We've heard from a number of administrators that after they install Scribe and add users and user groups, the users still have Windows permissions issues that prevent them from running Scribe Workbench and Console. To run Scribe as a domain user, there are certain required Windows user permissions. This post describes all of the permissions required to run Scribe as a domain user.
How you access Windows Component Services and Computer Management depends on your Microsoft Windows environment. In addition, because Scribe runs in multiple Windows environments, some fields, dialogs, and components may have different names than described here.
This information is also available in the Scribe Insight Installation Guide that you can download from the Scribe Download page.
Setting permissions for all users or groups
Each user or group must have the following permissions:
- Grant “Full Control” to the HKEY_LOCAL_MACHINE\SOFTWARE\Scribe registry key.
Editing the registry can have system-wide impact. If you are not familiar with the registry, the role it plays and how to edit and manage it, review the Microsoft Knowledge Base for Best Practices or work with your IT department to manage changes to the registry.
- Grant “Full Control” to the %SCRIBE% installation folder and sub-folders. By default, Scribe is installed to %Program Files%\Scribe\.
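The two grants above can also be applied and then checked from an elevated PowerShell prompt. This is an added example, not part of the Scribe documentation; the principal name is a placeholder and the folder path assumes the default install location mentioned above.

```powershell
# Added example. $Principal is a placeholder; the key and folder are the defaults named in the post.
$Principal = 'CONTOSO\ScribeUsers'                  # hypothetical domain user or group
$ScribeKey = 'HKLM:\SOFTWARE\Scribe'
$ScribeDir = Join-Path $env:ProgramFiles 'Scribe'   # adjust if Scribe was installed elsewhere

$allow = [System.Security.AccessControl.AccessControlType]::Allow
$none  = [System.Security.AccessControl.PropagationFlags]::None

# Stop early if either target is missing, so nothing is half-applied.
foreach ($p in $ScribeKey, $ScribeDir) {
    if (-not (Test-Path -Path $p)) { throw "Not found: $p" }
}

# Registry key: Full Control, inherited by all subkeys.
# SetAccessRule replaces any existing Allow rule for the same principal,
# so re-running the script does not pile up duplicate entries.
$keyAcl  = Get-Acl -Path $ScribeKey
$keyRule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $Principal, 'FullControl', 'ContainerInherit', $none, $allow
$keyAcl.SetAccessRule($keyRule)
Set-Acl -Path $ScribeKey -AclObject $keyAcl

# Installation folder: Full Control, inherited by sub-folders and files.
$dirAcl  = Get-Acl -Path $ScribeDir
$dirRule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Principal, 'FullControl', 'ContainerInherit, ObjectInherit', $none, $allow
$dirAcl.SetAccessRule($dirRule)
Set-Acl -Path $ScribeDir -AclObject $dirAcl

# Verify: list what the principal now holds on each target.
foreach ($p in $ScribeKey, $ScribeDir) {
    (Get-Acl -Path $p).Access |
        Where-Object { $_.IdentityReference.Value -eq $Principal } |
        Select-Object @{ n = 'Target'; e = { $p } }, IdentityReference,
                      AccessControlType, IsInherited, InheritanceFlags,
                      RegistryRights, FileSystemRights
}
```

Granting to a domain group instead of individual users keeps the ACLs unchanged when people join or leave; membership is then the only thing to review.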
Domain users who will be running Scribe Services need:
- Permission to launch and access Scribe Services
- Full access to the Scribe message queues
Providing permission to launch and access Scribe services
When you install Scribe Insight, Scribe installs five services:
- Scribe AdminServer
- Scribe BridgeServer
- Scribe EventManager
- Scribe MessageServer
- Scribe MonitorServer
In Windows Component Services, you need to ensure that each domain user has permission to launch and access the Scribe services.
To provide access and launch permission for Scribe Services:
1. Start Windows Component Services.
2. Under Computers>My Computer, click on DCOM Config to open it.
3. For each Scribe service as well as for MessageProcessor, right-click on the Scribe service (Scribe AdminServer, for example) and select Properties.
4. Open the Security tab.
a. Under Launch and Activation Permissions, click Customize:
i. Click Edit to open the Launch and Activation Permission dialog box.
ii. Click Add, and add the domain user.
iii. Under Permissions, select Allow for Local Launch and Local Activation.
iv. Click OK to save your changes and close the Launch and Activation Permission dialog box.
b. Under Access Permissions, click Customize:
i. Click Edit to open the Access Permissions dialog box.
ii. Click Add and add the domain user.
iii. Under Permissions, select Allow for Local Access.
iv. Click OK to save your changes and close the Access Permissions dialog box.
5. Repeat steps 3 and 4 for each Scribe service and for MessageProcessor.
6. When you are done, exit Component Services.
Providing full access to the Scribe message queues
Under Windows Computer Management, you need to provide access to Scribe message queues and, depending on your installation, other message queues used by Scribe.
To provide access to message queues:
1. Start Computer Management.
2. In the Computer Management tree, browse to the Private (or Private Queues) node (Computer Management>Services and Applications>Message Queuing>Private Queues).
3. From the Private Queues node, right-click on scribedeadmessage and select Properties to open the Properties dialog box.
4. From the Properties dialog box:
a. Select the Security tab.
b. Click Add, and add the domain user.
c. Under Permissions for the domain user, click Allow Full Control.
d. Click OK to save your changes and close the Properties dialog box.
5. Repeat steps 3 and 4 for:
- ScribeIn queue
- ScribeRetry queue
- Any other queues used by Scribe (such as Publisher queues for Microsoft Dynamics CRM or Microsoft Dynamics NAV adapters).
6. When you are done, close Computer Management.
7. Restart the Message Queuing service and the Scribe Services.
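The queue procedure above, scripted with the MSMQ PowerShell module. This is an added example, not part of the Scribe documentation; it assumes the MSMQ module is available (Windows 8 / Windows Server 2012 or later), that the Scribe services' display names start with "Scribe" as listed earlier, and it uses a placeholder principal.

```powershell
# Added example. $Principal is a placeholder; queue names are the ones listed in the post.
Import-Module MSMQ

$Principal = 'CONTOSO\ScribeUsers'                       # hypothetical domain user or group
$Queues    = 'scribedeadmessage', 'ScribeIn', 'ScribeRetry'
# Append any adapter-specific queues (for example Publisher queues) to $Queues.

foreach ($name in $Queues) {
    $q = Get-MsmqQueue -Name $name -QueueType Private
    if (-not $q) {
        Write-Warning "Private queue '$name' not found; skipping."
        continue
    }

    # Equivalent of Security tab > Add > Allow Full Control.
    $q | Set-MsmqQueueACL -UserName $Principal -Allow FullControl | Out-Null

    # Show the resulting ACL so the grant can be confirmed.
    Write-Host "ACL for $name"
    $q | Get-MsmqQueueACL | Format-Table -AutoSize
}

# Step 7: restart Message Queuing (service name MSMQ), then the Scribe services.
# -Force is needed because other services depend on MSMQ.
Restart-Service -Name MSMQ -Force
Restart-Service -DisplayName 'Scribe*'
```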
Other required privileges
If the domain user will be using one of the following adapters, you need to grant “Full Control” to the “Windows\Temp” folder:
- Microsoft Dynamics CRM
- Salesforce.com
- Web Services
If your site uses Windows Authentication, you need to set up the domain user as a principal in Microsoft SQL Server with access to the Scribe Internal database. This user must have alter, delete, execute, insert, select and update privileges.

Hello,
Why not make this a group and preconfigure these rights by installation (via installation option)?
This way we only need to add the domain user to a local group and voila...
That would be much easier than this routine.
Thanks,
Remon
Posted by: Remon Boonstra | 09/10/2010 at 04:11 AM
It is really unclear from the above which of the following require DCOM access & launch permissions, access to Message Queues and access to Windows Temp:
- Service account(s) running the Scribe Services
- Console Users
- Workbench Users
- Some combination of the above.
Please make the documentation much more explicit.
Regards, -- Simon
Posted by: Simon Hetzel | 04/13/2011 at 12:02 PM
Simon --
Many thanks for your feedback. We understand how adding this information could be helpful and would add value to the posting. We will look to make the changes in an upcoming release.
Please watch OpenMind to view items planned for future releases (https://openmind.scribesoftware.com/products/insight).
Thanks again,
Miriam Lezak, Scribe Technical Documentation, and Morgan Pierce, Scribe Quality Assurance
Posted by: Miriam Lezak | 04/14/2011 at 11:04 AM