    Need for Administrator Access for Integration Accounts

    Phillip Brockhaus
      Does the issue described in https://communities.bmc.com/thread/87298 apply to consuming Remedy web services?

      Meaning, if I create a service account in the user form and that service account consumes an AR web service from multiple IP Addresses, will the web service call error out if the service account is not a member of the administrator group?


      Does the answer change if the account is ONLY reading information versus submitting transactions?



        • 1. Re: Need for Administrator Access for Integration Accounts
          LJ LongWing


          If the user is not licensed as a Read Restricted, or Fixed with Admin permissions and accesses the system, they run the chance of getting this error.


          Remedy has stated in the past that when a Query is done by a user, it allocates a license on the theory that if the user is retrieving the data, they may next try to modify the data retrieved.


          So...if your intent is to have this user accessing the data in a read only manner, it's going to be in your best interest to give it a Read Restricted license.

          • 2. Re: Need for Administrator Access for Integration Accounts
            Phillip Brockhaus

            Thanks. We're making it work with restricted read for one of our integration accounts.

            This integration account only submits and reads; it does not modify.


            All of our other integration accounts will have administrator access for now.


            Is there an accepted solution for integration accounts that need to perform a modify action via a web service that doesn't give them admin access and doesn't lock them out for coming from multiple IP addresses?

            • 3. Re: Need for Administrator Access for Integration Accounts
              LJ LongWing

              The only solution I'm aware of is to use an interface form that is always submitted to. Because Read Restricted can submit records, this account of course doesn't need Admin... you can then have workflow that does the modify for you.


              One caveat to this is that I seem to remember reading somewhere that you need to pay for licenses of users that use a service account, in the same way that you would if they were logged in directly to Remedy... so, if you are using the integration to do updates for 100 users, even though the users aren't logging on, you still need to pay for licenses for them.


              I can't speak on the licensing thing authoritatively though so I would suggest you talk to your sales rep on the subject if you are concerned.

              • 4. Re: Need for Administrator Access for Integration Accounts
                Carl Wilson


                To add to what LJ mentions, BMC changed the EULA a few years back to state that there is no such thing as "free" licenses anymore - I discovered this when looking into Read licences for accessing data in DWP/SmartIT as "read only" and seeing what application permissions could be done with "Viewer" only type permissions, i.e. a support Manager wanted to see tickets, but not actually do anything with them.

                Although a number of the applications use what is known as a "paper based" license, the whole "free Read" licensing model is no longer in play due to the EULA updates.


                It was subtle in the wording of the EULA, but explained by BMC to the customer as that anyone that accesses data in any way needs to have a "paid" license whether this is Read/Fixed/Floating/Bundled/Paper based.


                This I believe was due to people exploiting the "Read" license to perform operations that really should be done with a real license.  Also, the license model changes all the time, so the only way to understand what is the current iteration is to contact your sales rep as LJ mentions.


                The only solution for multiple access from different IPs is as an Administrator with a Fixed license - all other licenses are restricted to being accessed from the one IP at any one time.




                • 5. Re: Need for Administrator Access for Integration Accounts
                  Phillip Brockhaus

                  Yeah, these users have all been Fixed/Admin licenses for years. The problem is, now we have a requirement to limit results to one of them.

                  If the user is Fixed/Admin, they see every result. If they are any other type of paid license, they get locked out because the web service calls are coming from a group of more than a dozen servers.


                  Aside from that, having all these users set up as admin/fixed is a security issue. If a malicious actor in one of these organizations that we integrate with were able to get a copy of Dev studio, they could cause all kinds of havoc.


                  Our concerns here are not about paying for licenses.


                  Thanks for the feedback. We will see how this solution works when we go to UAT in the next few weeks.


                  I'll talk to our guys about talking to our sales reps.

