Understanding the Microsoft Access Workflow Designer Configuration Security Model

This content is no longer actively maintained. It is provided as is, for anyone who may still be using these technologies, with no warranties or claims of accuracy with regard to the most recent product version or service release.
Summary: Server components of Microsoft® Access 2000 Workflow Designer for Microsoft SQL Server™ version 7.0 with Service Pack 1 (SP1) are affected by the configuration and security settings of the underlying platform. To function correctly, security settings for the following components must be set correctly: Microsoft Windows NT® 4.0 with Service Pack 5 (SP5), Distributed Component Object Model (DCOM), Microsoft Internet Information Services (IIS), Microsoft FrontPage® Server Extensions, and SQL Server. This article identifies the security components required by Microsoft Access Workflow Designer. (5 printed pages)
The server components of Microsoft® Access 2000 Workflow Designer for Microsoft SQL Server™ version 7.0 with Service Pack 1 (SP1) interact with several infrastructure components and, therefore, are affected by the security settings in each. The security model for a team solution is defined at the following levels:
- Microsoft Windows NT® 4.0 (SP5), including Distributed Component Object Model (DCOM) and Microsoft Internet Information Services (IIS)
- Microsoft FrontPage® Server Extensions
- Microsoft SQL Server 7.0 (SP1)
This article examines the configuration settings applied during installation and explains how you must manage them as part of your administration activities.
It is important to remember that if you change the security settings or user information in any one of the security components, you must make sure all of the security components identified here are changed. For additional information about how to change these settings, see the documentation for the specific component.
During installation of the server components, Microsoft Access Workflow Designer creates and sets a number of security accounts. This includes a Windows NT group, modAppOwners, which is used to define permissions for solution developers and owners. This group is the core of the Microsoft Access Workflow Designer security model and is used to define components in Windows NT, FrontPage, and SQL Server.
To set up the appropriate permissions, the user installing the Microsoft Access Workflow Designer server components must have administrator permissions on both the Windows NT server and on the SQL Server system.
Team Solution Owner Permissions
Microsoft Access Workflow Designer server components Setup creates a Windows NT group called modAppOwners. If you install the server components on a domain controller, this group is created as a domain group. Otherwise, it is created as a local Windows NT group. If this group already exists when you run Setup, Microsoft Access Workflow Designer uses the existing group to set security permissions. When the server components are uninstalled, the modAppOwners group is left intact, because you may have started using this for other purposes.
Note: You should remove the modAppOwners group if you have uninstalled Microsoft Office Developer and no longer require the group. Otherwise, members of the group will continue to have additional privileges beyond ordinary users in your Windows NT and SQL Server installation.
During installation, the currently logged-on user is added to this group. You can add additional users to this group using Windows NT User Manager. Any developers and others you add should be those you would trust to build or manage their team solutions.
As members of the modAppOwners group, these solution owners have special privileges:
- As FrontPage administrators on the root Web site, they can create new Web sites from within the Microsoft Access Workflow Designer administration tools, as well as from FrontPage, Visual InterDev®, and any other tool capable of creating FrontPage Web sites.
- With special privileges on SQL Server (see the section on Impersonation later in this article), they can create new solutions from templates, create offline publications, and otherwise manage their team solutions.
Launch and access privileges
The modAppOwners group is given DCOM launch and access privileges on the MODTBAD server component installed by Microsoft Access Workflow Designer. The MODTBAD component makes it possible for the Microsoft Access Workflow Designer administration tools to perform required activities on the server, such as template building and deployment.
DCOM has a property called identity. During Setup, this property is set to the Windows NT user that is used by SQL Server. This ensures the component has administrator privileges on the server.
Note: If you change the login password of the SQL Server account, you must change this password in multiple places, including DCOM. For details, search for "Passwords" in the Access Workflow Designer Administrator's Guide online documentation.
Additional Windows NT Privileges
Microsoft Access Workflow Designer Setup also gives Windows NT "advanced" privileges (SeAssignPrimaryTokenPrivilege and SeIncreaseQuotaPrivilege) to the Windows NT account under which SQL Server runs. To view or grant these rights, follow these steps as an administrator of the Windows NT Server:
- Click Start, point to Programs, point to Administrative Tools, and then click User Manager for Domains.
- On the User menu, click Select Domain, enter your machine name, and then click OK.
- Select a user or group in the lower window.
- On the Policies menu, click User Rights.
- Select the "Show Advanced User Rights" check box at the bottom of the dialog box.
Generally, these privileges are given to administrators while setting up Windows NT Option Pack components. However, if your installation of SQL Server is running as a different user, this new user may not have these privileges. In addition, these privileges are not available by default on domain controllers.
Note: If you change the Windows NT account SQL Server uses to log in to the domain, you must give these privileges to the new account. If the old account no longer exists, you must also change the MODTBAD DCOM identity property to this new account.
During installation of the Microsoft Access Workflow Designer server components, a SQL Server login is created for the modAppOwners Windows NT group. This login is added to the dbcreator fixed server role. By using Windows NT integrated security, database security can be managed more easily using the modAppOwners group.
In addition, this login is given these privileges:
- a database user (dbuser) in the modSystem database
- member of db_ddladmin in the modSystem database
- member of db_owner of every database that is deployed using the Microsoft Office Developer tools
- execute privileges on several Microsoft Office Developer stored procedures and extended stored procedures
Typically, a database owner is not permitted to enable a database for publishing; this task is usually reserved for system administrators. However, the Microsoft Access Workflow Designer security model requires solution developers and administrators to be able to enable and disable their databases for publishing, as well as to create publications.
As a result, a special extended stored procedure that runs in the security context of the system administrator is used. In addition, the modAppOwners group is given execute privileges on this extended stored procedure. Among other things, this stored procedure makes it possible for developers and administrators using the Microsoft Access Workflow Designer tools to set database-level properties.
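Because the article states that every security component must be kept in step when the modAppOwners group changes, an administrator will want a repeatable way to check what that group holds on SQL Server and to remove it after an uninstall. The following Transact-SQL script is an added example written for this page, not code from the article or from the Workflow Designer Setup program. It covers both the server and database privileges listed above and the execute permission on the system-administrator-context extended stored procedure. The server name WFSERVER is a placeholder, and the extended stored procedure name xp_placeholder is an assumption, because the article does not name the procedure; substitute the names from your installation.

```sql
-- Added audit/cleanup script for the modAppOwners SQL Server login.
-- Written for this page; not part of the original article or of Setup.
-- Assumptions (placeholders): the server is WFSERVER, so the Windows NT
-- group login is WFSERVER\modAppOwners; xp_placeholder stands in for the
-- extended stored procedure the article describes but does not name.
-- Uses the SQL Server 7.0 system stored procedures of that era.

---------------------------------------------------------------------
-- Part 1: audit. Compare the output with the privileges the article
-- says Setup grants: dbcreator, user + db_ddladmin in modSystem,
-- db_owner in deployed databases, EXECUTE on the Office Developer
-- stored procedures and extended stored procedures.
---------------------------------------------------------------------

-- Server level: is there a login for the Windows NT group, and which
-- logins currently hold the dbcreator fixed server role?
EXEC sp_helplogins 'WFSERVER\modAppOwners'
EXEC sp_helpsrvrolemember 'dbcreator'

-- modSystem: does the login map to a database user, and is that user a
-- member of db_ddladmin?  sp_helprotect lists every permission granted
-- to the user, including EXECUTE on the Office Developer procedures.
USE modSystem
EXEC sp_helpuser 'WFSERVER\modAppOwners'
EXEC sp_helprolemember 'db_ddladmin'
EXEC sp_helprotect NULL, 'WFSERVER\modAppOwners'

-- master: extended stored procedures live here, so the EXECUTE grant on
-- the procedure that runs in the system administrator's context shows
-- up in this listing.  Anything unexpected here deserves attention,
-- since it runs with more privilege than the caller has.
USE master
EXEC sp_helprotect NULL, 'WFSERVER\modAppOwners'

-- Deployed solution databases: the group is db_owner in each one.
-- Run this in every database deployed with the Office Developer tools.
-- USE <deployed database>
-- EXEC sp_helprolemember 'db_owner'

---------------------------------------------------------------------
-- Part 2: cleanup, for use only after the Office Developer components
-- have been uninstalled and the Windows NT group is no longer needed
-- (the article's note says the group itself is left behind).  Order
-- matters: database roles and users first, then server role, then login.
---------------------------------------------------------------------

USE master
REVOKE EXECUTE ON xp_placeholder FROM [WFSERVER\modAppOwners]

USE modSystem
EXEC sp_droprolemember 'db_ddladmin', 'WFSERVER\modAppOwners'
EXEC sp_revokedbaccess 'WFSERVER\modAppOwners'

-- Repeat in each deployed solution database:
-- EXEC sp_droprolemember 'db_owner', 'WFSERVER\modAppOwners'
-- EXEC sp_revokedbaccess 'WFSERVER\modAppOwners'

USE master
EXEC sp_dropsrvrolemember 'WFSERVER\modAppOwners', 'dbcreator'
EXEC sp_revokelogin 'WFSERVER\modAppOwners'
```

Run Part 1 from a sysadmin connection after installation and again whenever the group's membership or the SQL Server service account changes, and keep the output with your configuration records. Part 2 removes the SQL Server side of the group; the Windows NT group, the DCOM launch and access permissions on MODTBAD, and the FrontPage administrator role are separate components that the script does not touch and that must be cleaned up with their own tools, as the article describes.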
For the latest information about Microsoft Access Workflow Designer for SQL Server, see the Microsoft Office Developer Web site http://www.microsoft.com/office/developer.
To access Knowledge Base information, consult the Product Support section of the Microsoft Office Developer Web site.
For information about developing and managing team solutions, consult the Access Workflow Designer Developer's Guide and the Access Workflow Designer Administrator's Guide in the online documentation.