Service level accounts and security policy

Former Member
0 Kudos

Hello Experts,

We would like to roll out a production environment at a customer. The documentation does not provide a very good solution for the scenario when service level accounts are changing.

The customer's security policy requires all administrative accounts to be named, e.g., firstname.lastname@domain. Generic productadmin@domain accounts, which are not identifiable, cannot be used on production servers.

It is understood that the BPC application server runs using the permissions granted to the user ID which was used during installation (access to the Windows AD, SQL Server &c.).

If a specific domain user is also a member of the local administrators group, he/she can install the product. However, if this particular account is made redundant and the administrator's role is appointed to another employee, the latter cannot access the system with administrative rights.

Moreover, if the BPC administrator's account is disabled for whatever reason, the system fails.

Are there any good suggestions for this kind of scenario?

Thanks

Accepted Solutions (0)

Answers (1)

Former Member
0 Kudos

Hi Madis,

I would create a generic user account for the installation. This is what we have done most of the time. Create a BPCADMIN account on the domain so that if the administrator Bob leaves the company you don't have to deal with this scenario. However, within the Server Manager (depending on your version of the product) there is a utility to change the user ID associated with your COM+ objects, as in many organizations (most) there are intervals at which the actual passwords need to change; therefore BPCADMIN's password will need to be updated on the server as well, leveraging this utility.

I hope this helps.

Cheers, Scott

Former Member
0 Kudos

Thanks Scott,

This is what I have suggested, but the problem is that the customer's policy does not allow anonymous accounts controlling their production systems; the administrative accounts can only be personal accounts like firstname.lastname@domain.

It seems that the only solution is to use the administrator's personal credentials and, in case those change, they need to go through the Ops guide and change everything manually.

Luckily there is a bit simpler way to do this. Instead of manually changing credentials for every COM+ app as the Ops Guide suggests, you can change only three of those:

OsoftDatabaseADMIN

OsoftDatabaseSYSADMIN

OsoftDatabaseUSER

Then use the Service Manager password reset function and it will update all COM+ apps in one go.
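Before a personal account is changed or disabled, it helps to know everything on the server that runs under it. The following read-only inventory is an added example, not part of the original posts and not SAP's tooling: it lists the run-as identity of the three COM+ applications named above and of anything else (COM+ applications and, going slightly beyond the thread, Windows services) configured with the account. The account names are hypothetical placeholders.

```powershell
# Added example: read-only inventory of what runs as a given account on this server.
param(
    # Hypothetical placeholders; list every form in which the account may have been entered.
    [string[]]$Account = @('DOMAIN\firstname.lastname', 'firstname.lastname@domain')
)

# The three COM+ applications named in the thread.
$keyApps = 'OsoftDatabaseADMIN', 'OsoftDatabaseSYSADMIN', 'OsoftDatabaseUSER'

function Get-ComPlusIdentity {
    # Enumerate COM+ applications through the COMAdmin catalog (Windows only).
    $catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
    $apps = $catalog.GetCollection('Applications')
    $apps.Populate()
    foreach ($app in $apps) {
        [pscustomobject]@{
            Type     = 'COM+'
            Name     = $app.Name
            Identity = $app.Value('Identity')   # e.g. 'DOMAIN\user' or 'Interactive User'
        }
    }
}

function Get-ServiceIdentity {
    # Windows services and the logon account each one starts under.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        [pscustomobject]@{ Type = 'Service'; Name = $_.Name; Identity = $_.StartName }
    }
}

$inventory = @(Get-ComPlusIdentity) + @(Get-ServiceIdentity)

# Show the named COM+ apps in any case, plus everything bound to the account.
$inventory |
    Where-Object { $_.Identity -in $Account -or $_.Name -in $keyApps } |
    Select-Object Type, Name, Identity,
        @{ n = 'RunsAsAccount'; e = { $_.Identity -in $Account } },
        @{ n = 'NamedInThread'; e = { $_.Name -in $keyApps } } |
    Sort-Object Type, Name |
    Format-Table -AutoSize

# A named application that is absent usually means a different product version or server role.
$missing = $keyApps | Where-Object { $_ -notin $inventory.Name }
if ($missing) { Write-Warning "COM+ applications not found: $($missing -join ', ')" }
```

Run it in an elevated PowerShell session on the application server; rows with RunsAsAccount set to True are the components that stop working when that account is disabled or its password changes.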

Former Member
0 Kudos

Hi Madis,

Glad to hear you resolved this.

Sounds like a good topic for you to write a blog about ;)...

Cheers, Scott