Product Documentation

Security Considerations

Oct 16, 2015

This topic provides information about Operations Manager action accounts and about using low-privilege accounts with the Citrix EdgeSight Management Pack and the SCOM alert action.

EdgeSight Management Pack

The EdgeSight Management Pack uses the default agent action account that is created when Operations Manager is first installed to perform discovery and run rules, tasks, and monitors. By default, Operations Manager assigns the Local System account as the agent action account. When running as Local System, the agent action account has all the privileges necessary to perform discovery and run rules, tasks, and monitors.

Low-Privilege Environments

You can use a low-privilege account for the agent action account; however, the service recovery tasks require elevated rights. The low-privilege account must meet the following requirements:

  • Member of the local users group
  • Granted Log On Locally rights

With the low-privilege action account the following features are supported:

  • EdgeSight Server Discovery
  • EdgeSight RSSH service monitoring
  • Launch the EdgeSight Console

With the low-privilege action account the following features are not supported:

  • Recovery task to restart the Citrix RSSH Admin Service
  • Recovery task to restart the Citrix RSSH Application Manager Service
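
One way to audit a candidate agent action account against the two requirements above, as an added example that is not Citrix or Microsoft code. The account name is a constructed placeholder, only direct local group membership is checked (membership inherited through a domain group such as Domain Users is not expanded), and the Administrators check is an extra assumption about what "low-privilege" should exclude.

```powershell
# Added example. The default account name is a constructed placeholder.
# Run elevated on the monitored server: secedit /export needs admin rights.
param([string]$Account = 'CONTOSO\svc-scom-action')

function Resolve-Sid([string]$Name) {
    ([System.Security.Principal.NTAccount]$Name).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}
$sid = Resolve-Sid $Account

# Local groups that list the account as a direct member.
$groups = Get-LocalGroup | Where-Object {
    (Get-LocalGroupMember -Group $_ -ErrorAction SilentlyContinue).SID.Value -contains $sid
}
$groupSids = @($groups | ForEach-Object { $_.SID.Value })
$inUsers   = $groupSids -contains 'S-1-5-32-545'   # BUILTIN\Users
$inAdmins  = $groupSids -contains 'S-1-5-32-544'   # BUILTIN\Administrators

# Export the user-rights assignments and read the "Log on locally" entry.
$cfg = Join-Path $env:TEMP "user-rights-$PID.inf"
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue

# Entries are either "*<SID>" or an account name; normalise everything to SIDs.
$holders = @()
if ($line) {
    $holders = ($line -split '=', 2)[1].Split(',') | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) { $entry.TrimStart('*') }
        else { try { Resolve-Sid $entry } catch { $entry } }
    }
}

# The right can be held by the account itself or by any group it belongs to.
$canLogOnLocally = [bool](@($sid) + $groupSids | Where-Object { $holders -contains $_ })

[pscustomobject]@{
    Account             = $Account
    MemberOfLocalUsers  = $inUsers
    LogOnLocally        = $canLogOnLocally
    MemberOfLocalAdmins = $inAdmins   # expected False for a low-privilege account
}
```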

EdgeSight Alert Action

The Alert Action includes credentials used for authentication. This account must be a member of the Operations Manager Administrators role to access the SDK Service. It must also be a member of the local Administrators group on the EdgeSight Server so that the alert action can spawn a local process. The Low-Privilege Environments section below describes the minimum permissions required by this account.

Low-Privilege Environments

The minimum privileges required by the SCOM administrator account are:

  • Domain: Member of the Domain Users Global Group
  • Operations Manager: Member of the Operations Manager Administrators role
  • EdgeSight for XenApp 5.0 or later: Member of the local Administrators group on the EdgeSight Server