Local Machine Required Permissions

This section describes the various local Windows permissions required by IMan for correct and normal execution.

If the security context under which the services and AppPool run is changed from the default, the new user must be granted each of the privileges required by the various IMan services, with the relevant access to each resource.

The following section describes the permissions helper function, which automatically sets these privileges on the local workstation or server.

File Permissions

IMan Shared Data

The IMan Services & the IIS Application Pool must all have read/write/modify rights to the IMan ‘Shared Data’ directory set during installation.

IMan will not function at all without this privilege.

IMan Install Directory

The IMan Services & the IIS Application Pool must all have read/execute rights to the \inetpub\wwwroot\IMan directory and sub-directories.

IMan will not function at all without this privilege.

Logon As a Service Privilege

A user must have ‘Logon As A Service’ rights in order to run any service application. The user under which the IMan services execute must therefore have this right in order for the service(s) to start.

Replace a Process Level Token Privilege

The Process Task in IMan can specify alternative login details under which a process (or processes) is launched. ‘Replace a Process Level Token’ rights are required for the IMan Data & Scheduler services in order to create a process with alternative login credentials.

Without this right the Process Task will fail.
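
To confirm that a non-default service or AppPool account actually holds the rights listed above, the following PowerShell audit reads the two directory ACLs and the local user-rights policy. It is an added example, not IMan's permissions helper; the account name, the Shared Data path and the drive letter are placeholder assumptions.

```powershell
# Added audit example, not IMan's permissions helper. Run from an elevated prompt.
# Assumed placeholders: the account name, the Shared Data path and the drive letter.
param(
    [string]$Account    = 'CONTOSO\svc-iman',        # hypothetical service/AppPool identity
    [string]$SharedData = 'D:\IMan\SharedData',      # placeholder for the directory set at install
    [string]$InstallDir = 'C:\inetpub\wwwroot\IMan'  # drive letter assumed
)

$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

function Test-NtfsRight {
    param([string]$Path, [System.Security.AccessControl.FileSystemRights]$Needed)
    # Sums Allow ACEs granted directly to the account on this directory only.
    # Grants via group membership, Deny ACEs and sub-directory ACLs are not evaluated.
    $granted = 0
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.IdentityReference.Value -eq $sid -and $ace.AccessControlType -eq 'Allow') {
            $granted = $granted -bor [int]$ace.FileSystemRights
        }
    }
    ($granted -band [int]$Needed) -eq [int]$Needed
}

function Get-UserRightHolder {
    param([string]$Right)
    # Exports local security policy and returns the SIDs/names listed for one user right.
    $tmp = [System.IO.Path]::GetTempFileName()
    try {
        secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
        $line = Get-Content -LiteralPath $tmp | Where-Object { $_ -match "^$Right\s*=" }
        if (-not $line) { return @() }
        ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
    } finally {
        Remove-Item -LiteralPath $tmp -ErrorAction SilentlyContinue
    }
}

# SeServiceLogonRight = 'Log on as a service'
# SeAssignPrimaryTokenPrivilege = 'Replace a process level token'
$report = [ordered]@{
    'Shared Data: Modify'           = Test-NtfsRight $SharedData 'Modify'
    'Install dir: ReadAndExecute'   = Test-NtfsRight $InstallDir 'ReadAndExecute'
    'SeServiceLogonRight'           = (Get-UserRightHolder 'SeServiceLogonRight') -contains $sid
    'SeAssignPrimaryTokenPrivilege' = (Get-UserRightHolder 'SeAssignPrimaryTokenPrivilege') -contains $sid
}
$report.GetEnumerator() | Format-Table Name, Value -AutoSize
```

A False result means only that the account is not named directly; a right held through a group still needs to be checked against that group's SID.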

Rights for IMan Data Service

Service Permissions

The IMan Data Service contains three WCF modules which provide:

  • Preview Function
    • Whenever the Preview button is pressed in the designer it sends a request to the data service to generate a dataset to be displayed in the preview area.
  • Connector Meta Data
    • Provides the various drop-down options such as Import Types, possible update modes and field lists on connectors (and Read transforms such as the CRM Reader).
  • Test Function
    • Provides the test functionality for setup items.

Each of these services listens to incoming requests on a set of TCP ports where the port number starts from the port specified on the Admin Console.

DCOM Permissions

When the Sage300 connector prints or exports forms such as an A/R Invoice or O/E Order Confirmation it creates an out-of-process DCOM Server to perform the printing