Understanding the Web Access server privileges
When using Web Access with a default installation of Internet Information Services, updating thumbnails, synchronizing properties, and other functionality may appear to fail without any obvious cause. Users may also receive Access denied errors.
All Meridian Web Access users and the IIS service account require the following minimum privileges on the server running Internet Information Services, whether it is also the Meridian application server or another server:
- Read access to C:\Inetpub\AMM.
- Modify access to C:\Inetpub\AMM\AMTemp.
- Full access to C:\Inetpub\AMM\Profiles.
- Full access to the folder specified by the Windows TEMP system variable. If a TEMP user variable is defined for the application pool account, it overrides the system variable, and full access is required to that folder instead.
- Full access to the local workspace folder, C:\BC-Workspace by default.
- Read access to C:\Program Files\BC-Meridian\Program.
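The following PowerShell audit of the folders listed above is an added example, not part of the original Meridian documentation. The identity names are placeholders (assumptions). It only evaluates ACEs that name the listed identities directly, so add the groups your accounts belong to.

```powershell
# Added example: audit the minimum folder rights listed in this section.
# ASSUMPTION: $Identities is a placeholder list; supply your application pool
# account plus the groups it and your Web Access users belong to.
param(
    [string[]]$Identities = @('IIS AppPool\DefaultAppPool', 'BUILTIN\IIS_IUSRS')
)

# System-level TEMP. A TEMP user variable defined for the application pool
# account overrides this, so check that folder instead if one exists.
$tempDir = [Environment]::ExpandEnvironmentVariables(
    [Environment]::GetEnvironmentVariable('TEMP', 'Machine'))

# Folder and minimum right, as listed above (default install paths).
$required = @(
    @{ Path = 'C:\Inetpub\AMM';                       Right = 'Read' }
    @{ Path = 'C:\Inetpub\AMM\AMTemp';                Right = 'Modify' }
    @{ Path = 'C:\Inetpub\AMM\Profiles';              Right = 'FullControl' }
    @{ Path = $tempDir;                               Right = 'FullControl' }
    @{ Path = 'C:\BC-Workspace';                      Right = 'FullControl' }
    @{ Path = 'C:\Program Files\BC-Meridian\Program'; Right = 'Read' }
)

$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

$results = foreach ($item in $required) {
    $need  = [int][System.Security.AccessControl.FileSystemRights]$item.Right
    $allow = 0
    $deny  = 0
    if (Test-Path -LiteralPath $item.Path) {
        foreach ($ace in (Get-Acl -LiteralPath $item.Path).Access) {
            # Skip ACEs for identities we were not asked about.
            if ($Identities -notcontains $ace.IdentityReference.Value) { continue }
            # Inherit-only ACEs apply to children, not to the folder itself.
            if ($ace.PropagationFlags -band $inheritOnly) { continue }
            if ($ace.AccessControlType -eq 'Allow') {
                $allow = $allow -bor [int]$ace.FileSystemRights
            } else {
                $deny = $deny -bor [int]$ace.FileSystemRights
            }
        }
        # Treat any matching Deny bit as overriding Allow (conservative).
        $granted = $allow -band (-bnot $deny)
        $status  = if (($granted -band $need) -eq $need) { 'OK' } else { 'INSUFFICIENT' }
    } else {
        $status = 'MISSING'
    }
    [pscustomobject]@{ Path = $item.Path; Required = $item.Right; Status = $status }
}
$results | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the IIS server so that `Get-Acl` can read every folder's ACL.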
If Web Access will only be used on your organization’s intranet, no additional configuration is necessary. Web Access is as secure as any other IIS website. But if you want to allow access from outside of the organization for remote users, contractors, vendors, or other business partners, we recommend that you:
- Create a separate domain in the demilitarized zone (DMZ). The DMZ is the zone between a first and a second firewall, where you place computers that are accessible from the Internet (such as DNS, SMTP, and IIS servers).
- Enable a one-way trust relationship between the DMZ domain and your corporate domain.
Note: We recommend that you use the Secure Sockets Layer (SSL) for connections to Web Access sites from the Internet because, depending on the authentication method used, IIS may need to forward passwords to the Meridian application server. If SSL is not used, the passwords are sent in clear text between the Web Access clients and the IIS server.