Management of Accumark Data Storage using MS-SQL-2005 Server

This document illustrates how Microsoft SQL Server 2005 can be used with AccuMark Family Professional Edition software (SQL is not supported on Advanced Edition) to allow AccuMark users to create storage areas and to access them. While all permissions below can be defined for single users, it is highly suggested to define a Group of users to reduce administrative workload. The example below defines only one UserGroup, giving all users the same access to all storage areas. Using the same procedure to define multiple UserGroups assigning different access permissions for users or for storage areas. On most networks AccuMark users will be defined as standard Users (with no Administration rights). By default, such users are not able to create new databases on an SQL server 2005 (databases are where the AccuMark storage area data is stored). User and Group Management A user account is a collection of information that tells Windows which user rights and access permissions a user has on a computer. A group is a collection of user accounts, computers, contacts or other user groups. By adding a user account to a group, you can avoid having to grant the same access and permission to many different users one by one. Members of a group can make the same types of changes to settings and have the same access to folders, printers, and other network services. Many companies use network domains and have an IT department that will be the ones who have the ability to create groups and users. The instructions below will describe how to set up groups and users for access to AccuMark storage areas. The person creating the groups and users must have administrative permissions. These sections describe how to create groups and assign users to these groups on Windows XP and Windows Vista systems. It assumes the users already exist on this system or a domain server and can be accessed from this server. You must create the User Groups first and then specify in SQL Server where and how these users and groups will have access to the AccuMark data.

1 Page 1 of 16

The User Group will need to be created on the server that will has SQL Server installed for access to the storage areas on that server. The process below describes how to create on the server in User Management a User Group containing all AccuMark users NOTE: the instructions below show how to create user groups for Windows XP and Windows Vista (Windows 2000 will no longer be supported for use with AccuMark starting with version 8.3). MSDE and SQL Server 2000 can be used on Windows XP, however MSDE is not supported on Vista. For information on using Windows XP or Vista and SQL 2005 Server or Express, please refer to the document SQL Server 2005 and AccuMark.doc Creating User Groups on Windows XP: These instructions are based on using the Category View. Select Start, Control Panel. Select User Accounts from the Category Select user Accounts from the Control Panel icon section In the Users Accounts dialog, select the Advanced tab and then the Advanced button

2 Page 2 of 16

Highlight the Groups entry in the left window. Place the mouse in the right side of the window pane, right-click and select New Group

Type in the name of the new group. In this example, the UserGroup is called AM-SQLUsers. Enter an optional description Select the Add button

3 Page 3 of 16

From the From this location drop-down list select the Locations button to access the server or domain where the users you would like to add to the AMSQL-Users group exist. Select the Advanced button. Select the Find Now button to get a list of user names from this location.

Highlight one or more users and select the OK Button (use the ctrl or shift keys to select more than one).

4 Page 4 of 16

The user name(s) will appear in the window.

You can choose another domain to add additional users or select Ok to finish. Select the Create button to complete the creation of this new group. Select close to close the dialog windows. The new group should now appear in the list for Local Users and Groups.

Creating User Groups on Windows Vista:

Note : These steps cannot be completed on Windows Vista Starter,

Windows Vista Home Basic, and Windows Vista Home Premium. 1. Click to open Microsoft Management Console. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

2. In the left pane of Microsoft Management Console, click Local Users and Groups.

If you don't see Local Users and Groups

If you don't see Local Users and Groups, it's probably because that snap-in has not been added to Microsoft Management Console. Follow these steps to install it: 1. In Microsoft Management Console, click the File menu, and then click Add/Remove Snap-in. 2. Click Local Users and Groups, and then click Add. 3. Click Local computer, and then click Finish. 4. Click OK.
5 Page 5 of 16

3. Double-click the Groups folder. 4. Right-click the group you want to add the user account to, and then click Add to Group. 5. Click Add, and then type the name of the user account. 6. Click Check Names, and then click OK.

