Setting Up Decisions to Run as a Non Admin User
Last Updated: 03/27/2018
Introduced in Version: 2.0
We begin by creating a new user that does not have administrator privileges in our OS.
We configure User…
Standard User created.
Next, we download the Decisions Installer and install the program according to the Installation Documentation: http://documentation.decisions.com/installation-ms-sql/
After Installation we will make changes so that we can run Decisions as a Non Admin User.
In SQL Server Management Studio, run this query to create a SQL user that does not have administrator privileges. We will use this user to connect Decisions to the database. If you already have such a user, you may skip the query and connect Decisions to the database with that user.
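-- Server-level login. Replace exampleuser and the password with your own values.
CREATE LOGIN exampleuser
WITH PASSWORD = 'CreatePassword to use here', DEFAULT_DATABASE = decisions;
-- The database user and the grants below must be created inside the decisions database.
USE decisions;
CREATE USER exampleuser FOR LOGIN exampleuser;
GRANT ALTER ANY SCHEMA TO exampleuser;
GRANT EXECUTE TO exampleuser;
-- GRANT ALL is deprecated in SQL Server and covers only a fixed set of database permissions.
GRANT ALL TO exampleuser;
-- Read and write access to all tables in the database.
EXEC sp_addrolemember N'db_datareader', N'exampleuser';
EXEC sp_addrolemember N'db_datawriter', N'exampleuser';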
Query runs successfully…
Next, we run the Decisions Installer and go into Edit Settings.
We need to change the DatabaseConnectString to use the newly created SQL User and its Password.
Setting Access for User
To set Service Host Manager to use an account that does not have administrator privileges, we need to run the commands below in the Command Prompt. These commands reserve the URLs so that our user can listen on them. They enable the user access that WCF services need in order to use IIS.
Run these commands in Command Prompt
netsh http add urlacl url=http://+:80/decisions/socketmanager/ user=NonAdminUser
netsh http add urlacl url=http://+:80/decisions/primary/api/ user=NonAdminUser
netsh http add urlacl url=https://+:443/decisions/primary/api/ user=NonAdminUser
Replace NonAdminUser in the commands above with the user created in the OS.
Note: If we want to revert this process and set Service Host Manager (SHM) back to an Admin user, we have to delete the URL reservations.
Run these commands in Command Prompt to delete URL reservations
netsh http delete urlacl url=http://+:80/decisions/socketmanager/
netsh http delete urlacl url=http://+:80/decisions/primary/api/
netsh http delete urlacl url=https://+:443/decisions/primary/api/
Enable Other Access
We change LazyServiceHosting to False in Settings.xml (this file can be found at C:\Program Files\Decisions\Decisions Services Manager). To use Decisions with an account that is not an Administrator, lazy loading must be disabled. With lazy loading enabled, services are loaded as you need them; with it disabled, Service Host Manager takes longer to load because it loads all the services up front.
Next, we give our Non Admin User full access to the Decisions Directory (C:\Program Files\Decisions)
Then, we open Services and change Service Host Manager to use the Non Admin Account that was set up earlier.
Confirm that Non Admin User was granted log on to Service Host Manager.
Restart Service Host Manager and navigate to the Decisions Login screen to verify that it is now working.
Folder Permissions for Non-Admin User
Decisions uses the system temp folder, C:\Windows\Temp, for file uploads. If the non-admin user does not have explicit permissions on the system %temp% and %tmp% folder (C:\Windows\Temp), the files will not be written and will appear as NULL in the portal. To add those permissions, navigate to the system temp folder, right click > Properties > Edit > Add. Add the non-admin user and click OK. To test that the permissions were added correctly, run or debug a test flow in the portal that uses a file upload component. Look at the data value; if the flow ran correctly but the file data is NULL, the permissions need to be reconfigured.
Other file actions (such as Delete File or Move File) may also fail if the action occurs on folders for which the non-admin user does not have permissions. Remember to add permissions on any system folders involved in your flow when the SHM user is a non-admin.
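The checks from the steps above can be gathered into one audit script. This is an added example, not part of the original article or of Decisions itself. It assumes the account is named NonAdminUser, that the service can be found by the display name "Service Host Manager" used on this page (the registered name on your system may differ), and that it is run from an elevated PowerShell prompt.

```powershell
# Added example (not Decisions code): audit the non-admin setup from this page.
# Assumptions: $Account is the Windows user you created; the service is looked up
# by the display name used on this page. Run from an elevated PowerShell prompt.
param(
    [string]$Account = 'NonAdminUser',
    [string]$ServiceDisplayName = 'Service Host Manager'
)

$urls = 'http://+:80/decisions/socketmanager/',
        'http://+:80/decisions/primary/api/',
        'https://+:443/decisions/primary/api/'
$folders = 'C:\Program Files\Decisions', 'C:\Windows\Temp'

# Matches "NonAdminUser", ".\NonAdminUser" or "DOMAIN\NonAdminUser" at end of a string
$pattern = '(^|[\\\s])' + [regex]::Escape($Account) + '\s*$'

function Test-UrlReservation([string]$Url) {
    # "netsh http show urlacl" lists the account(s) holding the reservation
    $out = & netsh http show urlacl "url=$Url"
    [bool]($out -match $pattern)
}

function Test-FolderAccess([string]$Path) {
    # Looks for an Allow entry naming the account itself; access that comes only
    # through group membership is not resolved here.
    $acl = Get-Acl -LiteralPath $Path
    [bool]($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -match $pattern
    })
}

function Get-ServiceLogon([string]$DisplayName) {
    # StartName is the account the service runs as, e.g. ".\NonAdminUser"
    (Get-CimInstance Win32_Service -Filter "DisplayName='$DisplayName'").StartName
}

$results = @()
foreach ($u in $urls) {
    $results += [pscustomobject]@{ Check = "URL reservation $u"; Ok = (Test-UrlReservation $u) }
}
foreach ($f in $folders) {
    $results += [pscustomobject]@{ Check = "Folder ACL $f"; Ok = (Test-FolderAccess $f) }
}
$logon = Get-ServiceLogon $ServiceDisplayName
$results += [pscustomobject]@{ Check = "Service logon account: $logon"; Ok = [bool]($logon -match $pattern) }

$results | Format-Table -AutoSize
if ($results.Ok -contains $false) { exit 1 }
```

Save it as a .ps1 file and pass -Account with the real user name; any row showing Ok = False points at the step that still needs to be applied.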