
AVEVA™ Production Management

Install AVEVA Production Management with least-privilege account

  • Last Updated: Feb 12, 2024

We recommend that you install AVEVA Production Management under an account with minimum permissions to reduce security risk and improve data reliability.

As part of the installation process, this least-privilege account is given full access to the following:

  • Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Citect\Ampla

  • Local folders:

    • <Drive>:\Documents and Settings\All Users\Citect

    • <Drive>:\ProgramData\Citect\Ampla
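The grants listed above are made by the installer; what an administrator usually wants afterwards is a way to confirm that the service account really holds them and that nothing broader (Everyone, Users) can also write to the key and folders. The following PowerShell audit is an added example, not part of AVEVA's installer or documentation; the account name `CORP\svc-ampla` and the drive letter are assumptions to replace with your own values, and it is meant to be run from an elevated session.

```powershell
# Added example, not part of AVEVA's installer: audit the Full Control grants the
# installer is documented to make for the least-privilege account, and flag any
# broad principal (Everyone, Users, Authenticated Users) that can also write there.
# The account name and drive letter below are assumptions; change them to match
# your deployment. Run from an elevated PowerShell session.
param(
    [string]$ServiceAccount = 'CORP\svc-ampla',   # assumed service account
    [string]$Drive          = 'C'                 # assumed install drive
)

# The three locations named in the documentation.
$targets = @(
    @{ Path = 'HKLM:\SOFTWARE\Citect\Ampla';                        Kind = 'Registry' },
    @{ Path = "${Drive}:\Documents and Settings\All Users\Citect";  Kind = 'Folder'   },
    @{ Path = "${Drive}:\ProgramData\Citect\Ampla";                 Kind = 'Folder'   }
)

# Principals that should never hold write rights on the service's own data.
$broadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

# Rights that amount to "can change this object", per object type.
$writePattern = @{
    Registry = 'SetValue|CreateSubKey|WriteKey|FullControl'
    Folder   = 'Write|Modify|FullControl'
}

$report = foreach ($t in $targets) {
    if (-not (Test-Path -LiteralPath $t.Path)) {
        [pscustomobject]@{ Path = $t.Path; ServiceHasFull = $null; BroadWriters = 'path not found' }
        continue
    }
    $acl   = Get-Acl -LiteralPath $t.Path
    $allow = $acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' }

    # RegistryAccessRule exposes .RegistryRights, FileSystemAccessRule .FileSystemRights.
    $rightsOf = if ($t.Kind -eq 'Registry') { 'RegistryRights' } else { 'FileSystemRights' }

    # Full Control shows up as the single name "FullControl" when all bits are set.
    $serviceFull = [bool]($allow | Where-Object {
        $_.IdentityReference.Value -eq $ServiceAccount -and
        $_.$rightsOf.ToString() -match 'FullControl'
    })

    # Any broad principal with a write-capable ACE is worth a second look.
    $broadWriters = $allow | Where-Object {
        $broadPrincipals -contains $_.IdentityReference.Value -and
        $_.$rightsOf.ToString() -match $writePattern[$t.Kind]
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

    [pscustomobject]@{
        Path           = $t.Path
        ServiceHasFull = $serviceFull
        BroadWriters   = if ($broadWriters) { $broadWriters -join ', ' } else { 'none' }
    }
}

$report | Format-Table -AutoSize
```

A row with `ServiceHasFull` false means the installer's grant did not land (or was later removed) and the service will fail on writes; a non-empty `BroadWriters` column means the least-privilege account is not the only principal able to alter the product's configuration and data, which undercuts the reason for using such an account in the first place. Inherited ACEs are included deliberately, since inheritance from `ProgramData` is the usual way broad write access arrives.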

Things to take note of when using a least-privilege account:

  • AVEVA Production Management uses the service account for operations performed without basic credentials, such as submitting a record request for auto-generated system records. For such an operation to succeed, the service account's permissions must be granted through group membership in the AVEVA Production Management user management setup; otherwise the operation fails.

  • Ensure that the least-privilege user account has the required SQL Server permissions. The user account accessing SQL Server requires:

    • dbcreator role at server level

    • db_datareader role on the master database

    • db_datareader role on the tempdb database

    • db_datawriter role on the tempdb database

    • db_owner role on the state, data, and configuration databases

    The user account accessing ASP.NET requires:

    • db_owner role on the state database

Additional information on permissions

  • In cases where the AVEVA Production Management service is required to contact an external system, ensure that the external system has granted the permissions the service needs.

  • The AD account under which the AVEVA Production Management service runs must be a member of the Windows Authorization Access group on the domain controller.
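The SQL Server list above is the complete set the service login needs, so it doubles as a baseline: anything missing breaks the product, and anything beyond it (a sysadmin grant made "to get it working", db_owner on master) is privilege the least-privilege account should not have. The script below is an added example, not AVEVA's own code; it reads role membership from the catalog views and reports gaps and excess against that baseline. It needs the SqlServer PowerShell module for `Invoke-Sqlcmd`. The instance name, the login, and the names of the state, data and configuration databases are assumptions to replace with your own.

```powershell
# Added example, not AVEVA's own code: compare the SQL Server role memberships held
# by the least-privilege login against the list in this article and flag both gaps
# and anything beyond it (a sysadmin grant, db_owner on master, ...). Needs the
# SqlServer PowerShell module for Invoke-Sqlcmd. Instance, login and the names of
# the state/data/configuration databases are assumptions; set them for your site.
param(
    [string]  $ServerInstance = 'SQL01\AMPLA',                               # assumed
    [string]  $Login          = 'CORP\svc-ampla',                            # assumed
    [string[]]$AmplaDatabases = @('AmplaState', 'AmplaData', 'AmplaConfig')  # assumed
)

# Expected memberships from the documentation; Db = '' means a server-level role.
$expected = @(
    @{ Db = '';       Role = 'dbcreator'     },
    @{ Db = 'master'; Role = 'db_datareader' },
    @{ Db = 'tempdb'; Role = 'db_datareader' },
    @{ Db = 'tempdb'; Role = 'db_datawriter' }
)
foreach ($db in $AmplaDatabases) { $expected += @{ Db = $db; Role = 'db_owner' } }

# Single-quoted here-strings so $(Login) is left for sqlcmd variable substitution
# (-Variable) rather than being expanded by PowerShell.
$serverRoleQuery = @'
SELECT r.name AS role_name
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS l ON l.principal_id = m.member_principal_id
WHERE l.name = N'$(Login)';
'@

# The database user is matched to the login by SID, so it works whatever the user was named.
$databaseRoleQuery = @'
SELECT r.name AS role_name
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.sid = SUSER_SID(N'$(Login)');
'@

$found = @()
foreach ($row in (Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $serverRoleQuery -Variable "Login=$Login")) {
    $found += @{ Db = ''; Role = $row.role_name }
}
foreach ($db in (@('master', 'tempdb') + $AmplaDatabases)) {
    foreach ($row in (Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $db -Query $databaseRoleQuery -Variable "Login=$Login")) {
        $found += @{ Db = $db; Role = $row.role_name }
    }
}

# Compare as "db|role" keys in both directions.
$asKey       = { param($m) "$($m.Db)|$($m.Role)" }
$expectedKey = @($expected | ForEach-Object { & $asKey $_ })
$foundKey    = @($found    | ForEach-Object { & $asKey $_ })

$report = @()
foreach ($m in $expected) {
    $scope  = if ($m.Db) { $m.Db } else { 'server' }
    $status = if ($foundKey -contains (& $asKey $m)) { 'present' } else { 'MISSING' }
    $report += [pscustomobject]@{ Scope = $scope; Role = $m.Role; Status = $status }
}
foreach ($m in $found) {
    if ($expectedKey -notcontains (& $asKey $m)) {
        $scope = if ($m.Db) { $m.Db } else { 'server' }
        $report += [pscustomobject]@{ Scope = $scope; Role = $m.Role; Status = 'UNEXPECTED: exceeds the documented set' }
    }
}
$report | Sort-Object Scope, Role | Format-Table -AutoSize
```

Two things this audit tends to surface. First, tempdb is rebuilt from the model database at every SQL Server restart, so the db_datareader and db_datawriter memberships granted there do not survive a restart unless they are re-applied (for example from a startup procedure) or also granted in model; a `MISSING` row for tempdb after a restart is the usual symptom. Second, the same script run with the ASP.NET account as `-Login` should show db_owner on the state database only; the other rows appearing as `MISSING` for that account is expected and not a problem.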
