Hyland Connect

Carlos_Arroyo · ‎01-06-2021

Hi,

One of my customer is asking why when connect to the OnBase Client, OnBase create a new user in the DB with the workstation name. Exist any reason for this or any documentation with the explanation?

Thanks

Jimmy_Byrne · ‎01-07-2021

Hi Carlos,

The workstations are created on both the instance level and the database level for authentication purposes. This behavior is explained on page 64 of the Database Reference Guide:

"The hsi connection is used to create a workstation account that is given the same name as the workstation itself. This new account is used for all future authentications, assuming the workstation name never changes. This workstation database user is assigned to the CLIENTGP database role in an Oracle environment. Within SQL Server, a server login and a database user with the same name are created. The workstation database user account is assigned to the CLIENTGP database role."

Hope that helps!

Eric_Beavers · ‎01-07-2021

Workstations names will be expected since end users, generally, do not have access to the HSI database account or any other Security Admin accounts for SQL. These logins are created for each workstation for the purpose of tracking license/workstation registrations and are used for future authentications to the database.

The documentation in the Security Best Practices MRG recommends disabling the option:

By default, OnBase creates specific workstation accounts to communicate with the database.
In order to accomplish this account creation, OnBase uses a system account with the
securityadmin server role.

It is recommended that specific workstation accounts are not created in the database by
OnBase, removing the need for the system account to be granted the securityadmin server
role.

The System Admin MRG also discusses settings related to workstation Identification under Utils - Workstation Options

Workstation Options Dialog Box
This dialog box contains options pertaining to how user workstations are registered by OnBase.
To access the dialog box:
1. In the Configuration module, select Utils | Workstation Registration. The Workstation
Options dialog box is displayed.

It looks like this can have an effect however on components of Licensing, Workstation Settings, Scan Formats, and even cause issues related to High-Demand/Disaster Recovery.

The System Admin MRG has more information about "Config | Users | Global Client Settings | Security | Disable workstation account creation":

When this option is selected, the hsi user will not be able to create workstation accounts. Instead, the hsi account itself will be used to log in to the database.

I have reviewed a few Tech Support issues where the setting was disabled in PROD and during a DR Failover, a bunch of "Fatal DB Error: unable to connect to ODBC Source!" ended up occurring for end users. The solution initially was a manual intervention by the DBA in the form of "Deleting workstation accounts from Server and database level on the database server resolves this issue". However, enabling the "Disable workstation account creation" setting removed the need to do the manual fix.

Past Discussions:

https://community.hyland.com/en/forum/threads/53073-sql-server-security-logins-have-all-pcs-listed

Ryan_Rickenbach · ‎01-07-2021

Carlos,

I in addition to Jimmy's comment I wanted to add that this can be turned off.

Config | Users | Global Client Settings | Security | Disable workstation account creation

Eric_Beavers · ‎01-07-2021

The System Admin MRG has more information about "Config | Users | Global Client Settings | Security | Disable workstation account creation":

When this option is selected, the hsi user will not be able to create workstation accounts. Instead, the hsi account itself will be used to log in to the database.

Hyland Connect

Workstation created as user in DB