
Reduced Data Platform Service Account permissions after installation

Clients are pushing back on service accounts needing ongoing Local Admin permissions after installation. Can the Data Platform Service account permissions be reduced from Local Administrator to a lower level for ongoing function?

What are those permissions?

(1) Solution

An account with sysadmin privilege will be required if you need to recreate the BDNA and BDNA_PUBLISH schema.


(11) Replies
jasonlu (Level 7 Champion)

I too am interested in this.

For installing, sa privileges for the SQL database are also required, and this is also not great.

j

Is sysadmin actually required?

An account with sysadmin privilege will be required if you need to recreate the BDNA and BDNA_PUBLISH schema.

@gliu , does this mean that:

1) any time an upgrade happens, potentially it could require sa privileges, as an upgrade could possibly edit the schema?

2) sysadmin privilege is not required in the day-to-day running of the application?

j

@jasonlu,

SA privileges are not required unless it's your first time installing the application, or you are going to recreate the whole BDNA and BDNA_PUBLISH database.

For the day-to-day running of the application and upgrading, the db_owner + public privileges will take care of them.

What do we need to do if the original install was done with the original requirement of Interactive Logon for service accounts, without having to reinstall or recreate the database, since there are integrations to other systems in production?

@TeriStevenson you can revoke the sysadmin privilege for the service account after the install completes, but please make sure it has the db_owner role assigned.

@gliu , thanks. In my test rig, I removed sysadmin from the FDP service account, leaving only db_owner and public on both databases, then applied the latest update to v5.5.62.

This worked without issue.

j
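The change described in the replies above (remove sysadmin from the service account once it holds db_owner on both databases), written as T-SQL. This is an added example, not Flexera's script or code from the thread; the login name is a constructed placeholder, and it assumes SQL Server 2012 or later with the databases named BDNA and BDNA_PUBLISH as in the thread.

```sql
-- Added example. @login is a constructed placeholder, not a name from the thread.
DECLARE @login sysname = N'EXAMPLE\svc_dataplatform';
DECLARE @sid varbinary(85) = SUSER_SID(@login);
DECLARE @db sysname, @sql nvarchar(max), @n int, @ok int = 0;

-- Check each Data Platform database BEFORE touching the server role, so the
-- service account is never left without access.
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases WHERE name IN (N'BDNA', N'BDNA_PUBLISH');
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Count db_owner memberships held by a user mapped to this login's SID.
    SET @sql = N'SELECT @n = COUNT(*)
        FROM ' + QUOTENAME(@db) + N'.sys.database_role_members AS m
        JOIN ' + QUOTENAME(@db) + N'.sys.database_principals AS r
          ON r.principal_id = m.role_principal_id
        JOIN ' + QUOTENAME(@db) + N'.sys.database_principals AS u
          ON u.principal_id = m.member_principal_id
        WHERE r.name = N''db_owner'' AND u.sid = @sid;';
    EXEC sys.sp_executesql @sql, N'@sid varbinary(85), @n int OUTPUT',
         @sid = @sid, @n = @n OUTPUT;
    IF @n > 0 SET @ok += 1;
    ELSE PRINT @db + N': service account is not in db_owner; grant it first.';
    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs;
DEALLOCATE dbs;

-- Drop sysadmin only when both databases exist and both checks passed.
IF @ok = 2 AND IS_SRVROLEMEMBER(N'sysadmin', @login) = 1
BEGIN
    SET @sql = N'ALTER SERVER ROLE [sysadmin] DROP MEMBER ' + QUOTENAME(@login) + N';';
    EXEC sys.sp_executesql @sql;
END

-- Report the resulting state for the change record.
SELECT @login AS login_name, @ok AS databases_with_db_owner,
       IS_SRVROLEMEMBER(N'sysadmin', @login) AS is_sysadmin;
```

A login that holds db_owner or sysadmin only through a Windows group is not covered by the SID match or the `DROP MEMBER` statement and needs to be reviewed at the group level.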

 

Curious if you got an answer to this?

I've asked about this as well and was told the 2022 version removed the requirement of the service account interactive logon (https://community.flexera.com/t5/Data-Platform-Release-Blog/Data-Platform-2022-5-5-58-Patch-October-2022/bc-p/256358#M75), but I've asked follow-ups for this on how to remove the requirement on a current implementation. I can't reinstall due to integrations to other systems.

The documents seem to still have it as required but I can't seem to get any answers.

https://docs.flexera.com/dataplatform/InstallGuide/Content/Security_Requirements_for_the_.htm#appd_security_settings__4262450925_999049

JdeGuzman (Level 3 Flexeran)

Hi All,

Our Team is aware of your query, and we are currently reviewing this internally for you.

We will update the thread as soon as we have the details on this for you.

Many thanks,
Andrew