General Information
This article describes the permissions required for an Inventory Service Account used to perform a Zero-Touch Inventory of Linux/UNIX/Mac devices by connecting to them via SSH.
User Specifications
Option 1: sudoer
A sudoer without any restrictions on the command lines is the simplest approach to enable RayVentory to execute all necessary commands and to read the required folders and files (see below for details).
Such a service account needs to be added to each device, permitted in the sudoers list, and rolled out to all devices that will be targeted by this user account.
Option 2: Account with minimum permissions
This option realizes a least-privilege approach. The permissions are described in the following tables, which cover all commands and files required for Zero-Touch Inventory.
Such an approach requires explicitly named permissions on files and commands to be granted to the inventory service account that accesses the target devices via SSH.
Once the permissions have been set for each platform, the credentials and permissions need to be rolled out to all devices in scope of Zero-Touch scanning.
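The following POSIX shell script is an added example and is not part of this article or of the RayVentory product. It writes the two kinds of sudoers fragment the options above describe (an unrestricted rule for Option 1, a command alias for Option 2) for a hypothetical service account named rvinv, then shows how to tell them apart before rollout: one function flags a rule that grants the unrestricted command set ALL, another prints the commands an account is actually limited to, and a third runs a syntax check with visudo when it is installed. The two commands in the Option 2 alias are placeholders; the real command list comes from the attached spreadsheet.

```shell
#!/bin/sh
# Added example, not RayVentory documentation. The account name "rvinv" and the
# commands in RV_INVENTORY are assumptions; replace them with your own values.

WORK="${TMPDIR:-/tmp}/rv-sudoers-example.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Option 1: unrestricted sudoer (constructed fragment). Prints the file path.
write_option1() {
    printf '%s\n' 'rvinv ALL=(ALL) NOPASSWD: ALL' > "$WORK/option1"
    echo "$WORK/option1"
}

# Option 2: least privilege via a named command alias (constructed fragment).
write_option2() {
    cat > "$WORK/option2" <<'EOF'
# Placeholder command list; take the real commands from the attached spreadsheet.
Cmnd_Alias RV_INVENTORY = /usr/sbin/dmidecode, /usr/bin/ls -l /opt
rvinv ALL=(root) NOPASSWD: RV_INVENTORY
EOF
    echo "$WORK/option2"
}

# Exit 0 when the account's rule ends in the unrestricted command set "ALL".
grants_all_commands() {   # $1 = account, $2 = sudoers fragment
    grep -Eq "^[[:space:]]*$1[[:space:]].*[=:][[:space:]]*ALL[[:space:]]*$" "$2"
}

# Print the command part of the account's first rule, expanding a Cmnd_Alias
# one level deep (enough for the simple fragments used here).
allowed_commands() {      # $1 = account, $2 = sudoers fragment
    spec=$(grep -E "^[[:space:]]*$1[[:space:]]" "$2" | head -n 1 \
           | sed -E 's/^.*[=:][[:space:]]*//')
    alias_line=$(grep -E "^[[:space:]]*Cmnd_Alias[[:space:]]+$spec[[:space:]]*=" "$2")
    if [ -n "$alias_line" ]; then
        printf '%s\n' "${alias_line#*=}" | sed -E 's/^[[:space:]]*//'
    else
        printf '%s\n' "$spec"
    fi
}

# Syntax-check a fragment with visudo if it is installed; -f points visudo at
# our file instead of /etc/sudoers, so no change is made to the live config.
check_syntax() {          # $1 = sudoers fragment
    if ! command -v visudo >/dev/null 2>&1; then
        echo "visudo not installed; syntax of $1 not checked" >&2
    elif visudo -c -q -f "$1"; then
        echo "$1: syntax OK"
    else
        echo "$1: visudo reported a problem, review before rollout" >&2
    fi
}

for f in "$(write_option1)" "$(write_option2)"; do
    if grants_all_commands rvinv "$f"; then
        echo "$(basename "$f"): UNRESTRICTED sudo (Option 1)"
    else
        echo "$(basename "$f"): limited to: $(allowed_commands rvinv "$f")"
    fi
    check_syntax "$f"
done
```

Running the script reports option1 as unrestricted and option2 as limited to the two placeholder commands. The same two checks can be run against a fragment copied from a real device to confirm that an account meant for Option 2 has not silently been granted ALL.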
Legend:
A) Commands and files which do not need privileges
B) Commands and files which do not explicitly require privileged rights
C) Commands and files which deliver best results with privileged rights
D) Commands which could require privileged rights depending on OS version
Please check carefully!
It is very important to check, for every command in your environment, whether it can be executed without privileged rights. It is recommended to verify the permissions with your subject matter experts for each OS configuration used in your environment before starting the rollout or any updates.
All commands and files are listed in the attached ZIP file, containing an Excel sheet.