Minimum Permissions needed for Impersonation Account

Edwin_Chung
Champ in-the-making

Hi,

Does anyone have an idea of the minimal AD permissions needed by OnBase's impersonation account? We currently have it set to Domain Admin, which I find odd, as I thought it was only used to read AD. Is it also used for any other roles?

Sorry, I'm not too familiar with the product, but from my understanding we are running OnBase 13, deployed via the Unity Client, which is itself deployed via ClickOnce. Users also get logged in automatically (possibly single sign-on).

Thanks,

Edwin

2 ACCEPTED ANSWERS

AdamShaneHyland
Employee

Hi Edwin.

The answer partially requires knowing how you are using the software, but I agree that Domain Admin is overkill. Typically the impersonation account being used by the Application Server would require READ/WRITE access to the share/folder hosting the Disk Groups, and then READ access to the users and user groups who are authenticating into OnBase when configured for Single Sign On authentication with Active Directory.

Best wishes.


Eric_Beavers
Employee

The Application Server MRG recommends the following reading:

• For full details on custom service account configuration, see the Microsoft article “How To: Create a Service Account for ASP.NET”:

https://docs.microsoft.com/en-us/previous-versions/msp-n-p/ff649309(v=pandp.10)

• For file and folder permissions required with .NET 4.x, see the ACL Technology Overview:

https://docs.microsoft.com/en-us/previous-versions/ms229742(v=vs.110)

• See also the article on ASP.NET Required Access Control Lists (ACLs):

https://docs.microsoft.com/en-us/previous-versions/kwzs111e(v=vs.140)


4 REPLIES


Thanks Adam, that is what I suspected. In that case, we should be good to grant READ/WRITE access to the OnBase shares and simple Domain User level permission to READ AD groups?

Yes, we run this with an impersonation user who's only in the Domain Users group. You definitely don't want to grant this user Domain Admin. Just need to grant the impersonation user or the IIS_IUSRS read/write to the disk group folders.

We did need to grant the impersonation user Read permissions to HKEY_USERS\S-1-5-20\Software\Microsoft\Avalon.Graphics. This is the NetworkService SID as our AppPool runs as NetworkService. Adding this permission fixed several issues related to reporting dashboards and opening Unity Forms. 
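The least-privilege profile the replies above converge on (plain Domain User, Modify on the Disk Group share, Read on the Avalon.Graphics key, never Domain Admin) can be audited from a domain-joined host. This is an added PowerShell check, not code from the thread or from Hyland; it assumes the ActiveDirectory (RSAT) module is installed, and the account name and share path are placeholders to replace with your own.

```powershell
# Added audit example (not from this thread or the OnBase MRG). Reports where an
# OnBase impersonation account deviates from the least-privilege profile described above.
function Test-OnBaseImpersonationAccount {
    param(
        [string]$Account       = 'CONTOSO\svc-onbase-imp',         # placeholder
        [string]$DiskGroupPath = '\\fileserver\OnBaseDiskGroups',  # placeholder
        [string]$RegistryKey   = 'HKEY_USERS\S-1-5-20\Software\Microsoft\Avalon.Graphics'
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $sam      = $Account.Split('\')[-1]
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Group membership: the account should be a plain Domain User, so flag any
    #    direct or nested membership in the built-in privileged groups.
    foreach ($group in 'Domain Admins','Enterprise Admins','Schema Admins','Administrators') {
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue
        if ($members.SamAccountName -contains $sam) {
            $findings.Add("FAIL: $Account is a (nested) member of '$group'")
        }
    }

    # 2. Disk Group share: read/write (Modify) is required, Full Control is excessive.
    $fs   = [System.Security.AccessControl.FileSystemRights]
    $aces = (Get-Acl -Path $DiskGroupPath).Access |
        Where-Object { $_.IdentityReference.Value -ieq $Account -and $_.AccessControlType -eq 'Allow' }
    if (-not $aces) {
        $findings.Add("FAIL: no Allow ACE for $Account on $DiskGroupPath")
    }
    foreach ($ace in $aces) {
        if (($ace.FileSystemRights -band $fs::FullControl) -eq $fs::FullControl) {
            $findings.Add("WARN: $Account has Full Control on $DiskGroupPath; Modify is enough")
        } elseif (($ace.FileSystemRights -band $fs::Modify) -ne $fs::Modify) {
            $findings.Add("FAIL: $Account lacks Modify on $DiskGroupPath (has: $($ace.FileSystemRights))")
        }
    }

    # 3. NetworkService hive key from the reply above: Read is sufficient.
    $rk      = [System.Security.AccessControl.RegistryRights]
    $regAces = (Get-Acl -Path "Registry::$RegistryKey" -ErrorAction SilentlyContinue).Access |
        Where-Object { $_.IdentityReference.Value -ieq $Account -and $_.AccessControlType -eq 'Allow' }
    if (-not $regAces) {
        $findings.Add("INFO: no explicit ACE for $Account on $RegistryKey (dashboards/Unity Forms may fail)")
    } elseif ($regAces | Where-Object { ($_.RegistryRights -band $rk::FullControl) -eq $rk::FullControl }) {
        $findings.Add("WARN: $Account has Full Control on $RegistryKey; ReadKey is enough")
    }

    if ($findings.Count -eq 0) { $findings.Add('PASS: account matches the least-privilege profile') }
    return $findings
}
```

Run it as an account that can read the share and registry ACLs; each returned line is a finding, and an empty set of FAIL/WARN lines means the account is scoped the way the replies recommend.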
