Allow the CSA, Marketplace Portal, and Global Search Services to be Run as a Non-Administrator User on Windows

By default, the CSA, Marketplace Portal, and global search services are run as the service user. This section explains how to configure CSA so that these services can be run by non-administrator users. This process involves the following tasks:

  • Create non-administrator users

  • Configure the services

  • Configure file system permissions

Caution If the CSA, Marketplace Portal, and global search services are run as non-administrator users, you will not be able to do the following:

  • Upgrade CSA
  • Deploy hotfixes
  • Install patches
  • Use external tools such as the component tool, content archive tool, database purge tool, provider tool, schema installation tool, and support tool.
  • Modify Autopass license data

Note Certificates must be replaced and regenerated as the Administrator user.

Create Non-Administrator Users

The following tasks show how to create a non-administrator user account. You may choose to create a separate user for each service or one user to run all services. The examples in this section demonstrate how to run each service as a single and separate non-administrator user.

  1. Log in as the Administrator.
  2. Navigate to Start > Control Panel on the CSA system and click Add or remove user accounts that is under User Accounts.

  3. Click Create a new account in the Manage Accounts window that appears.

  4. Enter a name for the user, select the Standard user radio button if it is not selected, and then click the Create Account button to create the user account.

    Create three user accounts: CSAUser, MPPUser, and SearchUser.

Configure the Services

  1. Log in as the Administrator.
  2. Stop CSA. See Stop CSA for instructions.

  3. Back up and then delete the log files in the CSA_HOME\jboss-as\standalone\log\ directory.

  4. Delete all files in the CSA_HOME\jboss-as\standalone\tmp\ directory.

  5. Configure the CSA service to be run as CSAUser:

    1. Navigate to Start > Control Panel > Administrative Tools > Services.

    2. Right-click on the CSA service and select Properties.

    3. Select the Log On tab.

    4. Select This account.

    5. In the first field, enter CSAUser.
    6. Enter the password for CSAUser, confirm the password, and click OK.
  6. Configure the HPE Marketplace Portal service to be run as MPPUser:

    1. Navigate to Start > Control Panel > Administrative Tools > Services.

    2. Right-click on the HPE Marketplace Portal service and select Properties.

    3. Select the Log On tab.

    4. Select This account.

    5. In the first field, enter MPPUser.
    6. Enter the password for MPPUser, confirm the password, and click OK.
  7. Configure the Elasticsearch service to be run as SearchUser:

    1. Navigate to Start > Control Panel > Administrative Tools > Services.

    2. Right-click on the Elasticsearch service and select Properties.

    3. Select the Log On tab.

    4. Select This account.

    5. In the first field, enter SearchUser.
    6. Enter the password for SearchUser, confirm the password, and click OK.

Configure File System Permissions for the Non-Administrator Users

Assign permissions to each user for the specified directories in the CSA file system.

  1. Log in as the Administrator.
  2. Open the File Explorer.

  3. For each of the directories listed in the following table, do the following (where C:\Program Files\HPE\CSA is the directory in which CSA has been installed):

    1. Right-click on the directory and select Properties.
    2. Click the Security tab.
    3. Click Edit.
    4. Select a user (CSAUser, MPPUser, or SearchUser) and select the permissions listed in the table.
    5. Click OK to exit the Permissions dialog.
    6. Click OK to exit the Properties dialog.
    Directory User(s) Allowed
    Permission(s)
    C:\ CSAUser
    MPPUser
    SearchUser
    Full Control
    Modify
    Read & execute
    List folder contents
    Read
    Write
    C:\Program Files\HPE CSAUser
    MPPUser
    SearchUser
    Full Control
    Modify
    Read & execute
    List folder contents
    Read
    Write
    C:\Program Files\HPE\CSA CSAUser
    MPPUser
    SearchUser
    Full Control
    Modify
    Read & execute
    List folder contents
    Read
    Write
    C:\Program Files\HPE\CSA\Autopass CSAUser
    MPPUser
    Full Control
    Read
    C:\Program Files\HPE\CSA\CONTENT_IMPORT_LOGS CSAUser Write
    C:\Program Files\HPE\CSA\csa-search-service SearchUser Read
    C:\Program Files\HPE\CSA\csa-search-service\bin\daemon SearchUser Write
    C:\Program Files\HPE\CSA\elasticsearch-1.6.1 SearchUser Read
    C:\Program Files\HPE\CSA\elasticsearch-1.6.1\logs SearchUser Write
    C:\Program Files\HPE\CSA\jboss-as CSAUser Read
    C:\Program Files\HPE\CSA\jboss-as\bin CSAUser Write
    C:\Program Files\HPE\CSA\jboss-as\
    standalone
    CSAUser Write
    C:\Program Files\HPE\CSA\jboss-as\
    standalone\deployments
    CSAUser
    MPPUser
    SearchUser
    Modify
    Read & execute
    List folder contents
    Read
    Write
    C:Program Files\HPE\CSA\jboss-as\
    standalone\configuration
    CSAUser
    MPPUser
    SearchUser
    Modify
    Read & execute
    List folder contents
    Read
    Write
    C:\Program Files\HPE\CSA\node.js MPPUser
    SearchUser
    Read
    C:\Program Files\HPE\CSA\openjre*
    *This is the JRE used by CSA. If you are using a different JRE, set the permissions to that JRE's directory.
    CSAUser
    MPPUser
    SearchUser
    Read & execute
    List folder contents
    Read
    Write
    C:\Program FilesHPE\CSA\portal MPPUser
    SearchUser
    Read
    C:\Program Files\HPE\CSA\portal\bin\daemon MPPUser Write
    C:\Program Files\HPE\CSA\portal\logs MPPUser Write
    C:\Program Files\HPE\CSA\scripts CSAUser Read
    C:\Program Files\HPE\CSA\Tools CSAUser Read
  4. Start CSA. See Start CSA for instructions.
  5. Examine the CSA_HOME\jboss-as\standalone\log\server.log file and verify the changes deployed correctly.