Service Account Requirements


As a modular and scalable enterprise application, EmpowerID relies on two Windows Services and a variety of IIS Web REST Services to perform its processing. Each of the Windows Services and the IIS Application Pool Identities require a user identity (service account) with the necessary privileges to access the EmpowerID database. Before you install EmpowerID, you should first create these accounts, giving them the necessary access rights to interact with the EmpowerID database and the local machine on which EmpowerID is installed. These rights are outlined below.

When you create the service accounts, you should use the following restrictions for security purposes:

  • Deny the service accounts the right to log on through Terminal Services.
  • Deny the service accounts access to this computer from the network.

Required SQL Database Rights

Because each EmpowerID Windows Service accesses the EmpowerID database, the service account users must be able to read and modify the EmpowerID database on the target SQL Server. Specifically, the service accounts need the following database permissions:

  • Connect
  • Authenticate
  • Execute
  • Delete
  • Insert
  • Select
  • Update
  • Alter (needed on the following tables only, so that EmpowerID can truncate them):
    • PersonOrgRoleOrgZoneReEvalTempAccountData
    • PersonOrgRoleOrgZoneReEvalTempPersonData
    • PersonManadatoryAttributesTemp
    • PersonMandatoryAttributesTempPreview
    • PersonMandatoryAttributesOverwritePreview
    • AccountObjectAttributeOutboxPreview


EmpowerID recommends creating a custom database role named "EmpowerIDService" that grants the service account user only the minimum database rights listed above, rather than a broad built-in role. For more information on creating this role, see the topic on Granting SQL Access through Server Roles.
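As an added example (not from the EmpowerID documentation), the T-SQL below creates the "EmpowerIDService" role with exactly the permissions listed above and adds a service account to it. The database name, the dbo schema and the Windows login name are placeholder assumptions; substitute your own.

```sql
-- Added example, not EmpowerID's own script. Placeholder assumptions:
--   database name : EmpowerID
--   table schema  : dbo
--   Windows login : DOMAIN\svc_empowerid  (the EmpowerID service account)
USE [EmpowerID];
GO

-- Map the service account's Windows login to a database user.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'DOMAIN\svc_empowerid')
    CREATE USER [DOMAIN\svc_empowerid] FOR LOGIN [DOMAIN\svc_empowerid];
GO

-- Custom role that carries only the rights the services need (instead of db_owner).
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'EmpowerIDService' AND type = N'R')
    CREATE ROLE [EmpowerIDService];
GO

-- Database-wide rights: Connect, Authenticate, Execute, Delete, Insert, Select, Update.
GRANT CONNECT, AUTHENTICATE TO [EmpowerIDService];
GRANT EXECUTE, DELETE, INSERT, SELECT, UPDATE TO [EmpowerIDService];
GO

-- ALTER only on the temp/preview tables that are truncated
-- (TRUNCATE TABLE requires ALTER on the table; no schema-wide DDL rights are granted).
GRANT ALTER ON OBJECT::dbo.PersonOrgRoleOrgZoneReEvalTempAccountData TO [EmpowerIDService];
GRANT ALTER ON OBJECT::dbo.PersonOrgRoleOrgZoneReEvalTempPersonData  TO [EmpowerIDService];
GRANT ALTER ON OBJECT::dbo.PersonManadatoryAttributesTemp            TO [EmpowerIDService];
GRANT ALTER ON OBJECT::dbo.PersonMandatoryAttributesTempPreview      TO [EmpowerIDService];
GRANT ALTER ON OBJECT::dbo.PersonMandatoryAttributesOverwritePreview TO [EmpowerIDService];
GRANT ALTER ON OBJECT::dbo.AccountObjectAttributeOutboxPreview       TO [EmpowerIDService];
GO

-- Give the service account the role (ALTER ROLE ... ADD MEMBER needs SQL Server 2012 or later;
-- use sp_addrolemember on older versions).
ALTER ROLE [EmpowerIDService] ADD MEMBER [DOMAIN\svc_empowerid];
GO

-- Verification: list what the role can do; nothing beyond the rights above should appear.
SELECT pr.name, pe.permission_name, pe.state_desc, OBJECT_NAME(pe.major_id) AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pe.grantee_principal_id = pr.principal_id
WHERE pr.name = N'EmpowerIDService';
```

Run the final SELECT after each grant change; if the service account also holds a broad built-in role such as db_owner, the custom role is not limiting anything.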


Required IIS Application Pool Rights

The application pool identity requires read access to the EmpowerID web site folders. If you are using SharePoint, the EmpowerID application pool requires read access to the SharePoint database, and the SharePoint web site application pool needs the same rights to the EmpowerID database as the EmpowerID application pool.

Required Local Machine Rights

The EmpowerID service account interacts with the local machine to perform a variety of maintenance procedures, including the distribution and maintenance of new workflows and other Workflow Studio published items. The service account needs the following access rights on the local machine:

  • Install files into the local global assembly cache (GAC)
  • Read the registry
  • Read certificates in the local certificate store
  • Spawn child processes
  • Run the C# compiler in the background if and when necessary
  • Create files in the temp folder
  • Run remote PowerShell for Microsoft Exchange, if that Server Role is enabled in EmpowerID
  • Create files and folders in the following locations:
    • C:\ProgramData
    • C:\Program Files\TheDotNetFactory\Programs

Required Directory Management Rights

EmpowerID also uses highly privileged user accounts when connecting to user directories such as Active Directory, LDAP or database systems. These "account stores" use saved proxy accounts to connect to those systems and perform user account management operations. EmpowerID requires one privileged account per domain or directory. This account requires all of the privileges matching the functions that EmpowerID may perform (user creation, deletion, password reset, group creation, etc.).

If you will be managing an Active Directory Domain, the proxy account must be able to access the deleted items container in AD. Access to the Deleted Items container requires Domain Admin access unless the container security is edited to allow non-domain admins to read it. Instructions for editing the security of the deleted items container can be found in the Microsoft Article, "How to let non-administrators view the Active Directory deleted objects container in Windows Server 2003 and in Windows 2000 Server" which can be viewed in full at http://support.microsoft.com/kb/892806.
