Service Account Permissions - Metasys - LIT-1201528 - General System Information - Metasys System - 12.0

Security Administrator System Technical Bulletin

The Metasys system requires only a minimal set of permissions for the Active Directory service account it uses. This section lists those permissions but does not dictate how they are applied; the customer's IT department decides how to grant them when the account is created. The permissions are as follows:

  • Read-only access to the domain object of each domain that contains Active Directory service users who are Metasys system users.
  • Read-only access to each organizational unit that contains Active Directory service users who are Metasys system users.
  • Read-only access to all attributes of each Active Directory service user object that is a Metasys system user or, if full read access is not allowed, read access to at least the following individual attributes on those user objects:
    • objectSID
    • sAMAccountName
    • displayName
    • description
    • mail
    • userPrincipalName
    • telephoneNumber
    • userAccountControl
  • A non-expiring service account password (see Service Account Rules).
  • The service account must be able to reach every domain that contains Metasys system users in order to run LDAP queries. For example, the domain's security policy must not deny the account access to the domain controllers.
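The following PowerShell script is an added example for checking the permissions listed above; it is not part of the Metasys documentation or product. It binds to each domain as the candidate service account (rather than as the administrator running the script, so the result reflects the service account's own rights), reads one known Metasys user with the eight required attributes, reports any attribute the account cannot read, and checks the service account's own userAccountControl for the DONT_EXPIRE_PASSWD flag (0x10000). The domain names, distinguished names, account name svc-metasys and sample user names are placeholders to be replaced with your own.

```powershell
# Added example (not from the Metasys documentation): verify that a
# candidate Metasys service account can bind to each domain and read the
# attributes the bulletin lists. All names below are placeholders.

$ServiceAccount = 'CORP\svc-metasys'          # assumed account name
$Password       = Read-Host -AsSecureString 'Service account password'
$Plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
            [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password))

# One entry per domain that contains Metasys users, each with a known
# Metasys user whose listed attributes are all populated, so that an
# attribute missing from the result means "not readable", not "unset".
$Domains = @(
    @{ Root = 'LDAP://corp.example.com/DC=corp,DC=example,DC=com'; SampleUser = 'jdoe' },
    @{ Root = 'LDAP://eu.example.com/DC=eu,DC=example,DC=com';     SampleUser = 'mmueller' }
)

# Attributes the bulletin requires read access to on each user object.
$Required = 'objectSid','sAMAccountName','displayName','description',
            'mail','userPrincipalName','telephoneNumber','userAccountControl'

function Get-UserAsServiceAccount($Root, $SamAccountName) {
    # Bind with the service account's credentials; accessing NativeObject
    # forces the bind and throws if the account is denied.
    $entry = New-Object System.DirectoryServices.DirectoryEntry(
                 $Root, $ServiceAccount, $Plain,
                 [System.DirectoryServices.AuthenticationTypes]::Secure)
    $null = $entry.NativeObject

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    $searcher.PropertiesToLoad.AddRange($Required)
    return $searcher.FindOne()
}

foreach ($d in $Domains) {
    try {
        $result = Get-UserAsServiceAccount $d.Root $d.SampleUser
    } catch {
        # Covers both a failed bind (denied by policy, bad password) and a
        # search the account is not allowed to perform.
        Write-Warning "$($d.Root): query as $ServiceAccount failed: $($_.Exception.Message)"
        continue
    }

    if (-not $result) {
        # No read on the domain or OU shows up as "user not found", not as an error.
        Write-Warning "$($d.Root): user $($d.SampleUser) not found (no read on domain/OU, or wrong name)"
        continue
    }

    # Result property names are returned in lower case; an attribute the
    # account may not read is simply absent from the collection.
    $missing = $Required | Where-Object { -not $result.Properties.Contains($_.ToLower()) }
    if ($missing) {
        Write-Warning "$($d.Root): cannot read $($missing -join ', ') on $($d.SampleUser)"
    } else {
        Write-Host "$($d.Root): all required attributes readable on $($d.SampleUser)"
    }
}

# Non-expiring password rule: inspect the service account's own
# userAccountControl in its home domain for DONT_EXPIRE_PASSWD (0x10000).
$svc = Get-UserAsServiceAccount $Domains[0].Root 'svc-metasys'
if ($svc -and $svc.Properties.Contains('useraccountcontrol')) {
    $uac = [int]$svc.Properties['useraccountcontrol'][0]
    if ($uac -band 0x10000) {
        Write-Host "svc-metasys: password set to never expire"
    } else {
        Write-Warning "svc-metasys: password is NOT set to never expire (see Service Account Rules)"
    }
} else {
    Write-Warning "svc-metasys: cannot read its own userAccountControl"
}
```

Run the script from a domain-joined host as any user; the credentials that matter are the ones passed to DirectoryEntry. Because an unreadable attribute and an unset attribute look identical in the result, choose sample users with every listed attribute populated, and treat a missing objectSid or sAMAccountName as a definite permission problem, since those are always set.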