Creating Service Accounts and Permissions

OneStream uses a minimum of three server processes that require service accounts for system communication.  The following information defines the required account permissions by server and serves as a guide to help configure OneStream’s service accounts in accordance with a company’s network and data center policies. By default, the IIS application pools created for the OneStream web and application servers run under the NT AUTHORITY\NETWORK SERVICE account.  For information on creating and managing service accounts see this Microsoft TechNet article: http://technet.microsoft.com/en-us/library/dd548356(WS.10).aspx.

OneStream server components communicate using the Windows Communication Foundation (WCF). This makes inter-server communication simple and flexible, and configuring the product to work within firewall constraints is more straightforward than with legacy DCOM-based applications.

Web Server Account

The service account used to run the OneStream web server IIS App Pool requires minimal privileges. The default NT AUTHORITY\NETWORK SERVICE account has sufficient permissions to run the OneStream web server. If you cannot use NT AUTHORITY\NETWORK SERVICE, use a limited-permission domain account, a managed service account, or a virtual account such as IIS AppPool\OneStreamWeb instead. This account should be created in the same domain as the OneStream Web Server.

Application Server Account

The service account used to run the OneStream application server IIS App Pool requires database access privileges and file share privileges. OneStream recommends that a dedicated service account be created to run the OneStream application server IIS application pool. This dedicated service account should be created in the same domain as the OneStream Application Server. Adding privileges to the default NT AUTHORITY\NETWORK SERVICE account may create a security risk, because every other service running under that account also gains those privileges.

Database Logon Permissions

The account that OneStream uses to access SQL Server should be granted the Public and Sysadmin privileges.  These privileges are required to allow the OneStream server process to create and maintain application database schemas.  Each OneStream application is contained in its own database schema.

Depending on how SQL Server security has been configured, these privileges must be assigned either to the service account used to run the OneStream application server (if the database uses Windows integrated security) or to a standalone SQL Server login (if the database does NOT use Windows integrated security).

Database Access Permission Note
SQL Server privileges may be reduced to a more restrictive level based on the organization's database security policies. At a minimum, the account used to access SQL Server must be able to Insert, Update, and Delete rows, Create and Drop tables, and execute a bulk insert via the ADO.NET bulk copy libraries.

OneStream can prevent application databases from being created in the product, ensuring that control remains with a corporate database management team.

Minimum SQL Server Account Permissions

Database         Required roles
App Databases    DBOwner and Public
Framework        DBOwner and Public
Master           DBOwner and Public
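The reduced permission set above, applied as a T-SQL script for the Windows-integrated-security case. This is an added example, not a script shipped with OneStream; the domain account CORP\svc_onestream_app and the database names OneStream_Framework and OneStream_App1 are placeholders to replace with your own, and the account is deliberately left out of the sysadmin role so that only the documented minimum (db_owner plus the implicit public role) is granted.

```sql
-- Added example (not OneStream's own script). Placeholders:
--   CORP\svc_onestream_app  = dedicated app-server IIS App Pool account
--   OneStream_Framework     = the Framework database
--   OneStream_App1          = one OneStream application database
USE [master];
GO
-- Server-level login for the application server's service account.
-- No sysadmin membership: the per-database db_owner grants below are
-- the restricted alternative described in the permissions table.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'CORP\svc_onestream_app')
    CREATE LOGIN [CORP\svc_onestream_app] FROM WINDOWS;
GO

-- master: db_owner (every database user is a member of public already)
USE [master];
GO
CREATE USER [CORP\svc_onestream_app] FOR LOGIN [CORP\svc_onestream_app];
ALTER ROLE db_owner ADD MEMBER [CORP\svc_onestream_app];
GO

-- Framework database: db_owner
USE [OneStream_Framework];
GO
CREATE USER [CORP\svc_onestream_app] FOR LOGIN [CORP\svc_onestream_app];
ALTER ROLE db_owner ADD MEMBER [CORP\svc_onestream_app];
GO

-- Each application database: db_owner (repeat per application database)
USE [OneStream_App1];
GO
CREATE USER [CORP\svc_onestream_app] FOR LOGIN [CORP\svc_onestream_app];
ALTER ROLE db_owner ADD MEMBER [CORP\svc_onestream_app];
GO

-- Verification: role memberships held by the account in the current
-- database. Run once per database; expect db_owner and nothing broader.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON drm.role_principal_id = r.principal_id
JOIN sys.database_principals AS m ON drm.member_principal_id = m.principal_id
WHERE m.name = N'CORP\svc_onestream_app';
GO
```

Because db_owner covers Insert, Update, Delete, Create/Drop table, and the INSERT right that ADO.NET bulk copy needs, this satisfies the minimum listed in the Database Access Permission Note without the server-wide reach of sysadmin.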

File Share Permissions

The OneStream application server IIS App Pool account must have Full Control privileges on the application server file share root folder. The application server uses this location to create and delete files and folders for common tasks such as uploads, downloads, batch processing, and logging.