AVEVA Production Management service account
- Last UpdatedNov 07, 2024
- 2 minute read
The service runs on a Windows user account, which you need to specify during installation.
Guidance for service account
We recommend these guidelines for service account.
-
Use Windows integrated authentication when possible (SSPI).
-
When it is not possible to use SSPI authentication, use a Domain account with Roaming Profile Enabled.
-
The configured service account must have a permanent profile on the machine where the AVEVA Production Management service is running. To have a permanent profile, the service account must log interactively into the machine at least once.
This is required for the Data Protection API (DPAPI) used in the application to encrypt or decrypt passwords saved through Studio. The certificate to encrypt the passwords is stored in the users profile. If a user profile is not permanent, the passwords will not be decrypted in succeeding sessions.
-
The service account with least privilege permissions must be a member of the systems's Performance Monitor Users group.
-
As a security best practice, we recommend that the service account have restricted permissions to reduce security risk. For more information on the least privilege account, refer to Install AVEVA Production Management with least-privilege account.
-
The service account that runs the AVEVA Production Management workflow service has to be configured as part of the application's user group to process the web service calls from the workflow service.
AVEVA Production Management Server needs to retrieve security group information of any client logged in through Production Analyst. Therefore, it is necessary that the service account be a member of the Windows Authorization Access group in the domain controller.
This is a very common scenario for applications that require security group membership information. For more information, refer to https://docs.microsoft.com/en-US/troubleshoot/windows-server/identity/apps-apis-require-access