Solved: Re: Reduced Data Platform Service Account permissions after installation

donald_helliwell · ‎Jan 21, 2022

Clients are pushing back on service accounts needing ongoing Local Admin permissions after installation. Can the Data Platform Service account permissions be reduced from Local Administrator to a lower level for ongoing function?

What are those permissions?

gliu · ‎Mar 03, 2023

An account with sysadmin privilege will be required if need to recreate the BDNA and BDNA_PUBLISH schema.

View solution in original post

jasonlu · ‎Jan 24, 2022

I too am interested in this.

For installing, sa privileges for the SQL database are also required, and this is also not great.

j

goody612 · ‎Dec 06, 2022

Is sysadmin actually required.

gliu · ‎Mar 03, 2023

An account with sysadmin privilege will be required if need to recreate the BDNA and BDNA_PUBLISH schema.

jasonlu · ‎Mar 05, 2023

@gliu , does this mean that:

1) any time an upgrade happens, potentially it could require sa privileges, as an upgrade could possibly edit the schema?

2) sysadmin privilege is not required in the day-to-day running of the application?

j

gliu · ‎Mar 06, 2023

@jasonlu,

SA privileges are not required unless it's your first time installing the application, or you are going to recreate the whole BDNA and BDNA_PUBLISH database.

For the day-to-day running of the application and upgrading, the db_owner + public privileges will take care of them.

TeriStevenson · ‎Mar 06, 2023

What do we need to do if the original install was done with the original requirement of Interactive Logon for service accounts without having to reinstall or recreate the database since there are integrations to other systems in production?

gliu · ‎Mar 06, 2023

@TeriStevenson you can revoke the sysadmin privilege for the service account after the install completes, but please make sure it has the db_owner role assigned.

jasonlu · ‎Mar 09, 2023

@gliu , thanks. In my test rig, I removed sysadmin from the FDP service account, leaving only db_owner and public on both databases, then applied the latest update to v5.5.62.

This worked without issue.

j

goody612 · ‎Nov 01, 2022

Curious if you got an answer to this?

TeriStevenson · ‎Dec 07, 2022

I've asked about this as well and was told the 2022 version removed the requirement of the service account interactive logon https://community.flexera.com/t5/Data-Platform-Release-Blog/Data-Platform-2022-5-5-58-Patch-October-2022/bc-p/256358#M75 but I've asked follow ups for this on how to remove the requirement on a current implementation. I can't reinstall due to integrations to other systems.

The documents seem to still have it as required but I can't seem to get any answers.

https://docs.flexera.com/dataplatform/InstallGuide/Content/Security_Requirements_for_the_.htm#appd_security_settings__4262450925_999049

JdeGuzman · ‎Dec 07, 2022

Hi All,

Our Team is aware of your query, and we are currently reviewing this internally for you.

We will update the thread as soon as we have the details on this for you.

Many thanks,
Andrew