api_privs
Even without using the API, getting JSS privileges correct for some actions can be tricky. Want to allow someone to flush policy logs? They need update permissions for Computers as well as Policies.
Unfortunately, ruby-jss can sometimes require permissions that don't make sense at first. Mostly this is because of the 'holistic' way it interacts with the API.
For example, say you are creating a new JSS::Package object. You might need read-permissions on JSS::Category. Why? Because when you try to set the category, ruby-jss will try to validate that the category exists before setting the package to use it. Without permission to read the categories, it can't do the validation.
Want to install that package via ruby-jss? You'll need read access to NetworkSegments and DistributionPoints.
When setting permissions for JSS accounts that use ruby-jss, a good general rule of thumb is to grant read access for all objects, then remove it for specific objects you know the account or group shouldn't be able to read.
Of course, create, update, and delete permissions should only be granted if needed.
If you run into permission-based problems, the Ruby backtrace is helpful for finding out which object the account needed permissions for.
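
As an added illustration (not part of ruby-jss or this wiki), the following Ruby sketch encodes the privilege dependencies named above and compares them with an account's grants, listing privileges that are missing and write privileges that were granted without need. The task names, the `[verb, object]` notation, and the sample grants are assumptions made for the example; it does not call the JSS API.

```ruby
require 'set'

# Privileges each task needs, taken from the examples on this page.
# Task names and the [verb, object] pairs are hypothetical labels, not JSS privilege strings.
REQUIRED = {
  flush_policy_logs: [[:update, :computers], [:update, :policies]],
  # Assumed: creating a package needs create on packages itself;
  # the read on categories is for ruby-jss's category validation.
  create_package:    [[:create, :packages], [:read, :categories]],
  install_package:   [[:read, :network_segments], [:read, :distribution_points]]
}.freeze

WRITE_VERBS = %i[create update delete].freeze

# Compare what an account has been granted with what its planned tasks need.
# Returns the privileges still missing and the write privileges nothing requires.
def audit(granted, tasks)
  unknown = tasks - REQUIRED.keys
  raise ArgumentError, "unknown task(s): #{unknown.join(', ')}" unless unknown.empty?

  needed = tasks.flat_map { |t| REQUIRED.fetch(t) }.to_set
  have   = granted.to_set
  {
    missing:      (needed - have).to_a,
    excess_write: (have - needed).select { |verb, _| WRITE_VERBS.include?(verb) }.to_a
  }
end

# Constructed sample: an account meant to create packages and flush policy logs.
SAMPLE_GRANTS = [
  [:read, :categories], [:read, :packages], [:create, :packages],
  [:update, :policies], [:delete, :computers]
].freeze

if __FILE__ == $PROGRAM_NAME
  report = audit(SAMPLE_GRANTS, %i[create_package flush_policy_logs])
  report[:missing].each      { |v, o| puts "missing:      #{v} #{o}" }
  report[:excess_write].each { |v, o| puts "not required: #{v} #{o}" }
end
```

Extra read privileges are deliberately not reported, in line with the read-for-all rule of thumb above; only create, update, and delete grants that no task requires are flagged.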