ScriptRunner Portal Edition R5—New Query configuration and Action configuration

• Author
• Recent Posts

Brandon Lee

Brandon Lee has been in the IT industry 15+ years and focuses on networking and virtualization. He contributes to the community through various blog posts and technical documentation primarily at Virtualizationhowto.com.

Latest posts by Brandon Lee (see all)

• Docker logs tail: Troubleshoot Docker containers with real-time logging - Wed, Sep 13 2023
• dsregcmd: Troubleshoot and manage Azure Active Directory (Microsoft Entra ID) joined devices - Thu, Aug 31 2023
• Ten sed command examples - Wed, Aug 23 2023

ScriptRunner is designed to simplify the management and administration of Microsoft Windows environments, including Active Directory, Exchange, SharePoint, and Office 365.

One of the key benefits of ScriptRunner is that it allows IT teams to delegate administrative tasks to nonadministrative staff without the need for direct access to sensitive systems or credentials. This helps to improve security, reduce errors, and free up IT staff to focus on more strategic tasks.

In addition, ScriptRunner offers PowerShell policies, logging, and reporting capabilities, allowing admins to standardize and introduce governance over PowerShell execution across the environment.

Furthermore, ScriptRunner enables organizations to delegate the execution of recurring tasks with the needed protective measures for PowerShell usage. It also closely monitors and regulates user permissions, targeted systems, and accessible modules when running scripts.

New features in ScriptRunner Portal Edition R5

With each release, ScriptRunner adds new features to the platform. For example, the R5 release is the first version that supports all the functions in the role-based Portal, which is an objective the company has had for a few versions now. Also, it is important to note that ScriptRunner 2020 has been deprecated with this release and will not receive further updates.

Note the following new features contained in this release:

• Query configuration
• Action configuration
• Authentication of users via OpenID Connect, support for Okta
• IIS is no longer required
• Web API Healthcheck URL
• Additional ASRDisplay options

Query configuration

Using Query configuration, users can define and save custom queries that retrieve specific data from Active Directory, Exchange, SharePoint, or other Microsoft systems. ScriptRunner queries are dynamic elements that allow users to search in lists, files, and directories, such as Active Directory. ScriptRunner makes these query elements reusable and dynamic so they can be easily included in additional scripts.

For example, a user could create a query to retrieve all accounts that are members of a specific security group in Active Directory.

Once the query has been defined, it can be saved and reused as needed, either as a standalone query or as part of a larger workflow or automation script. The saved queries can also be shared with other users, either within the organization or with external partners or vendors.

In R5, new queries can be created from templates, preconfigured based on best practices, and modified in the settings later. In addition, various preconfigured queries are available for Active Directory and Azure. Below, you can choose the type of query using the templates provided (Active Directory, Azure, Script, List, File, etc.).

Predefined Queries in the ScriptRunner R5 release

In addition to the new templates, R5 includes preconfigured query cases that further extend customizing PowerShell queries to meet your needs.

Predefined Queries in the ScriptRunner R5 release

In the R5 release, queries can now be fully configured and tested in the Portal, featuring redesigned overviews and functions with the same look and feel as Targets and Credentials configuration.

Testing a ScriptRunner R5 query

Action configuration

A ScriptRunner Action is a policy framework for executing a PowerShell script on a target system. It defines who is allowed to start the script and what inputs the script requires. The Portal's Action configuration options offer a redesigned list and settings interface. The Overview page displays the main elements and settings for execution policies, with accessible sections, such as General, Scripts, Queries, Targets, Delegations, and Scheduling.

In addition, the last five execution results are shown, and the Run button allows quick execution. Additional parameter information is also displayed on the script parameter presets and query assignments page, streamlining the configuration process.

Run options provide streamlined running of scripts in ScriptRunner R5

In R5, the execution policy options, delegation settings, and display option configurations have been improved. Tile display settings now include a WYSIWYG preview. ScriptRunner displays the actions that users have been delegated as tiles. Customizing the look and feel of these action tiles allows aligning the display of ScriptRunner with company branding.

WYSIWYG preview editor for Actions in ScriptRunner R5

Scheduled Action execution has also been redesigned with selectable cycle periods and additional configurations in the More tab.

Scheduling in the Actions configuration in ScriptRunner R5

Authentication of users via OpenID Connect, support for Okta

ScriptRunner can now take advantage of OpenID Connect and Okta (an identity and access management solution) in this release. It can use external identity providers, including Active Directory, ADFS, Azure AD, and Keycloak, for user authentication, and role-based access groups determine user access in the ScriptRunner Portal.

For Okta and Keycloak (an open-source single sign-on tool) integration, admins configure the required SAML integration in their identity provider. At a high level, the configuration workflow includes the following:

Okta configuration

• Configure the SAML application in Okta required to integrate with ScriptRunner
• Create group claims in Okta
  A group claim includes Okta groups returned by Okta when a user successfully authenticates

ScriptRunner configuration

• Store the group claims in the user configuration in ScriptRunner as "claims-based" groups
• Configure settings in the ScriptRunner web service portal using the built-in Set-ASRSTSOptions cmdlet
• Configure the ScriptRunner R5 App.json configuration file for proper redirection to Okta for MFA login

For details on configuring OpenID and ScriptRunner roles and permissions, see Roles and permissions (scriptrunner.com).

ScriptRunner R5 integration with Okta

IIS is no longer required, and a new web API

Portal Edition R5 introduces ScriptRunner's web API, thereby eliminating the need for IIS, using a single port for communication, and allowing operation on standard ports 80/443 for better accessibility. In addition, the old web and desktop apps are no longer needed.

For existing installations, updates retain previous settings and IIS operations. New installations default to the web API for the Portal and service endpoint 80 (HTTP). Migrations follow the same steps but without IIS or the need for port 8091.

Web API healthcheck URL

For simplified monitoring of ScriptRunner's web API, a dedicated healthcheck URL compliant with RFC standards has been implemented. It enables monitoring systems, load balancers, and third-party systems to verify ScriptRunner service availability before invoking the web service connector.

Using ScriptRunner R5 healthcheck URL

Wrapping up

ScriptRunner is an excellent management, reporting, and auditing tool for controlling the use of PowerShell in corporate networks. The R5 release integrates all its functions in the role-based portal, improving the accessibility of its features and simplifying the work, especially for inexperienced PowerShell users.