Defining Your Service Accounts - PAS ICS Integrity - 7.3 - Installation & Upgrade - Intergraph

ICS Integrity Installation Guide


Integrity uses several services to provide various features. The Service Administration link in the Admin Utility displays the Configure the Services window. This window allows you to start and stop each service. You can also specify the account user name and password for each service to use. These services should run under valid domain accounts, and the permissions required for these accounts depend on whether you chose Windows authentication mode or SQL Server mode to access the Integrity database:

IntegrityDataCollector2

Provides data import and management capabilities. This service must run on each Integrity data collector or server where asset data is imported. The account you specify for this service must have access to the data to be imported into Integrity. This data can reside in files, folders, or databases, and can be located on computers other than the Integrity server or data collector. Because this service runs under a single account, each of these data locations must be configured to grant read access to that account. If Integrity imports SharePoint data via Document Manager, the account specified for this service must have permissions to access SharePoint and its data.

By default, this service runs under the SYSTEM account. If the Integrity data files, the Integrity database, and the Integrity server are all on the same server, and the service is running under Local System, you do not need to specify an account for this service on this window.

If the Integrity database is on a separate server and you chose Windows authentication mode, this service account must have the db_owner role on each primary and secondary database. When using multiple databases, if a secondary database is on a separate server from the primary database, this service account must also have the setupadmin role on the primary database to create a database link.

pasIntegrityDB

Provides data management for multiple database deployments. This service is not needed for single database deployments. When using multiple databases, this service must run on the Integrity server for the primary database. The account you specify for this service must be a valid domain account. In addition, you need to specify this account in the InstallPath\DataCollector\*.exe.config files on the Integrity server for the primary database.

PAS WebFileService

Provides features for the Integrity web interface, such as email notifications and reporting capabilities. This service must run on the Integrity server that provides the Integrity web interface. Depending on your site security, the account you specify for this service can be either a local user account or a domain user account; in either case it must have read and write permissions to the folder where you installed Integrity and its subfolders. If you specified a local user account and experience issues, specify a domain user account instead. For email notifications, this service uses the settings specified through Maintenance > Configure Email Settings in the Admin Utility.

pasWindowsEventLog

Provides Windows event log data processing and management. This service must run on each Integrity data collector or server where Windows event data is imported. The account you specify for this service must have read permissions to the folder where you installed Integrity. This account must also have read and write permissions to the folder and subfolders where event log data to import is stored. Integrity stores Windows event log data in a separate database named PASWindowsEventLogs.

If you collect Windows event log data, the account used to connect to the database (SQL login for SQL Server mode or the pasWindowsEventLog service account for Windows authentication mode) must have the following roles:

  • dbcreator and serveradmin server roles

  • If you chose Windows authentication mode, the pasWindowsEventLog service account must also have the db_owner role for the SQL Server where the Integrity database is stored and the db_datareader role for the Integrity database.

If you collect Windows event log data and if you chose Windows authentication mode, the administrator who uses the Admin Utility to create the Windows event log collection database must have at least the dbcreator role on the SQL Server where the Integrity database is stored.

PAS Integrity Scheduler

Provides features for the Integrity web interface, such as email notifications and scheduled tasks. The first time you run the service, Integrity creates a new database (PASScheduler) on the Integrity data collector server.

This service is required in the following scenarios:

  • Apply normalization rules as you modify or add them

  • Manage impact factors and groups for Vulnerability Management

Ensure that the PASIntegrityScheduler service is running on the Integrity web server (the IIS server hosting the Integrity web interface). If the connection to the Integrity database uses Windows authentication mode, the PASIntegrityScheduler service must run as a domain account that has the dbcreator server role on the SQL Server instance and the db_datareader role on the Integrity database. If the connection to the Integrity database uses SQL Server mode for login authentication, the SQL Server login account used for the web interface needs the dbcreator server role on the SQL Server instance.
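The following PowerShell function is an added example, not part of the Integrity product or Intergraph's documentation. Given a login, it queries the SQL Server catalog views to confirm the role memberships this page lists for IntegrityDataCollector2, pasWindowsEventLog and PASIntegrityScheduler (dbcreator, serveradmin and setupadmin at the server level; db_owner and db_datareader on a database). It needs the SqlServer PowerShell module for Invoke-Sqlcmd, and the instance, login and database names in the calls are placeholders. Membership granted only through a Windows group is not detected, because the query matches the login's own SID.

```powershell
#Requires -Modules SqlServer
# Added example, not part of the Integrity product or Intergraph's documentation.
# Checks whether a login holds the SQL Server roles this page requires for an
# Integrity service account. Instance, login and database names are placeholders.

function Test-IntegrityDbRoles {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ServerInstance,  # e.g. 'SQLHOST\INTEGRITY' (placeholder)
        [Parameter(Mandatory)] [string] $Login,           # e.g. 'CONTOSO\svc-integrity' (placeholder)
        [string] $Database,                               # Integrity database to check (placeholder name)
        [ValidateSet('dbcreator', 'serveradmin', 'setupadmin')]
        [string[]] $ServerRoles = @(),
        [ValidateSet('db_owner', 'db_datareader')]
        [string[]] $DatabaseRoles = @()
    )

    # Single-quoted here-strings: $(Login) is a SQLCMD variable filled in by
    # Invoke-Sqlcmd -Variable, not a PowerShell subexpression.
    $serverSql = @'
DECLARE @login sysname = N'$(Login)';
SELECT r.name AS RoleName,
       ISNULL(IS_SRVROLEMEMBER(r.name, @login), 0) AS IsMember
FROM sys.server_principals AS r
WHERE r.type = 'R';
'@

    $dbSql = @'
DECLARE @login sysname = N'$(Login)';
DECLARE @loginSid varbinary(85) = SUSER_SID(@login);
DECLARE @ownerSid varbinary(85) =
    (SELECT owner_sid FROM sys.databases WHERE database_id = DB_ID());
SELECT dr.name AS RoleName,
       CASE
           -- the database owner is dbo and holds db_owner without being listed as a member
           WHEN dr.name = 'db_owner' AND @ownerSid = @loginSid THEN 1
           -- direct membership only; rights inherited through a Windows group are not seen here
           WHEN EXISTS (SELECT 1
                        FROM sys.database_role_members AS m
                        JOIN sys.database_principals  AS u ON u.principal_id = m.member_principal_id
                        WHERE m.role_principal_id = dr.principal_id AND u.sid = @loginSid) THEN 1
           ELSE 0
       END AS IsMember
FROM sys.database_principals AS dr
WHERE dr.type = 'R';
'@

    $vars = @("Login=$Login")

    if ($ServerRoles.Count -gt 0) {
        $rows = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master -Query $serverSql -Variable $vars
        foreach ($role in $ServerRoles) {
            $row = $rows | Where-Object RoleName -eq $role
            [pscustomobject]@{ Login = $Login; Scope = 'server'; Role = $role
                               Granted = [bool]($row -and [int]$row.IsMember -eq 1) }
        }
    }

    if ($DatabaseRoles.Count -gt 0) {
        if (-not $Database) { throw 'Specify -Database when checking database roles.' }
        $rows = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $dbSql -Variable $vars
        foreach ($role in $DatabaseRoles) {
            $row = $rows | Where-Object RoleName -eq $role
            [pscustomobject]@{ Login = $Login; Scope = $Database; Role = $role
                               Granted = [bool]($row -and [int]$row.IsMember -eq 1) }
        }
    }
}

# PASIntegrityScheduler in Windows authentication mode: dbcreator on the instance,
# db_datareader on the Integrity database (placeholder names). Only missing roles are shown.
Test-IntegrityDbRoles -ServerInstance 'SQLHOST\INTEGRITY' -Login 'CONTOSO\svc-scheduler' `
    -Database 'Integrity' -ServerRoles dbcreator -DatabaseRoles db_datareader |
    Where-Object { -not $_.Granted }

# IntegrityDataCollector2 with the database on a separate server and a secondary
# database elsewhere: db_owner on the primary database plus setupadmin on the instance.
Test-IntegrityDbRoles -ServerInstance 'SQLHOST\INTEGRITY' -Login 'CONTOSO\svc-collector' `
    -Database 'Integrity' -ServerRoles setupadmin -DatabaseRoles db_owner |
    Where-Object { -not $_.Granted }
```

Run the checks once per service account and per database (primary and each secondary for IntegrityDataCollector2, PASWindowsEventLogs for pasWindowsEventLog); an empty result means every listed role is granted. The connecting login itself only needs to read the catalog views.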

PAS Integrity Integration

Provides features for the Integrity web interface, such as integrations with third-party applications. This service must run on the Integrity server that provides the Integrity web interface.

Review the following additional considerations for the account you specify for each service to use and related Windows accounts:

  • If the Integrity database uses Windows authentication, these services can run as Local System only if the Integrity data files, the Integrity database, and the Integrity server are all on the same server.

  • If the Integrity database uses Windows authentication, some of these services need to use accounts that have permissions to access the SQL Server database.

  • For each account you specify, if the password for that account is changed, you must also change the password through the Service Administration link in the Admin Utility or through the service configuration itself.

  • By default, SQL Server uses the NETWORK SERVICE Windows account for many functions. For example, the IntegrityAppPool application pool for the Integrity web interface runs as NETWORK SERVICE by default. Grant the NT AUTHORITY\NETWORK SERVICE Windows account permissions to the Integrity database.

  • Maintenance jobs require the SQL Server Agent service to be running under a Windows account that has permissions to the Integrity database. Set the SQL Server Agent service to run under the NT AUTHORITY\NETWORK SERVICE Windows account and to start automatically.
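The script below is an added example, not part of the Integrity product or Intergraph's documentation. It reads each Integrity service's logon account through the Windows CIM interface and flags the combinations the considerations above rule out (Local System when the database is on another server, built-in or local accounts where a domain account is expected), and it checks that the SQL Server Agent service runs as NT AUTHORITY\NETWORK SERVICE with automatic start. The service-name patterns are an assumption drawn from the service names listed on this page; adjust them if your installation registers the services under other names.

```powershell
# Added example, not part of the Integrity product or Intergraph's documentation.
# Lists the logon account of each Integrity service and of the SQL Server Agent and
# flags settings this page does not allow. The service-name patterns are an
# assumption based on the names listed on this page.

function Get-IntegrityServiceAccountReport {
    [CmdletBinding()]
    param(
        # Pass this switch only when the Integrity data files, database and server are all on this machine
        [switch] $DatabaseIsLocal,
        [string] $ComputerName = $env:COMPUTERNAME
    )

    # Matches accounts of the form .\user or THISHOST\user
    $localPrefix = "^(\.|$([regex]::Escape($ComputerName)))\\"

    $all = Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName

    # Services named on this page: IntegrityDataCollector2, pasIntegrityDB, PAS WebFileService,
    # pasWindowsEventLog, PASIntegrityScheduler, PAS Integrity Integration (-match is case-insensitive)
    $integrity = $all | Where-Object { $_.Name -match '^(pas|Integrity)' -or $_.DisplayName -match '^PAS |Integrity' }

    foreach ($svc in $integrity) {
        $acct = [string]$svc.StartName
        if ($acct -eq 'LocalSystem') {
            if ($DatabaseIsLocal) { $finding = 'OK: Local System (files, database and server on one machine)' }
            else { $finding = 'Local System is valid only when files, database and server share one machine; use a domain account' }
        }
        elseif ($acct -match '^NT (AUTHORITY|SERVICE)\\') { $finding = 'Built-in account; this page expects a domain account' }
        elseif ($acct -match $localPrefix) { $finding = 'Local user account; switch to a domain account if the service has issues' }
        elseif ($acct -match '^[^\\@]+\\[^\\@]+$' -or $acct -match '^[^\\@]+@[^\\@]+$') { $finding = 'OK: domain account' }
        else { $finding = 'Unrecognised account format' }

        [pscustomobject]@{ Service = $svc.Name; Account = $acct; State = $svc.State
                           StartMode = $svc.StartMode; Finding = $finding }
    }

    # SQL Server Agent (default or named instance): expected to run as NT AUTHORITY\NETWORK SERVICE,
    # start automatically, and be running so maintenance jobs execute
    foreach ($agent in ($all | Where-Object { $_.Name -eq 'SQLSERVERAGENT' -or $_.Name -like 'SQLAgent$*' })) {
        $acct = [string]$agent.StartName
        $issues = @()
        # WMI reports the account as 'NT AUTHORITY\NetworkService'; compare ignoring spaces and case
        if (($acct -replace '\s', '') -ine 'NTAUTHORITY\NetworkService') { $issues += "runs as '$acct', expected NT AUTHORITY\NETWORK SERVICE" }
        if ($agent.StartMode -ne 'Auto') { $issues += "start mode is $($agent.StartMode), expected Auto" }
        if ($agent.State -ne 'Running') { $issues += "state is $($agent.State), expected Running" }
        if ($issues) { $finding = $issues -join '; ' } else { $finding = 'OK' }

        [pscustomobject]@{ Service = $agent.Name; Account = $acct; State = $agent.State
                           StartMode = $agent.StartMode; Finding = $finding }
    }
}

# Run on the Integrity server or data collector; add -DatabaseIsLocal on a single-server deployment
Get-IntegrityServiceAccountReport | Format-Table -AutoSize
```

Run it after saving changes in the Service Administration window, and again after any service-account password rotation, to confirm the services still run under the intended accounts.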

To specify the service accounts:

  1. In the Admin Utility, click the Service Administration link.

  2. In the Service name field, select the service to configure.

  3. Type the user name and password for an account that has the required permissions for the service. Click Get Accounts to view all accounts on the server.

  4. To prefix the account name with the domain name and a backslash, select the Add Domain to Username check box.

  5. Click Save.