
When you create the service accounts, apply the following restrictions for security purposes:

  • Deny the service accounts the right to log on through Terminal Services.

  • Deny the service accounts access to this computer from the network.

Required SQL Database Rights

Because each EmpowerID Windows Service accesses the EmpowerID database, the service account must have the right to modify the EmpowerID database on the target SQL server. Specifically, the service account must have the following database capabilities:

Required Windows Service Rights

  • Connect

  • Authenticate

  • Execute

  • Delete

  • Insert

  • Select

  • Update

  • Alter — needed on the following tables only, to allow truncation:

      • PersonOrgRoleOrgZoneReEvalTempAccountData

      • PersonOrgRoleOrgZoneReEvalTempPersonData

      • PersonManadatoryAttributesTemp

      • PersonMandatoryAttributesTempPreview

      • PersonMandatoryAttributesOverwritePreview

      • AccountObjectAttributeOutboxPreview
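The database rights listed above, expressed as a T-SQL grant script. This is an added example, not an EmpowerID script: it assumes a database named EmpowerID, the dbo schema, a Windows service account CONTOSO\svc-eid-worker, and an ordinary table named dbo.Person for the negative check; all four are placeholders to replace. It grants only the listed permissions and limits ALTER to the six truncation tables.

```sql
-- Added example (not EmpowerID's own script). Placeholders (assumptions):
-- database [EmpowerID], schema dbo, account [CONTOSO\svc-eid-worker], table dbo.Person.
USE [master];
GO
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\svc-eid-worker')
    CREATE LOGIN [CONTOSO\svc-eid-worker] FROM WINDOWS;  -- Windows auth: no password to store
GO
USE [EmpowerID];
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CONTOSO\svc-eid-worker')
    CREATE USER [CONTOSO\svc-eid-worker] FOR LOGIN [CONTOSO\svc-eid-worker];
GO
-- Database-scoped rights from the list: Connect, Authenticate, Execute, Delete, Insert,
-- Select, Update. Granted at database scope so every table and procedure is covered
-- without making the account db_owner.
GRANT CONNECT, AUTHENTICATE, EXECUTE, DELETE, INSERT, SELECT, UPDATE
    TO [CONTOSO\svc-eid-worker];
GO
-- ALTER only where the list says it is needed: TRUNCATE TABLE requires ALTER on the
-- table, so these six tables get ALTER at object scope and no other table does.
GRANT ALTER ON OBJECT::dbo.PersonOrgRoleOrgZoneReEvalTempAccountData TO [CONTOSO\svc-eid-worker];
GRANT ALTER ON OBJECT::dbo.PersonOrgRoleOrgZoneReEvalTempPersonData  TO [CONTOSO\svc-eid-worker];
GRANT ALTER ON OBJECT::dbo.PersonManadatoryAttributesTemp            TO [CONTOSO\svc-eid-worker];
GRANT ALTER ON OBJECT::dbo.PersonMandatoryAttributesTempPreview      TO [CONTOSO\svc-eid-worker];
GRANT ALTER ON OBJECT::dbo.PersonMandatoryAttributesOverwritePreview TO [CONTOSO\svc-eid-worker];
GRANT ALTER ON OBJECT::dbo.AccountObjectAttributeOutboxPreview       TO [CONTOSO\svc-eid-worker];
GO
-- Verification: impersonate the account and confirm ALTER is present on a truncation
-- table but absent on the assumed ordinary table dbo.Person.
EXECUTE AS USER = N'CONTOSO\svc-eid-worker';
SELECT 'truncation table' AS scope, permission_name
  FROM fn_my_permissions(N'dbo.PersonMandatoryAttributesTempPreview', N'OBJECT')
 WHERE permission_name = N'ALTER'
UNION ALL
SELECT 'other table', permission_name
  FROM fn_my_permissions(N'dbo.Person', N'OBJECT')
 WHERE permission_name = N'ALTER';  -- expect one row for the truncation table only
REVERT;
GO
-- Audit: everything granted directly to the account in this database.
SELECT dp.class_desc, dp.permission_name, dp.state_desc,
       OBJECT_SCHEMA_NAME(dp.major_id) + '.' + OBJECT_NAME(dp.major_id) AS object_name
  FROM sys.database_permissions AS dp
  JOIN sys.database_principals AS pr ON pr.principal_id = dp.grantee_principal_id
 WHERE pr.name = N'CONTOSO\svc-eid-worker';
GO
```

Run the audit query after any EmpowerID upgrade as well; if the product adds a table it needs to truncate, the missing ALTER shows up as a failed truncation in the service log rather than as a broad permission silently granted.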

Required IIS Application Pool Rights

The application pool identity requires read access to the EmpowerID web site folders. If you are using SharePoint, the EmpowerID application pool requires read access to the SharePoint database, and the SharePoint web site application pool needs the same rights to the EmpowerID database as the EmpowerID application pool.

Required Local Machine Rights

The EmpowerID service account interacts with the local machine to perform a variety of maintenance procedures, including the distribution and maintenance of new workflows and other Workflow Studio published items. The service account needs the following access rights on the local machine:

  • Install files into the local global assembly cache (GAC)

  • Read the registry

  • Read certificates in the local certificate store

  • Spawn child processes

  • Run the C# compiler in the background when necessary

  • Create files in the temp folder

  • Run remote PowerShell for Microsoft Exchange

  • Create files and folders in the following locations:

      • C:\ProgramData

      • C:\Program Files\TheDotNetFactory\Programs

Required Directory Management Rights

EmpowerID also uses highly privileged user accounts when connecting to user directories such as Active Directory, LDAP, or database systems. These "account stores" use saved proxy accounts for connecting to these systems and performing user account management operations. EmpowerID requires one privileged account per domain or directory. This account requires all of the privileges matching the functions that EmpowerID may perform (user creation, deletion, password reset, group creation, etc.).

...

In addition to the above rights, the EmpowerID Worker Role Service and the EmpowerID Web Role Service each require a service account with additional rights. The specific rights needed by each service are as follows:

EmpowerID Worker Role Service (service account rights required)

  • Local admin on the server hosting the service

EmpowerID Web Role Service (service account rights required)

  • Local admin on the server hosting the service

  • Optionally, domain user with local administrator privileges on Windows file servers
