The normal runtime permissions and administrative permissions used by the XenDesktop site are described separately in the following sections. The database access performed is summarized in the following diagram: For this reason, certain key actions on the site are considered privileged administrative operations that require additional database server level permissions not granted to the XenDesktop services themselves these operations cannot be performed except by a database user with elevated privileges. However, the creation and manipulation of the machine account logons at the database server is an inherently privileged operation that falls outside the scope of the permissions granted within the XenDesktop database itself. Use of machine accounts provides a simple and secure model for protecting the critical data in the XenDesktop database. It also ensures that only machines that have been configured with appropriate database access at the database server can act as XenDesktop controllers for a particular site. The use of machine accounts for database access removes the need to securely store SQL logon (SQL authentication) passwords on the controller. The controller machine accounts and users in the database are granted only the minimum access to the XenDesktop database required for the services to operate.
This database access is sufficient to allow full day-to-day operation of the site including use of Desktop Studio, Desktop Director, and the service-specific SDKs. These services gain access to the database through their Active Directory machine accounts. BackgroundĪll runtime access to the central XenDesktop site database is performed by the services running on each controller. This article describes the SQL Server database access and permission model used by XenDesktop 5 and later.
0 kommentar(er)
