Command Relay Workload

The command relay workload is a service that facilitates communication between the customer and the Delinea Platform through an SSH connection. Its primary function is to dispatch commands along with their parameters to be executed within the customer's environment. The command relay requires a service account that can modify your domain so the proper administrative policies can be added.

Command Relay Prerequisites

.NET 4.8 must be installed on the Delinea Platform Engine target machine.

If .NET 4.8 is not already installed, Command Relay installs it automatically. In this case, you need to reboot the server.

Command Relay activates the PowerShell module on the Windows Server machine, and it downloads and installs the PowerShell feature that Command Relay requires.

Editing Command Relay Settings

To execute the Command Relay workload, a Command Relay Service account must be selected. Follow the steps below to add the account. The user will only see accounts for which they have permissions.

  1. Click Settings from the left navigation menu, then click Engine Management.

  2. Select a site.

  3. Click the Settings tab.

  4. Next to Delinea Command Relay, click Edit.

    The first time this settings page is opened, the Command Relay Service Account shows None.

  5. Click Select.

  6. Search for the vaulted account where you have permissions, and select the account.

    • The logged-in user must be the owner of the secret for the account.

    • The secret must not be configured for checkout.

  7. Select Turn off folder inheritance and Share Secret. This disables inheritance, granting workloads access to the secrets.

  8. Click Save after the domain is selected.

Setting   Description
Domain    The user can select only the domain accounts they already have access to.

Command Relay Account Permissions

On the server where you will install the Delinea Platform Engine and the Command Relay workload, define a service account for Command Relay, then configure the account with local server permissions, domain permissions, or (temporary) domain administrator permissions, as described in the sections below.

Local Server Permissions

With local permissions on the server where the Delinea Platform Engine and Command Relay will be installed, the Command Relay service account can create the DelineaPlatform OU manually before running the setup for Command Relay. The local server permissions must include the Log on as a batch job permission to allow PCS to work.

Assign the Log on as a batch job permission

To assign the Log on as a batch job permission to the Command Relay service account, follow these steps:

  1. Select Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.

  2. Select the Log on as a batch job permission.

  3. On the Local Security Setting tab, click Add User or Group.

  4. Navigate to and select the Command Relay service account to apply the permission.

The Log on as a batch job permission is granted by default to all members of these three AD groups:

- Administrators

- Backup Operators

- Performance Log Users

Domain Permissions

An object named OU=DelineaPlatform must be created at the root of the domain. The Command Relay service account must be granted Full Control over the OU=DelineaPlatform object and all of its child objects. In the Permissions section of the Permission Entry dialog, every checkbox must be selected, as shown in the following image.

The DelineaZone

When Command Relay executes, it creates the DelineaZone within the DelineaPlatform OU, as shown in the following image.

The DelineaZone contains all the agent policies that need to be enforced on applicable servers. The DelineaZone is managed by the platform.

Minimal Permissions to Join a Server to a Zone

Windows

The minimum permissions for an AD user or group to join a Windows server to the DelineaZone:

  • Local Administrator permissions on the server

  • AD Permissions:

    • Create all child objects

    • Generic Read

*nix

The minimum permissions for an AD user or group to join a *nix server to the DelineaZone:

  • Root permissions on the server

  • AD Permissions: Create AD Computer Object

  • AD Permissions: DelineaZone:

    • Create all child objects

    • Generic Read
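As an added example (not Delinea's own code), the following PowerShell function reads an AD container's ACL and reports whether an identity holds the rights this page requires; it is applied both to the Full Control requirement on OU=DelineaPlatform from the Domain Permissions section and to the Create all child objects plus Generic Read requirement for joining the DelineaZone (Windows and *nix). It assumes the RSAT ActiveDirectory module is installed and that the caller can read the container's security descriptor; the account names and the DN of the DelineaZone object are placeholders.

```powershell
# Added example, not part of the Delinea documentation or product.
# Checks whether an identity holds the required AD rights on a container.
Import-Module ActiveDirectory

function Test-AdContainerRights {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [Parameter(Mandatory)] [string] $Identity,   # e.g. 'DOMAIN\svc-commandrelay' (placeholder)
        [Parameter(Mandatory)] [System.DirectoryServices.ActiveDirectoryRights[]] $Required,
        [switch] $RequireInheritance                 # rights must also flow to child objects
    )
    $sid = (New-Object System.Security.Principal.NTAccount($Identity)).Translate(
        [System.Security.Principal.SecurityIdentifier])
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)

    # Only Allow ACEs granted directly to this SID count; group membership is not expanded.
    $aces = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
    }
    $granted = [System.DirectoryServices.ActiveDirectoryRights] 0
    foreach ($ace in $aces) {
        # An ACE limited to "this object only" does not satisfy an "all child objects" requirement.
        if ($RequireInheritance -and $ace.InheritanceType -eq 'None') { continue }
        $granted = $granted -bor $ace.ActiveDirectoryRights
    }
    $missing = @($Required | Where-Object { ($granted -band $_) -ne $_ })
    [pscustomobject]@{
        Object   = $DistinguishedName
        Identity = $Identity
        Granted  = $granted
        Missing  = $missing
        Ok       = ($missing.Count -eq 0)
    }
}

$domainDn = (Get-ADDomain).DistinguishedName

# Domain Permissions: the service account needs Full Control on OU=DelineaPlatform and everything beneath it.
Test-AdContainerRights -DistinguishedName "OU=DelineaPlatform,$domainDn" `
    -Identity 'DOMAIN\svc-commandrelay' -Required 'GenericAll' -RequireInheritance

# Zone join: the joining user or group needs Create all child objects and Generic Read on the DelineaZone.
# The zone DN below is an assumption; substitute the DN of the DelineaZone object in your domain.
Test-AdContainerRights -DistinguishedName "CN=DelineaZone,OU=DelineaPlatform,$domainDn" `
    -Identity 'DOMAIN\ZoneJoiners' -Required 'CreateChild','GenericRead'
```

A result with Ok = False lists the missing rights in Missing, so the check can be run before and after delegating permissions to confirm the change took effect.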

Switching Command Relay Service Accounts

On the server where you will install the Delinea Engine and the Command Relay workload, you can define more than one service account for Command Relay. To use another service account for Command Relay, you must delegate the zone permissions to the new service account. To do so, run the following PowerShell script on the Command Relay machine (substitute your own value for new_service_account). You must be logged in as a user with sufficient privileges to modify the zone: