It was mentioned in Empower 2021 that it is best to setup the Workflow account that is used to connect to a repository as a repository user instead of setting them up in Directory Server. Would the same hold true for other service accounts like Import Agent, Audit Trail, and Forms?
Question
Question
Best to Use Repository Users for all Service Accounts?
Answer
There's a marginal gain if the LFServer does not have to proxy your login to the Directory Server, and the resulting faster connection could add up to better performance in an application. But, we're talking milliseconds and Workflow pools connections, so really....marginal gain.
The other reason for using repository users is to absolutely positively ensure that this specific user will not be able to access other repositories.
The same is true for all background applications that log into the repository.
Replies
In general, yes. If you want to use Windows authentication between services, it means that the service needs to run as a domain account. You would prefer to run services as one of the low-trust service accounts built in to Windows, in accordance with the Principle of Least Privilege.
Brian, I apologize I wasn't very clear in my question. When I said service account, I meant the account that Workflow uses to access the repository. The same with the accounts that Import Agent, Audit Trail, and Forms would use to access the repository as well. I think the answer is the same, but just wanted to clarify.
Also, at what point do you start seeing performance degradation if an account like the one used for Workflow to connect to a repository is in LFDS vs. the repository?
I haven't timed it, but I'd expect you might see a (likely minuscule) difference if you have bursts of activity that would require Workflow to make lots of new connections in a very short period of time.