Required Permissions
The IQService supports configuration of the minimum permissions. The sources supporting IQService minimum permissions are:
- Active Directory
- Microsoft SharePoint Server
Prerequisites
- The IQService must have been installed with admin permission.
- A domain user or local user can be used to run the IQService with the minimum required permission.
Note
If the IQService host machine is not added to any domain, you must use a Windows local user instead of a domain user.
Note
The IQService can run under the user context of a minimum-permission user or a gMSA user. Ensure the user has the proper minimum permissions.
Steps for running service with minimum permission user
- Install the IQService with admin permission.
- In the registry, assign full permissions to the domain user, local user, or gMSA user created previously (as mentioned in the Prerequisites) on the key of the IQService instance that is installed and needs to be run.
Note
The default registry location is Computer\HKEY_LOCAL_MACHINE\SOFTWARE\SailPoint\IQService Instances\IQService-InstanceName
Steps to assign full permissions to the user that is required to manage the IQService instance
- Assume a new IQService instance (IQService-InstanceName) is installed on the machine.
- Navigate to the registry and search for the SailPoint registry hive: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\SailPoint\IQService Instances\IQService-InstanceName
- Right-click the instance key and select Permissions.
- Add the required user and assign Full Control permission. Save the changes.
- Use the same user for "log on as service" from the Services tab for the IQService instance.
- Restart the IQService so that it runs as the user defined above.
The log file must also grant the user the permission required to write files. The IQService instance folder must also have the required permissions.
To enable TLS for IQService, the normal user or gMSA user must have full permission to access the IQService certificate that is required for secure TLS communication between Identity Security Cloud and IQService. Perform the following:
- On the IQService host, navigate to the Personal folder (on Local System) where the certificate exists.
- Add Full Control access on the certificate to the user:
- Right-click the IQService certificate > All Tasks > Manage Private Keys > Add user > Full Control > OK
- Add the user that is used for managing the IQService and grant it full permission.
Note
For managing the Skype for Active Directory Connector, IQService must be running in Admin mode only.
Note
Also, for managing Before/After scripts, the user must have the permission required to execute the cmdlets in the script.
Configuring IQService to use gMSA as a service account for Active Directory
For every gMSA that will be used during Active Directory source configuration, the PrincipalsAllowedToRetrieveManagedPassword permission must be granted to the IQService Log On user.
Add the following permission to the Log-On User of the IQService using the Active Directory PowerShell module:
Set-ADServiceAccount -Identity <gMSA-SAMAccountName> -PrincipalsAllowedToRetrieveManagedPassword "<IQService-LogOn-User>"
For example,
Set-ADServiceAccount -Identity Aug13u1$ -PrincipalsAllowedToRetrieveManagedPassword IQserviceuser1
Refer to Using gMSA as a Service Account for more information.
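The registry, service log-on, instance folder and gMSA steps above can be verified from PowerShell once the setup is done. The following audit script is an added example, not SailPoint's or the IQService product's own code; it assumes the default registry path given on this page, that the Windows service name contains the instance name, that the instance folder is the folder holding the service executable, and that the gMSA grant is made directly to the Log On user (group membership is not expanded).

```powershell
param(
    [Parameter(Mandatory)] [string] $InstanceName,    # the "IQService-InstanceName" placeholder above
    [Parameter(Mandatory)] [string] $ServiceAccount,  # e.g. CORP\iqsvc, .\iqsvc or CORP\iqgmsa$ (constructed names)
    [string] $GmsaName                                # optional: gMSA used by the Active Directory source
)
# Local accounts appear as MACHINE\user in ACLs but are often typed as .\user; normalise both forms.
function Normalize-Account([string] $Name) { return ($Name -replace '^\.\\', "$env:COMPUTERNAME\") }
$account  = Normalize-Account $ServiceAccount
$findings = New-Object System.Collections.Generic.List[string]
# 1. Registry: the Log On user needs Full Control on the instance key (default location from this page).
$keyPath = "HKLM:\SOFTWARE\SailPoint\IQService Instances\$InstanceName"
$full = [System.Security.AccessControl.RegistryRights]::FullControl
$hasFull = (Get-Acl -Path $keyPath).Access | Where-Object {
    (Normalize-Account $_.IdentityReference.Value) -ieq $account -and
    $_.AccessControlType -eq 'Allow' -and (($_.RegistryRights -band $full) -eq $full)
}
if (-not $hasFull) { $findings.Add("registry: $account lacks Full Control on $keyPath") }
# 2. Service: the 'Log On As' account (Win32_Service.StartName) must be the same user.
#    Assumption: the Windows service name contains the instance name.
$svc = Get-CimInstance Win32_Service | Where-Object Name -like "*$InstanceName*" | Select-Object -First 1
if (-not $svc) {
    $findings.Add("service: no Windows service matching *$InstanceName* found")
} else {
    if ((Normalize-Account $svc.StartName) -ine $account) {
        $findings.Add("service: $($svc.Name) logs on as '$($svc.StartName)', expected '$account'")
    }
    # 3. Instance folder (executable and log files): the account needs write access, checked here as Modify.
    #    Assumption: the instance folder is the folder that holds the service executable.
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
    $folder = Split-Path -Path $exe
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    $canWrite = (Get-Acl -Path $folder).Access | Where-Object {
        (Normalize-Account $_.IdentityReference.Value) -ieq $account -and
        $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $modify) -eq $modify)
    }
    if (-not $canWrite) { $findings.Add("folder: $account cannot write to $folder") }
}
# 4. gMSA used by the AD source: the Log On user must be allowed to retrieve its managed password.
#    Only a direct grant is detected; a grant through group membership is not expanded here.
if ($GmsaName) {
    Import-Module ActiveDirectory
    $sam   = ($ServiceAccount -split '\\')[-1]
    $logon = Get-ADObject -Filter "sAMAccountName -eq '$sam'"
    $gmsa  = Get-ADServiceAccount -Identity $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword
    if ($logon.DistinguishedName -notin $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
        $findings.Add("gmsa: $sam is not in PrincipalsAllowedToRetrieveManagedPassword of $GmsaName")
    }
}
if ($findings.Count -eq 0) { 'OK: minimum-permission setup looks complete' } else { $findings }
```

Run it from an elevated PowerShell session on the IQService host, because reading the registry key's security descriptor and querying the service require admin rights even though the service itself does not.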