Skip to main content
Kofax

Least Privilege Service Account for Network Folders

In order to write to a network folder, Autostore must run under a service account as opposed to the Local System account.ᅠ This service account needs to be given proper permissions.ᅠ This article explains how to do that.It is recommended to follow the least privilege principle.ᅠ Least privilegeᅠmeans theᅠservice account shallᅠbe granted only theᅠminimum permissionsᅠto get the job done, but nothing more.ᅠThe service accountᅠshall be permitted toᅠwrite a file or create a sub folder, but not deleteᅠa file.ᅠ Additionally, it is recommend (but not required), to permit the service account to read folder contents, becauseᅠwithout seeing the folder it would be impossible toᅠtest or troubleshoot theᅠpermissions.ᅠ However, the service account shall not be permitted to read any files.ᅠ (which is accomplished by disabling "Read extended attributes")

Steps and Instructions

Step 1 - Set Access Control List (ACL)

  • Create a service account
  • Go to the network folder you want to access
  • Add the service account and apply the permissions exactly as shown in the picture below, allowing
    • List folder / read data
    • Read attributes
    • Create files / write data
    • Create foldersᅠ/ append data
    • Write attributes
    • Write extended attributeᅠᅠᅠ
  • Make sure that those permissions are inherited by all it's subfolders and files
  • If the network folder is large, then applying those permissions might take a while becauseᅠpermissionsᅠare individually assigned to allᅠit's child objects.

Step 2 - Set Network Share

  • Network folders are shared usingᅠshares
  • Set the correct permissions for the share as well
  • Your service account needs
    • Change, and
    • Read

Step 3 - Promote service account to local Administrator

  • Important:ᅠ You must add the service account to the administrators group on the local Autostore server.ᅠ (Do notᅠmake itᅠdomain administrator)

Step 4 - Test correct permissions

  • As a least privilege user account,ᅠthe Autostore service accountᅠshall beᅠallowed to write files and list folder contents, but itᅠshall notᅠhave permission to read a file or delete a file
  • You need to test this and make sure it works properly
  • Logon to the Autostore server as the service account
  • Click Start/Run
  • Enter your network folder
  • You should see your network folder
  • You will see the files in this network folder
  • Try to copy any file into this folder - This should work, because the service account has write permission
  • Try to open any file -ᅠThe expected behavior isᅠpermission denied, becauseᅠthe service account doesn't haveᅠ"read extended attributes permission"

  • Try to delete the file you copied in earlier - again, the expected behavior is "File Access Denied"

Stepᅠ5 - Run Autostore under the service account

  • Enter the service account credentials under the Autostore Process Designer's Service Manager
  • Restart the config

Troubleshooting

See Step 4 above

Attachments:

 

16056738.jpg (63 KB)

 

16056739.jpg (40 KB)

 

16056740.jpg (102 KB)

 

16056741.jpg (14 KB)

 

16056742.jpg (31 KB)

 

16056743.jpg (34 KB)