Operating System Rights

| Component | Installation: Account | Installation: Privileges | Installation: Password change / Account expiry | Operations: Accounts | Operations: Privileges | Operations: Password change / Account expiry |
|---|---|---|---|---|---|---|
| Celiveo Web Admin (WA) | | | | | | |
| Celiveo Smart Appliance (CSA) | Registered user on WA as Admins | WA – No additional privileges required | N/A | N/A | OS/DB – No privileges required | N/A |
| Embedded Solution (HP FutureSmart) | Registered user on WA as Admins | WA – No additional privileges required | N/A | N/A | OS/DB – No privileges required | N/A |
| Celiveo Virtual Printer (CVP) | Windows Account | OS – Local Administrator privileges | NO | Local System | OS – No additional privileges required. | Password change – Required Not to Change. If password is changed, it needs to be updated in WA. Configuration settings file config.ini should be updated in all workstations. |
| | N/A | DB – N/A | NO | CeliveoDB User (credentials set in encrypted connection string) | DB – Require dbreader, dbwriter and ddladmin roles and EXEC permission to execute stored procedures on databases (SJPS/CeliveoDB/PrintManager90) | Password change – Required Not to Change. If password is changed, it needs to be updated in WA. Configuration settings file config.ini should be updated in all workstations. |
| Celiveo Server Services (CSS) | Windows Account | OS – Local Administrator privileges | N/A | Local System | OS – No additional privileges required. | N/A |
| Celiveo Shared Virtual Printer (CSVP) | Windows Account | OS – Local Administrator privileges | N/A | Local System | OS – No additional privileges required. | N/A |
| | N/A | DB – N/A | NO | CeliveoDB User (credentials set in encrypted connection string) | DB – Require dbreader, dbwriter and ddladmin roles and EXEC permission to execute stored procedures on databases (SJPS/CeliveoDB/PrintManager90) | Password change – Required Not to Change. If password is changed, it needs to be updated in WA. Configuration settings file config.ini should be updated in all workstations. |
| For older versions of Celiveo | | | | | | |
| Celiveo Secure Services (CSS) | Windows Account | OS – Local Administrator privileges | NO | Local System | OS – No additional privileges required | Password change – Required Not to Change. If the password is changed, it needs to be updated in CSS. |
| | N/A | DB – N/A | NO | System Admin | DB – Require dbcreator, dbowner privileges for databases | Password change – Required Not to Change. If the password is changed, it needs to be updated in CSS. |

SQL service account rights

There are 2 ways to install and run Celiveo Web Admin, depending on the database user privileges that can be provided:

  1. Using any user who has the privilege to create a database on SQL Server. Typically the default roles sysadmin and dbcreator have these privileges. Any role/user with the “CREATE ANY DATABASE”, “VIEW ANY DATABASE” and “CONNECT” server-level permissions also qualifies.
    When this option is chosen, enter a user with the above roles/permissions in the Celiveo WA installer. The installer creates both databases (CeliveoDB, SJPS) and installs Web Admin, keeping the entered user as the Celiveo service account on the database server.
  2. Using a DB service user that must not be able to create databases. In this case, before installing Celiveo Web Admin:
    1. Manually create 2 databases on SQL Server, i.e. CeliveoDB and SJPS.
    2. Create a login on SQL Server with SQL Authentication.
    3. Create a user in CeliveoDB and SJPS for the created login and then give appropriate permissions to that user. There are 2 ways to give permissions to the user: built-in roles and explicit permissions. The following table describes the permissions/roles required by Celiveo:

| Database Name | Role | Permissions |
|---|---|---|
| CeliveoDB | db_datareader, db_datawriter, db_ddladmin | SERVER – VIEW SERVER STATE. DATABASE – “CREATE TABLE”, “CREATE VIEW”, “CREATE PROCEDURE”, “CREATE FUNCTION”, “CREATE RULE”, “CREATE DEFAULT”, “CREATE TYPE”, “CREATE ASSEMBLY”, “CREATE XML SCHEMA COLLECTION”, “CREATE SCHEMA”, “CREATE SYNONYM”, “CREATE AGGREGATE”, “CREATE SYMMETRIC KEY”, “CREATE ASYMMETRIC KEY”, “CREATE FULLTEXT CATALOG”, “CREATE CERTIFICATE”, “CONNECT”, “ALTER ANY SCHEMA”, “ALTER ANY ASSEMBLY”, “ALTER ANY FULLTEXT CATALOG”, “ALTER ANY SYMMETRIC KEY”, “ALTER ANY ASYMMETRIC KEY”, “ALTER ANY CERTIFICATE”, “SELECT”, “INSERT”, “UPDATE”, “DELETE”, “REFERENCES”, “ALTER ANY DATABASE DDL TRIGGER”, “VIEW DATABASE STATE”, “EXECUTE” |
| SJPS | db_datareader, db_datawriter, db_ddladmin | SERVER – VIEW SERVER STATE. DATABASE – “CREATE TABLE”, “CREATE VIEW”, “CREATE PROCEDURE”, “CREATE FUNCTION”, “CREATE RULE”, “CREATE DEFAULT”, “CREATE TYPE”, “CREATE ASSEMBLY”, “CREATE XML SCHEMA COLLECTION”, “CREATE SCHEMA”, “CREATE SYNONYM”, “CREATE AGGREGATE”, “CREATE SYMMETRIC KEY”, “CREATE ASYMMETRIC KEY”, “CREATE FULLTEXT CATALOG”, “CREATE CERTIFICATE”, “CONNECT”, “ALTER ANY SCHEMA”, “ALTER ANY ASSEMBLY”, “ALTER ANY FULLTEXT CATALOG”, “ALTER ANY SYMMETRIC KEY”, “ALTER ANY ASYMMETRIC KEY”, “ALTER ANY CERTIFICATE”, “SELECT”, “INSERT”, “UPDATE”, “DELETE”, “REFERENCES”, “ALTER ANY DATABASE DDL TRIGGER”, “VIEW DATABASE STATE”, “EXECUTE” |

You can also use the following scripts to create a login and a user and to set permissions for the service account:

  1. Create Service Account with roles.sql – This file creates a login, user, and assigns db_datareader, db_datawriter and db_ddladmin roles to that user in SJPS and CeliveoDB databases.
  2. Create Service User with permissions.sql – This file creates a login, user and then adds all minimum required permissions for the user.
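
The manual steps 1 to 3 of the second option, using the built-in roles, written out as an added example; this is not Celiveo's "Create Service Account with roles.sql" script. The login name celiveo_svc and the password placeholder are assumptions, and the closing queries check that the account holds only the three database roles and no server-level database-creation rights.

```sql
-- Added example (T-SQL for sqlcmd/SSMS; GO is the batch separator), not a Celiveo script.
-- Assumptions: the login name celiveo_svc and the password placeholder are hypothetical.
USE master;
GO
-- Step 1: create the two databases manually if they do not exist yet.
IF DB_ID(N'CeliveoDB') IS NULL CREATE DATABASE CeliveoDB;
IF DB_ID(N'SJPS') IS NULL CREATE DATABASE SJPS;
GO
-- Step 2: login with SQL Authentication. Expiration is left off (assumption) because
-- the rights table requires any password change to be propagated to WA and config.ini.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'celiveo_svc')
    CREATE LOGIN celiveo_svc
        WITH PASSWORD = N'<REPLACE-WITH-STRONG-PASSWORD>',
             CHECK_POLICY = ON, CHECK_EXPIRATION = OFF;
GO
-- Step 3: map the login to a user in each database and assign the three roles.
USE CeliveoDB;
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'celiveo_svc')
    CREATE USER celiveo_svc FOR LOGIN celiveo_svc;
ALTER ROLE db_datareader ADD MEMBER celiveo_svc;
ALTER ROLE db_datawriter ADD MEMBER celiveo_svc;
ALTER ROLE db_ddladmin   ADD MEMBER celiveo_svc;
GO
USE SJPS;
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'celiveo_svc')
    CREATE USER celiveo_svc FOR LOGIN celiveo_svc;
ALTER ROLE db_datareader ADD MEMBER celiveo_svc;
ALTER ROLE db_datawriter ADD MEMBER celiveo_svc;
ALTER ROLE db_ddladmin   ADD MEMBER celiveo_svc;
GO
-- Verify: exactly three role rows per database are expected.
SELECT 'CeliveoDB' AS db, r.name AS role_name
FROM CeliveoDB.sys.database_role_members AS m
JOIN CeliveoDB.sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN CeliveoDB.sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = N'celiveo_svc'
UNION ALL
SELECT 'SJPS', r.name
FROM SJPS.sys.database_role_members AS m
JOIN SJPS.sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN SJPS.sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = N'celiveo_svc';
-- Verify: both columns should be 0 for a service user that must not create databases.
SELECT IS_SRVROLEMEMBER('sysadmin',  'celiveo_svc') AS is_sysadmin,
       IS_SRVROLEMEMBER('dbcreator', 'celiveo_svc') AS is_dbcreator;
```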

Active Directory service account rights

The Active Directory service account is used by Celiveo Web Admin, Celiveo Printer Agent and Enrollment Portal to read and write data from and to Active Directory, depending on the type of enrollment selected.

  • Active Directory Enrollment – The service account is used to read and write information from and to Active Directory every time the user enrolls and authenticates.
  • SQL Enrollment – The service account is used to read information from Active Directory and store it in the Celiveo SQL DB User Enrollment table upon enrollment. Additionally, the Celiveo administrator can define a scheduler that queries Active Directory and copies user data to the Celiveo SQL DB in order to keep parity with Active Directory.

| Enrollment Type | Permissions | Field Operations |
|---|---|---|
| Active Directory | Read/Write | postOfficeBox: Read/Write; department: Read; displayName: Read; sAMAccountName: Read; description: Read; mail: Read; homeDirectory: Read; domain: Read; l: Read/Write; memberOf: Read; OU: Read; Group: Read |
| SQL | Read | department: Read; displayName: Read; sAMAccountName: Read; description: Read; mail: Read; homeDirectory: Read; domain: Read; memberOf: Read; OU: Read; Group: Read |

Note: The Active Directory fields described above are used by default in Celiveo; they can be changed to other standard or custom Active Directory/LDAP fields. Further information about authentication profiles.

TGS 10

For TGS 10, the service user that you enter needs to have the db_datareader, db_datawriter and db_ddladmin roles, or the same permissions as the Web Admin service user. You can therefore use the same service user for TGS 10 as for WA. TGS 10 always needs to be installed after Web Admin.

Note:
The tags applied decide the user's level of authority in WA. To learn more about Tags and System Administrator Management, refer to:

Tag Printers and Users
Managing System Administrators

Last modified: 28 June 2021
