Accounts
In this article you will get more advice about user accounts, domains and permission levels.
Ometa Framework Server
- (Local) Administrator account for installation and configuration of the Ometa Framework. This account needs db_owner permissions to the Ometa databases.
- Domain service account (Ometa\ServiceOmeta$) for running the Ometa Services (BCA, BCM, BCSL, BCSP, BCJS, Audit Service), Core Web service, Generic REST Service and Authority Service.
  - Modify permissions on the %OMETA_INSTALL_ROOT% folder and on the BAMConfig.LogDirectory folder (refer to the root appsettings.json file).
  - The service account must have the following user privileges in the local security policy: "Log on as a service", "Create global objects", "Debug programs" and "Log on as a batch job".
  - Member of the Performance Monitor Users group.
  - Should have permission to the private key of the certificate which is configured on the Ometa Web Services.
    - Navigate to the certificate, right click, select All Tasks and Manage Private Keys.
  - Database permissions (db_owner on each of the following databases):
    - Ometa BAM Logging
    - Ometa Framework
- Register the Ometa Framework as application in Microsoft Entra.
- Microsoft account with permissions to create and upload the ADM app to the SharePoint App Catalog.
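As an added example (not part of the Ometa documentation), the following PowerShell script audits the service-account prerequisites listed above on the Ometa Framework server: Modify rights on the install root and log folder, membership of Performance Monitor Users and the four user privileges. The account name, the %OMETA_INSTALL_ROOT% variable and the log directory path are assumptions to adjust to your environment; run it in an elevated session, because exporting the local security policy requires administrator rights.

```powershell
# Added example, not Ometa's own code. Assumed values: adjust before running.
$account = 'Ometa\ServiceOmeta$'
$folders = @($env:OMETA_INSTALL_ROOT, 'C:\OmetaLogs')   # placeholder for BAMConfig.LogDirectory
$requiredRights = @{
    'Log on as a service'   = 'SeServiceLogonRight'
    'Create global objects' = 'SeCreateGlobalPrivilege'
    'Debug programs'        = 'SeDebugPrivilege'
    'Log on as a batch job' = 'SeBatchLogonRight'
}

# Resolve the account to its SID once; secedit exports rights as SIDs.
$sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# 1. Modify rights on the install root and the log directory (Allow ACEs only).
$modify = [System.Security.AccessControl.FileSystemRights]::Modify
foreach ($folder in $folders) {
    $ace = (Get-Acl -Path $folder).Access | Where-Object {
        $_.IdentityReference.Value -eq $account -and          # -eq is case-insensitive
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $modify) -eq $modify)      # all Modify bits present
    }
    $status = if ($ace) { 'OK' } else { 'MISSING' }
    '{0,-8} Modify on {1}' -f $status, $folder
}

# 2. Membership of the Performance Monitor Users group, compared by SID.
$member = Get-LocalGroupMember -Group 'Performance Monitor Users' -ErrorAction SilentlyContinue |
          Where-Object { $_.SID.Value -eq $sid }
$status = if ($member) { 'OK' } else { 'MISSING' }
'{0,-8} member of Performance Monitor Users' -f $status

# 3. User privileges, read from an export of the local security policy.
#    Lines look like: SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-...
$cfg = Join-Path $env:TEMP 'ometa-secpol.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$policy = Get-Content -Path $cfg
foreach ($right in $requiredRights.GetEnumerator()) {
    $line = $policy | Where-Object { $_ -like "$($right.Value) *" }
    $granted = [bool]($line -and (($line -match [regex]::Escape("*$sid")) -or
                                  ($line -match [regex]::Escape($account))))
    $status = if ($granted) { 'OK' } else { 'MISSING' }
    '{0,-8} {1} ({2})' -f $status, $right.Key, $right.Value
}
Remove-Item -Path $cfg -ErrorAction SilentlyContinue
```

Each line of output reads OK or MISSING followed by the requirement it checked; the private key permission on the web service certificate is not covered and is still verified through Manage Private Keys as described above.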
Domain Service Account
Refer to the official Microsoft documentation about how to work with domain service accounts.
Ometa Authority Service
If the Ometa Authority Service uses on-premises Active Directory as authentication provider, the service account needs access to read all Active Directory users and groups. That account needs the same database permissions as the local service account (see the item Database permissions).
This does not apply if Microsoft Entra is used as authentication provider.
BCSL
This service is responsible for managing interface processes like BCS_BaaN, BCS_SAP, BCS_AD, etc. Those interface processes are started with the same account as the service itself. This account needs to have these additional permissions:
- Some interface processes need extra permissions to do certain tasks (e.g. to be able to update AD information, additional permissions are required for the BCS_AD process). These permissions must be granted to that same service user if necessary. As an alternative, it is also possible to save the credentials in the profile of the Ometa Business Connector.
Microsoft Entra
Microsoft Entra could be used for the following use cases:
- Microsoft Provider: configure the Microsoft provider for logging in with the Microsoft account, found in Application Menu > Security > Providers. Requires Directory.Read.All application and User.Read delegated permissions.
- Mail Building Block profiles: requires profile configuration and Mail.Send application permissions.
- SharePoint profiles: requires profile configuration and Sites.FullControl.All application or Sites.Selected application permissions.
- BuildingBlock profiles: requires profile configuration and Sites.FullControl.All application or Sites.Selected application permissions.
- Generic REST: config.SharePointAuthentications must be configured, see the Service Settings section; requires Sites.FullControl.All application or Sites.Selected application permissions.
SharePoint Online
- Register the Ometa Framework as app in the Microsoft Azure Portal.
  - Needed for site creation with Case Management
  - Needed for the Generic REST Service to connect with the site collection for context purposes
  - Needed for the SharePoint Building Blocks
- Account with permissions to create and upload to the App Catalog
SharePoint On Premise
- Account with permissions to add and install solutions in Central Administration
- Service Account with permissions to create new site collections
  - Password does not expire
  - Complex password
SQL Server
As mentioned in the SQL Server Minimum System Requirements, an SQL or AD account with full ownership on existing databases is required.
Important
The Ometa Business Connector connects directly to the Ometa Framework database when using certain functionality in the tool. When using a trusted connection, the user running the Ometa Business Connector is used, so be sure to run the Ometa Business Connector with an account that has the necessary privileges on that database.
Azure SQL Database
When using the Azure SQL Database service, only SQL accounts are supported. Keep in mind that those SQL accounts also need full ownership on the databases.
Please consult the Microsoft documentation on creating the service principal user in Azure SQL Database; it explains how to add SQL accounts with the proper ownership permissions.
Installer
The installer requires read and write permission to the registry location HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ometa BC. This location is used to store some settings filled during the install process by the install wizard for reuse during upgrades.
Domain Joining
The Ometa servers and services do not need to be domain joined to operate. However, from a management perspective, we recommend that all servers are domain joined to facilitate user management, service management, system monitoring and compliance. When domain joined, the servers initially need to be exempt from any group policies that restrict application installation and/or browser behaviour.
Any additional utilities (e.g. antivirus software, inventory management) have not been included or anticipated in the system requirements. Please add the necessary resources to the listed requirements according to the specifications of the Ometa Framework.