Operating System Rights
| Component | Installation | Operations | ||||
| Account | Privileges | Password change / Account expiry | Accounts | Privileges | Password change / Account expiry | |
| Celiveo Web Admin (WA) | ||||||
| Celiveo Smart Appliance (CSA) | Registered user on WA as Admins | WA – No additional privileges required | N/A | N/A | OS/ DB – No privileges required | N/A |
| Embedded Solution (HP FutureSmart) | Registered user on WA as Admins | WA – No additional privileges required | N/A | N/A | OS/ DB – No privileges required | N/A |
| Celiveo Virtual Printer (CVP) | Windows Account | OS – Local Administrator privileges | NO | Local System | OS – No additional privileges required. | Password change – Required Not to Change. If password is changed, it needs to be updated in WA.Configuration settings file config.ini should be updated in all workstations. |
| N/A | DB – N/A | NO | CeliveoDB User (credentials set in encrypted connection string) | DB – Require dbreader, dbwriter and ddladmin roles and EXEC permission to execute stored procedures on databases (SJPS/ CeliveoDB/PrintManager90) | Password change – Required Not to Change. If password is changed, it needs to be updated in WA. Configuration settings file config.ini should be updated in all workstations. |
|
| Celiveo Server Services (CSS) | Windows Account | OS – Local Administrator privileges | N/A | Local System | OS – No additional privileges required. | N/A |
| Celiveo Shared Virtual Printer (CSVP) | Windows Account | OS – Local Administrator privileges | N/A | Local System | OS – No additional privileges required. | N/A |
| N/A | DB – N/A | NO | CeliveoDB User (credentials set in encrypted connection string) | DB – Require dbreader, dbwriter and ddladmin roles and EXEC permission to execute stored procedures on databases (SJPS/ CeliveoDB/PrintManager90) | Password change – Required Not to Change. If password is changed, it needs to be updated in WA. Configuration settings file config.ini should be updated in all workstations. |
|
| For older versions of Celiveo | ||||||
| Celiveo Secure Services (CSS) | Windows Account | OS – Local Administrator privileges | NO | Local System | OS – No additional privileges required | Password change – Required Not to Change. If the password is changed, it needs to be updated in CSS. |
| N/A | DB – N/A | NO | System Admin | DB – Require dbcreator, dbowner privileges for databases | Password change – Required Not to Change. If the password is changed, it needs to be updated in CSS. | |
SQL service account rights
There are 2 ways to install and run Celiveo Web Admin based on database user privileges that can be provided:
- Using any user, who has the privilege to create a database on SQL Server. Typically default roles sysadmin, dbcreator have these privileges. And any role/user with “CREATE ANY DATABASE”, “VIEW ANY DATABASE”, “CONNECT” server-level permissions will also qualify.
When this option for service user is chosen, enter a user with the above roles/permissions on the Celiveo WA installer and it will take care of creating both databases (CeliveoDB, SJPS) and install Web Admin keeping the entered user as service accounts for Celiveo with respect to database server.
- Another way to specify the DB service user for Celiveo when this service user must not be able to create databases. In this case, before installing Celiveo Web Admin:
- Manually create 2 databases on SQL Server i.e. CeliveoDB and SJPS.
- Create login on SQL server with SQL Authentication.
