UDRestAPI as Service for multiple accounts

Speegel · January 6, 2020, 5:09pm

Hello Folks,

I’m working for a company that is very interested in UD Dashboard for it’s REST API and frontend abilities. Though, they are pretty focused on security and do not want to grant access to a single service account the ability to operate some actions on SCCM / ADDS / etc … and thus requires these operations to be executed under different context depending on the target system.

I thought about running multiple REST API as services and running those services using the proper service account and then query those REST APIs from a Dashboard running on IIS and voila… …but seems like it’s not really possible, as I faced a lots of issues trying to publish services with Start-UDRestAPI and it seems like there is no possibilities to run multiple services using the publish service cmdlet. [@crni ask the very same question in May view here and still got any feedback about it]

So my question is, is there a proper way to run multiple REST API on the same box with different accounts in order to split accesses. That could be a show stopper if this is not possible. I thought about Docker Containers but the only documentation I found for docker containers are for Azure and I’m not experienced at all with this technology. So I’m fishing for solution right now and I’d really like to use this solution.

If any of you have some experience with this type of implementations, I’d really like to have some insight !

Many thanks in advance for your help on this and feel free to let me know if you need any additional information.

Cheers !

BoSen29 · January 6, 2020, 7:52pm

Hi @Speegel

You want separate REST API’s ran as difrent service accounts?
And from a security perspective, you cannot have a single one run the dashboard, and it dynamically loading credentials for the required modules on demand?

Speegel · January 7, 2020, 7:30am

Hey @BoSen29,

Yes this is what I’m trying to do. First for security reasons and then for spliting the webservices in order to avoid getting down REST API from AD / SCCM / DNS / etc + the Dashboard itself when we have to apply updates or fixes.

Security team doesn’t want any password stored locally for such purpose, even credential vault ain’t an valid solution for them.

The current environment is very tightly controlled and I have to figure out a reason, licenses won’t be an issues as we discussed already to eventually buy an enterprise license to run as much instances as we need.

BoSen29 · January 7, 2020, 9:32am

Hi again @Speegel,

Hmm…
This should be archievable via hosting in IIS.
Create separate applicationspools for the relevant REST APIs, make a parent proxy to proxy to the relevant sites based on URL?

IIS hosting of UD purely proxies the requests to the internal webserver of UD, so it should work?
From a licensing perspective, i have no idea… @adam?
Technically you’d need a license for each separate applicationpool.

See:
https://docs.universaldashboard.io/webserver/running-dashboards/iis#creating-nested-iis-sites

Topic		Replies	Views
Authentication - Dashboard and REST API Universal Dashboard Help	3	1350	October 29, 2019
Azure AD REST API authentication Universal Dashboard Help	1	669	June 10, 2020
REST API authentication Universal Dashboard Help	2	873	April 10, 2020
Service account vs app pool ID in IIS Universal Dashboard Help	2	432	January 11, 2019
Call Endpoint / restAPI from App with service account?	2	86	November 27, 2023

UDRestAPI as Service for multiple accounts

Related Topics