Least Privilege Access Guide for ConnectWise Automate Integration

Introduction

This guide encompasses primarily the built in actions (and some common endpoints that an MSP may hit via the generic actions), it is important to recognize that you can utilize generic actions to hit any available endpoint so you may need to grant additional permissions/remove permissions that you do not find necessary. This is intended to be used as a starting point for those to wish to practice least privilege

It is assumed that you do not have conflicting permissions on the script level or group level. Additional work may be required if this is the case and Automate documentation should be referenced.

You must be careful when assigning permissions to your clients. If you copy the permissions wrong there is a chance you could overwrite existing permissions, please be sure to follow ConnectWise Documentation for best practices for assigning the client permissions.

Configure User Class Permissions

To be able to utilize Rewst with least privilege you will need to configure a new user class named โ€˜Rewst Automationโ€™. The class should then be configured with the following permissions:

User Class Permission

ActionsPermission

Agent Templates

Read

Alerts

Update

Clients

Read, Update, Delete

Clients โ†’ Show/Hide Passwords

Access

Clients โ†’ Show All

Access

Computers โ†’ Force Update

Access

Computers โ†’ Retired Assets

Delete

Computers โ†’ Show All

Access

Contacts

Read, Update, Delete

Groups

Create, Update, Delete

Groups โ†’ Scheduled Scripts

Update

Locations โ†’ Show All

Access

Patch Manager

Read, Update

Scripts

Read, Update, Delete

Scripts โ†’ Schedule Scripts

Update

Searches โ†’ Send Commands

Access

Tickets

Create, Read, Update, Delete

Tickets โ†’ Ticket Requests

Access

Configure Client Level Permissions

Client Level Permissions

ActionsPermission

Locations

Read, Edit, Delete

Projects

Read

Product Keys

Read

Documents

Read

Passwords

Read

Default Computer Permissions (Enabled if Listed)

ActionsPermission

Command Prompt

Access

Software and Tools

Install

History

Access

Commands

View, Send

Scripts

Schedule

Information

Edit

Alerts

Clear

Scheduled Scripts

Delete

For more information on how to set up user classes and client permissions please visit Connectwise Automate documentation.

Last updated