But seriously, in my organization I would escalate that asap. If me or my team is not able to work in this case, they suddenly endanger project success quickly and create a lot of damage.
IT is very likely not earning the money for your company. They need to assist you. I would say it’s their primary responsibility. I know there is a lot of friction, usually because of them being in a difficult position. But they don’t need to worry about you executing malware, if they already preventing you from working properly. That is a similar outcome.
Therefore its always good to know somebody who you can talk to. Hopefully they have not outsourced them to a “best cost country”. But if they insist in blocking you like this, I would guess its also their responsibility to find a workaround.
Please take a look at this guide. This shows how you can customize the .rhinocode path to a difference place. You can run Rhino, open Script Editor and set up the development environment on a machine, grab the contents of .rhinocode and include that in the deployment for all user machines.
The contents of the directory need to be loadable and executable still so make sure users have read-execute access to the new .rhinocode path.
Are you aware of the problems with a machine wide installation of Python (without any virtualization)? Given two or more users actively using the same machine (e.g. a server for virtual desktops), suddenly user A is uninstalling module a, while user B is using it. Or b is installing a module which breaks another module of user A. You break configurations of other users and most people won’t even notice. Under certain conditions you can even modify the Python installation in a way, that you force another user to execute your code in his name.
You might provide a custom Powershell or Batch script which any user has to execute once instead. And why should your Software management system not support user-wide installation?
I think the biggest problem is the restriction you mentioned in the first post. It is really bad to only allow to run apps from this directory, because it will prevent any form of scripting. Even if you bypass the problems. Are you sure that you can execute the script then? In case of IronPython, it will need to compile the code before running it. Other than that, you are not supposed to create data within %ProgramFiles%. Its usually meant for applications data which does not change after installation. You can‘t dump or modify any data there with user rights. Meaning you can’t store compiled or pip/yak downloaded binary data there as a user.
Hi @TomTom
We work in a strongly secured environment.
Users cannot install Python packages.
On a directory there is either execute permission OR write permission. Never both
This means we need to deploy a Python clone that contains all the necessary packages for the users to work and deploy this clone on the machine.
We will try to do this as described above and see if it works.
Regards,
Thom
sorry, but so do I. I have worked on critical and highly confidential projects in the automotive sector in multiple areas in and for different companies. This included a wide range of activities, from exterior design up to developing ECU software. There are companies who zero trust their own people, but its funny if you know where the leaks are. Very often this either follows other reasons. Often you see harsh restriction to control own people or because of ignorant decision makers in the IT department. Again, you might eliminate the slight chance of executing malware on a system, ignoring the fact that this is not the main problem. Instead they effectively disturbing people for doing their work. But from my experience you can indeed get often special permission if your work requires this. Its not a technical, but a problem of communication.
Anyway… If it works for you
@thomas.k Predeploying python libraries in the .rhinocode folder, and deploying as readonly-executable on target machines is a great idea. It’s necessary to control which packages and which versions are used across a strongly secured environment.
But not like this. Usually you instead have internal hosted services such as JFrog Artifactory, Sonatype Nexus etc. where you upload pip modules, nuget packages etc. These packages are then scanned and tested by the tool and additionally by someone responsible.
@TomTom It’s not an either/or IMHO. Choose the solution that is right for your environment. Let me know if there is anything we can improve in Rhino or the Script Editor.
