Accounts and Security
This guide will walk you through the process of planning and preparing the security objects required by Critical Manufacturing MES.
Critical Manufacturing Windows Services Account
All Critical Manufacturing services are created to run under an account that is configured at deployment time in the installation wizard. To better understand service user accounts, refer to this section of the Microsoft documentation.
As a reminder, please make sure that your service user account:
- Has been granted the Log on as a service right on the host computer
- Has permissions to access the network shares and the deployment folder
- Can read and write the queues created for Remote Shipping, if Remote Shipping is used
- Has a password that never expires, or a company mechanism exists to renew it before it expires
SQL Server Accounts
If the database system is deployed with Always On Availability Groups, it is fundamental to run all instances of the same component (for example, the Database Engine) under the same account. Additionally, unless a critical security requirement forces otherwise, it is recommended to use the same account for all SQL Server components:
- Microsoft SQL Server User Account
- Microsoft SQL Server Analysis Service User Account
- Microsoft SQL Server Reporting Services User Account
If Reporting Services runs under an account different from the one running the Critical Manufacturing services, the Critical Manufacturing services user must be granted administration privileges in Reporting Services.
ClickHouse
To communicate with ClickHouse, Critical Manufacturing MES uses traditional username and password authentication. To operate correctly, the user must have permissions to create and alter the databases related to MES (including, but not limited to, the default ClickHouse database), which typically have the SystemName prefix followed by a pertinent suffix (for example, SystemNameCDM). For more information, see Access Control Lists (ACLs).
For the backup and recovery procedures described in ClickHouse Database Backup and Restore, ClickHouse must have access to the S3 storage server used by the MES.
Kafka
To communicate with Kafka, Critical Manufacturing MES provides two forms of authentication:
- Mutual TLS (client certificates)
- SASL Plain (username and password)
In terms of access, the user must be granted the following permissions:
- Topic Permissions:
  - Alter
  - AlterConfigs
  - Create
  - Delete
  - Describe
  - DescribeConfigs
  - Read
  - Write
- Consumer Group Permissions:
  - Read
  - Delete
  - Describe
- Cluster Permissions:
  - AlterConfigs
  - Create
  - Describe
  - DescribeConfigs
Note: These permissions must be granted to resources with the prefixes SystemName and _SystemName.
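A check a practitioner can run over an ACL inventory before go-live, to confirm the MES principal holds every operation listed above on both prefixes. This is an added example, not Critical Manufacturing's code; the ACL entries, the principal name User:mes and the SystemName value are constructed assumptions, and a real run would load the entries from your cluster's ACL export.

```python
from collections import namedtuple
# Operations the page lists per resource type.
REQUIRED = {
    "topic": {"Alter", "AlterConfigs", "Create", "Delete", "Describe",
              "DescribeConfigs", "Read", "Write"},
    "group": {"Read", "Delete", "Describe"},
    "cluster": {"AlterConfigs", "Create", "Describe", "DescribeConfigs"},
}
# One ACL binding: resource_type is "topic", "group" or "cluster";
# pattern_type is "prefixed" or "literal"; permission is "allow" or "deny".
Acl = namedtuple("Acl", "principal resource_type pattern_type name operation permission")

def covers(acl, resource_type, prefix):
    """True if the ACL applies to every resource whose name starts with prefix."""
    if acl.resource_type != resource_type:
        return False
    if resource_type == "cluster":        # single resource, no prefix involved
        return True
    if acl.pattern_type == "literal":     # a literal only covers a prefix via "*"
        return acl.name == "*"
    return prefix.startswith(acl.name)    # ACL prefix at least as broad as ours

def missing_permissions(acls, principal, system_name):
    """Return {(resource_type, prefix): [missing operations]} for principal.
    Kafka evaluates deny before allow, so a covering deny cancels the grant."""
    missing = {}
    for resource_type, ops in REQUIRED.items():
        prefixes = (["kafka-cluster"] if resource_type == "cluster"
                    else [system_name, f"_{system_name}"])
        for prefix in prefixes:
            allowed, denied = set(), set()
            for a in acls:
                if a.principal == principal and covers(a, resource_type, prefix):
                    (allowed if a.permission == "allow" else denied).add(a.operation)
            if "All" in allowed:              # Kafka's catch-all operation
                allowed |= ops
            gap = sorted(ops - (allowed - denied))
            if gap:
                missing[(resource_type, prefix)] = gap
    return missing

# Constructed inventory (assumed principal "User:mes"): the "_SystemName" topics
# lack Write and the cluster lacks Create, so both show up as gaps.
MES, T, G = "User:mes", "topic", "group"
SAMPLE_ACLS = (
    [Acl(MES, T, "prefixed", "SystemName", op, "allow") for op in REQUIRED[T]]
    + [Acl(MES, T, "prefixed", "_SystemName", op, "allow") for op in REQUIRED[T] - {"Write"}]
    + [Acl(MES, G, "prefixed", p, op, "allow") for p in ("SystemName", "_SystemName") for op in REQUIRED[G]]
    + [Acl(MES, "cluster", "literal", "kafka-cluster", op, "allow") for op in REQUIRED["cluster"] - {"Create"}]
)
```

Calling `missing_permissions(SAMPLE_ACLS, "User:mes", "SystemName")` reports only the two constructed gaps; an empty result means the account matches the list above on both prefixes.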
RabbitMQ
No additional account or security requirements apply to the RabbitMQ installation.
S3
No additional account or security requirements apply to the S3 installation.