000031903 - What are the minimum privileges the service account must have in RSA Archer 5.x?

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 5

Article Content

Article Number: 000031903
Applies To:
RSA Product Set: Archer
RSA Product/Service Type: Archer Services, Archer Application Pool
RSA Version/Condition: 5.x
Platform: Microsoft SQL Server
Issue: When Integrated Security is used to connect to the SQL databases (both the Configuration and the Instance DB), what are the minimum privileges that the service account running the RSA Archer Services and the RSA Archer Application Pool needs to have?
Tasks

Below are the minimum privileges needed by the service account:


  • The service account should have DBO access to the instance and configuration databases (if you are using Integrated Security).
  • Full access to the following locations:
    • company_files (by default c:\inetpub\wwwroot\rsaarcher\company_files; this can differ depending on your environment)
    • Search index (location shown in the RSA Archer Control Panel)
    • Log locations (location shown in the RSA Archer Control Panel)
    • File repositories (location shown in the RSA Archer Control Panel)
    • Data feed home directory, if you have one (location shown in the RSA Archer Control Panel)
        NOTE: All of the above locations other than company_files should be specified in the installation and instance settings in the RSA Archer Control Panel.
  • In addition, the account needs full access to the following locations:
    • Website root directory (by default c:\inetpub\wwwroot\rsaarcher; this can differ depending on your environment)
    • C:\Windows\Temp
    • C:\Temp
    • Temporary ASP.NET files (by default C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files)
    • Archer installation directory (by default C:\Program Files\RSA Archer; this can differ depending on your environment)
  • Add the account to the IIS_IUSRS group.
  • Perform the port registration with the application pool identity, if it has not already been done, as described in the following article: Archer Port Registration
  • If the service account is specified as a local user in a single-host install, the installer places a .\ on each of the RSA Services to stand in for the absent domain. This .\ must also be added to the Application Pool identity when a local user is specified.
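
The filesystem and group requirements listed above can be audited with a short PowerShell script. This is an added example, not RSA's own tooling; it assumes the default paths given in this article, takes the service account name as a parameter, and only counts ACEs that name the account directly (rights granted through a group are not evaluated).

```powershell
# Added example: audit the filesystem rights and IIS_IUSRS membership from this article.
# Usage (account name is yours to supply): .\Test-ArcherAccount.ps1 -ServiceAccount 'DOMAIN\account'
param(
    [Parameter(Mandatory)][string]$ServiceAccount,
    [string[]]$Paths = @(
        # Default locations from the article; adjust to your environment.
        'C:\inetpub\wwwroot\rsaarcher',
        'C:\inetpub\wwwroot\rsaarcher\company_files',
        'C:\Windows\Temp',
        'C:\Temp',
        'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files',
        'C:\Program Files\RSA Archer'
        # Append the search index, log, file repository and data feed paths
        # shown in your RSA Archer Control Panel.
    )
)

# Resolve the account to a SID so ACE comparison does not depend on name formatting.
$sid = ([System.Security.Principal.NTAccount]$ServiceAccount).Translate(
    [System.Security.Principal.SecurityIdentifier])
$full = [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-FullControl {
    param([string]$Path, [System.Security.Principal.SecurityIdentifier]$Sid)
    if (-not (Test-Path -LiteralPath $Path)) { return 'PathMissing' }
    # Explicit and inherited ACEs, with identities returned as SIDs.
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    $mine = @($rules | Where-Object { $_.IdentityReference -eq $Sid })
    # A Deny ACE overrides Allow, so report it separately.
    if ($mine | Where-Object { $_.AccessControlType -eq 'Deny' }) { return 'DenyPresent' }
    $allow = $mine | Where-Object {
        $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $full) -eq $full
    }
    if ($allow) { 'FullControl' } else { 'Missing' }
}

$report = @(foreach ($p in $Paths) {
    [pscustomobject]@{ Check = $p; Result = Test-FullControl -Path $p -Sid $sid }
})
$inGroup = @((Get-LocalGroupMember -Group 'IIS_IUSRS').SID) -contains $sid
$report += [pscustomobject]@{ Check = 'IIS_IUSRS membership'; Result = $inGroup }
$report | Format-Table -AutoSize
```

Any row reporting Missing, DenyPresent or False points at a requirement from the list that is not met for the account as named.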


We have also seen performance improvements if the service/IIS account is added to the local Administrators group on the servers. This step is not necessary but can be considered.
