
Domain Service Account Requirements


Article ID: 256644


Updated On:

Products

Data Loss Prevention

Issue/Introduction

Often, there is a requirement to run the Data Loss Prevention services as a non-local user, such as a Domain account. In that case, identifying the minimum permissions the account requires is of utmost priority for security purposes. This article shares the steps to create a working Active Directory service account.

Environment

Release : DLP 15.7+

Cause

Security posture may specify that software services should run as a non-local Domain account.

Resolution

Data Loss Prevention services function by calling a Java Wrapper, which launches the appropriate processes to run Data Loss Prevention and its associated supporting infrastructure. As such, the requirements for the Service Account are low.

1. The chosen Active Directory service account must possess the Log in as a Service right (constant: SeServiceLogonRight).

2. The given Active Directory service account must have permission to access the entire product file system structure, on both Linux and Windows.
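To check requirement 1 against a real server, the user-rights assignment can be exported with `secedit /export /cfg rights.inf /areas USER_RIGHTS` and parsed offline. The script below is an added example, not part of the original article or the product: it confirms the account holds SeServiceLogonRight and lists any other rights assigned to it for least-privilege review. The account name `EXAMPLE\svc-dlp`, the SIDs and the sample export are constructed for illustration.

```python
import re

# Constructed sample of `secedit /export /cfg rights.inf /areas USER_RIGHTS`
# output; the SIDs and the account name are made up for illustration.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeDebugPrivilege = *S-1-5-32-544
SeBatchLogonRight = *S-1-5-32-544,EXAMPLE\\svc-dlp
"""

REQUIRED = "SeServiceLogonRight"  # the only user right the article lists


def parse_privilege_rights(text):
    """Return {right: set of principals} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # Entries are "*SID" or, when written by name, a bare account name.
        rights[name.strip()] = {p.strip().lstrip("*").lower()
                                for p in value.split(",") if p.strip()}
    return rights


def audit_account(text, identities):
    """identities: the account's SID and/or DOMAIN\\name, any case."""
    wanted = {i.lower() for i in identities}
    held = sorted(r for r, who in parse_privilege_rights(text).items()
                  if who & wanted)
    return {"has_required": REQUIRED in held,
            "extra_rights": [r for r in held if r != REQUIRED]}


if __name__ == "__main__":
    sid = "S-1-5-21-1111111111-2222222222-3333333333-1105"
    print(audit_account(SAMPLE_EXPORT, [sid, r"EXAMPLE\svc-dlp"]))
```

A real export is written as UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text in. The check sees only direct assignments; include the SIDs of the account's groups in `identities` to cover rights granted through membership.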