Skip to main content
Kofax

Minimum Windows Permissions for Capture and VRS

Article # 3035263 - Page views: 131

Issue

Security policies require that our Windows users have more restrictive permissions than those documented in the Capture and VRS Installation Guides.

What are the minimum Windows user permissions for installers and users of Capture and/or VRS products?

Solution

The Kofax Capture Installation Guide (Chapter 2, pages 18-22) details the user permissions required to run Capture. The Kofax VRS Installation Guide describes the permissions necessary to install and run VRS. The requirements documented in the Installation Guides are fully tested by Kofax and are simple to apply.

However, for administrators who wish to restrict user permissions further, there are minimum Windows User permissions that have been demonstrated to work with the following products:

  • Capture 11.x 
  • VRS 5.x
 

Minimum permissions for installing Kofax Capture and/or Kofax VRS 

Kofax Capture and Kofax VRS must be installed by a member of the local Administrator Group. For Kofax Capture installs, the local Administrator account must also have Full Control of the Capture share on the Kofax Capture server and all of the Capture share’s subfolders.

Minimum permissions for using Kofax Capture and/or Kofax VRS 

Kofax Capture and VRS users must have the following file permissions:

Folder or File  Typical Location Permissions
Kofax folder and all subfolders, if present C:\Program Files (x86)\Kofax Read & Execute
Kofax share and its subfolders on the Kofax Capture Server \\server\CaptureSV MODIFY+Delete Subfolders and Files
System and user Temp folder C:\Users\UserName\AppData \Local\Temp or C:\Windows \Temp Full Control
Temporary image folder Below the Kofax share, or elsewhere. For a new batch, the default path is \Images. For an imported batch, the path specified for the batch class is used. MODIFY+Delete Subfolders and Files
Calera.ini C:\Windows Read, Read & Execute, Modify
kpmsw.ini C:\Windows Read, Read & Execute, Modify
Kfxisis.ini C:\Windows Read, Read & Execute, Modify
odbc.ini C:\Windows Read, Read & Execute, Modify
Kofax200.ini C:\Windows Read, Read & Execute, Modify
odbcinst.ini C:\Windows Read, Read & Execute, Modify
Kofaxkim.ini C:\Windows Read, Read & Execute, Modify
pixcache.ini C:\Windows Read, Read & Execute, Modify
Kpm.ini C:\Windows Read, Read & Execute, Modify
setscan.ini C:\Windows Read, Read & Execute, Modify
Kpmadr.ini C:\Windows Read, Read & Execute, Modify
vcdem32p.ini C:\Windows Read, Read & Execute, Modify
Kpmcache.ini C:\Windows Read, Read & Execute, Modify
vrsinput.ini C:\Windows Read, Read & Execute, Modify
Kpmcolpr.ini C:\Windows Read, Read & Execute, Modify
Kpmcrtnt.ini C:\Windows Read, Read & Execute, Modify

 

All users must have the following Registry permissions:

Registry Key Permissions
HKEY_CURRENT_USER\Software\Kofax Image Products Full Control
HKEY_LOCAL MACHINE\Software\Kofax Image Products Read
HKEY_LOCAL_MACHINE\Software\Kofax Read (Kofax VRS users require Full Control)

 

SecurityBoost Permissions

Use SecurityBoost to protect critical Kofax Capture files. You must first set minimum system permissions for your operators so they cannot access critical Kofax Capture files and folders. Then you create a special SecurityBoost user with permissions that do allow access to these files and folders.

Note-Icon.png Note To use the Administration module, the SecurityBoost user must be a member of the local Administrators group. Otherwise, the Administration module cannot be started.

If SecurityBoost is enabled and you encounter an issue that prevents a module from running, the following error may occur:

<Module_name> is already running on this workstation. Only one instance is allowed.

You can resolve the error by updating the Local Security Policy.

1. In Control Panel, select Administrative Tools > Local Security Policy.
2. On the list of policies, select Local Policies > User Rights Assignment.
3. On the Policy list, double-click Impersonate a client after authentication.
4. As applicable, add the operator's user account and/or user groups to this privilege.
5. Click OK and restart the computer.

 

Minimum Permissions for the SecurityBoost User

To run Kofax Capture with SecurityBoost, the SecurityBoost user must have minimum permissions that are the equivalent of the required permissions described in Client/Server Required Permissions and Standalone Required Permissions. In a client/server installation, the SecurityBoost user must be a domain user.

If SecurityBoost is used strictly to protect the batch image folder, the SecurityBoost user needs the following permissions for the batch image folder:

File system:
• List folder / read data
• Create folders / append data
• Read permissions

Share:
• Full control

With SecurityBoost, additional permissions may be required, based on your Group Policy settings. The SecurityBoost account should be granted full control for the HKEY_CURRENT_USER Registry hive for all interactive users. As a result, the SecurityBoost account is permitted to access the current user's settings so that Windows can continue processing the credentials.

Note-Icon.png Note The SecurityBoost user must have access to all operator TEMP files

The SecurityBoost user is shared by the entire installation. SecurityBoost users must be either local (for standalone installations) or part of a Windows domain (for client/server or standalone installations)

 

Level of Complexity 

Easy

 

Applies to  

Product Version Build Environment Hardware
Kofax Capture 11.1
11.0
ALL ALL N/A
 Kofax VRS   5.2
5.1.2
5.1.1 
 ALL  ALL N/A

 

 

 
  • Was this article helpful?