Controlling execution of user-defined commands
Several endpoints support running user-defined commands for pre/post-processing files. In the Operating System Level Credentials tab shown in SERVER view, you can provide user credentials for user-defined commands that needs to be executed at operating system level. By default, such commands are executed under the Replicate Server service account. This may constitute a security risk, as it allows any Replicate user with Admin or Designer permissions to specify user-defined commands that could lead to a full compromise of the server.
Note that when Replicate Server is installed on Linux, the External utilities tab will be hidden as the potential security risk is relevant to Windows only.
You can also determine whether to allow user-defined commands to be executed at all.
To do this:
- On the Replicate Server machine, open the <PRODUCT_DIR>\bin\repctl.cfg file and set the enable_execute_user_defined_commands parameter to "true" or "false" (the default) as required.
- If Another account is selected in the Operating System Level Credentials tab and you changed the default Attunity Replicate Server service Log On user:
For both admin and non-admin users:
Add the user specified in the Attunity Replicate Server service Log On tab to the "Replace a process level token" policy in the "Local Security Policy" settings.
- For non-admin users only:
Grant the user full control over the Replicate data folder.
The default location of the data folder is C:\Program Files\Qlik\Replicate\data
Grant the user full control over the folder containing the user-defined command to be executed.Information note
The user must be the same as the non-admin user specified in the Attunity Replicate Server service Log On tab.
- Restart the Qlik Replicate services.
Executing operating system commands as a different user
The load utility of the following target endpoints can run via user-provided credentials instead of the LocalSystem user:
- Microsoft APS PDW
- Google Cloud BigQuery
- IBM Netezza