Creating Authorized Users - Excluding sysadmin to allow scoped automation account access

Cross-posted from Slack:
How to create automation accounts to bypass OAuth that don’t have sysadmin privileges? Currently the authorized-users and authorized-groups enable sysadmin, admin. Is there any way to create a tightly scoped Automation User (to prevent OAuth intervention) for automated processes? For example automation_power_bi and have it assigned to a Role that doesn’t also have sysadmin?

Hi @Carolus, thanks for posting the question. I saw on Slack that you opened a ticket. Once you get a result, can you share with the community so anyone else struggling with this issue can have guidance? Thanks in advance!

I do plan on sharing the results. Thanks!

So the steps are fairly straightforward.
Setup instructions here: Password File Setup

I am using Kubernetes:

password-authenticator.properties: |
  password-authenticator=file
  file.password-file=secretRef:htpasswd-db:password.db

Add user to the file using instructions from above. You will need to use the Apache httpd package and then install httpd-tools to create the user.

Navigate to a directory to create the password.db file

touch password.db
htpasswd -B -C 10 password.db <user>
>New password:
>Re-type new password:

The password.db file will show the user and bcrypted password.

If you are using OAuth2, make sure to set:
http-server.authentication.type=password,oauth2

The order is important: password first, then OAuth.

After deployment of Values and password.db:

This will not be able to use the Web UI with the credentials; however, you can attach tools using the user (reporting, IDEs, etc.). Though the user may not appear in your BIAC assignment drop-down, you can create a role and add the user by typing the user name into the role assignment. Assign → Type user name, then set role authorizations if needed.

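A pre-deployment check for the setup described in the post above, as an added example that is not part of the original thread: it audits a password.db for entries that are not bcrypt or fall below the `-C 10` cost used above, and confirms that `password` is listed before `oauth2`. The function names and the sample entries are assumptions constructed for illustration; `automation_power_bi` is the account name from the question.

```python
import re

# An htpasswd -B entry: "$2y$", two-digit cost, then 22 salt + 31 digest characters.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")

def audit_password_db(text, min_cost=10):
    """Return (line_no, user, problem) for every entry that should not be deployed."""
    findings, seen = [], set()
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        user, sep, digest = line.partition(":")
        if not sep or not user:
            findings.append((no, user, "not in user:hash form"))
            continue
        if user in seen:
            findings.append((no, user, "duplicate user"))
        seen.add(user)
        m = BCRYPT_RE.match(digest)
        if not m:  # e.g. htpasswd run without -B writes an MD5 ($apr1$) hash
            findings.append((no, user, "not a bcrypt hash (was -B used?)"))
        elif int(m.group(1)) < min_cost:
            findings.append((no, user, f"bcrypt cost {m.group(1)} < {min_cost}"))
    return findings

def password_before_oauth2(properties_text):
    """True if http-server.authentication.type lists password ahead of oauth2."""
    for line in properties_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "http-server.authentication.type":
            types = [t.strip().lower() for t in value.split(",")]
            return "password" in types and (
                "oauth2" not in types or types.index("password") < types.index("oauth2"))
    return False

# Constructed sample data: placeholder strings, not real salts or digests.
FAKE = "A" * 53
SAMPLE_DB = "\n".join([
    "automation_power_bi:$2y$10$" + FAKE,   # acceptable
    "weak_cost:$2y$05$" + FAKE,             # cost below 10
    "md5_user:$apr1$abcdefgh$" + "B" * 22,  # not bcrypt
    "automation_power_bi:$2y$12$" + FAKE,   # duplicate user name
])

if __name__ == "__main__":
    for finding in audit_password_db(SAMPLE_DB):
        print(finding)
    print(password_before_oauth2("http-server.authentication.type=password,oauth2"))
```
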