Setting Up Decisions to Run as a Non Admin User
  • Updated on 05 Feb 2015

We begin by creating a new user in our OS that does not have administrator privileges.

We configure the user...

Standard User created.


Next, we download the Decisions Installer and install the program according to the Installation Documentation: http://documentation.decisions.com/installation-ms-sql/

After Installation we will make changes so that we can run Decisions as a Non Admin User.

Database
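In SQL Server Management Studio, run this query to create a SQL user that does not have administrator privileges. We will use this user to connect Decisions to the database. If you already have such a user, you may skip the query and connect Decisions to the database via that user.

-- Replace exampleuser and the password placeholder with your own values.
use decisions;
go
-- Server-level login for Decisions, with decisions as its default database.
CREATE LOGIN exampleuser
WITH PASSWORD = 'CreatePassword to use here', DEFAULT_DATABASE = decisions;
go
-- Database user in the decisions database, mapped to that login.
CREATE USER exampleuser FOR LOGIN exampleuser
go
GRANT ALTER ANY SCHEMA to exampleuser
GRANT EXECUTE to exampleuser
-- GRANT ALL is deprecated in SQL Server; at database scope it covers only a
-- fixed set of BACKUP and CREATE permissions, not every permission.
GRANT ALL to exampleuser
-- Read and write access to all user tables in the decisions database.
EXEC sp_addrolemember N'db_datareader', N'exampleuser'
EXEC sp_addrolemember N'db_datawriter', N'exampleuser'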


Query runs successfully...

Next, we run the Decisions Installer and go into Edit Settings.

We need to change the DatabaseConnectString to use the newly created SQL user and its password.

Setting Access for User
To set Service Host Manager to use an account that does not have administrator privileges, we need to run the commands below in the Command Prompt. These commands reserve the URLs so that our user can listen on them. We need to enable user access for WCF services to use IIS, and the following commands enable that.
Run these commands in Command Prompt
netsh http add urlacl url=http://+:80/decisions/socketmanager/ user=NonAdminUser
netsh http add urlacl url=http://+:80/decisions/primary/api/ user=NonAdminUser
netsh http add urlacl url=https://+:443/decisions/primary/api/ user=NonAdminUser
In the commands above, replace NonAdminUser with the user created in the OS.

Note: If we want to revert this process and set SHM back to an Admin user, we have to delete the URL reservations.
Run these commands in Command Prompt to delete the URL reservations
netsh http delete urlacl url=http://+:80/decisions/socketmanager/
netsh http delete urlacl url=http://+:80/decisions/primary/api/
netsh http delete urlacl url=https://+:443/decisions/primary/api/

Enable Other Access
We change LazyServiceHosting to False in Settings.xml (this file can be found at C:\Program Files\Decisions\Decisions Services Manager). With lazy loading enabled, services are loaded as you need them. Without lazy loading, Service Host Manager takes longer to load because it loads all the services up front. To use Decisions with an account that is not an Administrator, we need to disable lazy loading.

Next, we give our Non Admin User full access to the Decisions directory (C:\Program Files\Decisions).

Then, we open Services and change Service Host Manager to use the Non Admin Account that was set up earlier.

Confirm that the Non Admin User was granted the right to log on to Service Host Manager.

Restart Service Host Manager and navigate to the Decisions Login screen to verify that it is now working.

Folder Permissions for Non-Admin User
Decisions uses the system temp folder, C:\Windows\Temp, for file uploads. If the non-admin user does not have explicit permissions on the system %temp% and %tmp% folder (C:\Windows\Temp), the files will not be written and will appear as NULL in the portal. To add those permissions, navigate to the system temp folder, right-click > Properties > Edit > Add. Add the non-admin user and click OK. To test that the permissions were added correctly, run or debug a test flow in the portal that uses a file upload component. Look at the data value; if the flow ran correctly but the file data is NULL, the permissions need to be reconfigured.
Other file actions (such as Delete File or Move File) may also fail if the action occurs on folders for which the non-admin user does not have permissions. Remember to add permissions on any system folders involved in your flow when the SHM user is a non-admin.
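
A read-only PowerShell check of the whole setup above, added here as an example and not part of the Decisions documentation. It assumes a local account named NonAdminUser and finds the service by the display name shown in the Services console; both are assumptions to adjust for your server.

```powershell
# Added example (not from the Decisions documentation): read-only checks.
# Assumed values: replace them with the ones used on your server.
$User    = 'NonAdminUser'                  # OS account created earlier
$Account = "$env:COMPUTERNAME\$User"       # assumes a local (non-domain) account
$Urls    = 'http://+:80/decisions/socketmanager/',
           'http://+:80/decisions/primary/api/',
           'https://+:443/decisions/primary/api/'
$Folders = 'C:\Program Files\Decisions', "$env:SystemRoot\Temp"

# 1. The account must not be a member of the local Administrators group
#    (well-known SID S-1-5-32-544, so this also works on localized systems).
$isAdmin = [bool](Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object Name -eq $Account)
[pscustomobject]@{ Check = 'Not in Administrators'; Target = $Account
    Pass = -not $isAdmin; Detail = '' }

# 2. Each URL reservation must exist and name the account.
foreach ($u in $Urls) {
    $out = (netsh http show urlacl "url=$u") -join "`n"
    [pscustomobject]@{ Check = 'URL reservation'; Target = $u
        Pass = $out -match [regex]::Escape($Account); Detail = '' }
}

# 3. Folder ACLs: list the rights granted to the account by name. Rights that
#    arrive only through group membership will not show up here.
foreach ($f in $Folders) {
    $rights = (Get-Acl -Path $f).Access |
        Where-Object { $_.IdentityReference.Value -eq $Account -and
                       $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.FileSystemRights }
    [pscustomobject]@{ Check = 'Folder ACL'; Target = $f
        Pass = [bool]$rights; Detail = $rights -join '; ' }
}

# 4. Service logon account. The display-name filter is an assumption based on
#    the "Service Host Manager" name used on this page.
Get-CimInstance Win32_Service |
    Where-Object DisplayName -like '*Service Host Manager*' |
    ForEach-Object {
        [pscustomobject]@{ Check = 'Service logon'; Target = $_.Name
            Pass = ($_.StartName -split '\\')[-1] -eq $User; Detail = $_.StartName }
    }
```

Run it from an administrator PowerShell session, since reading the ACL of the system temp folder can require elevation. For the Decisions directory, the Detail column should show FullControl, matching the full access granted earlier.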

Articles relevant to this process

  1. https://msdn.microsoft.com/en-us/magazine/cc163531.aspx

  2. http://www.codeproject.com/Articles/437733/Demystify-http-sys-with-HttpSysManager
