OpenIDM: OPENIDM-5288

OpenIDM install guide should not recommend use of windows administrative account to run as a service

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: OpenIDM 4.0.0
    • Fix Version/s: OpenIDM 6.0.0
    • Component/s: documentation
    • Labels: None

      Description

      In the OpenIDM installation guide, “To Install OpenIDM as a Windows Service”, the following steps are described:

      4. Change the user account for this service from the default (local system) account to an account with administrative privileges. The local system account has limited permissions and an OpenIDM service that runs with this account will encounter problems during synchronization.

      4c. Select This Account and browse for an Active Directory administrative account.

      https://backstage.forgerock.com/#!/docs/openidm/4/install-guide#install-windows-service

      Running a service as a Windows administrator account is bad practice. In most enterprises, a Windows domain administrator account is the most privileged account in the enterprise. Running a service as a domain administrator (as 4c implies) is dangerous.

      https://msdn.microsoft.com/en-us/library/cc875826.aspx

      Accounts can be given specific file system permissions, registry permissions and user rights in the local security policy such as the “Log on as a service” right. If privileges are required in Active Directory, these can easily be assigned using any of the “delegate control” wizards.

      It is highly unlikely that OpenIDM requires user rights such as “allow logon locally” and “perform volume maintenance tasks”, which administrative accounts have. (4c) implies that an account is required to have domain admin privileges. It is unlikely that OpenIDM requires anything further than the ability to read and modify certain user accounts on an Active Directory domain.

      I recommend updating the documents to describe what file system/registry permissions are required, what user rights are required and what active directory permissions are required (if any).

      I am willing to assist in this if need be.
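The least-privilege approach the report argues for, as an added PowerShell example that is not part of the issue or of the OpenIDM project: audit which services on the host run under an account that sits in the local Administrators group, then grant a dedicated service account Modify rights on the install directory only and point the service at it. The service name `OpenIDM`, the account `EXAMPLE\svc_openidm` and the path `C:\openidm` are placeholders.

```powershell
# Added example, not from the issue or from OpenIDM. Run elevated on the host
# where the service is installed. All three values below are assumptions.
$serviceName    = 'OpenIDM'              # placeholder service name
$serviceAccount = 'EXAMPLE\svc_openidm'  # placeholder dedicated account
$installDir     = 'C:\openidm'           # placeholder install path

# 1. Detection: list services whose logon account is a member of the local
#    Administrators group. Built-in service identities are skipped, and a
#    ".\user" logon name is normalised to "COMPUTER\user" so it compares
#    with what Get-LocalGroupMember returns.
$adminMembers = Get-LocalGroupMember -Group 'Administrators' |
    ForEach-Object { $_.Name.ToLowerInvariant() }
$builtin = @('localsystem', 'nt authority\localservice', 'nt authority\networkservice')

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName } |
    ForEach-Object {
        $logon = $_.StartName.ToLowerInvariant() -replace '^\.\\', "$($env:COMPUTERNAME.ToLowerInvariant())\"
        if ($builtin -notcontains $logon -and $adminMembers -contains $logon) {
            [pscustomobject]@{ Service = $_.Name; RunsAs = $_.StartName; State = $_.State }
        }
    } | Format-Table -AutoSize

# 2. Mitigation: give the dedicated account Modify (not Full Control) on the
#    install directory, inherited by files and subfolders, so the service can
#    write its logs and working files without owning the machine.
$acl  = Get-Acl -Path $installDir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $serviceAccount, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.SetAccessRule($rule)
Set-Acl -Path $installDir -AclObject $acl

# 3. Re-point the service at the dedicated account. The "Log on as a service"
#    right and any Active Directory permissions are granted separately (Local
#    Security Policy / GPO and the AD "Delegate Control" wizard respectively);
#    sc.exe only changes which account the service starts under.
$cred = Get-Credential -UserName $serviceAccount -Message 'Service account password'
sc.exe config $serviceName obj= $serviceAccount password= $cred.GetNetworkCredential().Password
```

Step 1 is the check worth re-running after any install-guide change: an empty table means no service on the host is starting under an administrator account.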


              People

              • Assignee: Nabil Maynard (nabil.maynard)
              • Reporter: Simon Harding (simon.harding)
