Managing Windows User Access to the Caché Instance
Managing Windows User Access to the Caché Instance
For Normal and Locked Down installations, two local user groups control access to the Caché instance. These groups are:
-
CacheServices, which grants the privileges to start, stop, and control the Caché instance.
-
Cache_Instance_<instancename>, which grants access to the installation tree—the directory in which Caché is installed and all its subdirectories.
Regarding these groups and their privileges:
-
When the CacheServices group is created, it is granted the Replace a process level token and Adjust memory quotas for a process privileges. Do not remove these privileges.
-
The CacheServices and Cache_Instance_instancename groups may not grant all the permissions that Caché requires to perform certain actions. To ensure Caché has the needed access to all instance, journal, and log files that are outside the installation tree, grant the Cache_Instance_instancename group full access to these files and the directories containing them. You may also grant this group additional permissions if necessary.
When you specify a service account other than the default local system account, Caché creates these two groups and adds the service account to each. See the Changing the Caché Service Account section below for details.
By default, any authenticated Windows users can access the installation tree, which may be undesirable. The following command removes the Windows access control entry (ACE) for authenticated users:
icacls <install-dir> /remove "NT AUTHORITY\Authenticated Users"
After running this command, only users that are administrators or in the Cache_Instance_<instancename> group have access to the installation tree.
If you do not do this, any user who can log in to the host Windows system can easily modify files, change settings, or disable the Caché instance entirely.
In some cases, you may want to give a Windows account other than the service account access to the installation tree. This could, for example, include accounts running automated tasks, or accounts that log in to the Windows server directly and then access Caché through a local Terminal session, or by invoking a custom callin executable. You can give any such account the needed access by adding it to the Cache_Instance_<instancename> group.
Changing the Caché Service Account
Enter the following in the command line to change the InterSystems service account:
<install-dir>\bin\cinstall.exe setserviceusername <instance-name> <username> <password>
This command changes the service account to the user you provide. It also adds the user to the CacheServices and Cache_Instance_<instancename> groups, creating these groups if necessary. After running this command and restarting a Caché instance, the instance runs under the new service account.