Accounts
In this article you will find more advice about user accounts, domains and permission levels.
Domain Joining
The Ometa servers and services do not need to be domain joined in order to operate. From a management perspective, however, we recommend that all servers be domain joined to facilitate user management, service management, system monitoring and compliance. When domain joined, the servers initially need to be exempt from any group policies that restrict application installation and/or browser behaviour.
Any additional utilities (e.g. antivirus software, inventory management) have not been included or anticipated in the system requirements. Please add the resources they need to the listed requirements, in accordance with the specifications of the Ometa Framework.
Ometa Framework Server
- (Local) Administrator account for installation and configuration of the Ometa Framework
Service Accounts
Each service in the Ometa Framework needs specific permissions to perform certain tasks. Those permissions are described in detail for each process or service below.
Applies to: BCA, BCM, BCSL, BCSP, BCJS
Each Windows Service needs the following permissions:
- Read and write permission on the registry key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ometa BC.
- Permission to write to the application event log.
- Permission to start and manage Windows processes (change priority, kill processes, request running information, ...).
- The service account must have the user right: Log on as a service.
BCSL
This service is responsible for managing interface processes such as BCS_BaaN, BCS_SAP, BCS_AD, etc. Those interface processes are started under the same account as the service itself. This account needs the following additional permission:
- Member of the Performance Monitor Users group, to be able to read performance counters on the system. If this permission is not set, some performance optimisations will not be available and performance can degrade over time.
Some interface processes need extra permissions for certain tasks (e.g. the BCS_AD process needs additional permissions to update AD information). If required, these permissions must be granted to that same service user. Alternatively, the credentials can be saved in the profile of the Ometa Business Connector.
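The following PowerShell script is an added example (it is not part of the Ometa documentation or product) that checks the Windows-service account prerequisites listed above for BCA, BCM, BCSL, BCSP and BCJS, plus the Performance Monitor Users membership that BCSL needs, and applies the missing ones when run with -Grant. It assumes a placeholder account name, the registry key named on this page, an elevated session on the Ometa server, and the availability of the LocalAccounts module and secedit.exe (Windows Server 2016 or later).

```powershell
<#
  Added example (not part of the Ometa documentation): checks the prerequisites listed above
  for a Windows-service account and, with -Grant, applies the missing ones.
  Assumptions: the account name is a placeholder, the registry path is the one given on the page,
  the script runs elevated on the Ometa server, and the LocalAccounts module and secedit.exe
  are available (Windows Server 2016 or later).
#>
param(
    [Parameter(Mandatory)] [string] $ServiceAccount,  # placeholder, e.g. 'CONTOSO\svc-ometa'
    [switch] $Grant,                                  # without -Grant the script only reports
    [switch] $PerformanceMonitor                      # BCSL only: Performance Monitor Users membership
)

$RegistryKey = 'HKLM:\SOFTWARE\WOW6432Node\Ometa BC'
$Account     = New-Object System.Security.Principal.NTAccount($ServiceAccount)
$Sid         = $Account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$Wanted      = [System.Security.AccessControl.RegistryRights]'ReadKey, WriteKey'

# --- Registry: read and write on HKLM\SOFTWARE\WOW6432Node\Ometa BC ----------------------
function Test-OmetaRegistryAccess {
    $acl = Get-Acl -Path $RegistryKey
    $ace = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $ServiceAccount -and
        ($_.RegistryRights -band $Wanted) -eq $Wanted
    }
    return [bool]$ace
}
function Grant-OmetaRegistryAccess {
    $acl  = Get-Acl -Path $RegistryKey
    # Allow ReadKey + WriteKey on the key and its subkeys; nothing more (no FullControl)
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $ServiceAccount, $Wanted, 'ContainerInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $RegistryKey -AclObject $acl
}

# --- Performance Monitor Users group (needed by BCSL to read performance counters) -------
function Test-PerfMonMembership {
    $members = Get-LocalGroupMember -Group 'Performance Monitor Users' -ErrorAction SilentlyContinue
    return [bool]($members | Where-Object { $_.SID.Value -eq $Sid })
}

# --- User right "Log on as a service" (SeServiceLogonRight), read and written with secedit
function Get-ServiceLogonRightEntries {
    $cfg = Join-Path $env:TEMP 'ometa-rights.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    # Value looks like "*S-1-5-80-0,*S-1-5-21-...": SIDs are prefixed with '*', names are not
    return @((($line -split '=', 2)[1]) -split ',' | ForEach-Object { $_.Trim() })
}
function Test-ServiceLogonRight {
    $entries = Get-ServiceLogonRightEntries
    return ($entries -contains "*$Sid") -or ($entries -contains $ServiceAccount)
}
function Grant-ServiceLogonRight {
    # secedit replaces the whole list, so the existing entries must be written back as well
    $value = (@(Get-ServiceLogonRightEntries) + "*$Sid") -join ','
    $inf   = Join-Path $env:TEMP 'ometa-grant.inf'
    $db    = Join-Path $env:TEMP 'ometa-grant.sdb'
    $body  = "[Unicode]`r`nUnicode=yes`r`n[Version]`r`nsignature=`"`$CHICAGO`$`"`r`nRevision=1`r`n" +
             "[Privilege Rights]`r`nSeServiceLogonRight = $value`r`n"
    Set-Content -Path $inf -Value $body -Encoding Unicode
    & secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
    Remove-Item $inf, $db -ErrorAction SilentlyContinue
}

# --- Report, then grant what is missing -------------------------------------------------
$checks = [ordered]@{
    'Registry read/write on Ometa BC key' = @{ Test = 'Test-OmetaRegistryAccess'; Fix = 'Grant-OmetaRegistryAccess' }
    'Log on as a service'                 = @{ Test = 'Test-ServiceLogonRight';   Fix = 'Grant-ServiceLogonRight' }
}
if ($PerformanceMonitor) {
    $checks['Performance Monitor Users member'] = @{
        Test = 'Test-PerfMonMembership'
        Fix  = { Add-LocalGroupMember -Group 'Performance Monitor Users' -Member $ServiceAccount }
    }
}
foreach ($name in $checks.Keys) {
    $ok = & $checks[$name].Test
    if (-not $ok -and $Grant) { & $checks[$name].Fix; $ok = & $checks[$name].Test }
    '{0,-40} {1}' -f $name, $(if ($ok) { 'OK' } elseif ($Grant) { 'FAILED' } else { 'MISSING' })
}
```

Run it once without -Grant to see what is missing, then with -Grant (and -PerformanceMonitor for the BCSL account). The registry rule deliberately grants only ReadKey and WriteKey rather than FullControl, and the user-right update re-writes the existing SeServiceLogonRight entries because secedit replaces the list instead of appending to it. Writing to the application event log is not scripted here: by default authenticated users may write to it, and registering an event source is done by the installer.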
Web API Services
Ometa Core Service
- Application pool user is an AD account with the following permissions:
  - write to the log directory (default: %OMETA_INSTALLATION_MAP%\Log\Services)
  - read its own website directory
  - read / write permissions on the Ometa Framework database
    - optional if the credentials are stored in appsettings.json
  - database owner permissions on the Ometa Framework database, for migration purposes during upgrades
    - optional if the credentials are stored in appsettings.json
  - read / write permissions on the case management database
    - optional if the credentials are stored in appsettings.json
  - database owner permissions on the case management database, for migration purposes during upgrades
    - optional if the credentials are stored in appsettings.json
- Password does not expire
- Complex password
- The service account must have the user right: Log on as a batch job.
Ometa Authority Service
- Application pool user is an AD account with the following permissions:
  - write to the log directory (default: %OMETA_INSTALLATION_MAP%\Log\Services)
  - read its own website directory
  - read / write permissions on the Ometa Framework database
    - optional if the credentials are stored in appsettings.json
  - database owner permissions on the Ometa Framework database, for migration purposes during upgrades
    - optional if the credentials are stored in appsettings.json
  - read all user properties from AD
  - permission to read the private key of the certificate used by the authority service
- Password does not expire
- Complex password
- The service account must have the user right: Log on as a batch job.
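The PowerShell script below is an added example (not Ometa's own code) for the file-system part of the Ometa Core Service and Ometa Authority Service requirements: it gives the application pool identity write access to the log directory and read-only access to the website directory, verifies that the account holds no direct write right on the site files, and can bind the IIS application pool to that identity. The account and pool names are placeholders; the log directory defaults to %OMETA_INSTALLATION_MAP%\Log\Services as stated on this page; the script is assumed to run elevated on the web server with the WebAdministration module installed.

```powershell
<#
  Added example (not part of the Ometa documentation): gives an application pool identity the
  file-system rights listed above and, optionally, binds the IIS application pool to it.
  Assumptions: the account and pool names are placeholders, the log directory defaults to
  %OMETA_INSTALLATION_MAP%\Log\Services as on the page, and the script runs elevated on the
  web server with the WebAdministration module (IIS) installed.
#>
param(
    [Parameter(Mandatory)] [string] $AppPoolAccount,   # placeholder, e.g. 'CONTOSO\svc-ometa-web'
    [Parameter(Mandatory)] [string] $SiteDirectory,    # the service's own website directory
    [string] $LogDirectory = "$env:OMETA_INSTALLATION_MAP\Log\Services",
    [string] $AppPoolName                               # optional: IIS application pool to bind
)

function Add-DirectoryRight {
    param([string] $Path, [System.Security.AccessControl.FileSystemRights] $Rights)
    $acl  = Get-Acl -Path $Path
    # Inherit to subfolders and files, allow only the rights asked for
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $AppPoolAccount, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-DirectRights {
    # Sums the ACEs that name the account itself (direct entries only; group membership is
    # not resolved here), which is enough to confirm what this script granted.
    param([string] $Path)
    $allow = 0; $deny = 0
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.IdentityReference.Value -ne $AppPoolAccount) { continue }
        if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$ace.FileSystemRights }
        else                                    { $deny  = $deny  -bor [int]$ace.FileSystemRights }
    }
    return [System.Security.AccessControl.FileSystemRights]($allow -band (-bnot $deny))
}

foreach ($dir in $LogDirectory, $SiteDirectory) {
    if (-not (Test-Path -Path $dir -PathType Container)) { throw "Directory not found: $dir" }
}

# Log directory: Modify (read, write, delete) so the service can create and rotate log files.
Add-DirectoryRight -Path $LogDirectory  -Rights 'Modify'
# Website directory: read-only; the identity that runs the site must not be able to change it.
Add-DirectoryRight -Path $SiteDirectory -Rights 'ReadAndExecute'

$siteRights = Get-DirectRights -Path $SiteDirectory
if (([int]$siteRights -band [int][System.Security.AccessControl.FileSystemRights]::Write) -ne 0) {
    Write-Warning "$AppPoolAccount has write access to $SiteDirectory; review the existing ACEs."
}
'{0,-20} {1}' -f 'Log directory:', (Get-DirectRights -Path $LogDirectory)
'{0,-20} {1}' -f 'Website directory:', $siteRights

if ($AppPoolName) {
    Import-Module WebAdministration
    $cred = Get-Credential -UserName $AppPoolAccount -Message 'Password of the application pool identity'
    # identityType 3 = SpecificUser; the password is read interactively, never stored in the script
    Set-ItemProperty -Path "IIS:\AppPools\$AppPoolName" -Name processModel -Value @{
        identityType = 3
        userName     = $AppPoolAccount
        password     = $cred.GetNetworkCredential().Password
    }
}
```

The "Log on as a batch job" user right, the non-expiring password and the password complexity are account and policy settings (Local Security Policy or Group Policy, and the AD account properties) and are not covered by this script. Keeping the website directory read-only for the pool identity limits what a compromised web process can change on disk.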
Ometa Generic REST Service
- Application pool user is an AD account with the following permissions:
  - read its own website directory
  - write to the WorkDir directory of its own website
  - site collection administrator permissions
    - optional if the credentials are stored in the appsettings.json file
- Password does not expire
- Complex password
- The service account must have the user right: Log on as a batch job.
SharePoint Online
- Register the Ometa Framework as an app in the Microsoft Azure Portal. Copy the Client ID and Client Secret for later use during the installation.
  - Needed for site creation with Case Management
  - Needed for the Generic REST Service to connect to the site collection for context purposes
  - Needed for the SharePoint Building Blocks
- Account with permissions to create and upload to the App Catalog
Deprecated
The preferred way is to register the app in the Microsoft Azure Portal. If this is not possible:
- SharePoint Online Administrator account for creating site collections, used as service account
  - Password does not expire
  - Complex password
SharePoint On Premise
- Account with permissions to add and install solutions in Central Administration
- Service account with permissions to create new site collections
  - Password does not expire
  - Complex password
SQL Server
As mentioned in the SQL Server Minimum System Requirements, a SQL or AD account with full ownership of the existing databases is required.
Important
The Ometa Business Connector connects directly to the case management and framework databases when certain functionality in the tool is used. When a trusted connection is used, the connection runs as the user running the Ometa Business Connector, so be sure to run the Ometa Business Connector under an account that has the necessary privileges on those databases.
Azure SQL Database
When using the Azure SQL Database service, only SQL accounts are supported. Keep in mind that those SQL accounts also need full ownership of the databases.
Please consult the Microsoft documentation on creating the service principal user in Azure SQL Database for an explanation of how to add SQL accounts with the proper ownership permissions.
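As an added example (not part of the Ometa documentation, and not Microsoft's), the PowerShell script below creates the database principal for a service account on one database, covering both the Web API service requirements above (read / write for normal operation, database owner only for the migration during an upgrade) and the SQL Server and Azure SQL Database sections here. Without -AzureSql it creates a Windows login for an AD account; with -AzureSql it creates a contained SQL user, since Azure SQL Database supports SQL accounts only. It uses System.Data.SqlClient so no extra modules are needed, and all server, database and account names are placeholders.

```powershell
<#
  Added example (not part of the Ometa documentation): creates the database principal an
  Ometa service account needs on one database and assigns roles following the page:
  read/write (db_datareader + db_datawriter) for normal operation, db_owner only while an
  upgrade migration runs (-Upgrade), removed again with -EndUpgrade. For Azure SQL Database,
  which supports SQL accounts only, -AzureSql creates a contained SQL user instead of a
  Windows login. Uses System.Data.SqlClient, no extra modules; all names are placeholders.
#>
param(
    [Parameter(Mandatory)] [string] $Server,         # e.g. 'sql01' or 'myserver.database.windows.net'
    [Parameter(Mandatory)] [string] $Database,       # Ometa Framework or case management database
    [Parameter(Mandatory)] [string] $Principal,      # 'CONTOSO\svc-ometa-web' or a SQL user name
    [pscredential] $AdminCredential,                 # SQL admin login; omitted = Windows authentication
    [switch] $AzureSql,                              # contained SQL user (requires -SqlPassword)
    [securestring] $SqlPassword,
    [switch] $Upgrade,                               # add db_owner for the migration
    [switch] $EndUpgrade                             # drop db_owner after the migration
)

# T-SQL that builds every identifier with QUOTENAME and receives @name/@password as
# parameters, so the principal name and password are never spliced into the SQL text.
$Script = @'
DECLARE @sql nvarchar(max);
IF @azure = 0 AND NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @name)
BEGIN
    SET @sql = N'CREATE LOGIN ' + QUOTENAME(@name) + N' FROM WINDOWS;';
    EXEC sp_executesql @sql;
END
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = @name)
BEGIN
    IF @azure = 1
        SET @sql = N'CREATE USER ' + QUOTENAME(@name) + N' WITH PASSWORD = ' + QUOTENAME(@password, '''') + N';';
    ELSE
        SET @sql = N'CREATE USER ' + QUOTENAME(@name) + N' FOR LOGIN ' + QUOTENAME(@name) + N';';
    EXEC sp_executesql @sql;
END
SET @sql = N'ALTER ROLE db_datareader ADD MEMBER ' + QUOTENAME(@name) + N';'
         + N'ALTER ROLE db_datawriter ADD MEMBER ' + QUOTENAME(@name) + N';';
EXEC sp_executesql @sql;
IF @upgrade = 1
BEGIN
    SET @sql = N'ALTER ROLE db_owner ADD MEMBER ' + QUOTENAME(@name) + N';';
    EXEC sp_executesql @sql;
END
IF @endUpgrade = 1 AND IS_ROLEMEMBER('db_owner', @name) = 1
BEGIN
    SET @sql = N'ALTER ROLE db_owner DROP MEMBER ' + QUOTENAME(@name) + N';';
    EXEC sp_executesql @sql;
END
'@

if ($AzureSql -and -not $SqlPassword) { throw '-AzureSql requires -SqlPassword.' }

$builder = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
$builder['Data Source']     = $Server
$builder['Initial Catalog'] = $Database
$builder['Encrypt']         = $true
if ($AdminCredential) {
    $builder['User ID']  = $AdminCredential.UserName
    $builder['Password'] = $AdminCredential.GetNetworkCredential().Password
} else {
    $builder['Integrated Security'] = $true
}

$password = [DBNull]::Value
if ($SqlPassword) {
    $password = (New-Object System.Management.Automation.PSCredential('x', $SqlPassword)).GetNetworkCredential().Password
}

$conn = New-Object System.Data.SqlClient.SqlConnection($builder.ConnectionString)
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $Script
    [void]$cmd.Parameters.AddWithValue('@name', $Principal)
    [void]$cmd.Parameters.AddWithValue('@password', $password)
    [void]$cmd.Parameters.AddWithValue('@azure', [int][bool]$AzureSql)
    [void]$cmd.Parameters.AddWithValue('@upgrade', [int][bool]$Upgrade)
    [void]$cmd.Parameters.AddWithValue('@endUpgrade', [int][bool]$EndUpgrade)
    [void]$cmd.ExecuteNonQuery()
} finally {
    $conn.Close()
}
"Principal $Principal configured on $Server/$Database."
```

Run it against both the Ometa Framework database and the case management database. For the account that installs or upgrades the framework (which needs full ownership), pass -Upgrade; once the migration has finished, run it again with -EndUpgrade so that the service account keeps only read / write access during normal operation. Against Azure SQL Database, connect with -AdminCredential and create the SQL user with -AzureSql and -SqlPassword, as Windows logins are not available there.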