Security Groups and Service Accounts

Author: [email protected]

The purpose of this document is to describe how the service accounts, groups, and permissions required for the deployment of the MyPass Gateway are configured.

This includes the Microsoft Active Directory Security Groups or local server groups required for the deployment of a MyPass Gateway. Service account and group requirements for integration into credential repositories can be found in the integration guide for each system.

Note: All user and group names are provided as examples of possible naming conventions. They can, however, be aligned to the naming convention of the customer. Please take note of the user and group names in order to provide them to your deployment Project Manager.

MyPass Gateway Administrators Group

This group controls the access for local / domain users that perform administration and configuration tasks on the MyPass Gateway.

  • Group Type: Active Directory Security Group or Local Computer Group
  • Group Name Example: MP-GWGroup

MyPass Gateway Service Account

This account is required to perform all administration and configuration on the MyPass Gateway.

  • Account Type: Active Directory User Account / Local Computer User Account
  • Account Name Example: MP-GWUser
  • Account Permissions:
    • If the gateway server is not domain joined (local computer):
      • The account must be part of the Users group on the local server
    • If the gateway server is domain joined (member server):
      • The account must be part of the Domain Users security group within Active Directory
    • Additional Special Permissions:
      • Log on locally (on the gateway server(s))
      • Member of the MP-GWGroup group (custom group created above as part of the “MyPass Gateway Administrators Group”)

MyPass Gateway Server IIS Application Pool Account

This account is required to host the Microsoft Internet Information Services (IIS) application pool in which the MyPass Gateway web services application will run. The MyPass Gateway installer will create this account during the setup process. Please ensure that the account executing the installer has the appropriate permission to create an account in the specified target repository (either Active Directory or the local server).

  • Account Type: Active Directory User Account / Local Computer User Account
  • Account Name Example: MP-IISUser
  • Account Permissions:
    • If the gateway server is not domain joined (local computer):
      • The account must be part of the Users and the IIS_IUSRS groups on the local server
    • If the gateway server is domain joined (member server):
      • The account must be part of the Domain Users and IIS_WPG security groups within Active Directory
    • Additional Special Permissions:
      • Log on as a batch job
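The following PowerShell script is an added example for the non-domain-joined (local computer) case described in the two account sections above; it is not part of the MyPass documentation or installer. It creates the pre-install objects (the administrators group and the service account), and then audits both accounts after installation against the group memberships and logon rights listed on this page, using the example names MP-GWGroup, MP-GWUser and MP-IISUser. It assumes an elevated PowerShell 5.1+ session with the Microsoft.PowerShell.LocalAccounts module and secedit available.

```powershell
# Added example, not part of the MyPass documentation: non-domain-joined case with
# the example names from this page. Elevated PowerShell 5.1+, LocalAccounts module.
$GwGroup = 'MP-GWGroup'; $GwUser = 'MP-GWUser'; $IisUser = 'MP-IISUser'
# Pre-install objects: admin group + service account (in Users and MP-GWGroup). The IIS app-pool account is installer-created and only audited below.
function New-GatewayPrereqs {
    param([Parameter(Mandatory)][securestring]$Password)
    if (-not (Get-LocalGroup $GwGroup -ErrorAction SilentlyContinue)) {
        New-LocalGroup $GwGroup -Description 'MyPass Gateway Administrators' | Out-Null
    }
    if (-not (Get-LocalUser $GwUser -ErrorAction SilentlyContinue)) {
        New-LocalUser $GwUser -Password $Password -PasswordNeverExpires `
            -UserMayNotChangePassword -Description 'MyPass Gateway service account' | Out-Null
    }
    foreach ($g in 'Users', $GwGroup) {
        if (-not (Get-LocalGroupMember $g -Member $GwUser -ErrorAction SilentlyContinue)) {
            Add-LocalGroupMember $g -Member $GwUser
        }
    }
}
# Account names holding a user right (e.g. SeBatchLogonRight): export the local
# security policy with secedit and resolve the *S-1-5-... SIDs it lists.
function Get-UserRightHolders([string]$Right) {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = (Get-Content $cfg) -match "^$Right\s*=" | Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $v = $_.Trim().TrimStart('*')
        try { ([System.Security.Principal.SecurityIdentifier]$v).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $v }
    }
}
# Post-install audit: each account is in the groups this page requires, is NOT a
# local Administrator, and holds its logon right directly or via Users / IIS_IUSRS.
function Test-GatewayAccounts {
    $inGroup = { param($g, $u) [bool](Get-LocalGroupMember $g -Member $u -ErrorAction SilentlyContinue) }
    $local = @(Get-UserRightHolders 'SeInteractiveLogonRight')   # "Log on locally"
    $batch = @(Get-UserRightHolders 'SeBatchLogonRight')         # "Log on as a batch job"
    [pscustomobject]@{
        GwUserInUsers      = & $inGroup 'Users' $GwUser
        GwUserInGwGroup    = & $inGroup $GwGroup $GwUser
        GwUserNotAdmin     = -not (& $inGroup 'Administrators' $GwUser)
        GwUserLogonLocally = @($local -match "\\($GwUser|Users)$").Count -gt 0
        IisUserInUsers     = & $inGroup 'Users' $IisUser
        IisUserInIisIusrs  = & $inGroup 'IIS_IUSRS' $IisUser
        IisUserNotAdmin    = -not (& $inGroup 'Administrators' $IisUser)
        IisUserBatchLogon  = @($batch -match "\\($IisUser|IIS_IUSRS)$").Count -gt 0
    }
}
```

Run `New-GatewayPrereqs -Password (Read-Host -AsSecureString)` before the installer and `Test-GatewayAccounts` afterwards; any property reporting False is a deviation from the requirements above, and the two NotAdmin checks flag the common over-privileging of placing service accounts in the local Administrators group.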