Setting Executing User on a per-job basis


Rob Byrne

Nov 28, 2022, 2:00:52 PM
to rundeck-discuss
I'm working on setting up a new node in our Rundeck environment that's a generalized "Windows Job Runner" for all of our PowerShell scripts. However, some of these scripts need access to our AD environment, and thus need to be run as a user with permissions to access AD.

We don't want all of our scripts (jobs) being run on this machine to be executed as that user with extra privileges, just the instances where it's necessary. For Node configuration, I see we can define the username to execute as; can this be defined on a per-job basis instead of at the broad node level?

Thanks for your assistance.

rac...@rundeck.com

Nov 28, 2022, 2:19:15 PM
to rundeck-discuss
Hi Rob,

Sure, you can limit users and/or groups to some jobs; take a look at this example (based on job groups, but you can use a job name directly).

Also, you have some amazing examples here.

Regards.

Rob Byrne

Nov 28, 2022, 2:38:55 PM
to rundeck-discuss
Thanks for the quick response, that's some useful information I had not come across previously. However, I think I may have miscommunicated somewhere; I'm running into a different issue. When we have a scheduled job, we want to change the user that actually runs the remote commands. Here's an example of our node files (with sensitive info replaced):

machine fqdn:
    description: Windows RDP Server
    hostname: fqdn
    nodename: fqdn
    username: privileged_username_here

In the above example, running a command through that node would run it as "privileged_username_here", which works great, except we want to use a different user for a specific job. Can this be overridden on a job level?
Thanks,
Rob

rac...@rundeck.com

Nov 28, 2022, 3:47:59 PM
to rundeck-discuss
Hi Rob, I see,

Probably a good approach is to set your job with a "Job Level Authentication": in your job, you can create a hidden option (called "username", that's mandatory) with the desired user and then pass it to the model source; take a look at this case.

Regards.
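
A sketch of the job-level authentication setup suggested in the reply above, added here as an illustration; it is not part of the original thread or Rundeck's own material. It assumes the node executor in use expands `${option.username}` in the node's `username` attribute (documented for Rundeck's built-in SSH executor); the node name, job names, account names and script paths are placeholders.

```yaml
# Node source (resources YAML). The privileged account is no longer fixed
# on the node; the node defers to a job option named "username".
winjobs.example.internal:                # placeholder FQDN
  description: Windows Job Runner
  hostname: winjobs.example.internal
  nodename: winjobs.example.internal
  username: '${option.username}'         # assumption: executor resolves this reference
---
# Job definitions (Rundeck YAML job format).
# Only the job that needs AD access carries the privileged account.
- name: AD group report                  # placeholder job name
  nodefilters:
    filter: 'name: winjobs.example.internal'
  options:
  - name: username                       # option name matches the node reference
    value: svc_ad_reader                 # placeholder privileged account
    required: true
    hidden: true                         # not shown on the run form
  sequence:
    keepgoing: false
    strategy: node-first
    commands:
    - exec: 'powershell.exe -File C:\scripts\ad_report.ps1'   # placeholder

# Every other job sent to the same node supplies an unprivileged account.
- name: Disk cleanup                     # placeholder job name
  nodefilters:
    filter: 'name: winjobs.example.internal'
  options:
  - name: username
    value: svc_jobrunner                 # placeholder low-privilege account
    required: true
    hidden: true
  sequence:
    keepgoing: false
    strategy: node-first
    commands:
    - exec: 'powershell.exe -File C:\scripts\cleanup.ps1'     # placeholder
```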