Operating System Rights
Component | Installation: Account | Installation: Privileges | Installation: Password change / Account expiry | Operations: Accounts | Operations: Privileges | Operations: Password change / Account expiry |
---|---|---|---|---|---|---|
Celiveo Smart Appliance (CSA) | Registered user on WA as Admins | WA – No additional privileges required | N/A | N/A | OS/DB – No privileges required | N/A |
Embedded Solution (HP FutureSmart) | Registered user on WA as Admins | WA – No additional privileges required | N/A | N/A | OS/DB – No privileges required | N/A |
Celiveo Virtual Printer (CVP/CSVP) | Windows Account | OS – Local Administrator privileges | NO | Local System | OS – No additional privileges required | Password change – Required Not to Change. If the password is changed, it needs to be updated in WA, and the configuration settings file config.ini should be updated on all workstations. |
Celiveo Virtual Printer (CVP/CSVP) | N/A | DB – N/A | NO | CeliveoDB User (credentials set in encrypted connection string) | DB – Requires the db_datareader, db_datawriter and db_ddladmin roles and EXEC permission to execute stored procedures on the databases (SJPS/CeliveoDB) | Password change – Required Not to Change. If the password is changed, it needs to be updated in WA, and the configuration settings file config.ini should be updated on all workstations. |
SQL service account rights
There are 2 ways to install and run Celiveo Web Admin, depending on the database user privileges that can be provided:
- Using any user who has the privilege to create a database on SQL Server. Typically the default roles sysadmin and dbcreator have these privileges, and any role/user with the “CREATE ANY DATABASE”, “VIEW ANY DATABASE” and “CONNECT” server-level permissions will also qualify.
When this option is chosen for the service user, enter a user with the above roles/permissions in the Celiveo WA installer; it will take care of creating both databases (CeliveoDB, SJPS) and installing Web Admin, keeping the entered user as the Celiveo service account for the database server.
- Another way is to specify a DB service user for Celiveo that must not be able to create databases. In this case, before installing Celiveo Web Admin:
  - Manually create the 2 databases on SQL Server, i.e. CeliveoDB and SJPS.
  - Create a login on SQL Server with SQL Authentication.
  - Create a user in CeliveoDB and SJPS for the created login and then give the appropriate permissions to that user. There are 2 ways to give permissions to the user: built-in roles and explicit permissions. The following table describes the permissions/roles required by Celiveo:
Database Name | Role | Permissions |
---|---|---|
CeliveoDB | db_datareader, db_datawriter, db_ddladmin | SERVER – VIEW SERVER STATE; DATABASE – “CREATE TABLE”, “CREATE VIEW”, “CREATE PROCEDURE”, “CREATE FUNCTION”, “CREATE RULE”, “CREATE DEFAULT”, “CREATE TYPE”, “CREATE ASSEMBLY”, “CREATE XML SCHEMA COLLECTION”, “CREATE SCHEMA”, “CREATE SYNONYM”, “CREATE AGGREGATE”, “CREATE SYMMETRIC KEY”, “CREATE ASYMMETRIC KEY”, “CREATE FULLTEXT CATALOG”, “CREATE CERTIFICATE”, “CONNECT”, “ALTER ANY SCHEMA”, “ALTER ANY ASSEMBLY”, “ALTER ANY FULLTEXT CATALOG”, “ALTER ANY SYMMETRIC KEY”, “ALTER ANY ASYMMETRIC KEY”, “ALTER ANY CERTIFICATE”, “SELECT”, “INSERT”, “UPDATE”, “DELETE”, “REFERENCES”, “ALTER ANY DATABASE DDL TRIGGER”, “VIEW DATABASE STATE”, “EXECUTE” |
SJPS | db_datareader, db_datawriter, db_ddladmin | SERVER – VIEW SERVER STATE; DATABASE – “CREATE TABLE”, “CREATE VIEW”, “CREATE PROCEDURE”, “CREATE FUNCTION”, “CREATE RULE”, “CREATE DEFAULT”, “CREATE TYPE”, “CREATE ASSEMBLY”, “CREATE XML SCHEMA COLLECTION”, “CREATE SCHEMA”, “CREATE SYNONYM”, “CREATE AGGREGATE”, “CREATE SYMMETRIC KEY”, “CREATE ASYMMETRIC KEY”, “CREATE FULLTEXT CATALOG”, “CREATE CERTIFICATE”, “CONNECT”, “ALTER ANY SCHEMA”, “ALTER ANY ASSEMBLY”, “ALTER ANY FULLTEXT CATALOG”, “ALTER ANY SYMMETRIC KEY”, “ALTER ANY ASYMMETRIC KEY”, “ALTER ANY CERTIFICATE”, “SELECT”, “INSERT”, “UPDATE”, “DELETE”, “REFERENCES”, “ALTER ANY DATABASE DDL TRIGGER”, “VIEW DATABASE STATE”, “EXECUTE” |
You can also use the following scripts to create a login and user and set permissions for the service account:
- Create Service Account with roles.sql – This file creates a login and user, and assigns the db_datareader, db_datawriter and db_ddladmin roles to that user in the SJPS and CeliveoDB databases.
- Create Service User with permissions.sql – This file creates a login and user, and then grants all the minimum required permissions to the user.
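The second (no database creation) path as a T-SQL script, added here as an illustration; it is not one of the Celiveo-supplied .sql files. The login name celiveo_svc and the password are placeholder assumptions, and the CeliveoDB and SJPS databases are assumed to exist already. It uses the built-in roles plus the EXEC and VIEW SERVER STATE grants from the tables above, and ends with a check that the account cannot create databases.

```sql
-- Added example, not a Celiveo-supplied script. Assumes CeliveoDB and SJPS exist.
USE [master];
GO
-- SQL Authentication login. The password is a placeholder; if it is ever changed,
-- it must also be updated in WA and in config.ini on every workstation.
CREATE LOGIN [celiveo_svc]
    WITH PASSWORD = N'<replace-with-strong-password>', CHECK_POLICY = ON;
GO
-- Only server-level permission required by the table: VIEW SERVER STATE.
GRANT VIEW SERVER STATE TO [celiveo_svc];
GO

USE [CeliveoDB];
GO
CREATE USER [celiveo_svc] FOR LOGIN [celiveo_svc];
ALTER ROLE db_datareader ADD MEMBER [celiveo_svc];
ALTER ROLE db_datawriter ADD MEMBER [celiveo_svc];
ALTER ROLE db_ddladmin   ADD MEMBER [celiveo_svc];
-- The three roles do not cover stored-procedure execution; grant EXEC explicitly.
GRANT EXECUTE TO [celiveo_svc];
GO

USE [SJPS];
GO
CREATE USER [celiveo_svc] FOR LOGIN [celiveo_svc];
ALTER ROLE db_datareader ADD MEMBER [celiveo_svc];
ALTER ROLE db_datawriter ADD MEMBER [celiveo_svc];
ALTER ROLE db_ddladmin   ADD MEMBER [celiveo_svc];
GRANT EXECUTE TO [celiveo_svc];
GO

-- Verification: impersonate the login and list the server-level permissions it
-- actually holds. VIEW SERVER STATE and CONNECT SQL are expected; CREATE ANY
-- DATABASE must NOT appear, otherwise the account is over-privileged.
EXECUTE AS LOGIN = 'celiveo_svc';
SELECT permission_name
FROM fn_my_permissions(NULL, 'SERVER')
ORDER BY permission_name;
REVERT;
GO
```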
Active Directory service account rights
The Active Directory service account is used by Celiveo Web Admin, Celiveo Printer Agent and the Enrollment Portal to read and write data from and to Active Directory, depending on the type of enrollment selected.
- Active Directory Enrollment – The service account is used to read and write information from and to Active Directory every time the user enrolls and authenticates.
- SQL Enrollment – The service account is used to read information from Active Directory and store it in the Celiveo SQL DB User Enrollment table upon enrollment. Additionally, the Celiveo administrator can define a scheduler that queries Active Directory and copies user data to the Celiveo SQL DB in order to keep parity with Active Directory.
Enrollment Type | Permissions | Field Operations |
---|---|---|
Active Directory | Read/Write | postOfficeBox: Read/Write, department: Read, displayName: Read, sAMAccountName: Read, description: Read, mail: Read, homeDirectory: Read, domain: Read, l: Read/Write, memberOf: Read, OU: Read, Group: Read |
SQL | Read | department: Read, displayName: Read, sAMAccountName: Read, description: Read, mail: Read, homeDirectory: Read, domain: Read, memberOf: Read, OU: Read, Group: Read |
Note: The Active Directory fields described above are used by default in Celiveo; they can be changed to other standard or custom Active Directory/LDAP fields. Further information is available under authentication profiles.
TGS 10
For TGS 10, the service user that you enter needs to have the db_datareader, db_datawriter and db_ddladmin roles, or the same permissions as those of Web Admin. Therefore you can use the same service user as that of WA in TGS 10. TGS 10 always needs to be installed after Web Admin.
Note: The tags applied determine the level of authority of a user in WA. To learn more about Tags and System Administrator Management, refer to:
- Tag Printers and Users
- Managing System Administrators