On-premise Robots Agent security
Follow the on-premise Robots Agent security recommendations to control access to the server where the Robots Agent is installed and keep sensitive data secure.
For information about user access to the cloud-based Robots app, see Robots app permissions.
Note
The information in this topic applies only to organizations that use an on-premise Robots Agent to run ACL scripts in ACL robots.
Individuals and organizations with ACL Robotics Professional Edition do not have an on-premise Robots Agent. Python/HCL scripts that run in HighBond robots or Workflow robots do not use the Robots Agent.
General user access
As a general guideline, you should grant Robots Agent access to the minimum number of required accounts, with the minimum required rights and permissions.
Server administration
To keep your Robots Agent server as secure as possible, promptly apply all Windows operating system upgrades and security patches.
Sensitive installation information
Secure any sensitive information related to your installation of the Robots Agent. During the installation process, if you create any files that contain sensitive information such as account credentials or configuration settings you should store the files in a secure location.
Allowlist URLs
On the server where the Robots Agent is installed, allowlist the URLs specified below for port 443 outbound. Allowlist only the URLs for the region where your Diligent One account is located.
To confirm the region for your Diligent One account, open Launchpad and select Options > Organization. Your region appears under Region name.
Caution
Configure port 443 for outbound traffic only. Do not allow inbound traffic.
| Diligent One region | URLs |
|---|---|
| Africa (South Africa) |
|
|
Asia Pacific (Australia) |
|
|
Asia Pacific (Singapore) |
|
| Asia Pacific (Tokyo) |
|
|
Europe (Germany) |
|
|
North America (Canada) |
|
|
North America (US) |
|
| South America (Brazil) |
|
Account logon rights and permissions
Two kinds of accounts require Windows logon rights and permissions on the server where the Robots Agent is installed:
- service accounts used to run the two Robots Agent Windows services
- individual user accounts used to access Analytics tables output by Robots tasks
Individual users with a desktop installation of Analytics can use the application as a desktop client to connect to output tables stored on the Robots Agent server.
The specific logon rights and permissions required by the accounts are outlined below.
Account logon rights
The table below outlines the necessary logon rights for the accounts that require access to the Robots Agent server. Do not grant any logon rights to an account beyond what is specified below. Logon rights are specified in the User Rights Assignment area of the Windows security policy.
Restricting logon rights lessens the risk of someone gaining unauthorized access to the Robots Agent server.
| Account | Allow log on locally | Deny log on locally | Log on as a service |
|---|---|---|---|
| Robots Agent service account | No | Yes | Yes |
| Robots Data Service account | No | Yes | Yes |
|
User account (Analytics users) |
Yes | No | No |
Account permissions
Service account permissions
| Windows service name | Port | Account to run the service | Permissions required for the service account |
|---|---|---|---|
|
Robots Agent (runs scheduled and ad hoc Robots tasks) |
443 outbound only |
Use one of the following:
Do not use:
Note If the account you specify uses a password that expires, make sure you have a process in place for keeping the password updated. |
|
|
Robots Data Service (provides the connectivity that allows users to open Robots Agent tables in Analytics) |
10000 (default) You can specify any available port between 0 and 65536 |
Local System |
|
User account permissions
Analytics tables output by Robots tasks are stored on the server where the Robots Agent is installed. Users can connect to these tables and open them in their locally installed copy of Analytics if they have the permissions outlined below. (For more information, see Viewing the tables, files, and logs in an ACL robot.)
Restricting user access to the Robots Agent server
If your organization does not want users to have any access to the Robots Agent server, you can take a different approach. The analytic scripts in Robots tasks can be written to output results to a file type such as Excel or delimited. Users can download these file types directly from the cloud-based Robots app, with no requirement that they have access to the Robots Agent server.
A combined approach
You could also take a combined approach to providing access to task output results:
- Regular users Require regular users to download results contained in Excel or delimited files from the cloud-based Robots app
- Developers and architects Allow analytic developers and data architects to access Analytics result tables on the Robots Agent server
Permissions for Analytics users
If you want to give some or all Analytics users the ability to access Analytics tables on the Robots Agent server, specify the permissions outlined below.
Caution
Do not give individual users permissions to the entire C:\acl directory on the Robots Agent server, or to any folder beyond what is specified below.
Restricting folder access to just the required accounts and just the required folders lessens the risk of someone gaining unauthorized access to the Robots Agent server. It also prevents an Analytics script from accessing or modifying files outside the appropriate folders.
| Item | User account permissions required |
|---|---|
|
Robots Data Service installation folder |
|
|
Robots Data Service executable (aclse.exe) |
|
|
Robots Agent data folder (contains Analytics result tables output by Robots tasks) |
Note This permission can be granted to the entire \data folder, or it can be limited in the following ways:
|
|
Robots Data Service Prefix folder (the Analytics working directory when connected to the Robots Agent server contains Analytics output tables and index files saved from Analytics to the server) |
|
