Returns the list of allowed privilege elevation commands for a specific user on a system.

1. Since this is a read/query operation, the HTTP GET method is used.
2. In version 1, both "System" and "User" are required parameters. This allows us to narrow the search to a specific user on specific computers. We may relax this to support "all" in "System" and "User" in the future. However, we need to consider the performance/scalability implications when there are thousands of computers and thousands of users.
3. In future versions, additional information about each rule will be returned as key/value pairs in each item. Examples of such information include umask settings, the required checksum/signature of the executable, etc.
4. The caller can be a machine service account or an authenticated user.
   a. If the caller is the machine service account, the request is sent from cagent. The request is allowed only when the caller is the machine service account for "system". This means that the administrator of one client system cannot find out what is available as privilege elevation commands on another system.