This is documentation for Apprenda 7 and 8.
Documentation for newer versions is available at https://new.docs.apprenda.com.

Understanding Platform User Accounts and Privileges

The Apprenda Cloud Platform is a cross-operating-system solution that relies on many system, application server, and database-level accounts, rights, and permissions to configure controls and deploy guest services in enterprise environments. The accounts and permissions needed to run the Platform are listed in the Pre-Installation Checklist of Installing the Apprenda Platform on Multiple Servers; this page describes those Platform accounts and permissions in more detail. Please refer to this page for details on specifying service accounts for guest applications.

Additionally, this document explains how certain accounts are used and how to make sure each account is assigned only the permissions it needs to complete its Platform functions. Enforcing this policy, known as the principle of least privilege, ensures that accounts are granted only the permissions necessary to accomplish essential tasks and helps keep your Platform secure.

Before beginning, you should have a firm understanding of Platform roles and key concepts and terminology.

Overview of Accounts and Permissions

Account/Component | Required Permissions | Location(s)
------------------|----------------------|------------
Apprenda Installer | Administrator Group | Domain (all Windows nodes; only during install/upgrade/modify)
Apprenda Admin | “Allow Log on Locally” and read/write access to Repo. As of Platform version 7.2.0, the Admin Account also needs “Log on as a batch job” | Domain (all Windows nodes)
Apprenda System (only used in Platform versions prior to 7.1.0) | “Allow Log on Locally,” “Impersonate a client after authentication,” and read/write access to Repo | Domain (all Windows nodes)
ApplicationPoolIdentity (unique to each Platform and guest application .NET UI) and Windows Virtual Accounts (only used on Platform versions 7.1.0 and later) | `NT SERVICE\ALL SERVICES` has “Log on as a Service” | All Windows Web/App Nodes
Load Management Service | LocalSystem | Load Management Nodes
Windows Host | LocalSystem | All Windows Web/App Nodes
Platform Cache | LocalService | Platform Cache Nodes
Platform Coordinator | LocalService | Platform Coordination Nodes
Platform Management Websites (as of Platform version 7.2.0, these run under the Apprenda Admin account) | IIS ApplicationPoolIdentity | All Windows Web/App Nodes
Platform SQL Server Admin Account | sysadmin and serveradmin, OR: ALTER SETTINGS (install/upgrade/modify only), ALTER ANY DATABASE, ALTER ANY CONNECTION, ALTER ANY LINKED SERVER, ALTER ANY LOGIN, CONNECT SQL, VIEW SERVER STATE | All SQL Servers
Platform Core Database (SaaSGrid Core and Portal databases)* | CONNECT SQL | Platform Data SQL Server
Audit Database Account* | ALTER ANY DATABASE (install/upgrade/modify only), CONNECT SQL | Platform Data SQL Server or a separate SQL Server
Billing Database Account* | CONNECT SQL | Platform Data SQL Server
Load Management Database Account* | CONNECT SQL | Platform Data SQL Server
Logging Database Account* | CONNECT SQL | Platform Data SQL Server
Scheduling Database* | CONNECT SQL | Platform Data SQL Server
Utilization Database* | CONNECT SQL | Platform Data SQL Server
Linux Container | root access | All Linux Nodes

* Platform Databases

Windows Accounts

The Platform requires different Windows user rights and permissions when it is installed, modified, or upgraded than it does during standard Platform runtime. As a result, the following section is broken up into two stages:

  • Install/Upgrade/Modify Accounts

  • Runtime Accounts

Install/Upgrade/Modify Accounts

In order to install, upgrade, or modify the Platform, the user account under which the Apprenda Installer is run requires the following rights:

  1. Local admin rights on all Windows machines where Apprenda services will run

  2. Read/Write access to the Apprenda Repository Share(s)

Post-install, local admin rights are not required to run the Platform. Therefore, to run the Platform with the fewest permissions possible, we recommend installing with a separate, privileged user rather than with the accounts that will run the Platform. The Apprenda Installer account is only needed again when upgrading or modifying the Platform at a later date.

Runtime Accounts

Apprenda Admin and System Accounts

In order to launch and manage Core Platform websites and WCF services, the Platform requires two standard Windows Domain accounts: the Apprenda Admin and the Apprenda System user accounts (these can also be custom Domain accounts). The Apprenda Installer prompts you to configure these accounts during installation. While these accounts do not require administrator rights, they do require the following permissions:

  1. “Allow Log on Locally” on all machines in the Platform

  2. Read/write access to the Apprenda Repository Share

  3. “Impersonate a client after authentication” right (System Account only)

In Platform version 7.1.0 and later, the Apprenda System Account is no longer used as the default account for Platform WCF Services. Instead, these services run under the Apprenda Admin account and Windows Virtual Accounts, which further reduces the privileges needed to run the Platform. Virtual Accounts are enabled by default when you install or upgrade to 7.1.0. To run WCF Services, you must make sure `NT SERVICE\ALL SERVICES` has the "Log on as a Service" permission.

If you upgrade to Platform version 7.1.0 or later from a version before 7.1.0, there are some additional Platform configurations needed to use Virtual Accounts by default. See Microsoft's documentation for more about Virtual Accounts.

While these represent the default account settings, Platform Operators can add more granular access controls by running Platform and guest application components under unique and/or less privileged accounts. Operators can manage the user account credentials for all application components (Platform or guest application) via the Applications page of the SOC.
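The rights listed above for the Installer, Admin, and System accounts are all User Rights Assignment entries in local security policy, so they can be verified on each Windows node. The following PowerShell script is an added example, not part of Apprenda's documentation or tooling: it exports the effective policy with secedit, resolves each account to its SID, and reports whether the rights this page requires for the configured Platform version are present; it also warns if a runtime account holds the install-only local Administrators membership. The account names CORP\apprenda-admin and CORP\apprenda-system and the default version 7.2.0 are assumptions; run it elevated, since secedit export requires administrator rights.

```powershell
# Added example (not Apprenda's own tooling): audit the user rights this page
# requires for the Platform runtime accounts on the local node, by parsing a
# secedit export of the effective local security policy. Run elevated.
# Account names and the default version are assumptions; adjust to your environment.
param(
    [string]$AdminAccount     = 'CORP\apprenda-admin',    # assumed Apprenda Admin account
    [string]$SystemAccount    = 'CORP\apprenda-system',   # assumed Apprenda System account
    [version]$PlatformVersion = '7.2.0'
)

function Get-AccountSid([string]$Account) {
    ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

# Export only the User Rights Assignment area; each line in [Privilege Rights]
# looks like:  SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-...-1105
$inf = Join-Path $env:TEMP 'apprenda-user-rights.inf'
secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
$rights = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = @($Matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') })
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

function Test-Right([string]$Sid, [string]$Right) {
    $holders = $rights[$Right]
    return ($null -ne $holders) -and ($holders -contains $Sid)
}

# Rights this page requires, keyed to the Platform version in use.
$adminSid = Get-AccountSid $AdminAccount
$checks = @(
    @{ Who = $AdminAccount; Sid = $adminSid; Right = 'SeInteractiveLogonRight'; Label = 'Allow log on locally' }
)
if ($PlatformVersion -ge [version]'7.2.0') {
    $checks += @{ Who = $AdminAccount; Sid = $adminSid; Right = 'SeBatchLogonRight'; Label = 'Log on as a batch job' }
}
if ($PlatformVersion -lt [version]'7.1.0') {
    # Before 7.1.0 the System account hosts WCF services and must impersonate callers.
    $sysSid = Get-AccountSid $SystemAccount
    $checks += @{ Who = $SystemAccount; Sid = $sysSid; Right = 'SeInteractiveLogonRight'; Label = 'Allow log on locally' }
    $checks += @{ Who = $SystemAccount; Sid = $sysSid; Right = 'SeImpersonatePrivilege'; Label = 'Impersonate a client after authentication' }
} else {
    # 7.1.0 and later: WCF services use Virtual Accounts; S-1-5-80-0 is NT SERVICE\ALL SERVICES.
    $checks += @{ Who = 'NT SERVICE\ALL SERVICES'; Sid = 'S-1-5-80-0'; Right = 'SeServiceLogonRight'; Label = 'Log on as a service' }
}

foreach ($c in $checks) {
    $state = if (Test-Right $c.Sid $c.Right) { 'OK' } else { 'MISSING' }
    '{0,-8} {1,-26} {2}' -f $state, $c.Who, $c.Label
}

# Least privilege: runtime accounts should not keep the install-only local admin membership.
$admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
foreach ($acct in @($AdminAccount, $SystemAccount)) {
    if ($admins.Name -contains $acct) {
        '{0,-8} {1,-26} member of local Administrators (needed only by the Installer account)' -f 'WARN', $acct
    }
}
```

Run it on every Windows node after an install or upgrade (for example, `.\Test-ApprendaRights.ps1 -PlatformVersion 7.0.0` on an older Platform, which switches the checks to the System account). Rights are compared by SID rather than by name because secedit exports SIDs, so the script is unaffected by display-name changes; a MISSING line for SeBatchLogonRight after a 7.2.0 upgrade is the symptom to expect if the new "Log on as a batch job" requirement was not applied.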

Built-in Windows Accounts

Once installed, the Platform runs a number of components as .NET User Interfaces (UIs) in IIS or as Windows services that require added permissions, and as a result, make use of built-in Windows accounts. For instance, the UIs for the Apprenda Developer Portal, System Operations Center, and Account Portal each run as a unique ApplicationPoolIdentity in IIS. 

There are four Windows services within every Platform configuration: Platform Cache, Platform Coordinator, Load Management, and Windows Host. Each service requires different accounts and permissions to perform their function on the Platform.

The Platform Cache and Coordinator services must run as the LocalService account on the nodes on which they are installed. Both services communicate over the local network and must be started before the Platform WCF services.

The Load Management service and Windows Host must run as the LocalSystem account because they need additional permissions to obtain administrator access tokens in User Account Control (UAC) configured environments and to configure IIS. The Windows Host service also needs to run as LocalSystem in order to manipulate job objects.
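Because each of the four services is expected to run under a specific built-in account, a quick check of the configured service logon accounts catches drift (for example, a service re-registered under a domain account during troubleshooting). The following PowerShell is an added example and not Apprenda's own tooling: it queries Win32_Service and compares each service's StartName with the account this page lists. The display-name patterns are assumptions, since the page does not give the registered service names; adjust them to what services.msc shows on your nodes.

```powershell
# Added example (not Apprenda's own tooling): confirm the four Platform Windows
# services run under the built-in account this page lists for each of them.
# Display-name patterns are ASSUMED; adjust them to the names shown in services.msc.
$expected = @(
    @{ Pattern = '*Platform Cache*';       Account = 'NT AUTHORITY\LocalService' },
    @{ Pattern = '*Platform Coordinator*'; Account = 'NT AUTHORITY\LocalService' },
    @{ Pattern = '*Load Management*';      Account = 'LocalSystem' },
    @{ Pattern = '*Windows Host*';         Account = 'LocalSystem' }
)

# Normalise "NT AUTHORITY\LOCAL SERVICE" and "NT AUTHORITY\LocalService" to one form.
function Normalize-Account([string]$Name) {
    return ($Name -replace '\s', '').ToLowerInvariant()
}

$services = Get-CimInstance -ClassName Win32_Service
foreach ($e in $expected) {
    $found = @($services | Where-Object { $_.DisplayName -like $e.Pattern })
    if ($found.Count -eq 0) {
        '{0,-8} no service matches pattern {1} (not installed on this node?)' -f 'NOTFOUND', $e.Pattern
        continue
    }
    foreach ($svc in $found) {
        $ok = (Normalize-Account $svc.StartName) -eq (Normalize-Account $e.Account)
        $state = if ($ok) { 'OK' } else { 'MISMATCH' }
        '{0,-8} {1,-40} runs as {2} (expected {3})' -f $state, $svc.DisplayName, $svc.StartName, $e.Account
    }
}
```

A NOTFOUND result is normal on nodes that do not host that component (for instance, Platform Cache runs only on the Platform Cache nodes); a MISMATCH is what to investigate, particularly a LocalService-expected service found running as LocalSystem or as a domain account, since that widens what a compromise of that process could reach.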

SQL Server Accounts

The Apprenda Platform Core Database (and other Platform databases) runs on Microsoft SQL Server. It requires an Apprenda SQL Server account per server for storage management and for updating mappings between servers (known as the Platform SQL Server Admin account). Platform Operators have the choice of running with or without Resource Throttling (CPU and RAM) enabled for SQL Server instances.

With Resource Throttling (more permissions)

The SQL Server Admin account(s) requires both the sysadmin and serveradmin roles in order to have the necessary permissions to access and manage the SQL Server Resource Governor and thus manipulate CPU and RAM on machines running Platform and guest service DBs.

Without Resource Throttling (fewer permissions)

The SQL Server Admin account(s) does not need to access or manage the SQL Server Resource Governor. It only requires the following permissions for other Platform operations:

  • ALTER SETTINGS (for installs/upgrades only)

  • ALTER ANY DATABASE

  • ALTER ANY CONNECTION

  • ALTER ANY LINKED SERVER

  • ALTER ANY LOGIN

  • CONNECT SQL

  • VIEW SERVER STATE

After install, Operators can separate access to Platform databases using unique SQL Server accounts running with reduced privileges for “data-only” operations. All of these accounts require only CONNECT SQL permissions, with the exception of the Audit DB account, which needs ALTER ANY DATABASE during Apprenda Installer-driven operations such as Platform Install, Upgrade, and Modify.

See more about SQL Server account rotation for Platform database servers.
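The "without Resource Throttling" permission list above is an explicit set of server-level permissions, which makes it straightforward to audit a login against it and to catch the two common ways it drifts: the login is still a member of sysadmin or serveradmin from an earlier throttling-enabled configuration, or ALTER SETTINGS was left granted after an install or upgrade. The following PowerShell script is an added example, not Apprenda's own tooling: it reads sys.server_permissions and sys.server_role_members through Invoke-Sqlcmd (SqlServer module), diffs the granted permissions against the page's list, and prints review-only remediation T-SQL. The instance name SQL01 and login CORP\apprenda-sqladmin are assumptions; the same script applies to a data-only account by passing a required set of just CONNECT SQL.

```powershell
# Added example (not Apprenda's own tooling): compare the server-level permissions
# a Platform SQL Server login actually holds against the "without Resource
# Throttling" least-privilege set listed on this page, and print remediation T-SQL
# for review without executing it. Instance and login names are assumptions.
param(
    [string]$ServerInstance = 'SQL01',                      # assumed
    [string]$Login          = 'CORP\apprenda-sqladmin',     # assumed Platform SQL Server Admin login
    [string[]]$Required     = @('ALTER ANY DATABASE', 'ALTER ANY CONNECTION', 'ALTER ANY LINKED SERVER',
                                'ALTER ANY LOGIN', 'CONNECT SQL', 'VIEW SERVER STATE'),
    [switch]$InstallPhase                                   # ALTER SETTINGS is expected only around install/upgrade/modify
)
Import-Module SqlServer -ErrorAction Stop

# The login name is interpolated into the query text, so restrict it to a safe character set.
if ($Login -notmatch '^[\w\\\-. $]+$') { throw "Unexpected characters in login name: $Login" }
$lit = $Login.Replace("'", "''")
if ($InstallPhase) { $Required += 'ALTER SETTINGS' }

# Explicit server permissions in GRANT (G) or GRANT WITH GRANT OPTION (W) state.
$permQuery = @"
SELECT RTRIM(sp.permission_name) AS permission_name
FROM sys.server_permissions AS sp
JOIN sys.server_principals AS p ON p.principal_id = sp.grantee_principal_id
WHERE p.name = N'$lit' AND sp.state IN ('G', 'W');
"@
# Fixed server role membership; sysadmin/serveradmin bypass the explicit permission list.
$roleQuery = @"
SELECT r.name
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = m.member_principal_id
WHERE p.name = N'$lit';
"@
$granted = @(Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $permQuery | ForEach-Object { $_.permission_name })
$roles   = @(Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $roleQuery | ForEach-Object { $_.name })

$missing = @($Required | Where-Object { $granted -notcontains $_ })
$extra   = @($granted  | Where-Object { $Required -notcontains $_ })

"Login: $Login on $ServerInstance"
"  roles   : $(if ($roles)   { $roles -join ', ' }   else { '(none)' })"
"  missing : $(if ($missing) { $missing -join ', ' } else { '(none)' })"
"  extra   : $(if ($extra)   { $extra -join ', ' }   else { '(none)' })"

# Remediation statements to review before running; this script does not execute them.
# Dropping sysadmin/serveradmin is only correct when Resource Throttling is disabled.
foreach ($p in $missing) { "GRANT $p TO [$Login];" }
foreach ($p in $extra)   { "REVOKE $p FROM [$Login];" }
foreach ($r in $roles)   { "ALTER SERVER ROLE [$r] DROP MEMBER [$Login];" }
```

Run it once with `-InstallPhase` immediately before an install, upgrade, or modify (ALTER SETTINGS should then be present) and once without it afterwards (ALTER SETTINGS should then show up under "extra" with a REVOKE suggestion). For a data-only account such as the Billing or Logging login, pass `-Required @('CONNECT SQL')`; for the Audit login add ALTER ANY DATABASE only for the install-phase run, which matches the exception described above.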

Linux Accounts

If you plan to deploy Java web applications or arbitrary Linux executables on your Platform, you will need root access or an account with elevated ‘su’ or ‘sudo’ permissions to install the Apprenda RPM packages and configure the server to be a part of the Platform.

Once installed, the Platform’s Linux Container will be running as ‘root’ on all Linux nodes in order to launch workloads, impersonate users, change file permissions, and other important functions. The Linux Container will also require read-only access to the Linux mount points on the Platform Repository.

For increased workload isolation, Platform Operators can create and specify application component accounts, and optionally a security token to guard access to those accounts. The account can then be used for any workload or, if a token is used, only for workloads whose Application Deployment Manifest specifies that token.

Additional information on setting up Linux workload accounts can be found in the Specifying Guest Application Service Accounts page.