UDRestAPI as Service for multiple accounts

Hello Folks,

I’m working for a company that is very interested in UD Dashboard for its REST API and frontend abilities. Though, they are pretty focused on security and do not want to grant a single service account the ability to perform some actions on SCCM / ADDS / etc. … and thus require these operations to be executed under different contexts depending on the target system.

I thought about running multiple REST APIs as services, running those services using the proper service accounts, and then querying those REST APIs from a Dashboard running on IIS and voila… …but it seems like it’s not really possible, as I faced a lot of issues trying to publish services with Start-UDRestAPI and it seems like there is no possibility to run multiple services using the publish service cmdlet. [@crni asked the very same question in May (view here) and still hasn’t got any feedback about it]

So my question is, is there a proper way to run multiple REST APIs on the same box with different accounts in order to split access? That could be a show stopper if this is not possible. I thought about Docker containers but the only documentation I found for Docker containers is for Azure and I’m not experienced at all with this technology. So I’m fishing for a solution right now and I’d really like to use this solution.

If any of you have some experience with this type of implementation, I’d really like to have some insight!

Many thanks in advance for your help on this and feel free to let me know if you need any additional information.

Cheers!

Hi @Speegel

You want separate REST APIs run as different service accounts?
And from a security perspective, you cannot have a single one run the dashboard, and have it dynamically load credentials for the required modules on demand?

Hey @BoSen29,

Yes, this is what I’m trying to do. First for security reasons and then for splitting the web services in order to avoid taking down the REST APIs for AD / SCCM / DNS / etc. + the Dashboard itself when we have to apply updates or fixes.

The security team doesn’t want any password stored locally for such a purpose; even a credential vault ain’t a valid solution for them.

The current environment is very tightly controlled and I have to figure out a reason; licenses won’t be an issue as we already discussed eventually buying an enterprise license to run as many instances as we need.

Hi again @Speegel,

This should be achievable via hosting in IIS.
Create separate application pools for the relevant REST APIs, make a parent proxy to proxy to the relevant sites based on URL?

IIS hosting of UD purely proxies the requests to the internal webserver of UD, so it should work?
From a licensing perspective, I have no idea… @adam?
Technically you’d need a license for each separate application pool.
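
The layout suggested in the last reply, one IIS application pool per REST API with each pool running under its own account, sketched as an added example that is not from the thread or from the UD project. Pool names, ports, paths and accounts are hypothetical, and it assumes group managed service accounts (gMSA) already installed on the host so that no password is stored on the box; the parent proxy rules are not shown.

```powershell
# Added example. Every name, port, path and account below is a hypothetical placeholder.
# Assumption: each account is a gMSA, so IIS needs no password in its configuration.
Import-Module WebAdministration

$apis = @(
    @{ Name = 'ud-api-adds'; Port = 8081; Path = 'C:\inetpub\ud-api-adds'; Account = 'CONTOSO\gmsa-ud-adds$' },
    @{ Name = 'ud-api-sccm'; Port = 8082; Path = 'C:\inetpub\ud-api-sccm'; Account = 'CONTOSO\gmsa-ud-sccm$' },
    @{ Name = 'ud-api-dns';  Port = 8083; Path = 'C:\inetpub\ud-api-dns';  Account = 'CONTOSO\gmsa-ud-dns$'  }
)

foreach ($api in $apis) {
    $poolPath = "IIS:\AppPools\$($api.Name)"

    # One pool per API: a separate worker process and a separate security context.
    if (-not (Test-Path $poolPath)) {
        New-WebAppPool -Name $api.Name | Out-Null
    }

    # Run the pool as the dedicated account instead of ApplicationPoolIdentity.
    Set-ItemProperty -Path $poolPath -Name processModel.identityType -Value 'SpecificUser'
    Set-ItemProperty -Path $poolPath -Name processModel.userName     -Value $api.Account

    # Bind each API site to loopback so only the parent proxy site on this host reaches it.
    if (-not (Test-Path "IIS:\Sites\$($api.Name)")) {
        New-Website -Name $api.Name -IPAddress '127.0.0.1' -Port $api.Port `
                    -PhysicalPath $api.Path -ApplicationPool $api.Name | Out-Null
    }
}

# Check: list each pool with the identity it will run as, and flag any pool
# that still falls back to a shared or built-in identity.
foreach ($api in $apis) {
    $pm = Get-ItemProperty -Path "IIS:\AppPools\$($api.Name)" -Name processModel
    $ok = ($pm.identityType -eq 'SpecificUser') -and ($pm.userName -eq $api.Account)
    [pscustomobject]@{
        Pool     = $api.Name
        Identity = $pm.userName
        Isolated = $ok
    }
}
```

Because each pool is recycled independently, updating one API (for example the SCCM one) does not restart the others or the dashboard site.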