MES security and permissions

Note the following about security and permissions when running an MES installation:

• The user performing the installation must have administrator privileges for the Windows operating system on the node on which the software is being installed.

• Beginning with the MES 2014 R3 (version 5.3) release, MES no longer uses the System Platform User Account (also known as Admin User) for its inter-node communication. Instead, during the installation, a services account named WCFHostService for the MES middleware service is created. When configuring the MES DB/MW Communications component, you can select an option that will provide the necessary permissions to the MES database server for this service account. See Configure the MES DB/MW communication security settings.

• When installing in a workgroup environment, permissions to access the MES database must be granted manually to the MES middleware service's user account.

• Beginning with MES 2020, the MES Middleware Web API uses AVEVA Identity Manager to authenticate users. This requires that the MES Security Mode in MES Client be set to either OS Group or OS User and that the AVEVA System Management Server component in the post‑install Configurator be configured.

• Other access to the MES middleware for remote users (e.g., using the Stateless API) should be secured through a VPN connection. It is also recommended that the Windows Firewall be used to limit the users who are authorized to access the middleware.

• If a memory dump is created for any reason, be aware that it may contain sensitive information. Therefore, the user should apply appropriate access controls (ACLs) and other protections to secure the memory dump.