
Web Application Environment Permissions

When configuring a WebApp Server, for security reasons, it is best to set up users and the server with only as much permission as needed for each task: running the service and applications, and administering web applications.

Your WebApp Environment running on a Local User Account

System Administrators have more control over the access of a local user account (or group) than over any built-in system account (like LocalSystem, which has complete unrestricted access to local resources) and should configure accounts with the minimum permissions required to perform the tasks that need to be performed. That is especially true in a web environment and is the reason we recommend reviewing and configuring permissions.

In a DataFlex Web Application Server environment, a local user account configured to run the WebApp Server service must have access to all information required by the WebApp Server. This comprises both read access to the data it needs in order to function and write access to modify settings that control the environment where web applications run, in addition to executing the web applications themselves.

The local user will need permission to access:

  • the runtime - to run the service and access encryption keys
      • that includes the Windows service and files in Bin64
  • the database - to access tables used by applications
  • the web application - to run the application, create and update webapp.log
      • that includes program and data folders
  • the registry - to update application settings
      • that includes create, delete and update values and keys
      • register, start and stop applications
  • the license folder - to access and update license information

The following table describes the location/object programs need access to and what kind of access a local user would need to be able to run:

| To run | Where | Access Needed |
|---|---|---|
| WebApp Server service | Services | Log On As a Service |
| Database | backend/database | log in/RW |
| SPLF using encryption key | %ALLUSERSPROFILE%\Microsoft\Crypto\Keys | R |
| DataFlex runtime | Bin64 | R/E |
| | ProgramData...\License Files | R/W |
| Web Application (webapp.exe) | Programs and Data folders of the application | R/W |
| Web Application Administrator | [HKLM] WebApp registry keys | R/W/D* |

*Modify is equivalent to the combination of write and delete rights, see Modify vs Write Permissions

Configuration

The minimum rights to be able to run and manage web applications in a DataFlex WebApp Server environment are as follows:

  • DataFlex Web Application Server service - local user with Log On As A Service right
  • Windows CNG key files - read
  • DataFlex runtime folder - read/execute
  • Database backend - read/write
  • Web Application program and data folders - read/write
  • Web Application Administrator - registry read/modify
  • License folder - read/write

Note: Consider using groups and setting the necessary permissions on the groups instead of changing permissions for a single local user account. This simplifies maintenance: permissions are set in one place and local users are added to the corresponding groups.

DataFlex Web Application Server service

As per Microsoft's own guidelines, one should run services with the minimum set of permissions required to perform the service operations. In this case, running the DataFlex Web Application Service under a local user account can be done as long as the user has the necessary permission to "Log On As A Service", which Windows will automatically grant when adding a valid user to the service properties and saving the change.

If using a database server, the user will need to have access to the database backend as well.

Microsoft CNG key files

If using encryption tokens in an SPLF environment, the Web Application Server Administrator creates CNG key files in %ALLUSERSPROFILE%\Microsoft\Crypto\Keys. These key files can normally be accessed only by LocalSystem and Administrator accounts.

If you set your service account to be a local user with limited permission, you must give that account read access to the key file or the %ALLUSERSPROFILE%\Microsoft\Crypto\Keys folder.

After setting the permission, restart the DataFlex Web Application Server service on the application server and restart the DataFlex web application on the load balance server.

DataFlex runtime folder

The DataFlex Bin64 folder contains the runtime, drivers and applications. To use DataFlex Web Application Server and run web applications, this folder (default: C:\Program Files\DataFlex XX.X\Bin64) must be accessible for Read.

Database backend

When setting a local user to run the DataFlex Web Application Server service, that same user will need to be given access (a login) to the database server backend as well as read/write privileges to the database accessed by the web application.

Web Application program and data folders

The Program folder is where the web application executable (webapp.exe) and log (webapp.log) live - DataFlex Web Application Server needs read/write access to that as well as to the data folder where DataFlex native DAT/K? files or, in the case of a different backend, INT/CCH files are located.

WebApp Server Administrator

The Web Application Administrator needs access to the Windows registry to add, configure and modify registered web applications. The following are the keys that must be available for the Administrator with read/write/delete permission:

HKEY_LOCAL_MACHINE\SOFTWARE\Data Access Worldwide\DataFlex\25.0\WebApp Server (read/write)

HKEY_LOCAL_MACHINE\SOFTWARE\Data Access Worldwide\DataFlex\25.0\WebApp Server Commands (read/write/delete)

License folder

To access license information and be able to activate licenses, the runtime needs access to the license folder with read/write permission - default location: C:\ProgramData\Data Access Worldwide\DataFlex\XX.X\License Files.
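The minimum rights listed under Configuration, applied through one local group as the Note suggests. This is an added example, not part of the DataFlex documentation: the group name, the account name and the application root are hypothetical, and version 25.0 (taken from the registry keys above) is assumed for the folder paths.

```powershell
#Requires -RunAsAdministrator
# Added example, not DataFlex code. Hypothetical names: the group, the account
# and the application root. Version 25.0 is taken from the registry keys above.
$Group   = 'DFWebAppService'      # hypothetical local group
$Account = 'svc-dfwebapp'         # hypothetical local user that runs the service
$AppRoot = 'C:\WebApps\MyApp'     # hypothetical application root
$Version = '25.0'
$Reg     = "HKLM:\SOFTWARE\Data Access Worldwide\DataFlex\$Version"

# One group carries the permissions; accounts are added to it.
if (-not (Get-LocalGroup -Name $Group -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $Group -Description 'DataFlex WebApp Server minimum rights' | Out-Null
}
if (-not (Get-LocalGroupMember -Group $Group -Member $Account -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group $Group -Member $Account
}

# Object -> rights, following the table on this page.
$grants = [ordered]@{
    "C:\Program Files\DataFlex $Version\Bin64"                             = 'ReadAndExecute'
    "$env:ALLUSERSPROFILE\Microsoft\Crypto\Keys"                           = 'Read'
    "C:\ProgramData\Data Access Worldwide\DataFlex\$Version\License Files" = 'Read, Write'
    "$AppRoot\Programs"                                                    = 'Read, Write'
    "$AppRoot\Data"                                                        = 'Read, Write'
    "$Reg\WebApp Server"                                                   = 'ReadKey, WriteKey'
    "$Reg\WebApp Server Commands"                                          = 'ReadKey, WriteKey, Delete'
}

foreach ($path in $grants.Keys) {
    if (-not (Test-Path -LiteralPath $path)) { Write-Warning "Not found: $path"; continue }
    # Registry and file-system ACLs use different rule classes with the same argument order.
    if ($path -like 'HKLM:*') { $ruleType = 'RegistryAccessRule';   $inherit = 'ContainerInherit' }
    else                      { $ruleType = 'FileSystemAccessRule'; $inherit = 'ContainerInherit, ObjectInherit' }
    $rule = New-Object "System.Security.AccessControl.$ruleType" -ArgumentList @(
        "$env:COMPUTERNAME\$Group", $grants[$path], $inherit, 'None', 'Allow')
    $acl = Get-Acl -LiteralPath $path
    $acl.AddAccessRule($rule)     # adds to the existing ACEs, removes nothing
    Set-Acl -LiteralPath $path -AclObject $acl
    Write-Output "Granted $($grants[$path]) on $path"
}
```

The database login and the service's Log On As A Service right are outside this script; they are set on the database server and in the service properties as described above.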

Checking effective access

  • To check effective access to a folder:
      • Open File Explorer
      • Right-click on a folder
      • Select Properties | Security
      • Click on Advanced
      • Select the Effective Access tab
      • Click on Select a user to select the user
      • Click on View effective access

  • To check effective access to a registry key:
      • Open Registry Editor
      • Right-click on a key
      • Select Properties
      • Click on Advanced
      • Select the Effective Access tab
      • Click on Select a user to select the user
      • Click on View effective access
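A scripted first pass before the manual check above, as an added example that is not part of the DataFlex documentation: it sums the Allow entries that name one identity directly and reports rights missing from, or in excess of, what this page lists. The identity name and the use of version 25.0 in the folder paths are assumptions; access gained through other groups or removed by Deny entries is not resolved, so the Effective Access tab remains the final check.

```powershell
# Added example, not DataFlex code. Only Allow ACEs that name $Identity directly
# are read; group nesting and Deny ACEs are not evaluated.
$Identity  = "$env:COMPUTERNAME\DFWebAppService"   # hypothetical group or account
$FsRights  = [System.Security.AccessControl.FileSystemRights]
$RegRights = [System.Security.AccessControl.RegistryRights]
$Reg       = 'HKLM:\SOFTWARE\Data Access Worldwide\DataFlex\25.0'

# Object -> rights this page lists for it (folder paths assume version 25.0).
$expected = [ordered]@{
    'C:\Program Files\DataFlex 25.0\Bin64'                             = ('ReadAndExecute' -as $FsRights)
    'C:\ProgramData\Data Access Worldwide\DataFlex\25.0\License Files' = ('Read, Write' -as $FsRights)
    "$env:ALLUSERSPROFILE\Microsoft\Crypto\Keys"                       = ('Read' -as $FsRights)
    "$Reg\WebApp Server"                                               = ('ReadKey, WriteKey' -as $RegRights)
    "$Reg\WebApp Server Commands"                                      = ('ReadKey, WriteKey, Delete' -as $RegRights)
}

function Compare-Access {
    param([string]$Path, [System.Enum]$Expected, [string]$Identity)
    if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "Not found: $Path"; return }
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $granted = 0
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.IdentityReference.Value -ne $Identity) { continue }
        if ($ace.AccessControlType -ne 'Allow')          { continue }
        if ($ace.PropagationFlags.HasFlag($inheritOnly)) { continue }  # applies to children only
        # File-system and registry ACEs expose their mask under different property names.
        $mask = if ($ace.PSObject.Properties['FileSystemRights']) { $ace.FileSystemRights }
                else { $ace.RegistryRights }
        $granted = $granted -bor [int]$mask
    }
    $want   = [int]$Expected
    $ignore = 0x100000            # Synchronize, present on most file ACEs
    $type   = $Expected.GetType()
    [pscustomobject]@{
        Path    = $Path
        Missing = [Enum]::ToObject($type, $want -band (-bnot $granted))
        Excess  = [Enum]::ToObject($type, $granted -band (-bnot ($want -bor $ignore)))
    }
}

$expected.GetEnumerator() |
    ForEach-Object { Compare-Access -Path $_.Key -Expected $_.Value -Identity $Identity } |
    Format-Table -AutoSize -Wrap
```

A value of 0 in both columns means the entries for that identity match the page's list exactly; anything under Excess is a candidate for removal.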

See Also

Deploying Applications

Installing the Web Application Server

Installing Your Web Application