What system account privileges are required for Data Protection 15.2?


Article ID: 16939


Products

SECURITY MISC CODES SINGLE SIGN ON - LEGACY CA Data Protection (DataMinder) CA User Activity Reporting

Issue/Introduction

By default, the CA Data Protection Infrastructure Service runs as the Windows "NT Authority\System" account (also known as the LocalSystem account). Depending upon your security policy, there may be requirements to run CA Data Protection Services as a named account with fewer privileges; these are detailed below.



If I want to use a named domain account to run Data Protection what are the minimum privilege requirements?

Environment

CA Data Protection 15.2

Resolution

When installing a CA Data Protection server or client machine, you are prompted to specify a logon account for the infrastructure service.  This account defaults to LocalSystem, but if necessary you can specify a named user account.  You can use a named user account with specific considerations in the following scenarios:

 

CMS or Gateway:

If you specify a remote Data folder, the local infrastructure must log in as a Domain User with administrative rights to read and write to the remote folder. 

 

Remote Data Manager (RDM):

The infrastructure must log in as a named Domain User account. This user account must have the 'Log on as a service' security permission and permissions to retrieve data from archives. See Archive Integration for more details.

 

To run the CA Data Protection Infrastructure service (wgninfra.exe) under a named user account (Domain User), that account should have read/write privileges to the following file locations:

The 32-bit Data Protection installation path given by the system variable %WGNINSTALLDIR%

The 64-bit Data Protection installation path given by the system variable %WGNINSTALLDIR64%

and read/write/modify privileges to the CA Data Protection data path given by the system variable %WGNDATADIR%.

 

This account should have read privileges to the registry hives:

"HKEY_CLASSES_ROOT",

"HKEY_CURRENT_USER",

"HKEY_LOCAL_MACHINE"

and read and write privileges to:

"HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\CA DataMinder",

"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ComputerAssociates\CA DataMinder"

 

Note:

You can run the service under a named user account (Domain User account) on the CMS and/or a Gateway machine while installing the Data Protection product.
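
The following PowerShell script is an added example, not part of the product documentation. It lists the access-control entries that a named service account holds directly on the file and registry locations above, so they can be compared with the stated requirements. The account name is a placeholder, and rights granted through group membership are not resolved.

```powershell
# Added example: audit the ACEs a named service account holds on the
# locations listed in this article. The account name is a placeholder.
param(
    [string]$Account = 'EXAMPLE\svc-dataprotection'   # hypothetical account name
)

# Locations from the article and the access it says the account needs.
$targets = @(
    @{ Path = $env:WGNINSTALLDIR;   Need = 'read/write' }
    @{ Path = $env:WGNINSTALLDIR64; Need = 'read/write' }
    @{ Path = $env:WGNDATADIR;      Need = 'read/write/modify' }
    @{ Path = 'HKLM:\SOFTWARE\ComputerAssociates\CA DataMinder'; Need = 'read/write' }
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\ComputerAssociates\CA DataMinder'; Need = 'read/write' }
)

$report = foreach ($t in $targets) {
    if ([string]::IsNullOrEmpty($t.Path) -or -not (Test-Path -LiteralPath $t.Path)) {
        [pscustomobject]@{ Path = $t.Path; Need = $t.Need; Type = 'n/a'; Rights = 'path not found'; Inherited = $null }
        continue
    }
    $acl = Get-Acl -LiteralPath $t.Path
    # Only ACEs that name the account itself; group-derived rights are not resolved here.
    $aces = @($acl.Access | Where-Object { $_.IdentityReference.Value -ieq $Account })
    if ($aces.Count -eq 0) {
        [pscustomobject]@{ Path = $t.Path; Need = $t.Need; Type = 'n/a'; Rights = 'no direct ACE'; Inherited = $null }
        continue
    }
    foreach ($ace in $aces) {
        # Registry rules expose RegistryRights; file system rules expose FileSystemRights.
        $rights = if ($ace -is [System.Security.AccessControl.RegistryAccessRule]) { $ace.RegistryRights }
                  else { $ace.FileSystemRights }
        [pscustomobject]@{ Path = $t.Path; Need = $t.Need; Type = $ace.AccessControlType; Rights = $rights; Inherited = $ace.IsInherited }
    }
}
$report | Format-Table -AutoSize -Wrap
```

Run it from an elevated session on the CMS, Gateway or RDM host. A "no direct ACE" row means the account gets any access it has on that location through a group, which should be reviewed separately.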

Additional Information

More information on privileges can be found in the CA Data Protection 15.2 Product documentation.

https://docops.ca.com/ca-data-protection/15-2/en/administrating/machine-administration/infrastructure