Security Requirements

The Meridian Enterprise setup program creates an application pool named BCEnterprise (by default) with the correct settings. To ease the configuration and maintenance, we recommend that you use this application pool with a dedicated system account that is also used for the Meridian Enterprise Server service.

The Meridian Enterprise Server service must run under an account with the following privileges:

  • On the Meridian Enterprise Server computer:

    • A member of the Administrators group

    • Read/write access to C:\ProgramData\BlueCieloECM

    • Read/write access to any folders used by the rendering modules or system links

  • On the SQL Server computer:

    • If the Integrated Windows authentication option is enabled, the account that is assigned to the application pool must have the sysadmin role for the Meridian Enterprise Server configuration database. If the option is not enabled, the SQL Server account that is configured for the database connection as described in Create the Configuration Database must have the sysadmin role.

    • If Meridian Enterprise Server will be allowed to create the configuration database, the account does not need the sysadmin role; however, the sysadmin role is still required to restore or create a repository. The role can be reduced to db_creator after the database is created. If that is not permitted by your organization’s security policy, create the database either with the database configuration wizard as described in Create the Configuration Database or with the script in SQL Server Database Creation Script. Specify this account for the IIS application pool and as the account under which the Meridian Enterprise Server web service runs, as described in the preceding items.

  • On the Oracle server:

    • Create a user account and database with the script in Oracle Database Creation Script. Specify this account for the IIS application pool and as the account under which the Meridian Enterprise Server web service runs, as described in the preceding items.

  • On the source and destination systems:

    • Sufficient privileges to perform the configured actions (for example, updating the feedback property in a source system).

    The destination system account credentials are specified in the publishing job.
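
A check of the Meridian Enterprise Server computer and SQL Server privileges listed above, as an added example that is not part of the Meridian documentation. It assumes it is run on the Meridian Enterprise Server computer as the service account itself (so the integrated SQL login is made with that account); the account name, SQL Server host, database name and extra folder are placeholders.

```powershell
# Added example (not from the Meridian documentation). Run on the Meridian
# Enterprise Server computer AS the service account (for example via runas).
$ServiceAccount = 'CORP\svc-meridian'          # assumed service account
$SqlServer      = 'sqlhost.corp.example'       # assumed SQL Server instance
$ConfigDb       = 'MeridianEnterpriseServer'   # assumed configuration database
$ExtraFolders   = @('D:\Renditions')           # assumed rendering/system-link folders

# 1. Membership of the local Administrators group
$isAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' |
                  Where-Object Name -eq $ServiceAccount)
"Local Administrators member : $isAdmin"

# 2. Read/write access on C:\ProgramData\BlueCieloECM and the extra folders.
#    Only ACEs granted directly to the account are examined, not group grants.
$Modify = [System.Security.AccessControl.FileSystemRights]::Modify
foreach ($folder in @('C:\ProgramData\BlueCieloECM') + $ExtraFolders) {
    $ace = (Get-Acl -Path $folder).Access | Where-Object {
        $_.IdentityReference.Value -eq $ServiceAccount -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $Modify) -eq $Modify }
    "Read/write on $folder : $($null -ne $ace)"
}

# 3. Server roles held by the connecting account. sysadmin is needed to restore
#    or create a repository; the reduced role the text calls db_creator is the
#    SQL Server fixed server role named dbcreator.
$conn = New-Object -TypeName System.Data.SqlClient.SqlConnection `
    -ArgumentList "Server=$SqlServer;Database=$ConfigDb;Integrated Security=True"
$conn.Open()
$cmd = $conn.CreateCommand()
$cmd.CommandText = "SELECT SUSER_SNAME() AS Login,
                           IS_SRVROLEMEMBER('sysadmin')  AS IsSysadmin,
                           IS_SRVROLEMEMBER('dbcreator') AS IsDbCreator"
$reader = $cmd.ExecuteReader()
if ($reader.Read()) {
    "SQL login {0}: sysadmin={1} dbcreator={2}" -f `
        $reader['Login'], $reader['IsSysadmin'], $reader['IsDbCreator']
}
$conn.Close()
```

If the page's reduced-privilege option is in use, the expected result after database creation is sysadmin=0 and dbcreator=1 for the application pool account.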

Note:
  • All computers from which documents are published (by the Accruent File Publishing Service or the PowerUser extension), and all computers where the Publisher Queue website is opened in a web browser, must have access to the Meridian Enterprise Server web services.

    For example, if Meridian Enterprise and Accruent Publisher are running on separate computers, we recommend that you change the EDM Server service from using the default SYSTEM account to use a domain account with sufficient permissions to access the web services on the Meridian Enterprise Server computer. If this is not done, users attempting to register documents for publishing in Meridian Enterprise PowerUser will see errors and registration will fail.

    The Meridian Enterprise Server computer, the web server that hosts the Meridian Enterprise Server website (if separate), and the cluster nodes (if any) must all be able to communicate through Windows Communication Foundation (WCF) on HTTP port 8686. The primary node and the secondary nodes of a cluster also exchange push notifications on port 40865.

  • If a Meridian Explorer feedback type page will be used in web browsers other than Internet Explorer (for example, Firefox or Chrome), access denial errors can occur if the Meridian Enterprise Server application pool account is not the same as the Meridian Enterprise EDM Server service account.

  • To authenticate with Microsoft Online Services, the Windows Identity Foundation must be installed as described in Meridian Enterprise Server System Requirements. Only Azure Active Directory with DirSync is supported.

  • Internet Explorer Enhanced Security Configuration can cause the Meridian Explorer client home page to fail to load and to show JavaScript errors. It can be disabled in Windows Server Manager.

  • If your Meridian Enterprise system will use more than one server, the services might need to be configured to allow security delegation as described in Security Delegation.

  • Access denied errors can occur during import package scanning and import if the Meridian Enterprise Server and the Meridian Enterprise EDM Server are not running under the same account.

  • Path or access errors can occur for Novell NetWare mapped drives if the drives are not available to the Meridian Enterprise Server application pool account in administrator mode. To ensure that the drives are available, run a scheduled task at system startup as the NT AUTHORITY\SYSTEM account with the Run with highest privileges option enabled and the following command line:

    cmd.exe /C net use <drive letter:> "<UNC path>" /persistent:yes
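
The startup task described above, registered with PowerShell instead of the Task Scheduler UI, as an added example that is not part of the Meridian documentation. The task name, the drive letter M: and the UNC path \\fileserver\publish are assumed placeholders; the command line is the one given in the text.

```powershell
# Added example (not from the Meridian documentation): creates the startup task
# that maps the NetWare drive as NT AUTHORITY\SYSTEM with highest privileges.
$DriveLetter = 'M:'                    # assumed placeholder
$UncPath     = '\\fileserver\publish'  # assumed placeholder
$TaskName    = 'Meridian-MapNetWareDrive'

# Same command line as in the text; /persistent:yes keeps the mapping
$Action = New-ScheduledTaskAction -Execute 'cmd.exe' `
    -Argument ('/C net use {0} "{1}" /persistent:yes' -f $DriveLetter, $UncPath)

# Run at system startup ...
$Trigger = New-ScheduledTaskTrigger -AtStartup

# ... as NT AUTHORITY\SYSTEM with "Run with highest privileges"
$Principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
    -Principal $Principal -Force `
    -Description 'Maps the NetWare drive for the Meridian Enterprise Server application pool'

# Confirm the task is registered with the expected identity and run level
Get-ScheduledTask -TaskName $TaskName | Select-Object TaskName, State,
    @{ n = 'RunAs';    e = { $_.Principal.UserId } },
    @{ n = 'RunLevel'; e = { $_.Principal.RunLevel } }
```

Run the script from an elevated PowerShell session on the Meridian Enterprise Server computer; the verification line should report RunAs as SYSTEM and RunLevel as Highest.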

The account under which the Windows file system publishing service or the Accruent Project Portal publishing service is run must have the following privileges:

  • On the Meridian Enterprise Server computer:

    • Access to the Meridian Enterprise Server web service

    • Write access to the Kronodoc.Service.exe.config file located in the Meridian Enterprise Server program folder.

  • On the server where the monitored folder resides:

    • Full control

2021 R2