---
alias: installation-guide-accountsandsecurity
description: "This guide outlines security account configurations for Critical Manufacturing MES components and their access permissions"
---

# Accounts and Security

This guide will walk you through the process of planning and preparing the security objects required by Critical Manufacturing MES.

## Critical Manufacturing Windows Services Account

All Critical Manufacturing services are created to run under an account that is configured at deployment time in the installation wizard. To better understand service user accounts, please refer to this [section](https://docs.microsoft.com/en-us/windows/desktop/ad/service-logon-accounts) of the Microsoft documentation.

As a reminder, please make sure that your service user account:

* Has been granted the **Log on as a service** right on the host computer
* Has permissions to access the network shares and the deployment folder
* If Remote Shipping is used, is able to read/write the queues created for Remote Shipping
* Has a password that never expires, or there is a company mechanism to renew it before it expires

## SQL Server Accounts

If the database system was deployed in Always On Availability Groups, it is fundamental to run all instances of the same component (example: Database Engine) under the same account.

Additionally, unless there is a critical security requirement forcing otherwise, it is recommended to use the same account for all the SQL Server components:

* Microsoft SQL Server User Account
* Microsoft SQL Server Analysis Services User Account
* Microsoft SQL Server Reporting Services User Account

If the account hosting Reporting Services is not the same as the one hosting the Critical Manufacturing services, the Critical Manufacturing services user must be granted administration privileges in Reporting Services.

## ClickHouse

To communicate with ClickHouse, Critical Manufacturing MES uses traditional username and password authentication.
To operate correctly, the user must have permissions to create and alter the databases related to MES (including but not limited to the default ClickHouse database), which typically have the **SystemName** prefix followed by a pertinent suffix (example: **SystemName**CDM). For more information, see [Access Control Lists (ACLs)](../../../systemrequirements/persistency-layer/external-components/clickhouse-data-platform/#access-control-lists-acls).

For the backup and recovery procedures described in [[operation-guide-clickhouse-backupandrestoreoverview]], ClickHouse must have access to the S3 storage server used by the MES.

## Kafka

To communicate with Kafka, Critical Manufacturing MES provides two forms of authentication:

* Mutual TLS (client certificates)
* SASL Plain (username and password)

In terms of access, the user must be granted the following permissions:

* Topic permissions:
    * Alter
    * AlterConfigs
    * Create
    * Delete
    * Describe
    * DescribeConfigs
    * Read
    * Write
* Consumer group permissions:
    * Read
    * Delete
    * Describe
* Cluster permissions:
    * AlterConfigs
    * Create
    * Describe
    * DescribeConfigs

!!! note
    These permissions must be granted to resources with the prefix **SystemName** and **_SystemName**.

## RabbitMQ

No additional account or security requirements apply to the RabbitMQ installation.

## S3

No additional account or security requirements apply to the S3 installation.
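The Kafka permission list in this guide is easiest to verify against what a broker actually holds. The script below is an added example written for this guide (it is not Critical Manufacturing code and is not part of the MES installer): it parses the output of `kafka-acls.sh --list` for a given principal and reports, per required resource pattern, which operations are missing and which extra ALLOW operations go beyond the list, so the account stays at least privilege. The sample output is constructed, modelled on the tool's `ResourcePattern(...)` / `(principal=..., operation=..., permissionType=...)` format; the principal name `User:mes` and the cluster resource name `kafka-cluster` are assumptions. Topic and consumer-group ACLs are expected as PREFIXED patterns on **SystemName** and **_SystemName**, as the note above requires; the cluster ACL is checked on the single LITERAL cluster resource.

```python
"""Check a Kafka principal's ACLs against the operations this guide requires.

Added example for this guide, not Critical Manufacturing's own code.
The sample `kafka-acls.sh --list` output below is constructed.
"""
import re
from collections import defaultdict

# Required operations per resource type, spelled as the guide (and the
# kafka-acls CLI) spell them.
REQUIRED = {
    "TOPIC": ["Alter", "AlterConfigs", "Create", "Delete", "Describe",
              "DescribeConfigs", "Read", "Write"],
    "GROUP": ["Read", "Delete", "Describe"],
    "CLUSTER": ["AlterConfigs", "Create", "Describe", "DescribeConfigs"],
}

_RESOURCE_RE = re.compile(r"resourceType=(\w+), name=([^,]+), patternType=(\w+)")
_ENTRY_RE = re.compile(
    r"principal=([^,]+), host=[^,]+, operation=(\w+), permissionType=(\w+)")


def canon(op):
    """The list output prints ALTER_CONFIGS where the CLI takes AlterConfigs;
    compare operations case- and underscore-insensitively."""
    return op.upper().replace("_", "")


def parse_acl_list(text):
    """Return {(resourceType, name, patternType): {principal: set(ops)}},
    keeping only ALLOW entries (DENY entries never satisfy a requirement)."""
    granted = defaultdict(lambda: defaultdict(set))
    current = None
    for line in text.splitlines():
        m = _RESOURCE_RE.search(line)
        if m:
            current = (m.group(1), m.group(2), m.group(3))
            continue
        e = _ENTRY_RE.search(line)
        if e and current and e.group(3) == "ALLOW":
            granted[current][e.group(1)].add(e.group(2))
    return granted


def expected_resources(system_name):
    """Resource patterns the guide calls for: prefixed topics and groups for
    SystemName and _SystemName, plus the cluster (assumed name kafka-cluster)."""
    res = []
    for rtype in ("TOPIC", "GROUP"):
        for prefix in (system_name, "_" + system_name):
            res.append((rtype, prefix, "PREFIXED"))
    res.append(("CLUSTER", "kafka-cluster", "LITERAL"))
    return res


def check_acls(list_output, principal, system_name):
    """Map (resourceType, name) -> {"missing": [...], "extra": [...]}."""
    granted = parse_acl_list(list_output)
    report = {}
    for rtype, name, ptype in expected_resources(system_name):
        have = granted.get((rtype, name, ptype), {}).get(principal, set())
        have_canon = {canon(op) for op in have}
        req_canon = {canon(op) for op in REQUIRED[rtype]}
        report[(rtype, name)] = {
            "missing": sorted(op for op in REQUIRED[rtype] if canon(op) not in have_canon),
            "extra": sorted(op for op in have if canon(op) not in req_canon),
        }
    return report


# Constructed sample: _SystemName topics lack several operations, the
# _SystemName consumer group has no ACLs at all, and the cluster carries an
# ALTER grant the guide does not ask for.
SAMPLE_LIST_OUTPUT = """\
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=SystemName, patternType=PREFIXED)`:
    (principal=User:mes, host=*, operation=ALTER, permissionType=ALLOW)
    (principal=User:mes, host=*, operation=ALTER_CONFIGS, permissionType=ALLOW)
    (principal=User:mes, host=*, operation=CREATE, permissionType=ALLOW)
    (principal=User:mes, host=*, operation=DELETE, permissionType=ALLOW)
    (principal=User:mes, host=*, operation=DESCRIBE, permissionType=ALLOW)
    (principal=User:mes, host=*, operation=DESCRIBE_CONFIGS, permissionType=ALLOW)
    (principal=User:mes, host=*, operation=READ, permissionType=ALLOW)
    (principal=User:mes, host=*, operation=WRITE, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=_SystemName, patternType=PREFIXED)`:
    (principal=User:mes, host=*, operation=READ, permissionType=ALLOW)
    (principal=User:mes, host=*, operation=WRITE, permissionType=ALLOW)
    (principal=User:mes, host=*, operation=DESCRIBE, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=GROUP, name=SystemName, patternType=PREFIXED)`:
    (principal=User:mes, host=*, operation=READ, permissionType=ALLOW)
    (principal=User:mes, host=*, operation=DESCRIBE, permissionType=ALLOW)
    (principal=User:mes, host=*, operation=DELETE, permissionType=ALLOW)
    (principal=User:other, host=*, operation=READ, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=CLUSTER, name=kafka-cluster, patternType=LITERAL)`:
    (principal=User:mes, host=*, operation=ALTER_CONFIGS, permissionType=ALLOW)
    (principal=User:mes, host=*, operation=CREATE, permissionType=ALLOW)
    (principal=User:mes, host=*, operation=DESCRIBE, permissionType=ALLOW)
    (principal=User:mes, host=*, operation=DESCRIBE_CONFIGS, permissionType=ALLOW)
    (principal=User:mes, host=*, operation=ALTER, permissionType=ALLOW)
"""

if __name__ == "__main__":
    for resource, result in check_acls(SAMPLE_LIST_OUTPUT, "User:mes", "SystemName").items():
        print(resource, "missing:", result["missing"], "extra:", result["extra"])
```

On a live cluster, feed the script the output of `kafka-acls.sh --bootstrap-server <broker> --list` (the broker address and the client properties for your mTLS or SASL Plain credentials are the only values to fill in). Entries for other principals on the same resource are ignored, and anything reported under `extra` is a grant to review before go-live rather than one to add.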