Run Apis Management Studio as a user with limited rights
Limitation:
- Apis Foundation must be installed by a user with local administrator rights.
- Apis Foundation (Windows) services cannot be started or stopped by users with limited rights; this is the nature of the operating system.
The following tasks must be fulfilled:
- Give the user appropriate DCOM rights.
- Give the user appropriate registry rights.
- Restart Honeystore and ApisHive services.
The examples below show how to set up the operating system to allow a “standard” user to run Apis Management Studio and connect to ApisHive and ApisHoneystore instances.
In this example:
- The “standard” user with limited rights is named AMSUser (Apis Management Studio User).
- The operating system is Windows Server 2016 (the procedure is the same on other systems, but the dialogs look a bit different).
- The computer is not a member of a domain.
Give the user appropriate DCOM rights
In principle, the AMSUser must have DCOM access rights to the ApisHive instance(s) and Apis Honeystore. This can be done in several ways in DCOM configuration: through default settings, groups, etc. Here is one of several possible procedures:
Start DCOM configuration. In Component Services, for ApisHive, on the Security tab, edit Access permissions.
Add the AMSUser user and give it Local Access permission.
Still in Component Services, now select ApisHoneystore Properties / Security / Access permissions.
Add the AMSUser user and give it Local Access permission.
Still in Component Services, now select My Computer / COM Security / Access permission / Edit Default.
Add the AMSUser user and give it Local Access permission.
Give the user appropriate registry rights
Give the user appropriate rights to the config part of the registry
Open the registry editor and navigate to the following keys in order:
- HKEY_LOCAL_MACHINE\SOFTWARE\Prediktor
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application
Right-click and select Permissions.
Add the AMSUser user and give it Full Control rights.
Setting registry permissions for the COM part of the registry
The user needs read/query access to the COM part of the registry, where information about COM classes is stored.
Add special permissions for HKEY_CLASSES_ROOT\CLSID
Open the registry editor and navigate to: HKEY_CLASSES_ROOT\CLSID
Right-click and select Permissions.
Press Add and specify the AMSUser user.
Select the added user and press the Advanced button.
In the next dialog, select the AMSUser user again and click the Edit button.
Click “Show advanced permissions”.
Make sure at least the permissions shown above are granted, and do NOT check “Only apply these permissions to objects and/or containers within this container”.
Press OK on the 3 open dialogs.
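To confirm the registry grants afterwards, the following read-only PowerShell check can be used. It is an added example, not part of the original Apis documentation; it assumes AMSUser is a local account on this computer and uses ReadKey as the read/query right for HKEY_CLASSES_ROOT\CLSID.

```powershell
# Added example (read-only): audits the registry grants described on this page.
# Assumption: AMSUser is a local account on this computer, as in the page's example.
$account = New-Object System.Security.Principal.NTAccount($env:COMPUTERNAME, 'AMSUser')
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier])

# Keys and rights named on the page. ReadKey stands in for "read/query access" (assumption).
$expected = @(
    @{ Path = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Prediktor'; Rights = 'FullControl'; Subkeys = $false }
    @{ Path = 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application'; Rights = 'FullControl'; Subkeys = $false }
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\CLSID'; Rights = 'ReadKey'; Subkeys = $true }
)

function Test-KeyGrant {
    param([string]$Path, [string]$Rights, [bool]$Subkeys, [string]$SidValue)
    $need = [System.Security.AccessControl.RegistryRights]$Rights
    $ci = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $np = [System.Security.AccessControl.PropagationFlags]::NoPropagateInherit
    # Explicit and inherited rules, with identities returned as SIDs for exact matching.
    $rules = (Get-Acl -Path $Path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -ne $SidValue) { continue }
        if ($r.AccessControlType -ne 'Allow') { continue }
        if (-not $r.RegistryRights.HasFlag($need)) { continue }
        # For CLSID the entry must reach subkeys: ContainerInherit set, and
        # NoPropagateInherit clear (the "Only apply these permissions..." box unchecked).
        $reachesSubkeys = $r.InheritanceFlags.HasFlag($ci) -and (-not $r.PropagationFlags.HasFlag($np))
        if ($Subkeys -and (-not $reachesSubkeys)) { continue }
        return $true
    }
    return $false
}

# One result row per key: the key, the right the page asks for, and whether it is granted.
foreach ($e in $expected) {
    [pscustomobject]@{
        Key      = $e.Path -replace '^Registry::', ''
        Required = $e.Rights
        Granted  = Test-KeyGrant -Path $e.Path -Rights $e.Rights -Subkeys $e.Subkeys -SidValue $sid.Value
    }
}
```

The check only matches entries granted directly to AMSUser; access that comes through a group membership is not reported.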
Restart Honeystore and ApisHive Services
Restart the Honeystore and ApisHive services to ensure that the DCOM security setting changes take effect.