000031596 - What are the service accounts for RSA DLP environment

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by Yasmine Dowidar on Sep 27, 2017.

Article Content

Article Number: 000031596
Applies To: RSA Product/Service Type: RSA DLP
RSA Version/Condition: 9.6
Platform: Windows Server 2008 R2
Tasks
First: Enterprise Manager:
  • A domain-user account is required to run the "RSA DLP" Enterprise Manager service. (The account does not have to be a domain-admin account; an OU-admin account is sufficient.)
  • You may set the "Password never expires" option for your Enterprise Manager domain-user account. This makes sure that the Enterprise Manager service does not fail to start because of a failed logon attempt.
  • You must set the required permissions for the run-as user on the Enterprise Manager machine before installing Enterprise Manager.
To set permissions for the run-as user:
1. Add the domain user to the Administrators group on the Enterprise Manager machine.
a. Click Start > Control Panel > User Accounts > Manage User Accounts.
The User Accounts window appears.
b. Click Add, enter the User name and Domain, and click Next.
c. Select Administrator and click Finish.
2. Grant the Log on as a service right to the domain user.
a. Click Start > Control Panel > Administrative Tools > Local Security Policy.
The Local Security Policy window appears.
b. In the left pane, select Local Policies > User Rights Assignment.
c. Double-click the Log on as a service policy.
The Log on as a service Properties window appears.
d. Verify that the domain user is in the list. If the domain user is not listed, click Add User or Group and specify the user to be added.
You must be an administrator on the Enterprise Manager machine to be able to edit the logon credentials.
2. Enter the new user name (if changed) and the new password.
3. Click OK.

SQL Database domain-user account for the RSA_DLP_EM Enterprise Manager database:
- A SQL database domain-user account (in the same domain that RSA DLP is a member of) is required and must be configured as a service account (Log on as) on the SQL Database server hosting the RSA_DLP_EM SQL instance, with the following privilege:
Set the domain user to have owner and create permissions on the Enterprise Manager database.
- That account also has to be configured in your EM GUI:
Open the EM web interface > User & Groups > Credentials > Add Credential.
Open the EM web interface > User & Groups > Permissions > select the Credentials tab > make sure that all the boxes are checked for that account [use/read/update/delete].

Second: Endpoint Coordinator: [rEPC/EPC]
  • The RSA DLP Endpoint Coordinator service runs as Local System (i.e. no service account is required for it).
  • The RSA Data Loss Prevention (DLP) Endpoint File Server service requires the dlp_service_user account. The account needs the following permissions on the EndpointCoordinator folder:
      1. Traverse folder / execute file
      2. List folder / read data
      3. Read attributes
      4. Read extended attributes
      5. Read permissions
Third: Enterprise Coordinator: [EC]
  • The RSA DLP Datacenter Enterprise Coordinator services run as Local System (i.e. no service account is required for them).
  • Any account that will be associated with a Datacenter scan has to have at least read permissions.
Fourth: RSA DLP Datacenter Site-Coordinator: [SC]
  • The RSA DLP Discovery Agent service runs as Local System (i.e. no service account is required for it). The same applies to your Grid Workers, whether your agent is configured as temporary or permanent; either way, no service account needs to be associated.
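The following PowerShell script is an added verification example, not RSA's own tooling: it checks the Enterprise Manager run-as account settings from the first section (service logon account, local Administrators membership, the Log on as a service right) and the five NTFS rights listed for dlp_service_user on the EndpointCoordinator folder. The run-as account name, the service name and the folder path are assumptions and must be adjusted; it is written for the PowerShell 2.0 cmdlets available on Windows Server 2008 R2.

```powershell
# Added verification script, not RSA's own tooling. Service name, run-as account
# and folder path are assumptions; adjust them to your deployment.
param(
    [string]$RunAsUser       = 'CORP\svc_dlp_em',                    # assumed EM run-as domain account
    [string]$ServiceName     = 'RSA DLP Enterprise Manager',          # assumed service display name
    [string]$EndpointUser    = 'CORP\dlp_service_user',              # account named in the article
    [string]$CoordinatorPath = 'C:\PLACEHOLDER\EndpointCoordinator'  # placeholder path
)
$results = @()
function Add-Result([string]$Check, $Expected, $Actual, [bool]$Pass) {
    $script:results += New-Object PSObject -Property @{
        Check = $Check; Expected = $Expected; Actual = $Actual; Pass = $Pass }
}
# 1. Which account does the Enterprise Manager service actually start as?
$svc = Get-WmiObject Win32_Service | Where-Object {
    $_.Name -eq $ServiceName -or $_.DisplayName -eq $ServiceName } | Select-Object -First 1
$startName = if ($svc) { $svc.StartName } else { '<service not found>' }
Add-Result 'Service run-as account' $RunAsUser $startName ($startName -eq $RunAsUser)
# 2. Is the run-as user a direct member of local Administrators?
#    (membership through a nested domain group is not detected here)
$admins = (net localgroup Administrators) | ForEach-Object { $_.Trim() }
$isAdmin = $admins -contains $RunAsUser
Add-Result 'Local Administrators member' $true $isAdmin $isAdmin
# 3. Does the run-as user hold "Log on as a service" (SeServiceLogonRight)?
#    secedit writes SIDs prefixed with '*', so resolve the account to its SID first.
$sid = (New-Object System.Security.Principal.NTAccount($RunAsUser)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight' } | Select-Object -First 1
$tokens = if ($line) { $line -split '[=,]' | ForEach-Object { $_.Trim() } } else { @() }
Remove-Item $cfg -ErrorAction SilentlyContinue
$hasRight = $tokens -contains "*$sid"
Add-Result 'SeServiceLogonRight granted' $true $hasRight $hasRight
# 4. The five rights listed for the EndpointCoordinator folder (traverse/execute, list/read
#    data, read attributes, read extended attributes, read permissions) together are
#    FileSystemRights.ReadAndExecute, so test the Allow ACEs for that mask.
$required = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$granted = 0
if (Test-Path $CoordinatorPath) {
    foreach ($ace in (Get-Acl -Path $CoordinatorPath).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and $ace.IdentityReference.Value -eq $EndpointUser) {
            $granted = $granted -bor [int]$ace.FileSystemRights
        }
    }
}
$hasNtfs = ($granted -band $required) -eq $required
Add-Result 'EndpointCoordinator NTFS rights' 'ReadAndExecute' `
    ([System.Security.AccessControl.FileSystemRights]$granted) $hasNtfs
$results | Format-Table Check, Expected, Actual, Pass -AutoSize
```

Run it in an elevated PowerShell on the Enterprise Manager host after the steps above; a False in the Pass column points at the step that still needs to be done.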