those directories with elevated rights .
Most of the people suggest to create application groups in AD and elevate rights for that group to restricted directories (C:\PF|[ProductName] ) and then deploy the application hence during installation rights to identified restricted folders will be elevated .
I have few questions (I am new to AD policies):
1) Does right elevation for such directories mean adding this application group to the Administrator group and then deploy
OR
2) Actually access target directory folders in the AD and assign elevated permissions
Kindly suggest pointers to best practises for the same from your experience .
Cheers ,
V
0 Comments
[ + ] Show comments
Answers (4)
Please log in to answer
Posted by:
VikingLoki
18 years ago
There are many ways of going about setting the security. The standard process is to add a small custom action to your MSI packages that executes a command which will update security settings as the app needs them. SetACL.EXE is a very popular option, freely downloadable. You can even imbed it into the MSI's binary table and execute it from there.
With CA you don't really need to use AD. The package will only be deployed through Unicenter which will have it's own ID and credentials. That will have the ability to run the MSI install, which launches SetACL.exe. The only way AD would be involved is if you need tight security.
For example app 1 needs write access to Program Files\App1\tempdata. You could include SetACL.exe in the MSI binary table and execute it with a command line that sets the security of tempdata to give everyone read/write to Tempdata. The app will work fine.
BUT, if some sensitive data can be cached in tempdata, you may want to insure that only users of App1 have access to it. Then set the security for tempdata the same way as above, except give the App1Users group read/write access. The App1Users group will be an AD security group.
With CA you don't really need to use AD. The package will only be deployed through Unicenter which will have it's own ID and credentials. That will have the ability to run the MSI install, which launches SetACL.exe. The only way AD would be involved is if you need tight security.
For example app 1 needs write access to Program Files\App1\tempdata. You could include SetACL.exe in the MSI binary table and execute it with a command line that sets the security of tempdata to give everyone read/write to Tempdata. The app will work fine.
BUT, if some sensitive data can be cached in tempdata, you may want to insure that only users of App1 have access to it. Then set the security for tempdata the same way as above, except give the App1Users group read/write access. The App1Users group will be an AD security group.
Posted by:
viv_bhatt1
18 years ago
Sorry for late reply .
For App1Users group are you suggesting to use SetACL.exe to elevate rights in MSI .
This a good point but I have only one concern , as App1Users group is a group defined by the company in AD . Any changes to the naming convention of this group in future will call for a change in the package too .
I wanted to understand if I can achieve the same as suggested by you using group policies . Has anyone triedXcal .
Cheers ,
V
For App1Users group are you suggesting to use SetACL.exe to elevate rights in MSI .
This a good point but I have only one concern , as App1Users group is a group defined by the company in AD . Any changes to the naming convention of this group in future will call for a change in the package too .
I wanted to understand if I can achieve the same as suggested by you using group policies . Has anyone tried
Cheers ,
V
Rating comments in this legacy AppDeploy message board thread won't reorder them,so that the conversation will remain readable.