Required user account information during installation and configuration
During installation and configuration, various user accounts are used, each with specific permissions. The Service Account and the Local System User account can be a single account, with the same user name and password. However, if your organization requires a separation of duties, use the Local System User Account during installation and configuration, and then use the Service Account for maintaining SQL Server database access.
Using the service account during installation and configuration
| Permissions | Descriptions |
|---|---|
Make the service account a local administrator.
Log in as this account when you are installing or maintaining the
software. The service account must have the following permissions
in the local security policy for the computer:
With a SQL Server database, you can use a single service account or multiple service accounts, depending on how you decide to install. |
If there is some type of group policy that is deployed on the server that alters the local security policy of the computer and revokes any of these rights after installation and configuration, AppScan Enterprise will not work. |
During the configuration of the components you install, you must enter service account information. This service account allows the agents to access the database server. Individual users do not require any form of database permissions. The service accounts used for the agents and the database should have passwords that do not expire. If, however, the passwords must change at regular intervals, you can rerun the Configuration wizard on all the AppScan® Enterprise Server and Dynamic Analysis Scanner computers and enter the new password. |
|
|
The service account is granted db_owner rights to the database and must have permissions that allow it to create a database and tables, add users, run stored procedures, and grant rights. If your organization prevents the service account to be granted db_owner rights, then the account must be granted a miminum of ddladmin, datawriter and datareader rights for configuring and running AppScan Enterprise. |
|
| File and folder permissions | The
service account must have the following permissions on Drive:\\YourInstallFolder\HCL\product
name\ and all of its subfolders:
Note: These permissions
enable the service account to write to the log files. They also enable
the scan agents to write temp files, without which the scans would
not function. The Configuration wizard creates these permissions for
you - do not change them. |
| Local security policies | The service account must have permission to log on locally on the target machine so that it can impersonate the user's logon credentials. It also must have permission to log on as a service. |
| Registry permissions | The service account
must have the following permissions:
|
Using the local system user account during installation and configuration
- Access this computer from the network
- Allow logon locally
- The Local System User Account creates and structures the AppScan database on the MS SQL Server.
- The Local System User Account adds the database service to the database as db_owner.
- The Local System User Account initializes the database with necessary data.
| Permissions | Descriptions |
|---|---|
Make the local system user account a local
administrator. Log in as this account when you are installing or maintaining
the software. The local system user account must have the following
permissions in the local security policy for the computer:
With a SQL Server database, you can use a single account or multiple accounts, depending on how you decide to install. |
If there is some type of group policy that is deployed on the server that alters the local security policy of the computer and revokes any of these rights after installation and configuration, AppScan Enterprise will not work. |
The local system user account allows the agents to access the database server. Individual users do not require any form of database permissions. The local system user accounts used for the agents and the database should have passwords that do not expire. If, however, the passwords must change at regular intervals, you can rerun the Configuration wizard on all the AppScan® Enterprise Server and Dynamic Analysis Scanner computers and enter the new password. |
After installation and configuration are completed, remove the database permissions from the Local System User Account and assign them to the Service Account to handle all interaction between AppScan Enterprise and the database. |
The local system user account is granted db_owner rights to the database and must have permissions that allow it to create a database and tables, add users, run stored procedures, and grant rights. If your organization prevents the local account to be granted db_owner rights, then the account must be granted a miminum of ddladmin, datawriter and datareader rights for configuring and running AppScan Enterprise |
|
| File and folder permissions | The
local system user account must have the following permissions on Drive:\\YourInstallFolder\HCL\product
name\ and all of its subfolders:
Note: These permissions
enable the local system user account to write to the log files. They
also enable the scan agents to write temp files, without which the
scans would not function. The Configuration wizard creates these permissions
for you -- do not change them. |
| Local security policies | The local system user account must have permission to log on locally on the target machine so that it can impersonate the user's logon credentials. It also must have permission to log on as a service. |
| Registry permissions | The local
system user account must have the following permissions:
|
Other user accounts
| Account | Description |
|---|---|
| ASPNET account | The ASPNET account must have the following
permissions on Drive:\\YourInstallFolder\HCL\product name\ and all
of its subfolders:
|
| Internet Guest account | The Internet Guest account must have the
following permissions on Drive:\\YourInstallFolder\HCL\product name\
and all of its subfolders:
|