Configure services in the Operations Center
After installing the server applications, a shortcut to the Operations Center is placed on the server's desktop. This is where all the FotoWare services are configured. The first time you start it, it will ask you for credentials before you can access it.
Video: Installation and configuration of the Operations Center
The video below outlines the installation of the Operations Center and the configuration of the FotoWare service account. It also explains how to control access to the configuration of FotoWare services on the server through the Operations Center.
Who can access the Operations Center?
When the Operations Center is installed, it creates two user groups on the server - FotoWare Operators and FotoWare Administrators. By default, members of the local Administrators group on the server are automatically made members of both the FotoWare groups.
The idea behind these two groups is that members of the FotoWare Operators group can access the Operations Center and are allowed to start, stop and restart server services and individual processes. However, FotoWare Operators may not change the configuration or workflow of the installed server applications. That privilege belongs to the FotoWare Administrators group, which has full access to the Operations Center and may configure the server applications and their workflow.
You can add any existing user on your network, for instance domain users, to one or both of the FotoWare groups on the server to give them access to the system. Note, however, that you cannot add groups to these groups - users have to be added explicitly.
Privilege | FotoWare Operator | FotoWare Administrator |
---|---|---|
Access the Operations Center | Yes | Yes |
Monitor server activity, performance and load | Yes | Yes |
Start and stop services | Yes | Yes |
Configure indexes in Index Manager | No | Yes |
Configure channels in Connect | No | Yes |
Configure workflow in Color Factory | No | Not implemented, Color Factory uses a separate administration program. |
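To review the access model in the table above on a given server, the following PowerShell is an added example (not FotoWare's own tooling) that lists the direct members of both FotoWare groups, shows which role each account holds, and flags group objects, which have to be replaced by explicit users. It assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts cmdlets and an elevated session.

```powershell
# Added example: audit who can reach the Operations Center on this server.
# Assumes Windows PowerShell 5.1+ (LocalAccounts module) in an elevated session.
$fwGroups = 'FotoWare Operators', 'FotoWare Administrators'

# Collect the direct members of both FotoWare groups.
$members = foreach ($g in $fwGroups) {
    Get-LocalGroupMember -Group $g -ErrorAction Stop | ForEach-Object {
        [pscustomobject]@{
            FwGroup     = $g
            Member      = $_.Name
            ObjectClass = $_.ObjectClass      # 'User' or 'Group'
            Source      = $_.PrincipalSource  # Local, ActiveDirectory, ...
        }
    }
}

# Direct members of the built-in local Administrators group (well-known SID).
# By default these accounts are members of both FotoWare groups.
$localAdmins = (Get-LocalGroupMember -SID 'S-1-5-32-544').Name

# One row per account: which role(s) it holds and whether it is also a local admin.
$members | Group-Object Member | ForEach-Object {
    [pscustomobject]@{
        Member        = $_.Name
        Operator      = $_.Group.FwGroup -contains 'FotoWare Operators'
        Administrator = $_.Group.FwGroup -contains 'FotoWare Administrators'
        LocalAdmin    = $localAdmins -contains $_.Name
        Source        = $_.Group[0].Source
    }
} | Sort-Object Member | Format-Table -AutoSize

# Groups cannot be used as members of the FotoWare groups; flag any that were added.
$nested = $members | Where-Object ObjectClass -eq 'Group'
if ($nested) {
    Write-Warning 'Group objects found in FotoWare groups; add the users explicitly instead:'
    $nested | Format-Table FwGroup, Member, Source -AutoSize
}
```

Accounts that show Administrator = True but LocalAdmin = False were added to the FotoWare Administrators group explicitly and are the ones to check against your list of intended configuration owners.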
Setting a process account for the FotoWare services
While each application's service runs under the Local System Account, the Process Account is used for scanning document folders, writing and maintaining indexes, handling FotoWeb requests and so on. In short, it's a common account that handles the processing that is carried out by all FotoWare applications on the server.
Choosing a process account
Important: This process account must be a member of the local Administrators group on the server it runs on. Learn why.
The first time you access the Operations Center you will be asked to provide credentials for the FotoWare process account. However, if FotoWeb has been installed on the server, the FotoWeb setup wizard will already have asked you to set a process account. If you want to change it, you can go to the Server Settings tab in the Operations Center and change its credentials in the Process account section.
Process account implications for FotoWeb
If you specify a domain account and fill in the Domain field as yourcompany.com, yourcompany.net or something similar using a suffix, you will not be able to use a trusted connection when connecting FotoWeb to the SQL database. That's because the SQL database stores the Windows user with only the short form of the domain name, omitting the three-letter suffix (.net, .com etc.), so the SQL server will not be able to find the user.
You should also be aware that if your FotoWeb site runs on Internet Information Services, the process account specified in the Operations Center will be used to power the FotoWeb application pool in IIS. You should make sure any password renewal policies in your domain do not affect the process account, as this may potentially lock out the process account and cause the FotoWare services on the server to stop. Also, if you change the process account in the Operations Center at any time, you must manually make sure to set the same account for the IIS app pool.
Using a domain account as the process account
Normally, when a FotoWare server is added to a domain, the local machine (System account) is automatically granted READ permissions for CN=Users in the directory. This is required to look up the appropriate AD account for the process account and to delegate the correct permissions for the process account on the machine. By using this approach, User Access Control can remain enabled on the server, as recommended by Microsoft.
If, for some reason, the local machine (System account) does not have this privilege, the FotoWare services will not run and it will be necessary to grant those permissions explicitly in the directory.