The Metasys system requires that the Active Directory service account be granted a minimal set of permissions. This section lists those permissions but does not dictate how they should be applied; the customer's IT department determines that when the account is created. The required permissions are:
- Read access to the domain object of each domain that contains Active Directory service users who are Metasys system users.
- Read access to each organizational unit that contains Active Directory service users who are also Metasys system users.
- Read access to the attributes of each User Object in Active Directory service that relates to a Metasys system user, or, if full read access is not allowed, read access to only the following individual attributes on those user objects:
  - ObjectSID
  - samAccountName
  - displayName
  - Description
  - userPrincipalName
  - telephoneNumber
  - UserAccountControl
  - CanonicalName
In addition, a non-expiring Service Account password is required. See Service account rules. The Service Account must also be able to reach every domain that contains Metasys system users in order to perform LDAP queries; for example, the account must not be denied access to the domain controller by the domain security policy.
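A practical way to confirm that the least-privilege grant above actually works is to bind to each domain as the service account itself and read the listed attributes from a known Metasys user. The PowerShell script below is an added example, not part of the Metasys documentation or product; the domain names, the service account name `svc-metasys`, and the sample users are assumed placeholders that you replace with your own values.

```powershell
# Added verification script (not from the Metasys documentation).
# Binds to each domain with the service account's own credentials, reads the
# minimal attribute set the documentation lists from one sample Metasys user
# per domain, and checks that the service account password never expires.
# ASSUMED placeholders: domain names, "svc-metasys", and the sample users.

$ServiceAccount = "svc-metasys"                          # assumed name
$SampleUsers = @{                                        # assumed domain -> sample user
    "corp.example"     = "jdoe"
    "sub.corp.example" = "asmith"
}

# The attribute set the documentation names as the minimum read permission.
# LDAP attribute names are case-insensitive; lowercase is used for lookups
# because DirectorySearcher returns result property names in lowercase.
$RequiredAttrs = @("objectsid", "samaccountname", "displayname", "description",
                   "userprincipalname", "telephonenumber", "useraccountcontrol",
                   "canonicalname")

$cred = Get-Credential -Message "Password for the Metasys service account" `
                       -UserName $ServiceAccount

function Test-MetasysReadAccess {
    param([string]$Domain, [string]$SampleUser, [pscredential]$Credential)

    # Bind as the service account, not as the admin running the script, so the
    # result reflects what the service account is permitted to read.
    $rootDse = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$Domain/RootDSE", $Credential.UserName,
        $Credential.GetNetworkCredential().Password)
    try {
        $nc = $rootDse.Properties["defaultNamingContext"].Value
    } catch {
        # A failed bind here usually means the account is denied access to the
        # domain controller (the condition the documentation warns about).
        return [pscustomobject]@{ Domain = $Domain; Bound = $false; Missing = $RequiredAttrs }
    }

    $base = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$Domain/$nc", $Credential.UserName,
        $Credential.GetNetworkCredential().Password)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base)
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SampleUser))"
    # canonicalName is a constructed attribute and is only returned when
    # explicitly requested, so every required attribute is listed here.
    $searcher.PropertiesToLoad.AddRange($RequiredAttrs)

    $result = $searcher.FindOne()
    if (-not $result) {
        # No result can mean the user does not exist OR the account lacks read
        # access to the domain/OU; both need follow-up.
        return [pscustomobject]@{ Domain = $Domain; Bound = $true; Missing = $RequiredAttrs }
    }

    $missing = foreach ($attr in $RequiredAttrs) {
        if (-not $result.Properties.Contains($attr) -or $result.Properties[$attr].Count -eq 0) { $attr }
    }
    [pscustomobject]@{ Domain = $Domain; Bound = $true; Missing = @($missing) }
}

$report = foreach ($domain in $SampleUsers.Keys) {
    Test-MetasysReadAccess -Domain $domain -SampleUser $SampleUsers[$domain] -Credential $cred
}
$report | Format-Table -AutoSize

# Non-expiring password check (requires the ActiveDirectory RSAT module).
Import-Module ActiveDirectory
$svc = Get-ADUser -Identity $ServiceAccount -Properties PasswordNeverExpires
if (-not $svc.PasswordNeverExpires) {
    Write-Warning "$ServiceAccount does not have PasswordNeverExpires set; Metasys LDAP queries will stop working when the password expires."
}
```

An attribute reported as missing can mean either that the service account is not allowed to read it or that the sample user simply has no value for it (description and telephoneNumber are often blank), so pick a sample user whose attributes are all populated. A bind failure on a domain is the symptom to look for when checking the "cannot be denied access to the domain controller" requirement.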