- Create user in CeliveoDB and SJPS for created login and then give appropriate permissions to that user. There are 2 ways to give permission to user: built roles and explicit permissions. The following table describes permissions/roles required by Celiveo:
| Database Name | Role | Permissions |
|---|---|---|
| CeliveoDB | db_datareader, db_datawriter, db_ddladmin | SERVER – VIEW SERVER STATE
DATABASE – “CREATE TABLE”, “CREATE VIEW”, “CREATE PROCEDURE”, “CREATE FUNCTION”, “CREATE RULE”, “CREATE DEFAULT”, “CREATE TYPE”, “CREATE ASSEMBLY”, “CREATE XML SCHEMA COLLECTION”, “CREATE SCHEMA”, “CREATE SYNONYM”, “CREATE AGGREGATE”, “CREATE SYMMETRIC KEY”, “CREATE ASYMMETRIC KEY”, “CREATE FULLTEXT CATALOG”, “CREATE CERTIFICATE”, “CONNECT”, “ALTER ANY SCHEMA”, “ALTER ANY ASSEMBLY”, “ALTER ANY FULLTEXT CATALOG”, “ALTER ANY SYMMETRIC KEY”, “ALTER ANY ASYMMETRIC KEY”, “ALTER ANY CERTIFICATE”, “SELECT”, “INSERT”, “UPDATE”, “DELETE”, “REFERENCES”, “ALTER ANY DATABASE DDL TRIGGER”, “VIEW DATABASE STATE”, “EXECUTE” |
| SJPS | db_datareader, db_datawriter, db_ddladmin | SERVER – VIEW SERVER STATE
DATABASE – “CREATE TABLE”, “CREATE VIEW”, “CREATE PROCEDURE”, “CREATE FUNCTION”, “CREATE RULE”, “CREATE DEFAULT”, “CREATE TYPE”, “CREATE ASSEMBLY”, “CREATE XML SCHEMA COLLECTION”, “CREATE SCHEMA”, “CREATE SYNONYM”, “CREATE AGGREGATE”, “CREATE SYMMETRIC KEY”, “CREATE ASYMMETRIC KEY”, “CREATE FULLTEXT CATALOG”, “CREATE CERTIFICATE”, “CONNECT”, “ALTER ANY SCHEMA”, “ALTER ANY ASSEMBLY”, “ALTER ANY FULLTEXT CATALOG”, “ALTER ANY SYMMETRIC KEY”, “ALTER ANY ASYMMETRIC KEY”, “ALTER ANY CERTIFICATE”, “SELECT”, “INSERT”, “UPDATE”, “DELETE”, “REFERENCES”, “ALTER ANY DATABASE DDL TRIGGER”, “VIEW DATABASE STATE”, “EXECUTE” |
You can also use the following scripts to create a login, user, and set permissions for service account –
- Create Service Account with roles.sql – This file creates a login, user, and assigns db_datareader, db_datawriter and db_ddladmin roles to that user in SJPS and CeliveoDB databases.
- Create Service User with permissions.sql – This file creates a login, user and then adds all minimum required permissions for the user.
Active Directory service account rights
The Active Directory service account is used by Celiveo Web Admin, Celiveo Printer Agent and Enrollment Portal to read and write data from and to Active Directory depending on type of selected enrollment.
- Active Directory Enrollment – The service account is used to read and write information from and to the Active Directory every time the user enrolls and authenticates.
- SQL Enrollment – The service account is used to read information from Active Directory and store it in the Celiveo SQL DB User Enrollment table upon enrollment. Additionally the Celiveo administrator can define a scheduler to query Active Directory to get user data to Celiveo SQL DB in order to keep parity with Active Directory.
| Enrollment Type | Permissions | Field Operations |
|---|---|---|
| Active Directory | Read/Write | postOfficeBox: Read/Write department: Read displayName: Read sAMAccountName: Read description: Read mail: Read homeDirectory: Read domain: Read l: Read/Write memberOf: Read OU: Read Group: Read |
| SQL | Read | department: Read displayName: Read sAMAccountName: Read description: Read mail: Read homeDirectory: Read domain: Read memberOf: Read OU: Read Group: Read |
Note: The Active Directory fields described above are used by default in Celiveo, these can be modified to other standard or custom Active Directory/LDAP fields. Further information about authentication profiles.
TGS 10
For TGS 10, the service user that you enter needs to have db_datareader, db_datawrite, db_ddladmin roles, or the same permissions as that of Web Admin. Therefore you can use the same service user as that of WA in TGS 10. TGS 10 always needs to be installed after Web Admin.
Note:
Tags applied decide the level of authority for the user in WA. To know more about Tags and System Administrator Management, refer to:
Tag Printers and Users
Managing System Administrators
Last modified:
28 June 2021
Feedback
Copyright © 2024 Celiveo
—
Powered by 
Post your comment on this topic.