Running a Task, Rule, or Monitor with Run As in Operations Manager 2007
Run As Profiles and Run As Accounts together provide an appropriate identity to run a task, rule, or monitor in Operations Manager 2007. A Run As Profile allows a Management Pack author to associate an identity, other than the default action account, with a module so that it can run as that identity.
A Run As Account represents an identity that can be associated with a Run As Profile. Management Pack authors with the necessary user rights can create tasks, rules, or monitors to perform various functions. Run As Accounts and Run As Profiles enable tasks, rules, or monitors to run with the account that has the necessary user rights.
Note
As an Operations Manager administrator, be sure you know what actions are going to be performed when importing Management Packs. This is especially important when importing Management Packs containing a task, rule, or monitor that uses a Run As Profile. Ensure that you understand the function of any module for which you specify a Run As Account associated with a Run As Profile.
The following example illustrates the relationship between Run As Profiles and Run As Accounts. Sam is working on a Management Pack for his company's Line of Business (LOB) application and is creating a Get Data task. Sam knows that the action account that he is using might not have sufficient rights to run this task; however, Jane, the LOB Administrator, does have sufficient user rights. So Sam will configure the task to run with Jane’s credentials.
While authoring the Management Pack, Sam creates a Run As Profile called Data Operators and associates it with the task module. When the LOB Management Pack containing the Get Data task is imported into Operations Manager 2007, the Run As Profile associated with the task will be included in the import and Data Operators will appear in the list of available Run As Profiles.
The Operations Manager 2007 administrator will create a Run As Account configured with Jane’s credentials. The Run As Account is then added to the Run As Profile that the task will use. The target computer on which the Run As Account will be used will also need to be explicitly specified in the Run As Profile.
Note
The default account for the Run As Profile is the action account. By default, all rules, monitors, and tasks on an agent will run as the action account for that agent. Consider what the action account should be, and choose an account with appropriate rights. A domain administrator account has a wide range of rights, so under the principle of least privilege it would not be a good choice. The credentials associated with a particular Run As Account should carry only the privileges necessary. It is suggested that you do not associate high-privilege accounts unless absolutely necessary.
Run As Profiles default to the action account when they are created but can later be overridden on a per-computer basis. Because each computer requires a different credential, Operations Manager 2007 administrators can associate multiple Run As Accounts with each Run As Profile, which is useful when the Run As Profile is used on different computers.
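The following added example (not part of the original documentation and not Operations Manager code) models how the identity for a module is resolved from a Run As Profile, a target computer, and the agent's action account, and then flags resolved identities that hold high-privilege group membership. The domain, computer names, service account names, and group memberships are constructed sample data; only Data Operators and Jane come from the scenario above.

```python
# Added example: models Run As resolution; it does not call Operations Manager.
# All names below except "Data Operators" and Jane are constructed sample data.

# Agent action account per computer: the default identity on that agent.
ACTION_ACCOUNTS = {
    "LOB-APP01": r"CONTOSO\svc-opsaction",
    "LOB-APP02": r"CONTOSO\svc-opsaction",
    "FILE01": r"CONTOSO\Administrator",  # deliberately over-privileged
}

# Run As Profile -> {target computer: Run As Account}. Computers not listed
# have no association, so modules bound to the profile use the action account.
PROFILES = {
    "Data Operators": {"LOB-APP01": r"CONTOSO\jane"},
}

# Group membership per account (constructed) and groups treated as high privilege.
ACCOUNT_GROUPS = {
    r"CONTOSO\jane": {"LOB Administrators"},
    r"CONTOSO\svc-opsaction": {"Domain Users"},
    r"CONTOSO\Administrator": {"Domain Admins", "Domain Users"},
}
HIGH_PRIVILEGE_GROUPS = {"Domain Admins", "Enterprise Admins"}


def effective_identity(profile, computer):
    """Identity a module bound to `profile` runs as on `computer`."""
    if computer not in ACTION_ACCOUNTS:
        raise KeyError(f"no agent inventory entry for {computer}")
    return PROFILES[profile].get(computer, ACTION_ACCOUNTS[computer])


def audit_least_privilege():
    """Return (profile, computer, account, groups) for high-privilege identities."""
    findings = []
    for profile in sorted(PROFILES):
        for computer in sorted(ACTION_ACCOUNTS):
            account = effective_identity(profile, computer)
            risky = ACCOUNT_GROUPS.get(account, set()) & HIGH_PRIVILEGE_GROUPS
            if risky:
                findings.append((profile, computer, account, sorted(risky)))
    return findings


if __name__ == "__main__":
    for finding in audit_least_privilege():
        print("high-privilege identity:", finding)
```

In this sample the only finding is FILE01, where no Run As Account is associated with the profile and the module therefore falls back to an over-privileged action account.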