Requirement 2

Your decision to run the CA Automation Point Desktop as an administrator or as a standard user may vary based on the Windows operating system that you run at your site.

Windows Server 2003

Starting the Automation Point Desktop using AP Autostart Manager or AP Remote Viewer

The user name specified in the "Automation Services Startup Options" dialog and/or the "Remote Viewing" dialog must be a member of the Administrators group.

Starting the Automation Point Desktop as an Application

The CA Automation Point Desktop is started as an application when you start it from the Windows Start Menu. In this situation, you can run the Automation Point Desktop as either an administrator or a standard user.

In addition to the ‘privileges required for standard users’, which are listed below, if you are running the Automation Point Desktop as a standard user on Windows Server 2003, you must also assign the user Read permission for the following Windows registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib 

A standard user does not have this permission by default on Windows Server 2003. You can assign Read permission to this registry key using the apAddRegRead program.

Windows Server 2008

Running the Automation Point Desktop as a Standard User

Typically, it is easiest to configure the Automation Point Desktop as a standard user and assign to that user the ‘privileges required for standard users’, which are listed below. Such a configuration works when the Automation Point Desktop is started from the AP Autostart Manager, the AP Remote Viewer, or the Windows Start Menu.

Autostarting the Automation Point Desktop as an Administrator

You can start the Automation Point Desktop from the Windows Start Menu as an administrator with no special configuration. However, if you choose to start the Automation Point Desktop from the AP Autostart Manager or the AP Remote Viewer as a user who is a member of the Administrators group (but who is not the built-in Administrator), you must reconfigure a value in the Windows User Account Control (UAC) security settings.

Beginning with Windows Vista, Microsoft has included an enhanced security feature called User Account Control (UAC). A primary function of this UAC component is to prompt the user for acknowledgment when a program elevates into a privileged state. Because the Automation Point Desktop can require one or more advanced privileges, UAC displays an interactive prompt for acknowledgment before allowing execution of the Automation Point Desktop. No interactive prompt displays when you start the Automation Point Desktop using either the AP Autostart Manager or the AP Remote Viewer. Therefore, the prompt goes unanswered and the application appears to hang. The application can then only be stopped using the Windows Task Manager. You can prevent this hang by reconfiguring a value in the Windows UAC security settings.

To reconfigure UAC so that the AP Autostart Manager and the AP Remote Viewer can start the Automation Point Desktop as an administrator

  1. Log in as an administrator.
  2. From a Windows command prompt, type secpol.msc and press Enter.
  3. If a UAC prompt displays, click Continue.

    The Local Security Policy dialog displays.

  4. Navigate to the following tree item located in the left pane of this dialog: Security Settings, Local Policies, Security Options.
  5. To run the Automation Point Desktop using the built-in ‘Administrator’ account, find the following security policy in the right pane of this dialog:

    ‘User Account Control: Admin Approval Mode for the Built-in Administrator account’.

    The Windows default value for this UAC setting is ‘Disabled’. If that is your current value, no change is required to run the Automation Point Desktop as the built-in Administrator.

  6. To run the CA Automation Point Desktop using a member of the local ‘Administrators’ user group (who is not the built-in ‘Administrator’), find the following security policy in the right pane of this dialog:

    ‘User Account Control: Run all administrators in Admin Approval Mode’.

    The Windows default value for this UAC setting is ‘Enabled’. This value must be changed to ‘Disabled’ to run the Automation Point Desktop as an administrator other than the built-in Administrator.

    Important: Setting this value to ‘Disabled’ reduces the overall security of your system. For this reason, only choose this option if your corporate policy prevents you from running the Automation Point Desktop as a standard user.

  7. Double-click the appropriate security policy entry, and make sure the Disabled radio button is selected.
  8. Click OK on the Security Policy dialog to save your changes (if any).

Note: This configuration setting will affect all applications.
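
A read-only way to record the state of the two policies from steps 5 and 6 before and after the change, given as an added PowerShell example that is not part of the CA documentation. It assumes the standard registry values that back these policies (FilterAdministratorToken and EnableLUA under the Policies\System key); the function name Get-UacPolicyState is hypothetical.

```powershell
# Added example: read-only audit of the two UAC policies named in the procedure.
# Nothing is modified; run from an elevated or non-elevated prompt.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Policy display name -> backing registry value and Windows default
# (1 = Enabled, 0 = Disabled), as stated in steps 5 and 6.
$uacPolicies = @(
    @{ Policy  = 'User Account Control: Admin Approval Mode for the Built-in Administrator account'
       Value   = 'FilterAdministratorToken'
       Default = 0 },
    @{ Policy  = 'User Account Control: Run all administrators in Admin Approval Mode'
       Value   = 'EnableLUA'
       Default = 1 }
)

# Hypothetical helper name; returns one object per policy.
function Get-UacPolicyState {
    param([string]$KeyPath = $policyKey)

    $props = Get-ItemProperty -Path $KeyPath -ErrorAction Stop
    foreach ($p in $uacPolicies) {
        $raw = $props.($p.Value)
        # Assumption: a value that was never written is reported as the default.
        if ($null -eq $raw) { $raw = $p.Default }
        $state = if ($raw -eq 0) { 'Disabled' } else { 'Enabled' }

        New-Object PSObject -Property @{
            Policy           = $p.Policy
            RegistryValue    = $p.Value
            State            = $state
            IsWindowsDefault = ($raw -eq $p.Default)
        }
    }
}

$result = Get-UacPolicyState
$result | Format-List Policy, RegistryValue, State, IsWindowsDefault

# Step 6 weakens UAC for every application, so make that state visible.
$lua = $result | Where-Object { $_.RegistryValue -eq 'EnableLUA' }
if ($lua.State -eq 'Disabled') {
    Write-Warning 'Admin Approval Mode is Disabled for all administrators; this affects all applications on this system.'
}
```

A change to EnableLUA takes effect only after a restart, so the value read here can differ from the running behavior until the server has been rebooted.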

Privileges Required for Standard Users

Regardless of operating system, if your site uses the following features and chooses to run the Automation Point Desktop as a standard user, you must assign the following rights to that standard user:

If you do one of the following:

then the CA Automation Point user must have the following user right:

If you monitor the Windows Security Event log, the CA Automation Point user must have the following rights: