GridLink Permissions and User Rights
Various user accounts are involved when using GridLink.
Certain permissions and user rights (logon rights and privileges) are required
for these accounts in order to make GridLink work properly. You can find these user
rights in "Administrative Tools - Local Security Policy - Local
Policies - User Rights Assignment" from Control Panel.
If you are not using the GridLink Access Groups feature,
which allows AXIS to be run in a specific security context according to the
user who submits the job, you can ignore the "Access Groups Feature" part
in Section 2 and the entire Section 3.
1. The user account under which GridLink Utility is run
If you use the utility to deploy and manage the GridLink
service on servers on a farm, this account must belong to the local
administrator group on all servers in order to access the default shares
and to create, start and stop the service on the servers.
2. The user account (service account) under which GridLink Controller is run
2.1 General Permissions and User Rights
This account must have "Full Control"
permission on all AXIS and GridLink folders:
- AXIS program files folders
- Folders where you store your datasets
- DataLink source files folders
- Import/Export databases folders
- AXIS temporary files folder (default C:\SPARE)
- GridLink program files folders
Since the controller is run as a Windows service, this
account must have the "Log on as a service"
right in order to start the service.
Please note that if you are running GridLink Utility on Windows
XP/2003 Server, the utility can grant "Log on as a service"
right to the service account automatically when installing the service.
However, if you are running the utility on Windows 2000, then you have
to grant this right manually.
In the following two cases, this account must have the local
administrator's right:
1) You want to be able to view AXIS windows on the server by remotely logging onto the server’s console session for troubleshooting. (i.e. you have enabled "Make the window of the AXIS remote master/helper visible" option in GridLink Utility.)
The service account needs the local administrator's right in order to switch to a visible desktop to launch AXIS. Without the local administrator's right, AXIS will be launched
on a non-visible desktop and you will not be able to view AXIS windows.
2) You may run out of the non-interactive desktop heap space on the
server. (This usually happens if the server has more than 4 CPU cores.)
If GridLink service has detected that you may run out of the
non-interactive desktop heap space on the server, it will
automatically try to switch to a visible desktop to launch AXIS.
Without the local administrator's right, it will fail to switch the
desktop. Once the operating system has run out of the non-interactive
desktop heap space, AXIS will crash.
If you cannot assign the local administrator's right to the service
account, you will have to modify the registry to allocate more memory
for non-interactive desktop heap. For more information, please refer
to Microsoft KB article #184802 (PRB: User32.dll or Kernel32.dll fails
to initialize):
http://support.microsoft.com/default.aspx?scid=kb;en-us;184802
2.2 Output to Excel Files
If you want to run batches with output to Excel files, please make sure the
service account has the permission to launch COM applications. Local
administrator accounts have the permission by default. If the service account
doesn't have the administrator's right, then you need to assign this
permission to the account following the instructions below:
1) Run "Component Services Administrative
Tool" from "Control Panel - Administrative Tools"
2) Expand the console tree on the left hand side, and find "Component
Services - Computers - My Computer"
3) Right-click on "My Computer" icon, and select
"Properties" from the popup menu
4) Click on "COM Security" tab in the Properties dialog
5) Click on "Edit Default" button in "Launch and Activation
Permissions" (or "Launch Permissions", depending on the Windows
version) box
6) In the Launch Permission dialog, click on "Add" button, enter the
service account user name and click on "OK"
7) Make sure this account allows "Launch Permission" (or "DefaultLaunchPermission",
"Local Launch Permission", depending on the Windows version). On
Windows 2003 server, you also need to turn on "Local Activation
Permission".
8) Click on "OK" to close all dialogs
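The following PowerShell check is an added example, not part of GridLink or of the original instructions. It reads the machine-wide default that steps 5 to 7 edit and reports whether the account has its own allow entry for local launch and local activation. The registry location (HKLM\SOFTWARE\Microsoft\Ole) and the COM access-mask bits are standard Windows values that this page does not list.

```powershell
# Added example (not GridLink code). Read-only; run on the GridLink server.
function Get-ComDefaultLaunchAccess {
    param([Parameter(Mandatory)][string]$Account)
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

    # Machine-wide default changed by the "Edit Default" button in step 5
    $ole   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'
    $bytes = $ole.DefaultLaunchPermission
    if (-not $bytes) {
        Write-Warning 'DefaultLaunchPermission is not set; the built-in default applies.'
        return
    }
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$bytes, 0)

    # Collect allow and deny masks from ACEs that name this account directly
    $allow = 0; $deny = 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.SecurityIdentifier.Value -ne $sid) { continue }
        if ($ace.AceType -eq 'AccessAllowed') { $allow = $allow -bor $ace.AccessMask }
        if ($ace.AceType -eq 'AccessDenied')  { $deny  = $deny  -bor $ace.AccessMask }
    }
    # COM_RIGHTS_EXECUTE=0x1, EXECUTE_LOCAL=0x2, EXECUTE_REMOTE=0x4,
    # ACTIVATE_LOCAL=0x8, ACTIVATE_REMOTE=0x10.
    # Older descriptors carry only COM_RIGHTS_EXECUTE, which COM treats as
    # granting all launch and activation rights.
    if (($allow -band 0x1) -and (($allow -band 0x1E) -eq 0)) { $allow = 0x1F }
    $effective = $allow -band (-bnot $deny)

    [pscustomobject]@{
        Account         = $Account
        LocalLaunch     = [bool]($effective -band 0x2)
        LocalActivation = [bool]($effective -band 0x8)   # needed on Windows 2003
        RawAllowMask    = '0x{0:X}' -f $allow
    }
}

# Runs against the current user as a stand-in; pass the service account instead.
Get-ComDefaultLaunchAccess -Account "$env:USERDOMAIN\$env:USERNAME"
```

Only entries that name the account itself are evaluated; permission inherited through a group such as Administrators shows as False here even though the launch would succeed.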
2.3 Access Groups Feature
Please note that "Access Groups" feature is
only available under the service mode.
If you use "Access Group" feature, this
account must have the following privileges
in order to impersonate another user to launch AXIS:
- Replace a process level token
- Adjust memory quotas for a process (or "Increase quotas")
- Act as part of the operating system (required on
Windows 2000 Professional and Server)
- Bypass traverse checking (required on Windows 2000
Professional and Server)
Please note that after assigning the above privileges
in "Local Security Settings", you need to restart the service for
the changes to take effect.
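The following PowerShell check is an added example, not part of GridLink. It covers both the "Log on as a service" right from section 2.1 and the privileges listed in section 2.3 by exporting the local User Rights Assignment with secedit and looking for the account in each entry. The Se* constant names are the standard Windows names for these rights and do not appear on this page; the function name is hypothetical.

```powershell
# Added example (not GridLink code). Run elevated on the GridLink server.
function Test-GridLinkUserRights {
    param(
        [Parameter(Mandatory)][string]$Account,
        [switch]$AccessGroups            # also check the section 2.3 privileges
    )
    # Policy display name -> constant name used in the secedit export
    $required = [ordered]@{ 'Log on as a service' = 'SeServiceLogonRight' }
    if ($AccessGroups) {
        $required['Replace a process level token']       = 'SeAssignPrimaryTokenPrivilege'
        $required['Adjust memory quotas for a process']  = 'SeIncreaseQuotaPrivilege'
        # The next two are listed as required on Windows 2000 only
        $required['Act as part of the operating system'] = 'SeTcbPrivilege'
        $required['Bypass traverse checking']            = 'SeChangeNotifyPrivilege'
    }
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

    $cfg = Join-Path $env:TEMP ('userrights-{0}.inf' -f [guid]::NewGuid())
    try {
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit code $LASTEXITCODE)" }
        $lines = Get-Content -LiteralPath $cfg
    } finally {
        Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
    }

    foreach ($name in $required.Keys) {
        $const = $required[$name]
        # Export lines look like: SeServiceLogonRight = *S-1-5-20,SERVER\account
        $line = $lines | Where-Object { $_ -match "^$const\s*=" } | Select-Object -First 1
        $holders = @()
        if ($line) {
            $holders = @(($line -split '=', 2)[1] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') })
        }
        [pscustomobject]@{
            Right            = $name
            Constant         = $const
            # Direct assignment only; a right held through a group is not resolved
            AssignedDirectly = ($holders -contains $sid) -or ($holders -contains $Account)
        }
    }
}

# Runs against the current user as a stand-in; pass the service account instead.
Test-GridLinkUserRights -Account "$env:USERDOMAIN\$env:USERNAME" -AccessGroups |
    Format-Table -AutoSize
```

The export reflects the effective local policy, so rights delivered by domain Group Policy appear as well; the running service only picks up a change after the restart described above.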
3. The user account (shadow account) specified in Access Groups under which AXIS is run
Please note that "Access Groups" feature is
only available under the service mode.
This account must have "Full Control"
permission on all AXIS and GridLink folders:
- AXIS program files folders
- Folders where you store your datasets
- DataLink source files folders
- Import/Export databases folders
- AXIS temporary files folder (default C:\SPARE)
- GridLink program files folders
This account must have
right in order to be impersonated.
Output to Excel Files
If you want to run batches with output to Excel files, please make sure the
shadow account has the permission to launch COM applications. Please
refer to section 2.2 for detailed instructions.