Studio Analytics ArcGIS Server Agent service account permissions
Hi,
The help page states the following on agent permissions:
Permissions
Analytics requires read-access to various server directories for ArcGIS Server, including the configuration store, system directory, and logs. If these directories have strict permissions, you may need to grant the Analytics agent access to these directories. Typically, this is only necessary if the directories are on network shares or if this ArcGIS Server is configured in a multi-machine site.
The location of the directory determines how you configure the permissions:
•If the directory is a local directory on the server, you can give direct access to the "NT Service\VertiGISStudioAnalytics-Agent" service account.
•If the directory is on the network, you can grant the server access via <domainname>\<computername>$.
Does the agent windows service support also logging on as a custom domain user which has access to the ArcGIS Server network shares? In my case this is preferred over granting the server access as described above.
If yes, which permissions should be assigned to this account so the agent can function properly?
Thanks,
Laurens
-
Hi Laurens,
Thank you for your post! Just to clarify, are you looking to configure the VertiGIS Studio Analytics Agent service in a way that minimizes the permissions required, as opposed to granting broader access to the server as described? For instance, is your primary goal to ensure secure, least-privilege access to specific directories or network shares?
If so, we can explore strategies for tailoring the domain account's permissions to meet the agent's operational needs without overprovisioning access. Let us know a bit more about your specific setup and requirements, and we’d be happy to assist further!
0 -
Hi Gareth,
Thanks for the follow up.
Indeed, as you point out my goal is to minimize permissions from a security perspective.
The authorization <domainname>\<computername>$ for the shared network folder seems to be quite extensive.I have tried to configure the agent service running as a custom network service service account identity, but this results in a non functional agent.
0
Please sign in to leave a comment.
Comments
2 comments