As a modular and scalable enterprise application built on a Service-Oriented Architecture, EmpowerID uses Windows Services to host Job functions as well as WCF web services. Each of these Windows services requires a user identity (service account) with the privileges needed to perform its designated tasks. Before you install EmpowerID, create this service account and grant it the access rights EmpowerID needs to interact with the EmpowerID database, IIS application pools and the local machine on which EmpowerID is installed, and to perform any required directory management operations. These rights are outlined below.
Because each EmpowerID Windows Service accesses the EmpowerID database, the service account must have the right to modify the database on the target SQL server. Specifically, the service account must have the following database permissions:
| Required Windows Service Rights |
|---|
| Connect |
| Authenticate |
| Execute |
| Delete |
| Insert |
| Select |
| Update |
| Alter — needed on the following tables only, to allow for truncation: |
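The following T-SQL script is an added example and is not part of the EmpowerID documentation: it provisions the service account with exactly the database rights listed above, scopes ALTER to the individual tables that must be truncated rather than to the whole database, and then lists the resulting grants so they can be reviewed. The login name (`CONTOSO\svc-empowerid`), database name (`EmpowerIDDB`) and table names (`TableA`, `TableB`) are placeholders.

```sql
-- Added example (not EmpowerID's own script). Placeholders:
--   CONTOSO\svc-empowerid : the Windows service account
--   EmpowerIDDB           : the EmpowerID database
--   dbo.TableA/dbo.TableB : stand-ins for the tables EmpowerID truncates
USE [master];
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\svc-empowerid')
    CREATE LOGIN [CONTOSO\svc-empowerid] FROM WINDOWS;
GO

USE [EmpowerIDDB];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CONTOSO\svc-empowerid')
    CREATE USER [CONTOSO\svc-empowerid] FOR LOGIN [CONTOSO\svc-empowerid];
GO

-- Database-scoped rights: exactly the set in the table above and nothing more.
-- Deliberately not db_owner, so a compromised service cannot reshape the schema.
GRANT CONNECT, AUTHENTICATE TO [CONTOSO\svc-empowerid];
GRANT EXECUTE, DELETE, INSERT, SELECT, UPDATE TO [CONTOSO\svc-empowerid];

-- TRUNCATE TABLE requires ALTER on the table. Grant it per object only;
-- a database-scoped ALTER would cover every schema object.
GRANT ALTER ON OBJECT::dbo.TableA TO [CONTOSO\svc-empowerid];
GRANT ALTER ON OBJECT::dbo.TableB TO [CONTOSO\svc-empowerid];
GO

-- Review: every ALTER row should carry class OBJECT_OR_COLUMN with a table name;
-- an ALTER row with class DATABASE means the grant was made too broadly.
SELECT p.class_desc,
       p.permission_name,
       p.state_desc,
       OBJECT_NAME(p.major_id) AS object_name
FROM sys.database_permissions AS p
WHERE p.grantee_principal_id = DATABASE_PRINCIPAL_ID(N'CONTOSO\svc-empowerid')
ORDER BY p.class_desc, p.permission_name;
GO
```

Run the script from SSMS or sqlcmd as a member of sysadmin or db_owner; the final query is what to re-run after any later permission change to confirm the account has not drifted beyond this set.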
The EmpowerID app pool requires dbo.Owner to all SharePoint databases and must be a Farm Admin in SharePoint as well. All Service Accounts used on all SharePoint app pools should have Full Control on the private key of any certificate used in the federation.
The EmpowerID service account interacts with the local machine to perform a variety of maintenance procedures, including the distribution and maintenance of new workflows and other items published from Workflow Studio. The service account needs the following access rights on the local machine:
EmpowerID also uses highly privileged user accounts when connecting to user directories such as Active Directory, LDAP or database systems. These "account stores" use saved proxy accounts to connect to the directory and perform user account management operations. EmpowerID requires one privileged account per domain or directory. This account needs all of the privileges matching the functions EmpowerID may perform there (user creation, deletion, password reset, group creation, etc.).
In addition to the above rights, the EmpowerID Worker Role Service and the EmpowerID Web Role Service each require a service account with additional rights. The specific rights needed by each service are as follows:
| EmpowerID Windows Service | Service Account Rights Required |
|---|---|
| EmpowerID Worker Role Service | |
| EmpowerID Web Role Service | |