RSA DLP: What are the service accounts for an RSA DLP environment?
Originally Published: 2015-10-28
Article Number
Applies To
RSA Version/Condition: 9.6
Platform: Windows Server 2008R2
Tasks
- A domain-user account is required to run the "RSA DLP" Enterprise Manager service. (The account does not have to be a domain-admin account; it could be an OU-Admin account.)
- You may set the “Password never expires” option for your Enterprise Manager domain-user account. This makes sure that the Enterprise Manager service does not fail to start due to a failed logon attempt.
- You must set required permissions for the run-as user on the Enterprise Manager machine before installing Enterprise Manager.
To set permissions for the run-as user:
1. Add the domain user to the Administrators group on the Enterprise Manager machine.
   a. Click Start > Control Panel > User Accounts > Manage User Accounts.
      The User Accounts window appears.
   b. Click Add, enter the User name and Domain, and click Next.
   c. Select Administrator and click Finish.
2. Set Log on as a service permission to the domain user.
   a. Click Start > Control Panel > Administrative Tools > Local Security Policy.
      The Local Security Policy window appears.
   b. In the left pane, select Local Policies > User Rights Assignment.
   c. Double-click on the Log on as a service policy.
      The Log on as a service Properties window appears.
   d. Verify the domain user is added to the list.
      If the domain user is not listed, click Add User or Group and specify the user to be added.
You must be an administrator on the Enterprise Manager machine to be able to edit the logon credentials.
2. Enter the new user name (if changed) and the new password.
3. Click OK.
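The two run-as user permissions set in the procedure above (local Administrators membership and the Log on as a service right) can be verified from an elevated PowerShell prompt before installing Enterprise Manager. This is an added example, not part of the RSA article or product; the account name DOMAIN\svc_dlp_em is a placeholder and the function name is hypothetical.

```powershell
# Added verification example; DOMAIN\svc_dlp_em is a placeholder account name.
param([string]$Account = 'DOMAIN\svc_dlp_em')

function Test-RunAsUserPermissions {
    param([Parameter(Mandatory = $true)][string]$Account)

    # Resolve the account to its SID; secedit lists rights holders as *SID.
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

    # 1. Direct membership of local Administrators (well-known SID S-1-5-32-544),
    #    read through ADSI so it also works on PowerShell 2.0 (Server 2008 R2).
    #    Membership inherited through a nested domain group is not detected.
    $adminSid  = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
    $adminName = $adminSid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
    $group     = [ADSI]"WinNT://$env:COMPUTERNAME/$adminName,group"
    $isAdmin   = $false
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $bytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        $mSid  = (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
        if ($mSid -eq $sid) { $isAdmin = $true }
    }

    # 2. "Log on as a service" (SeServiceLogonRight) from a local policy export.
    $cfg = Join-Path $env:TEMP ("rights_{0}.inf" -f [guid]::NewGuid())
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    $holders = @()
    if ($line) {
        $holders = ($line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') }
    }
    # secedit normally writes SIDs but can write plain names; accept either.
    $hasRight = ($holders -contains $sid) -or ($holders -contains $Account)

    New-Object PSObject -Property @{
        Account               = $Account
        Sid                   = $sid
        InLocalAdministrators = $isAdmin
        LogOnAsAService       = $hasRight
    }
}

Test-RunAsUserPermissions -Account $Account | Format-List
```

Both InLocalAdministrators and LogOnAsAService should read True for the run-as user; a False value points back to step 1 or step 2 of the procedure respectively.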
SQL Database Domain-user account for the RSA_DLP_EM Enterprise Manager Database:
- A SQLdb domain-user account [in the same domain that RSA DLP is a member of] must be configured as a service account [log-on as] on the SQL Database server hosting the SQL instance RSA_DLP_EM, with the following privilege:
Set the domain user to have owner and create permissions on the Enterprise Manager database.
- That account must also be configured in the EM GUI:
Open EM web-interface > User & Groups > credentials > add credential
Then,
Open EM web-interface > User & Groups > Permissions > select credentials tab > make sure that all the boxes are checked for that account [use/read/update/delete].
Second: Endpoint Coordinator: [rEPC/EPC]
- RSA DLP Endpoint Coordinator Service runs with local system (i.e. no service account is required for it).
- The RSA Data Loss Prevention (DLP) Endpoint File Server service requires the dlp_service_user account. The account will need the following permissions to the EndpointCoordinator folder:
Third: Enterprise Coordinator: [EC]
- The RSA DLP Datacenter Enterprise Coordinator service runs with local system (i.e. no service account is required for it).
- Any account that will be associated with a Datacenter-Scan has to have at least read-permissions.
Fourth: RSA DLP Datacenter Site-Coordinator: [SC]
- The RSA DLP Discovery Agent service runs with local system (i.e. no service account is required for it). The same applies to your Grid-Workers, depending on whether your agent is set up as a temporary or a permanent one. In the end, no service account needs to be associated.