Setting Up Decisions to Run as a Non Admin User

Last Updated: 03/27/2018 Introduced in Version: 2.0


 

We begin by creating a new user that does not have administrator privileges in our OS.


 

We configure User…


 

Standard User created.

 


Next, we download the Decisions Installer and install the program according to the Installation Documentation: http://documentation.decisions.com/installation-ms-sql/


After Installation we will make changes so that we can run Decisions as a Non Admin User.

 

Database

In SQL Server Management Studio, run this query to create a SQL user that does not have administrator privileges. We will use this user to connect Decisions to the database. If you already have such a user, you may skip the query and connect Decisions to the database via that user.


 Query runs successfully…


Next, we run the Decisions Installer and go into Edit Settings. 


We need to change the DatabaseConnectString to use the newly created SQL User and its Password.


Setting Access for User

To set Service Host Manager to use an account that does not have administrator privileges, we need to run the commands below in the Command Prompt. These commands reserve the URLs so that our user can listen on them. We need to enable user access for WCF services to use IIS, and the following commands enable that.

Run these commands in Command Prompt

netsh http add urlacl url=http://+:80/decisions/socketmanager/ user=NonAdminUser

netsh http add urlacl url=http://+:80/decisions/primary/api/ user=NonAdminUser

netsh http add urlacl url=https://+:443/decisions/primary/api/ user=NonAdminUser

In the commands above, replace NonAdminUser with the user created in the OS.


Note: To revert this process and set SHM back to an Admin user, we have to delete the URL reservations.

Run these commands in Command Prompt to delete the URL reservations

netsh http delete urlacl url=http://+:80/decisions/socketmanager/

netsh http delete urlacl url=http://+:80/decisions/primary/api/

netsh http delete urlacl url=https://+:443/decisions/primary/api/


Enable Other Access

We change LazyServiceHosting to False in Settings.xml (this file can be found at C:\Program Files\Decisions\Decisions Services Manager). Without lazy loading, Service Host Manager takes longer to load because it loads all the services up front. With lazy loading enabled, the services are loaded as you need them. To use Decisions with an account that is not an Administrator, we need to disable lazy loading.


Next, we give our Non Admin User full access to the Decisions directory (C:\Program Files\Decisions).


Then, we open Services and change Service Host Manager to use the Non Admin Account that was set up earlier.


Confirm that Non Admin User was granted log on to Service Host Manager.


Restart Service Host Manager and navigate to the Decisions Login screen to verify that it is now working.


 

Folder Permissions for Non-Admin User

Decisions uses the system C:\Windows\Temp folder for file uploads. If the non-admin user does not have explicit permissions on the system temp folder (%temp% and %tmp%, C:\Windows\Temp), the files will not be written and will appear as NULL in the portal. To add those permissions, navigate to the system temp folder, right-click > Properties > Edit > Add. Add the non-admin user and click OK. To test that the permissions were added correctly, run or debug a test flow in the portal that uses a file upload component. Look at the data value; if the flow ran correctly but the file data is NULL, the permissions need to be reconfigured.

Other file actions (such as Delete File or Move File) may also fail if the action occurs on folders for which the non-admin user does not have permissions. Remember to add permissions on any system folders involved in your flow when the SHM user is a non-admin.
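The steps above can be checked in one pass. The following PowerShell script is an added example, not part of the Decisions documentation: it is read-only, is meant to be run from an elevated prompt, and reports whether the three URL reservations and the two folders carry an allow entry for the service account. NonAdminUser is the page's placeholder name, and the script assumes access was granted to the account itself rather than through a group.

```powershell
# Added example: read-only audit of the setup steps on this page.
# Assumption: 'NonAdminUser' is a placeholder for the OS account created earlier.
param([string]$Account = 'NonAdminUser')

# Resolve the account to its SID so comparisons do not depend on name formatting.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# URL reservations from the netsh commands on this page.
$urls = 'http://+:80/decisions/socketmanager/',
        'http://+:80/decisions/primary/api/',
        'https://+:443/decisions/primary/api/'

# Folders the page says the service account needs access to.
$folders = 'C:\Program Files\Decisions', "$env:SystemRoot\Temp"

$results = @()

foreach ($url in $urls) {
    # A reservation's SDDL holds an allow ACE such as "(A;;GX;;;<SID>)" for the listener.
    $out = (netsh http show urlacl "url=$url") -join "`n"
    $ok  = $out -match "\(A;[^)]*;$([regex]::Escape($sid))\)"
    $results += [pscustomobject]@{ Check = 'urlacl'; Target = $url; Ok = $ok }
}

$write = [System.Security.AccessControl.FileSystemRights]::Write
foreach ($folder in $folders) {
    # Only ACEs that name this account count; access granted through a group is ignored.
    $rules = (Get-Acl -Path $folder).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    $ok = [bool]($rules | Where-Object {
        $_.IdentityReference.Value -eq $sid -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $write) -eq $write
    })
    $results += [pscustomobject]@{ Check = 'folder write'; Target = $folder; Ok = $ok }
}

$results | Format-Table -AutoSize
# A non-zero exit code lets a deployment script stop when any check fails.
if ($results.Ok -contains $false) { exit 1 }
```

A failed urlacl row after a revert is expected, since the delete commands above remove the reservations.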

 
