Data Warehouse Security Considerations
Estimate installations may span across multiple servers which must be able to communicate with one other. For example:
-
Services and Web applications require read & write access to databases.
-
Services that attach and detach database files require the SQL Server sysadmin role.
-
Services that start and stop SQL Server require the SQL Server sysadmin role.
-
Services and Web applications require read access to folders where application files reside.
Every service and Web application is assigned an identity under which it runs.
-
For a Service – the identity is defined on the Log On tab in the service’s Properties dialog box.
-
For a Web Application – the identity is defined by assigning the application to an application pool, and then defining the application pool’s identity in the pool’s Advanced Settings.
By default, services use identities that only have access to the local machine, such as the local System account. Local accounts cannot access resources on other computers. Since Estimate components must access resources (e.g., folders, files or service commands) on other computers, the default identities for all Estimate services must be changed.
It is recommended that you create a single network account for Estimate in Active Directory, and use it for all Estimate services. Give the account Log on as a service rights. On the Estimate SQL Server, add this account as a SQL Login and grant it the sysadmin role.
For Estimate Web applications, use the ASP.NET v4.0 application pool or create a new one just like it, and let that application pool use its own Application Pool Identity. Define credentials for accessing SQL Server in the application’s web.config file.
Job Consolidation Settings Considerations
Consider these questions as a planning worksheet prior to installing the Data Warehouse.
| Section |
Description |
|---|---|
|
RW. 1 |
What is the name of the Estimate application server where the Job Consolidation service will be installed? |
|
RW. 2 |
What is the name of the computer where the InEight Estimate Server service runs? |
|
RW. 3 |
What is the name of the database server computer where HDWarehouse will be stored? This database can become very large, and is a heavy consumer of system memory and disk I/O. For optimal performance, the HDWarehouse database should reside on a SQL Server computer separate from the SQL Server computer where Estimate jobs and the HDExecute database are stored. |
|
RW. 4 |
What is the SQL Server instance name? |
|
RW. 5 |
Do you want to allow the Job Consolidation service to attach the HDWarehouse database if it becomes detached? This requires sharing the data folder on the SQL Server, and giving access to the Job Consolidation login identity. It also requires granting the sysadmin role, in SQL Server, to this login identity. |
|
RW. 5.1 |
If yes, share the data folder in advance, and document the share name. Permit the Estimate network login Full Control. |
|
RW. 5.2 |
If no, be aware that the Job Consolidation service will fail to start whenever HDWarehouse is not attached. An error will appear in the JobConsolidationServer.log file. |
|
RW. 6 |
Where will your Data Warehouse data be stored? Create a folder to contain database data and log files. You will most likely want to select a different location than the default application folder, because Estimate applications are not likely to be installed on the database server. |
|
RW. 6.1 |
What is the path to this data folder, from the database server’s perspective? For example, if the files on the SQL Server are at C:\HD Data, then from the SQL Server’s perspective, the path is exactly that: C:\HD Data. |
|
RW. 6.2 |
What is the path to this data folder, from the application server’s perspective? For example, if the files on the SQL Server are at C:\Estimate Data, and that folder is shared as EstimateData, then from the application server’s perspective the file path is \\<dbserver>\estimatedata. |
|
RW. 7 |
How many jobs should the Job Consolidation server be allowed to update in the Data Warehouse, at one time? By default, Job Consolidation will update two jobs in one time. Other jobs wait in queue. Larger jobs require more memory, so this setting can be adjusted according to the typical size of your Estimate jobs, and according to how much memory is available on your Job Consolidation server. The default is 2 (minimum 1, maximum 10). |