Required user account information during installation and configuration

During installation and configuration, various user accounts are used, each with specific permissions. The Service Account and the Local System User account can be a single account, with the same user name and password. However, if your organization requires a separation of duties, use the Local System User Account during installation and configuration, and then use the Service Account for maintaining SQL Server database access.

Using the service account during installation and configuration

Table 1. Using the service account as the installation account

Permissions Descriptions
Make the service account a local administrator. Log in as this account when you are installing or maintaining the software. The service account must have the following permissions in the local security policy for the computer:
  • Access this computer from the network
  • Log on as a service (this permission is granted by the Server Configuration wizard, which is being run by a local Product Administrator)

With a SQL Server database, you can use a single service account or multiple service accounts, depending on how you decide to install.

If a group policy deployed on the server alters the local security policy of the computer and revokes any of these rights after installation and configuration, AppScan Enterprise will not work.

During the configuration of the components you install, you must enter service account information. This service account allows the agents to access the database server. Individual users do not require any form of database permissions. The service accounts used for the agents and the database should have passwords that do not expire. If, however, the passwords must change at regular intervals, you can rerun the Configuration wizard on all the AppScan® Enterprise Server and Dynamic Analysis Scanner computers and enter the new password.

The service account is granted db_owner rights to the database and must have permissions that allow it to create a database and tables, add users, run stored procedures, and grant rights.

File and folder permissions
The service account must have the following permissions on Drive:\\YourInstallFolder\HCL\product name\ and all of its subfolders:
  • Read and Execute
  • Write
  • Delete
  • Delete files and subfolders
  • Create files and subfolders
Note: These permissions enable the service account to write to the log files. They also enable the scan agents to write temp files, without which the scans would not function. The Configuration wizard creates these permissions for you; do not change them.
Local security policies

The service account must have permission to log on locally on the target machine so that it can impersonate the user's logon credentials. It also must have permission to log on as a service.

Registry permissions
The service account must have the following permissions:
  • Read and Execute
  • Write
  • Delete
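
A way to check whether group policy has revoked the user rights listed above, as an added example that is not part of the product documentation: it exports the effective user-rights assignments with secedit and reports who holds each right. The account name is a placeholder, and the script must run in an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example, not vendor code. $Account is a placeholder account name.
param([string]$Account = 'CONTOSO\svc-appscan')

# Privilege constants for the user rights this page names.
$required = [ordered]@{
    SeNetworkLogonRight     = 'Access this computer from the network'
    SeServiceLogonRight     = 'Log on as a service'
    SeInteractiveLogonRight = 'Allow log on locally'
}

# SID of the account, because secedit writes most holders as *S-1-5-...
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights area of the effective local security policy.
$cfg = Join-Path $env:TEMP 'appscan-user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content -Path $cfg
Remove-Item -Path $cfg

foreach ($right in $required.Keys) {
    $line = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    $holders = @()
    if ($line) {
        $holders = @(($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim() })
    }
    # Translate SIDs to names for readability; keep the raw SID if it does not resolve.
    $names = foreach ($h in $holders) {
        if (-not $h.StartsWith('*')) { $h; continue }
        try {
            ([System.Security.Principal.SecurityIdentifier]$h.TrimStart('*')).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $h }
    }
    [pscustomobject]@{
        Right       = $right
        Policy      = $required[$right]
        # False is not conclusive: the right may come through a group in Holders.
        DirectGrant = ($holders -contains "*$sid") -or ($names -contains $Account)
        Holders     = $names -join '; '
    }
}
```

Running it before and after a group policy refresh and comparing the Holders column shows which right a policy removed.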

Using the local system user account during installation and configuration

The Local System User Account must be a local Product Administrator on the machine (it does not have to be the service account). In the local security policy for that machine, this user must have the following permissions:
  • Access this computer from the network
  • Allow logon locally
During installation and configuration, the Local System User Account requires db_owner permissions on the SQL Server database to create a database and tables, add users, run stored procedures, and grant rights. After installation and configuration are completed, remove the database permissions from the Local System User Account and assign them to the Service Account to handle all interaction between AppScan Enterprise and the database.
Tip: If you upgrade AppScan Enterprise or rerun the configuration wizard (which changes the database), give the Local System User Account the appropriate database privileges.
  1. The Local System User Account creates and structures the AppScan database on the MS SQL Server.
  2. The Local System User Account adds the database service to the database as db_owner.
  3. The Local System User Account initializes the database with necessary data.
Table 2. Using the Local System User Account as the installation account

Permissions Descriptions
Make the local system user account a local administrator. Log in as this account when you are installing or maintaining the software. The local system user account must have the following permissions in the local security policy for the computer:
  • Access this computer from the network
  • Log on as a service (this permission is granted by the Server Configuration wizard, which is being run by a local Product Administrator)

With a SQL Server database, you can use a single account or multiple accounts, depending on how you decide to install.

If a group policy deployed on the server alters the local security policy of the computer and revokes any of these rights after installation and configuration, AppScan Enterprise will not work.

The local system user account allows the agents to access the database server. Individual users do not require any form of database permissions. The local system user accounts used for the agents and the database should have passwords that do not expire. If, however, the passwords must change at regular intervals, you can rerun the Configuration wizard on all the AppScan Enterprise Server and Dynamic Analysis Scanner computers and enter the new password.

After installation and configuration are completed, remove the database permissions from the Local System User Account and assign them to the Service Account to handle all interaction between AppScan Enterprise and the database.

The local system user account is granted db_owner rights to the database and must have permissions that allow it to create a database and tables, add users, run stored procedures, and grant rights.

File and folder permissions
The local system user account must have the following permissions on Drive:\\YourInstallFolder\HCL\product name\ and all of its subfolders:
  • Read and Execute
  • Write
  • Delete
  • Delete files and subfolders
  • Create files and subfolders
Note: These permissions enable the local system user account to write to the log files. They also enable the scan agents to write temp files, without which the scans would not function. The Configuration wizard creates these permissions for you; do not change them.
Local security policies

The local system user account must have permission to log on locally on the target machine so that it can impersonate the user's logon credentials. It also must have permission to log on as a service.

Registry permissions
The local system user account must have the following permissions:
  • Read and Execute
  • Write
  • Delete
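
An audit of the db_owner handoff this section describes (database permissions removed from the Local System User Account and held by the Service Account after installation), as an added example that is not part of the product documentation. The server, database and account names are placeholders, and it assumes the SqlServer PowerShell module is installed and that database user names match the Windows login names.

```powershell
# Added example, not vendor code. All four parameter defaults are placeholders.
param(
    [string]$ServerInstance = 'SQLHOST01',
    [string]$Database       = 'AppScanEnterpriseDb',
    [string]$InstallAccount = 'CONTOSO\ase-install',   # Local System User Account
    [string]$ServiceAccount = 'CONTOSO\svc-appscan'    # Service Account
)
Import-Module SqlServer   # assumption: the SqlServer module is installed

# Current members of the db_owner role in the target database.
$memberQuery = @'
SELECT m.name AS member_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'db_owner';
'@
# Login that owns the database; the owner maps to dbo and is not listed by name above.
$ownerQuery = 'SELECT SUSER_SNAME(owner_sid) AS owner_login FROM sys.databases WHERE database_id = DB_ID();'

$conn    = @{ ServerInstance = $ServerInstance; Database = $Database }
$members = @(Invoke-Sqlcmd @conn -Query $memberQuery | ForEach-Object { $_.member_name })
$owner   = (Invoke-Sqlcmd @conn -Query $ownerQuery).owner_login

if ($members -notcontains $ServiceAccount) {
    Write-Warning "$ServiceAccount is not a db_owner member of $Database."
}
if ($members -contains $InstallAccount) {
    Write-Warning "$InstallAccount still holds db_owner. To remove: ALTER ROLE db_owner DROP MEMBER [$InstallAccount];"
}
if ($owner -eq $InstallAccount) {
    # The account that created the database owns it, so dropping role membership is not enough.
    Write-Warning "$InstallAccount owns $Database (maps to dbo); change the owner with ALTER AUTHORIZATION ON DATABASE."
}

[pscustomobject]@{
    Database       = $Database
    Owner          = $owner
    DbOwnerMembers = $members -join '; '
}
```

The script only reads catalog views; the ALTER statements appear in the warnings as text for the administrator to review and run.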

Other user accounts

Table 3. Other user accounts

Account Description
ASPNET account
The ASPNET account must have the following permissions on Drive:\\YourInstallFolder\HCL\product name\ and all of its subfolders:
  • Read and Execute
  • Write
  • Delete
  • Impersonate a client after authentication
Internet Guest account
The Internet Guest account must have the following permissions on Drive:\\YourInstallFolder\HCL\product name\ and all of its subfolders:
  • Read and Execute
  • Write