06-15-2023 11:49 AM
I found the ConfigEngine privilege and noticed that this turned off many configuration options in Station Options and editing Search Directories. I was especially interested in preventing my end users from messing with the Search Directories list. However, I've noticed that when they're developing a TestStand sequence, they can still add Action steps to code modules at any path they want, and the dialog when selecting VIs allows you to add new search directories. I thought it would prevent them from actually adding search directories, but it seems that they are able to. This strikes me as a bug. Am I missing something? Is there any way to actually prevent end users from modifying the SearchDirectories list without fully removing all sequence editing privileges?
06-20-2023 03:34 AM
Hi Steven,
I wouldn't call it a bug, rather a "legacy behaviour" which is not necessarily state of the art.
SearchDirectories.cfg is just a text file, which is located in a publicly available folder. So it is modifiable by design.
In fact, the NI TestStand Exercises / Solutions that come with the official training leverage this behaviour for creating backups / using solutions for exercises.
And I am pretty sure that there are use cases where people use this feature.
Looking through the security lens, this behaviour is critical, since a change of search directories could be used to use potentially malicious code.
06-22-2023 08:47 AM
Thanks for the reply! Do you see any way to limit/prevent someone from changing searchDirectories? Right now I'm not sure how you could really prevent someone from adding new ones without taking away all sequence editing capabilities.
06-26-2023 08:50 AM
Since you are using User Management in TestStand, I suppose you are also using proper AD accounts for your users.
So, if TestStand doesn't allow you to block changing the SearchPath file only, you might also use Windows privileges: allow write access to the SearchPaths File for certain users. But this would take a lot of effort for configuration and during deployment, so probably this would really be just a solution in theory.
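The Windows-permissions approach suggested in the reply above, sketched as an added example that is not part of the original thread or any NI tooling. The file path is a placeholder (the thread does not give it) and the group names are hypothetical.

```powershell
# Added example: restrict write access to the search directories file via NTFS ACLs.
# Run from an elevated PowerShell session.
param(
    # Placeholder: the thread does not give the file's location; set it for your station.
    [string]$CfgPath      = 'C:\PLACEHOLDER\SearchDirectories.cfg',
    # Hypothetical AD group whose members may still edit the file.
    [string]$EditorsGroup = 'EXAMPLE\TestStand-ConfigAdmins',
    # Everyone else on the station gets read-only access.
    [string]$ReadersGroup = 'BUILTIN\Users'
)

if (-not (Test-Path -LiteralPath $CfgPath -PathType Leaf)) {
    throw "File not found: $CfgPath"
}

$acl = Get-Acl -LiteralPath $CfgPath

# Stop inheriting the folder's permissive ACEs and discard the inherited copies.
$acl.SetAccessRuleProtection($true, $false)

# Drop any explicit ACEs already on the file so only the rules below remain.
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($rule)
}

# Explicit grants: system and admins keep control, editors may modify, others only read.
$grants = [ordered]@{
    'NT AUTHORITY\SYSTEM'    = 'FullControl'
    'BUILTIN\Administrators' = 'FullControl'
    $EditorsGroup            = 'Modify'
    $ReadersGroup            = 'Read'
}
foreach ($identity in $grants.Keys) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity, $grants[$identity], 'Allow')
    $acl.AddAccessRule($rule)
}

Set-Acl -LiteralPath $CfgPath -AclObject $acl

# Verify: show the effective entries after the change.
(Get-Acl -LiteralPath $CfgPath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Whether TestStand behaves well when a user cannot write this file is not covered in the thread, so try it on a non-production station first. The file ACL also does not help if users hold Full Control on the containing folder, since that lets them delete and recreate the file.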
08-01-2023 08:25 AM - edited 08-01-2023 08:27 AM
The solution we're going with is to programmatically re-create the search directories configuration file every time a user logs in. Here is an incomplete stub of the general code we're using