1. Field
The disclosure relates to a method, system, and article of manufacture for providing security and authorization in management agents.
2. Background
In a management environment, centralized management applications may use agents installed on managed systems to remotely perform operations on those systems. A single operation by a management application may simultaneously target many hundreds or thousands of agents, each of which supports an operation with identical semantics. The existence of a plurality of agents capable of performing similar operations allows a single operation invocation by a management application to be duplicated and sent to the plurality of agents. However, a selected management application on a management server may not have the same rights to perform operations on each agent.
In certain management environments, each agent may be run in the local security domain of the environment managed by the agent. Each invocation by a management application of operations on a target agent may need credentials that are specific to the security domain of the target agent. Such schemes may cause difficulties in heterogeneous management environments in which agents exist in many security domains. However, such schemes may be usable in management environments in which all target agents can be expected to share a local security domain, such as the Microsoft Windows* domain.
* Microsoft Windows is a trademark or registered trademark of Microsoft Corporation. Kerberos is a trademark of Massachusetts Institute of Technology.
In certain management environments, agents may establish trusted relationships with a management server. Once a trust relationship has been established, the management server is granted complete access to the operations exposed by an agent. This model may be implemented when there is a close coupling between agent functions and management servers and may be used in certain heterogeneous management environments. However, this model causes a proliferation of agents on managed systems, because each management server installs its own trusted agent on the systems it manages. The model may also cause difficulties for an agent that hosts management functions for an arbitrary set of management servers.
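The following is an added illustration, not code from the disclosure, of the two background models described above side by side: a single operation fanned out to many agents, where each agent either requires a credential valid in its own local security domain (the per-domain scheme) or grants complete access to a server it has a trust relationship with (the trusted-server scheme). The agent names, domain names, the `restart` operation and the `opsadmin` principal are constructed sample data; the point shown is that one invocation yields a per-agent mix of permitted and denied outcomes, because the management server does not hold the same rights on every agent.

```python
"""Added illustrative model of operation fan-out with per-agent authorization.
Not the disclosure's method; agent names, domains and credentials are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Credential:
    domain: str      # security domain the credential is valid in
    principal: str   # identity asserted by the credential


@dataclass
class Agent:
    name: str
    domain: str
    # Per-operation access list: operation name -> principals permitted to invoke it.
    acl: dict = field(default_factory=dict)
    # Servers with an established trust relationship (trusted-server model):
    # such a server gets complete access to every operation the agent exposes.
    trusted_servers: set = field(default_factory=set)

    def authorize(self, server, cred, operation):
        """Decide locally whether `server`, presenting `cred`, may run `operation`."""
        if server in self.trusted_servers:
            return True, "trusted server"
        # Per-domain model: the credential must belong to this agent's own domain.
        if cred is None or cred.domain != self.domain:
            return False, "credential not valid in domain %s" % self.domain
        if cred.principal in self.acl.get(operation, set()):
            return True, "acl"
        return False, "principal not permitted"


def fan_out(server, agents, operation, credentials):
    """Duplicate one invocation to every agent and collect each agent's decision.

    `credentials` maps a security domain to the credential the server holds for it.
    The result is per-agent rather than all-or-nothing: a denial on one agent
    does not stop the operation on the others.
    """
    results = {}
    for agent in agents:
        cred = credentials.get(agent.domain)
        permitted, reason = agent.authorize(server, cred, operation)
        results[agent.name] = (permitted, reason)
    return results


# Constructed sample fleet spanning two security domains.
AGENTS = [
    Agent("host-a", "corp", acl={"restart": {"opsadmin"}}),
    Agent("host-b", "corp", acl={"restart": set()}),
    Agent("host-c", "lab", acl={"restart": {"opsadmin"}}),
    Agent("host-d", "lab", trusted_servers={"mgmt1"}),
]
# The server only holds a credential for the "corp" domain.
CREDS = {"corp": Credential("corp", "opsadmin")}


def demo():
    """Fan out a single 'restart' invocation from server mgmt1 to all agents."""
    return fan_out("mgmt1", AGENTS, "restart", CREDS)


if __name__ == "__main__":
    for name, (permitted, reason) in demo().items():
        print("%-7s %s (%s)" % (name, "permitted" if permitted else "denied", reason))
```

Running it shows host-a permitted by its access list, host-b denied despite a valid domain credential, host-c denied because the server holds no credential for the `lab` domain, and host-d permitted only because it trusts `mgmt1` outright, which is exactly the complete-access grant the trusted-server model implies.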