Dynamic Logon - Credential Pool


#1

Many enterprise customers have Single sign-on (SSO) systems implemented.

Once a user is logged in to Windows, they are granted the right access for that type of user on all the targeted applications.

This is very granular, e.g. in SAP users from a group can access AR but not Payroll etc. Creating special users for robots, with full access to all the target apps, is normally not allowed.

Need to think of a solution for the robot to change its Windows login dynamically - per release.


#2

Not sure if this quite answers your question, but one way I have referenced dynamic usernames at log on is to create an Asset with the machine name - e.g. MYMACHINE1_SAPLogon - and then grab the Assets dynamically by using:

Environment.username + "_SAPLogon"

Richard


#3

Hi Richard,

This sounds good, but I’m not sure I got it right.

So the robotA is provisioned with UsernameA, PasswordA.

The thing is that this UsernameA and PasswordA will only entitle you to certain rights - specific to the process A, let’s say. They don’t even have a log screen for SAP, all the needed rights to perform the process are inherited from the UsernameA.

Now, Orchestrator will need to create sessions with specific users for each process (B, C, D… Z)

Reading the assets means that you are already logged in with UsernameA; how do you switch to UsernameB dynamically?

There are some nasty workarounds for SSO - like creating more robots by provisioning the same machine with different Usernames and Passwords (this is possible in 2016.2). The disadvantage is that you will end up with a huge number of virtual robots (Cartesian product of number of processes x number of users) - managing this is not straightforward.

Another way we thought about is to create a loader process and change the robot credentials through API, based on the process. Still not optimal and not very easy to implement.

Alex


#4

Hi Alex,

Why would you need to switch credentials whilst you are already logged in? It is very rare that clients want one robot using different credentials during the same session (actually it’s never done as far as I know). This is because they want a segregation of duties, so they wouldn’t want one robot to set up bank details, create a payment and make the payment, for example.

At one of our clients they use SSO and we get around it using the dynamic assignment of variables. For clarity on my initial point, below is more detail:

You have three robot accounts ROBOT1, ROBOT2, ROBOT3; any of these can potentially log on to MACHINE1 but they have different user privileges. Therefore you have credentials to log in to Windows as normal, but rather than using the Per Robot option you create individual credentials, so ROBOT1_Credentials, etc.

Once you are on the machine you can then dynamically obtain the SSO details, e.g. SAP password, by using Environment.Username + "_Credentials". Therefore strSAPPassword = ROBOT2_Credentials.

Maybe we are talking about different issues?

Richard


#5

Hi Richard,

In my workplace, we use the SSO setting for Windows credentials; it means we are granted the special rights assigned to us once we log in to Windows. Sometimes we want to run different processes on one robot machine (not at the same time, but one by one), and we run into the issue that we have to change the login username & password in the robot settings every time. Any solutions for this?