Previous Topic: OverviewNext Topic: Create a SharePoint Preclassification Scan

Content Classification Service Integration GuidePreclassification ScansUser Accounts for Preclassification Agent

User Accounts for Preclassification Agent

To create a preclassification scanning job, you must provide credentials for two Windows domain users:

Job Setup User

The Job Setup user is the Windows account that you use to log onto the server hosting the preclassification agent and Administration console. The Administration console uses the Job Setup user to connect to the preclassification agent when you create or manage scanning jobs.

The Job Setup User must have write access to the \FSA\Jobs subfolder on the preclassification agent host server. Find this subfolder in CA's folder in the Windows All Users profile on the machine hosting the preclassification agent.

Run As User

The Run As user is the account that a scanning job runs as. You specify the Run As user when you schedule a scanning job using the Job Definition wizard.

When choosing a Run As user, we recommend that you choose a bespoke account created for exclusive use by scanning jobs. This is because it is essential that nobody logs onto a scanned machine using the Run As account while a scheduled scan is running.

Account Requirements for SharePoint Scans

Preclassification scans use the SharePoint Object Model to scan documents. Therefore, a Run As account that only has permission to browse files using HTTP is not enough. The Run As User account must have the following permissions:

  • Domain User with Local Administrator rights on the SharePoint front-end web server that hosts the preclassifcation agent.
  • A member of the MSSQL db_owner role for the SharePoint configuration database and any SharePoint content databases that contain the site data being scanned.
Create a Bespoke Account for the Run As user

Important! When a scheduled scanning job is running, nobody must log onto the target machine using the same account as the preclassification agent!

If a user and the preclassification agent are logged on to the same computer , at the same time, and using the same Windows user account, this can adversely affect the scanning job. The job may terminate prematurely or it may even fail to respond to attempts to terminate it manually.

For this reason, we recommend that the Run As User is a bespoke accounts created for exclusive use by the CCS preclassification agent. Do not choose a Run As user that corresponds to a real user account if there is any possibility that this user will be logged on to the target machine while a scheduled scanning job runs.

Avoid this situation! The classic mistake is when a network administrator schedules a scanning job and enters their own domain account as the Run As user (because they know that they have access to all the required scan locations). While performing an unrelated task, they subsequently log on to the target machine while the scan is in progress, so causing the scan to fail.