
Question

How to configure Laserfiche (server) to NOT be db_owner - least privileges

asked on December 23, 2020

We have begun an initiative to minimize service account privileges in our development environment and have started with the Laserfiche service. We are referencing the whitepaper, Building a Secure Laserfiche Ecosystem for Laserfiche, specifically the bottom of page 12:

After a repository has been created, the Laserfiche Server service account requires the following roles:
db_ddladmin to create tables for temporary data such as search results.
db_datawriter to write to the database.
db_datareader to read from the database.


We made those changes and were faced immediately with errors:

Details:

Error Code: 9008
Error Message: Error executing SQL command.
General database error. [9008]

------------ Technical Details: ------------

LFSO:
    Call Stack: (Exception)
        ProcessResponseHeaders
        InternalDoLogin
        LFSession::Login
        CLFConnection::Create
    Additional Details:
        HRESULT: 0xc0042330 (ProcessResponseHeaders, lfsession.cpp:4942)
         (LFSO/10.4.1.81)
LF.exe (10.4.1.193):
    Call Stack: (Exception)
        CLoginDialog::AttemptLogin
        CLoginDialog::LoginToServer
        CFolderTreeView::EnsureValidDatabase
    Call Stack: (Current)
        CLoginDialog::LoginToServer
        CFolderTreeView::EnsureValidDatabase
    Additional Details:
        Exception: 0x80042330 [9008] (Error executing SQL command.) (CLoginDialog::AttemptLogin at logindialog.cpp:796)
    Call History:
           CLFClientAutomation::ExecuteAutomationCommand (GetWindows)
           CLFClientAutomation::ExecuteAutomationCommand (GetWindowInfo)
            GetRepositoryProperties
           CLFClientAutomation::ExecuteAutomationCommand (GetInstanceInfo)
           CLFClientAutomation::ExecuteAutomationCommand (GetWindows)
           CLFClientAutomation::ExecuteAutomationCommand (GetWindowInfo)
            GetRepositoryProperties
           CLFClientAutomation::ExecuteAutomationCommand (GetInstanceInfo)

From the event viewer:

An error occurred when executing an SQL query, retrieving the results of a query, or otherwise communicating with the database server. Session ID=0; Dialog ID=0; Repository="ESD112-DEV"; Function=SysLogin; Message="[Microsoft][ODBC Driver 11 for SQL Server][SQL Server]The EXECUTE permission was denied on the object 'trustee_get_all_groups', database 'LF_Laserfiche', schema 'dbo'."; Statement="{call trustee_get_all_groups(:trustee_id<int,in>)}"; SQL Variable=""; SQL State="42000"

The above mentioned object, 'trustee_get_all_groups' is a stored procedure that is proprietary to Laserfiche. It is from within the Laserfiche database.

We actually predicted something like this would happen regarding stored procedures, so it wasn’t a big surprise. 

To clarify, we are seeking to know specifically what minimized settings the Laserfiche service needs on the SQL server to run all the stored procedures. Is there a select list of stored procedures that need specific permission? We are looking for the minimum privileges required for the Laserfiche application to fully work. 

Is there any documentation out there that actually paints the full picture better than the above mentioned whitepaper? I don't want to bash the whitepaper, it was good. I just need additional details. 

Backstory: I am in the K-12 Educational sector and we are configuring an environment to be FERPA compliant.

Thank you in advance!

Replies

replied on December 31, 2020

@████████, any suggestions?

@████████, I hear this is your area of expertise. Any tips?

replied on January 6, 2021

My general guidance is that the LFS account needs full rights to its database. Some permissions - like creating stored procedures, or updating table schema - aren't needed day-to-day, but will be required as you apply updates.

replied on January 6, 2021

Thanks, Brian. Unfortunately, we found that the stored procedures needed permission immediately. We followed these guidelines from the whitepaper:

After a repository has been created, the Laserfiche Server service account requires the following roles:
db_ddladmin to create tables for temporary data such as search results.
db_datawriter to write to the database.
db_datareader to read from the database.

Am I missing something? I just want to confirm. We would really like to get this going if possible. 

replied on July 6, 2023

I know I'm replying to this very late, but hopefully this will be helpful to someone in the future. What I found is that you have to explicitly grant the account rights to Delete, Execute, Insert, Select, and Update. The way you do this is to go to the Security/Schema/dbo node, double-click, and go to the Permissions tab. There you add the appropriate user, and use the checkboxes to Grant those 5 rights.

There are screenshots in this Stack Overflow answer.

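As an added example (not from this thread, the whitepaper, or Laserfiche itself), here is the same configuration expressed in T-SQL: the three roles from the whitepaper excerpt in the question plus the five schema-level grants from the reply above, followed by queries that confirm the account is not db_owner. It assumes the database name LF_Laserfiche seen in the event-log message and a placeholder service login [DOMAIN\svc_laserfiche]; replace both. The EXECUTE grant is the piece the three roles do not supply: db_datareader, db_datawriter and db_ddladmin carry no right to execute stored procedures, which is why the call to trustee_get_all_groups was denied.

```sql
-- Added example, not Laserfiche documentation. Placeholders: the login
-- [DOMAIN\svc_laserfiche] and (from the event log above) database LF_Laserfiche.
USE [LF_Laserfiche];
GO

-- 1. Map the service login to a database user; no db_owner membership anywhere.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'DOMAIN\svc_laserfiche')
    CREATE USER [DOMAIN\svc_laserfiche] FOR LOGIN [DOMAIN\svc_laserfiche];
GO

-- 2. The three roles the whitepaper lists (temp tables for search results, read, write).
ALTER ROLE db_ddladmin   ADD MEMBER [DOMAIN\svc_laserfiche];
ALTER ROLE db_datareader ADD MEMBER [DOMAIN\svc_laserfiche];
ALTER ROLE db_datawriter ADD MEMBER [DOMAIN\svc_laserfiche];
GO

-- 3. The five rights from the July 2023 reply, granted on the dbo schema.
--    EXECUTE at schema scope covers every stored procedure in dbo
--    (trustee_get_all_groups included) without listing procedures one by one.
GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE ON SCHEMA::dbo TO [DOMAIN\svc_laserfiche];
GO

-- 4a. Verify role membership: expect exactly db_ddladmin, db_datareader, db_datawriter.
SELECT r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'DOMAIN\svc_laserfiche';

-- 4b. Verify explicit grants: expect the five permissions above with class_desc = SCHEMA.
SELECT dp.permission_name, dp.state_desc, dp.class_desc
FROM sys.database_permissions AS dp
JOIN sys.database_principals AS p ON p.principal_id = dp.grantee_principal_id
WHERE p.name = N'DOMAIN\svc_laserfiche';
```

If either verification query shows db_owner or CONTROL, the account still holds more than the minimum discussed here. Brian's caveat about upgrades still applies: schema changes made by an update run under this reduced set only as far as db_ddladmin permits.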