What Operating System user privileges should I have to install and/or Administer a Client Automation environment?

Document ID : KB000012927
Last Modified Date : 14/02/2018
Introduction:

Security administrators sometimes need to know which permissions a Client Automation administrator requires to manage and maintain the installation, so that access to resources that are not needed can be restricted as much as possible.

Question:

What Operating System user privileges should I have to install and/or administer a Client Automation environment?

Environment:
Client Automation - All Versions
Answer:

Administering the application may require at least the following tasks: 

* Start / Stop / Recycle services (either via command or Windows Computer Management) 

* Start / Stop / Recycle application plugins like engines, SD servers, RC servers, etc. 

* RDP (Remote Desktop Protocol) access to Domain Managers, Scalability Servers and Agent computers.

* Enable / Restore trace levels for all the modules, for a particular facility or for a particular process. 

* Change Client Administrator policies via command line. 

* Extract / Modify the comstore of the application containing the current policy settings. 

* Install / Modify / Reinstall / Repair existing or new modules of the Application. 

* Start / Stop / Recycle, via command or Windows Service, the auxiliary low-level communication products linked to the application, like CAM (CA-Messaging, CSAM, etc.).

* SQL Server dbowner access on the MDB database, as SQL Server interaction is sometimes required to trace problems, like adding, updating or modifying rows in some tables, reindexing and database maintenance, trigger manipulation, view manipulation, etc.

 

All these tasks require Local Administrator privileges, which is why the user account for the administrator of the ITCM application must be a Local Administrator of the computer the ITCM Domain Manager is installed on.

This is by product design: all the services and plugins run in the LSA (Local System Account) context, and the executables that interact with CAF (the Common Application Framework) have also been designed to be managed by local administrators only.

Additional Information:

Local administrator rights on a computer are totally independent of the privileges the same user holds from a domain perspective. This means that a regular domain user (that is, a user with no domain administrator rights) can be configured as local administrator of a particular server. The result is an account that has all rights on that server computer and no special rights in Active Directory or the Windows domain.
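
One way to apply this on the Domain Manager server and review the result, as an added example that is not part of the original document or of the product: it uses the standard Windows `LocalAccounts` cmdlets, and the account name `CONTOSO\itcm-admin` and the function name are placeholders chosen for illustration.

```powershell
# Added example: make a regular domain user a local administrator of THIS
# server only. Nothing here changes the account's rights in the domain.
# 'CONTOSO\itcm-admin' is a placeholder; substitute the real ITCM admin account.
# Adding a member requires an elevated PowerShell session.

function Grant-LocalAdminOnThisServer {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string]$Account    # DOMAIN\user form (placeholder value in the call below)
    )

    # Resolve the built-in Administrators group by its well-known SID so the
    # lookup also works on localized Windows installations.
    $admins = Get-LocalGroup -SID 'S-1-5-32-544'

    # Skip the change if the account is already a member (-eq is case-insensitive).
    $already = Get-LocalGroupMember -Group $admins |
        Where-Object { $_.Name -eq $Account }

    if (-not $already) {
        if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME,
                "Add $Account to $($admins.Name)")) {
            Add-LocalGroupMember -Group $admins -Member $Account
        }
    }

    # Return the resulting membership so it can be reviewed: every entry
    # listed here has full rights on this server.
    Get-LocalGroupMember -Group $admins |
        Select-Object Name, ObjectClass, PrincipalSource
}

# Dry run first: -WhatIf reports the change without making it.
Grant-LocalAdminOnThisServer -Account 'CONTOSO\itcm-admin' -WhatIf
```

Remove `-WhatIf` to apply the change. The returned list is also a quick audit of who else holds local administrator rights on the server.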