RES Automation Manager security Modules

AM-sec_modules-01

When configuring a security role in RES Automation Manager (RES AM), it is possible to deny access to the content of the modules.

When editing the permissions of the Module node in a RES AM security role, a select box is shown. With the option “Limit task details when read access permissions are set” selected, a user who is configured with this security role cannot view the content of the tasks of the modules.

AM-sec_checkrights_notok_01

Option “Limit task details when read access permissions are set” selected.

AM-sec_checkrights_ok_01

Option “Limit task details when read access permissions are set” not selected. Setting and Script tab are accessible.

 

 

Show Specific control panel items issue RES WM

In a locked down Windows environment, it is a best practice to hide specific control panel items for those functions that can’t or shouldn’t be performed by an end user.

With a RES WM “User registry” object, you can use “control.admx” to load the policy template to configure these settings.

policy_01

In the “List of allowed control panel items”, the canonical names of the Control Panel items should be entered.

So far so good. But it wasn’t working in my environment…

With this configuration active in RES Workspace Manager 2014, all control panel items were still shown.

When looking in the registry of a logged-in user, these registry keys were present:

registry_01

The registry key “HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl” is set by the policy.

As stated in this MS Technet article, “The Hide specified control panel applets policy takes precedence over the Show only specified control panel applets policy.”

The entries in the “DisallowCpl” key are:

registry_02

 

What about the “…\DisallowCpl”? Where does it come from?

The “villain” here appears to be the setting “Disable Add/Remove programs” at Composition -> Desktop -> Lockdown and behaviour:

reswm_lockdown_01a

This setting will result in the “DisallowCpl” key.

After logging in with this setting unchecked, only the specified items in the control panel were visible. Everything is working as expected…
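To spot this conflict on a session host without opening each user's registry by hand, the following added example (not part of the original post, and not RES tooling) reads both policy keys named above for every loaded user hive and flags users where “DisallowCpl” entries exist next to “RestrictCpl” entries. The function names are hypothetical, and it assumes an elevated PowerShell session so other users' hives are readable.

```powershell
# Added example (not from the original post): list the Control Panel policy
# entries for every loaded user hive and flag users where both lists exist.
# Assumption: run elevated on the session host to read other users' hives.
$explorer = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-CplPolicyList {
    param(
        [Parameter(Mandatory)][string]$Sid,
        [Parameter(Mandatory)][ValidateSet('RestrictCpl', 'DisallowCpl')][string]$Name
    )
    $path = "Registry::HKEY_USERS\$Sid\$explorer\$Name"
    if (-not (Test-Path -LiteralPath $path)) { return }
    $key = Get-Item -LiteralPath $path
    # Every named value under the key holds one Control Panel item.
    foreach ($valueName in $key.GetValueNames()) {
        if ($valueName) { [string]$key.GetValue($valueName) }
    }
}

function Get-CplPolicyReport {
    # Hypothetical helper name. Domain and local user hives are the
    # S-1-5-21-* keys; the *_Classes keys are skipped by the pattern.
    Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
        ForEach-Object {
            $sid   = $_.PSChildName
            $allow = @(Get-CplPolicyList -Sid $sid -Name RestrictCpl)
            $deny  = @(Get-CplPolicyList -Sid $sid -Name DisallowCpl)
            [pscustomobject]@{
                Sid         = $sid
                RestrictCpl = $allow -join ', '
                DisallowCpl = $deny -join ', '
                Conflict    = ($allow.Count -gt 0 -and $deny.Count -gt 0)
            }
        }
}

$report = @(Get-CplPolicyReport)
$report | Format-List
foreach ($row in ($report | Where-Object Conflict)) {
    Write-Warning "SID $($row.Sid): DisallowCpl is set next to RestrictCpl; find what writes DisallowCpl."
}
```

A row with `Conflict = True` is the situation described in this post: the allow list is configured, but something else has also written a “DisallowCpl” list.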

 

“Stub” Application – RES Workspace manager

In an RES Workspace Manager environment you have to deal with the following settings:

  1. Application Security Rules
  2. User settings (Zero Profile)
  3. Configuration

One issue is knowing, and keeping track of, why a specific setting has been set. One way to keep track is to use the “Administrative note”. When filling in this field, keep it short and descriptive. With “Security Rule” you can end up with more than one rule for a specific application, e.g. Java. You will end up adding “Java” to each rule.

A more organized way is to use a “Stub” (dummy) Application Object and move all security rules belonging to Java to this “stub” object. To move a security rule to the “stub”, select the rule, right-click, select “Move…” and select the “stub” object. Name this object “stub Java”.

SecurityMove_01

To keep these special Application Objects together (when there is more than one stub), you can put the “stubs” in a separate Start Menu folder.

Start_subs01

To make sure that this special Application Object doesn’t behave as a normal Application Object, some settings need to be set on the Application Object:

  1. General -> Command Line = empty
  2. General -> ☐ Create Start Menu Shortcut
  3. Settings -> ☑ Hide application
  4. Settings -> ☑ Do not list in PowerHelp
  5. Settings -> ☑ Do not show in “New Applications”
  6. Settings -> ☑ Autolaunch at session start: Mandatory

“Identity”, “Location and devices” and “Workspace Containers” need to be adjusted according to the needs of the security rules.

This technique can also be used with an application suite (a collection of Application Objects, e.g. Office). By doing so you can configure the “User settings” and “Configuration” actions once and link them to the Application Objects of the suite.

  • User settings: ☑ Use the user settings from the following application: “…” and select the stub

    Usersettings_02

  • Configuration: Add “Linked Action” and select the stub

    Linkedaction_01

The “Zero profile mode” configured in the User settings of the “stub” needs to be set to “capture on session end”.

Usersettings_03

To get the Zero Profile activated at the start of a session, configure “User Settings” -> “Application user settings”, globally or for a Workspace Container, to “Prefetch in background, check on application start”.

Usersettings_01

Having all the settings for a specific application collected in the “stub”, you have a better overview of what is necessary for that application. Also, changing from a Test to a Production environment is a lot easier: one Building Block instead of…

 

Update 14-10-2014: For “User settings” to save settings at session end, it is necessary to start the “stub” at session start. Added setting 6 to the settings for a stub application object.