Pre-deployment account survey - Devolutions Documentation

Prior to deployment of a Devolutions Server instance, some accounts are needed to operate the various services involved in a secure deployment of Devolutions Server. The first decision is to use either domain accounts for operating the platform, or to use local SQL accounts paired with local service accounts. Since this decision is a matter of personal preference, we support both models.

Before proceeding, please take the following into account:

The names used in this guide are to ease comprehension of the role fulfilled by the account. Our documentation uses these names as well, but there is no requirement that you use them.
The following accounts interacting with the SQL database will be granted the least privileges permissions from scripts that will run during the creation and the upgrade of the Devolutions Server instance.

Domain-based operation (integrated security option)

The Administration credentials needs read permissions on the AD structure, and does NOT perform any changes to your directory. In most cases, it should be sufficient. Sadly, because of a side effect of how the net Directory Services are built, there is an issue when that account tries to read properties of AD groups that may reside in a protected area of your directory. The easiest fix was to grant full admin permissions, but we are looking into implementing a better fallback strategy to handle the case where access is denied. It may require higher privileges than being part of the Domain Users built-in Active Directory group.

#	Name	ORIGIN	DESCRIPTION	SET IN...
1	VaultDBOwner	AD	Account with full privileges on the DB. It needs the DB Creator right and the Alter any login securable in SQL. Account used to log in the Windows server and to install/upgrade Devolutions Server.	Interactive Windows session used to run the installation/upgrade of a Devolutions Server instance. This account must be a local administrator of the Devolutions Server host machine.
2	VaultDBRunner	AD	Least-privileged account to run the web application. Used to connect to the Database and to read from the file system. Account used by the IIS application pool. No need for specific permission since the installation script of Devolutions Server will give the account the permission needed on the SQL DB.	IIS Application pools that are running a Devolutions Server Instance.
3	VaultADReader	AD	Least-privileged account to query the AD. (Optional) Account configured in the Devolutions Server to use domain authentication.	Devolutions Server Instance Settings - Administration credentials.
4	VaultDBSchedulerService	AD	Least-privileged account to operate the scheduler service. Used to connect to the DB and to read/write from the file system. Account used by the Windows service. Click here for more information. No need for specific permission since the installation script of Devolutions Server will give the account the permission needed on the SQL DB.	Windows Service Control Manager.

Non-domain based operation or Azure SQL environment

On a non-domain-based deployment, a single connection string is used for three different aspects of the system. This will be improved in a future release to respect the least-privilege principle.

For Azure SQL hosted database, domain-based operation (integrated security option) is not supported.

#	NAME	ORIGIN	DESCRIPTION	SET IN...
1	VaultDBOwner	SQL	Account with full privileges on the DB. It needs the DB Creator right and the Alter any login securable in SQL.	The Devolutions Server Console only for installation/upgrade sessions.
2	VaultDBRunner	SQL	Least-privileged account to run the web application. No need for specific permission since the installation script of Devolutions Server will give the account the permission needed on the SQL DB.	The Devolutions Server Console for operations of the instance.
3	VaultADReader	AD	Least-privileged account to query the AD through LDAP. (Optionnal) Account configured in the Devolutions Server to use domain authentication.	Devolutions Server Instance Settings - Administration credentials.
4	VaultDBSchedulerService	SQL	Least-privileged account to operate the scheduler service. Used to read/write from the file system. No need for specific permission since the installation script of Devolutions Serverwill give the account the permission needed on the SQL DB.	Devolutions Server Console – Scheduler service. The database access will be performed by the single ConnectionString that is the subject of the informational note above.