On-premise Robots Agent security

Follow the on-premise Robots Agent security recommendations to control access to the server where the Robots Agent is installed and keep sensitive data secure.

For information about user access to the cloud-based Robots app, see Robots app permissions.

Note

The information in this topic applies only to organizations that use an on-premise Robots Agent to run ACL scripts in ACL robots.

Individuals and organizations with ACL Robotics Professional Edition do not have an on-premise Robots Agent. Python/HCL scripts that run in HighBond robots or Workflow robots do not use the Robots Agent.

General user access

As a general guideline, you should grant Robots Agent access to the minimum number of required accounts, with the minimum required rights and permissions.

Server administration

To keep your Robots Agent server as secure as possible, promptly apply all Windows operating system upgrades and security patches.

Sensitive installation information

Secure any sensitive information related to your installation of the Robots Agent. During the installation process, if you create any files that contain sensitive information, such as account credentials or configuration settings, you should store the files in a secure location.

Allowlist URLs

On the server where the Robots Agent is installed, allowlist the URLs specified below for port 443 outbound. Allowlist only the URLs for the region where your Diligent One account is located.

To confirm the region for your Diligent One account, open Launchpad and select Options > Organization. Your region appears under Region name.

Caution

Configure port 443 for outbound traffic only. Do not allow inbound traffic.

Diligent One region URLs

Africa (South Africa)

  • https://hub-af.highbond.com
  • https://s3.af-south-1.amazonaws.com

Asia Pacific (Australia)

  • https://hub-au.highbond.com
  • https://s3.ap-southeast-2.amazonaws.com

Asia Pacific (Singapore)

  • https://hub-ap.highbond.com
  • https://s3.ap-southeast-1.amazonaws.com

Asia Pacific (Tokyo)

  • https://hub-jp.highbond.com
  • https://s3.ap-northeast-1.amazonaws.com

Europe (Germany)

  • https://hub-eu.highbond.com
  • https://s3.eu-central-1.amazonaws.com

North America (Canada)

  • https://hub-ca.highbond.com
  • https://s3.ca-central-1.amazonaws.com

North America (US)

  • https://hub.highbond.com
  • https://s3.us-east-1.amazonaws.com
  • https://s3-1.amazonaws.com

South America (Brazil)

  • https://hub-sa.highbond.com
  • https://s3.sa-east-1.amazonaws.com
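
The following PowerShell check is an added example, not part of the vendor documentation: it tests outbound TCP 443 from the Robots Agent server to one region's URLs and lists any enabled Windows Firewall rule that would admit inbound 443. The URL list is the North America (US) entry above, and the function names are chosen here for illustration.

```powershell
# Added example. Constructed input: the North America (US) URLs from the list above;
# replace them with the URLs for your own region.
$RegionUrls = @(
    'https://hub.highbond.com'
    'https://s3.us-east-1.amazonaws.com'
    'https://s3-1.amazonaws.com'
)

# True when a firewall port spec ('Any', '443', '400-500', or a list of these) covers $Port.
function Test-PortCovered {
    param($Spec, [int]$Port)
    foreach ($p in @($Spec)) {
        if ($p -eq 'Any') { return $true }
        if ($p -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($p -match '^\d+$' -and [int]$p -eq $Port) { return $true }
    }
    return $false
}

# Outbound: each allowlisted host should accept a TCP connection on 443.
function Test-RobotsEgress {
    param([string[]]$Urls)
    foreach ($u in $Urls) {
        $hostName = ([uri]$u).Host
        $t = Test-NetConnection -ComputerName $hostName -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $hostName; Port443Reachable = $t.TcpTestSucceeded }
    }
}

# Inbound: list enabled Allow rules in Windows Firewall that would admit TCP 443.
function Get-Inbound443Rule {
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
        $f = $_ | Get-NetFirewallPortFilter
        if ($f.Protocol -in 'TCP', 'Any' -and (Test-PortCovered $f.LocalPort 443)) {
            [pscustomobject]@{ Rule = $_.DisplayName; Profile = $_.Profile; LocalPort = ($f.LocalPort -join ',') }
        }
    }
}

Test-RobotsEgress -Urls $RegionUrls | Format-Table -AutoSize
$inbound = @(Get-Inbound443Rule)
if ($inbound.Count) { $inbound | Format-Table -AutoSize } else { 'No inbound allow rule covers TCP 443.' }
```

The check covers only the Windows Firewall on the server itself; perimeter firewall and proxy rules need to be reviewed separately.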

Account logon rights and permissions

Two kinds of accounts require Windows logon rights and permissions on the server where the Robots Agent is installed:

  • service accounts used to run the two Robots Agent Windows services
  • individual user accounts used to access Analytics tables output by Robots tasks

    Individual users with a desktop installation of Analytics can use the application as a desktop client to connect to output tables stored on the Robots Agent server.

The specific logon rights and permissions required by the accounts are outlined below.

Account logon rights

The table below outlines the necessary logon rights for the accounts that require access to the Robots Agent server. Do not grant any logon rights to an account beyond what is specified below. Logon rights are specified in the User Rights Assignment area of the Windows security policy.

Restricting logon rights lessens the risk of someone gaining unauthorized access to the Robots Agent server.

| Account | Allow log on locally | Deny log on locally | Log on as a service |
|---|---|---|---|
| Robots Agent service account | No | Yes | Yes |
| Robots Data Service account | No | Yes | Yes |
| User account (Analytics users) | Yes | No | No |
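
To compare a server against the table above, the following added example (not part of the vendor documentation) exports the User Rights Assignment area with secedit and reports, per account, whether each of the three logon rights is assigned as expected. The account names are hypothetical placeholders and the function names are chosen here for illustration.

```powershell
# Added example. Run elevated: secedit /export needs administrator rights.
# Hypothetical account names; replace them with your own before running.
$Expected = [ordered]@{
    'CONTOSO\svc-robots-agent' = @{ Allow = $false; Deny = $true;  Service = $true  }
    'CONTOSO\svc-robots-data'  = @{ Allow = $false; Deny = $true;  Service = $true  }
    'CONTOSO\analytics-user1'  = @{ Allow = $true;  Deny = $false; Service = $false }
}
$RightName = @{
    Allow   = 'SeInteractiveLogonRight'       # Allow log on locally
    Deny    = 'SeDenyInteractiveLogonRight'   # Deny log on locally
    Service = 'SeServiceLogonRight'           # Log on as a service
}

function ConvertTo-Sid([string]$Name) {
    $acct = [System.Security.Principal.NTAccount]$Name
    $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# Export only the User Rights Assignment area of the local security policy.
$cfg = Join-Path $env:TEMP 'robots-user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Return the SIDs directly assigned to one right.
function Get-RightSid([string]$Right) {
    $m = Select-String -Path $cfg -Pattern "^$Right\s*=\s*(.*)$" | Select-Object -First 1
    if (-not $m) { return }
    foreach ($entry in $m.Matches[0].Groups[1].Value.Split(',')) {
        $e = $entry.Trim()
        if ($e.StartsWith('*')) { $e.Substring(1) }              # "*S-1-5-..." is already a SID
        elseif ($e) { try { ConvertTo-Sid $e } catch { $e } }    # bare names are translated
    }
}

function Test-RobotsLogonRight {
    foreach ($name in $Expected.Keys) {
        $sid = ConvertTo-Sid $name
        foreach ($col in 'Allow', 'Deny', 'Service') {
            $actual = @(Get-RightSid $RightName[$col]) -contains $sid
            [pscustomobject]@{
                Account = $name; Right = $RightName[$col]
                Expected = $Expected[$name][$col]; Actual = $actual
                Match = ($actual -eq $Expected[$name][$col])
            }
        }
    }
}
Test-RobotsLogonRight | Format-Table -AutoSize
Remove-Item $cfg
```

The comparison sees direct assignments only; a right that an account receives through group membership appears under the group's SID, so review the groups listed for each right as well.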

Account permissions

Service account permissions

Windows service name: Robots Agent (runs scheduled and ad hoc Robots tasks)

Port: 443, outbound only

Account to run the service:

Use one of the following:

  • a dedicated domain user account
  • a generic IT domain account

Do not use:

  • an individual employee's account
  • a local user account
  • the Local System account

Note

If the account you specify uses a password that expires, make sure you have a process in place for keeping the password updated.

Permissions required for the service account:

  • Read & execute permission for the Robots Agent installation folder

    Default location:

    C:\Program Files (x86)\ACL Software\Robots Agent

  • Read/Write/List permissions for the Robots Agent data folder

    Default location:

    C:\acl\robots\data

Windows service name: Robots Data Service (provides the connectivity that allows users to open Robots Agent tables in Analytics)

Port: 10000 (default). You can specify any available port between 0 and 65536.

Account to run the service: Local System

Permissions required for the service account:

  • Read & execute permission for the Robots Agent installation folder

    Default location:

    C:\Program Files (x86)\ACL Software\Robots Agent

  • Read/Write permissions for the \aclse folder in order to initially create Prefix folders belonging to users

    Default location:

    C:\acl\robots\aclse

User account permissions

Analytics tables output by Robots tasks are stored on the server where the Robots Agent is installed. Users can connect to these tables and open them in their locally installed copy of Analytics if they have the permissions outlined below. (For more information, see Viewing the tables, files, and logs in an ACL robot.)

Restricting user access to the Robots Agent server

If your organization does not want users to have any access to the Robots Agent server, you can take a different approach. The analytic scripts in Robots tasks can be written to output results to a file type such as Excel or delimited. Users can download these file types directly from the cloud-based Robots app, with no requirement that they have access to the Robots Agent server.

A combined approach

You could also take a combined approach to providing access to task output results:

  • Regular users: Require regular users to download results contained in Excel or delimited files from the cloud-based Robots app
  • Developers and architects: Allow analytic developers and data architects to access Analytics result tables on the Robots Agent server

Permissions for Analytics users

If you want to give some or all Analytics users the ability to access Analytics tables on the Robots Agent server, specify the permissions outlined below.

Caution

Do not give individual users permissions to the entire C:\acl directory on the Robots Agent server, or to any folder beyond what is specified below.

Restricting folder access to just the required accounts and just the required folders lessens the risk of someone gaining unauthorized access to the Robots Agent server. It also prevents an Analytics script from accessing or modifying files outside the appropriate folders.

Item: Robots Data Service installation folder

User account permissions required:

  • Read permission for the Robots Data Service installation folder

    Default location:

    C:\Program Files (x86)\ACL Software\Robots Agent\aclse

Item: Robots Data Service executable (aclse.exe)

User account permissions required:

  • Full Control permission for the Robots Data Service executable (aclse.exe)

    Default location:

    C:\Program Files (x86)\ACL Software\Robots Agent\aclse\aclse.exe

Item: Robots Agent data folder (contains Analytics result tables output by Robots tasks)

User account permissions required:

  • Read permission for the Robots Agent data folder

    Default location:

    C:\acl\robots\data

Note

This permission can be granted to the entire \data folder, or it can be limited in the following ways:

  • Development mode: grant permission to connect to only development mode result tables

    C:\acl\robots\data\Development

  • Production: grant permission to connect to only production result tables

    C:\acl\robots\data\Production

  • Specific robots: grant permission to connect to result tables for only specific robots

    For example:

    C:\acl\robots\data\Production\Robot5

Item: Robots Data Service Prefix folder (the Analytics working directory when connected to the Robots Agent server; contains Analytics output tables and index files saved from Analytics to the server)

User account permissions required:

  • Full Control permission for the Robots Data Service Prefix folder belonging to the user

    Default location:

    C:\acl\robots\aclse\<user_name>
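
The Caution above can be checked with an ACL audit. The following added example (not part of the vendor documentation) walks C:\acl and classifies every Allow entry held by an Analytics user as expected, needing review, or outside the documented folders. The user names are hypothetical, the function name is chosen here, and the paths are the default locations listed above.

```powershell
# Added example. Hypothetical identities; replace them with your Analytics users.
$AnalyticsUsers = @('CONTOSO\jsmith', 'CONTOSO\adoe')
$Root       = 'C:\acl'                  # must not be granted to individual users
$DataRoot   = 'C:\acl\robots\data'      # Read only, on the whole folder or a subfolder
$PrefixRoot = 'C:\acl\robots\aclse'     # Full Control only on <user_name> below it

function Get-RobotsAclFinding {
    param([string]$Root, [string]$DataRoot, [string]$PrefixRoot, [string[]]$Identity)
    $write = [int][System.Security.AccessControl.FileSystemRights]::Write
    $folders = @(Get-Item -LiteralPath $Root) +
               @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Depth 3)
    foreach ($dir in $folders) {
        $path = $dir.FullName
        foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
            $who = $ace.IdentityReference.Value
            if ($Identity -notcontains $who -or $ace.AccessControlType -ne 'Allow') { continue }
            # Below the root, an inherited entry was already reported at its parent.
            if ($ace.IsInherited -and $path -ne $Root) { continue }
            $user = $who.Split('\')[-1]
            $finding = if ($path -eq (Join-Path $PrefixRoot $user)) {
                'OK: own Prefix folder'
            } elseif ($path -eq $DataRoot -or $path -like "$DataRoot\*") {
                if (([int]$ace.FileSystemRights -band $write) -ne 0) {
                    'REVIEW: more than Read on result tables'
                } else { 'OK: read access to result tables' }
            } else { 'VIOLATION: grant outside the documented folders' }
            [pscustomobject]@{
                Path = $path; Identity = $who
                Rights = $ace.FileSystemRights; Finding = $finding
            }
        }
    }
}

Get-RobotsAclFinding -Root $Root -DataRoot $DataRoot -PrefixRoot $PrefixRoot `
    -Identity $AnalyticsUsers | Sort-Object Finding, Path | Format-Table -AutoSize
```

Grants made to a group rather than to a user are matched only if the group name is included in the identity list, and the installation folder and aclse.exe permissions are outside the scope of this audit.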