CA and DA service account permissions/roles

Created: 20 Feb 2013 • Updated: 20 Feb 2013 | 4 comments
This issue has been solved. See solution.

Hi,

EV/CA/DA 9.0.2

I am not sure why, but the VSA was set up historically in CA/DA as a user with high level rights.

e.g. CA - Super User - Application

       DA - Discovery System Admin

As part of locking down permissions, I would like to remove the VSA as a user in the apps (at least in CA, in DA, I will remove the roles from the user account).

Any issues as long as I have another (not VSA) user with those same high level rights?

Thanks!

TonySterling

Nope, no issues at all. One thing to remember, the VSA by default has rights on the customer database to be able to log in. You can restrict this in the EVBAAdmin page; on the Customer property tab you can assign an Admin user:

Administrator User or Group

Optionally nominates an Active Directory user account or group account as an administrator for the Discovery Accelerator customer database. This user or group has full administrative permissions in the customer database and typically assigns application-wide roles to other users. Specify the account details in the form domain\user_or_group_name; for example, "OurDomain\Marie.Lopez".

Note that the Vault Service account already has full administrative permissions in the customer database, so there is usually no need to nominate another user or group. However, you may want to do this if your company policy restricts the use of service accounts.

SOLUTION
goatboy

Thanks Tony.

Just to confirm the second part, the rights on the customer database....

Let's say I remove the VSA from CA/DA users/roles in the CA/DA clients.

Can it still log in after this with the VSA to the clients, if the VSA has default rights as per the EVBAAdmin page?

TonySterling

Yes, if you remove the Role Assignment from the VSA it will still have the default Administrative permissions and be able to log into DA\CA via the client.

goatboy

Many thanks for the explanation and clarification.