Understanding service account configuration

AX Server is installed with three Windows Services which perform most of the application functions on the server. Each of the services is configured during installation based on the Windows user account you select to run the service. The following sections outline the security considerations and configuration requirements for each of these services.

ACL Analytics Exchange Geronimo

The ACL Analytics Exchange Geronimo service is installed on the AX Server and each AX Engine Node you configure. You need to select an existing domain account, or create a new domain account, to run the ACL Analytics Exchange Geronimo service. The user account you choose must be able to access the folders specified for the Data directory and Archive and restore data directory in the AX Server Configuration web application.

Read and write permissions are required for the Data directory folder. The permissions must be configured manually if the folder is on a different server, or if the user account doesn’t have rights to the specified folder by default. The setup wizard assigns the local permissions on the server required to run the service.

Full permissions are required for the Archive and restore data directory, and the user account must be configured manually if the user account does not have rights to the specified folder by default.

If your installation has multiple instances of the ACL Analytics Exchange Geronimo service running on different servers, you should create a domain account with the rights required to run the service and access AX Server data before you install the system, and specify that account to run the ACL Analytics Exchange Geronimo service in each setup wizard.

If AX Link is installed on a server that will run AX Server analytics that include Direct Link-specific commands, either on AX Server or AX Engine Node, the user account configured to run the ACL Analytics Exchange Geronimo service must also have sufficient permissions to run saplogon.exe and sapgui.exe. Typically, this requires that Full Control permissions be assigned to the folder where these files are installed. The default location is C:\Program Files\SAP\FrontEnd\SAPgui.

Using the built-in Local System account to run the service is not supported. This account does not have the appropriate privileges to run some ACL commands.

ACL Analytics Exchange Connector

The AX Server setup wizard configures the AX Connector service to use the Local System account. You can change the account used to either a local user account on the server or a domain account provided that the account you specify has the rights required to run the service and read and write data to the appropriate locations in the file system.

ACL_AXDatabase - PostgreSQL

The PostgreSQL database server setup wizard configures the PostgreSQL service with all of the necessary local permissions on the server required to run the service. You can use an existing local user account on the server, have the installer create a new local user account, or you can specify a domain account. You cannot use the built in Local System account to run the service because the database server must access network resources, which the Local System account does not permit. The Windows Service is installed on the sever where PostgreSQL is installed, and it is only present if you use PostgreSQL as your database platform.


(C) 2015 ACL Services Ltd. All Rights Reserved.