Note: To help make your computer more secure, add a user to the
Administrators group only if it is absolutely necessary. Users in the Administrators group have complete control of the computer. They can see everyone's files, change anyone's password, and install any software they want. SQL Server 2005 User Management Setting Permissions for the Groups Define the Login for the AccuMark UserGroup in SQL Server Management Studio Express On the server, open Microsoft SQL Server Management Studio Express. Connect to the SQL Server that will be used for AccuMark storage: The authentication being used will depend on how the SQL server was configured during installation. Contact your IT department for details. Most WebPDM servers are configured for mixed mode authentication which means you could log in using either Windows Authentication or SQL Authentication. Select the Connect button. Open the SQL server to get the display of associated entries like Databases, Security,.. Open the Security item to get Logins displayed. Right-click on Logins and select to create a New Login:

6 Page 6 of 16

On the tab General, define the name by selecting via the lookup-button the UserGroup. Check that groups are selectable by selecting the Object Types button and the entry for Groups is checked on. Then select OK

You can use the Advanced button, then the Find Now to get a list of groups. Highlight the group that is to be added to this server (for example: AM-SQL-Users) and select OK.

7 Page 7 of 16

Select the entry : Server Roles. Select (place checkmark) on Database Creators: dbcreator Save the new Login (OK button). The new Login will be listed in the right window.

Accumark users are now able to create new storage areas using this SQL-server. However, only the creator of the database will have access to the storage area. Setting Group Access Permission to AccuMark Storage Areas To allow other users access to a storage area on SQL-server, you need to give Access-permisison . There are 2 possibilities to define access for AccuMark Users : 1) Allow all users to access all databases = storage areas SQL Server 2005 allows to pre-define configuration values in the database model (never delete this database ), which is used as a template to create new databases, which is equivalent to a new storage area. This method can be used for SQL servers, which are used only to store AccuMark data. If the customer is using the SQL server also to store other data , then this method should not be used, since it will cause a security issue for the non-Accumark databases (please discuss this issue with the IT personal of the customer ) Note : it is required to define this before new storage areas are created ! Note : Users creating new storage areas are required to have SQL Express installed on their systems (see below)

8 Page 8 of 16

To configure default access to new Accumark storage areas : Using the SQL Server Management Studio Express, expand your SQL server Expand System Databases, Expand the database model, expand Security, then expand Users Right-click on Users and select New User

Use the ellipse button [] to open the Select Login dialog. Then select Browse button and select (check on) the UserGroup of AM-SQL-Users. Select OK, and OK.

Enter the User name (you can use the same as the Login name):

9 Page 9 of 16

As Database role membership, please select (by placing a check-mark): - Public (should already be selected by default) - db_datareader - db_datewriter

Click OK to save this information.

All members of the Accumark Usergroup have now immediately access to any newly created database = storage area.

2) Manual assignment of access to all storage areas In cases where the customer can not allow to grant automatically access for all Accumark users to all new databases = Accumark storage areas (because the SQL server is either used also to store other non-Accumark data or if the customer like to assign different access rights for storage areas for users by defining multiple Accumark usergroups ), then the User Administration of SQL server 2005 can be used. Note : The storage area must first be created from an Accumark workstation, before Access permisisons can be assigned ! Note : Users creating new storage areas are required to have SQL Express installed on their systems (see below)

10 Page 10 of 16

To define the access to the specific storage areas, display the Login for the AccuMark users group (in this example : Am-SQL-Users) under Security Logins (by a double-click or Properties from the toolbar) :

Select the User Mapping entry in the Select a page window on the right. Then select in the upper list the databases containing storage areas (which must first have been created from an AccuMark workstation ) to be accessible by this usergroup by placing a checkmark. For EACH of these databases, you must select in the lower list as Database Role db_datawriter and db_datareader to allow AccuMark to work with this storage area, by placing a check-mark

11 Page 11 of 16

Note: the databases will include the AccuMark storage areas as well as the CAD Relational database like the one that is used for WebPDM. NOTE: if you select only db_datareader but not db_datawriter, then you have a read-only storage area, where users can view and read data, but are not able to update data or store new data.

UserPerm Database The UserPerm database allows the AccuMark administrator to assign further permissions on a data item level. Thus the users must be granted db_datareader and db_datawriter rights to this UserPerm database so the AccuMark applications can read and write these extended permissions. For more details on restricting access on a data item level, see the document Read-Write Controls.pdf Select the UserPerm entry in the Database Access window and enable the db_datareader and db_datawriter permissions in the Database roles window.

CAD Relational Database If you are using a CAD Relational Database (RDBMS) then db_datareader and db_datawriter permissions must be granted as well. Grant the Execute permission in order to be able to run the stored procedures that are used for the RDBMS. Other permissions may be needed when using the CAD relational database for WebPDM. Contact your WebPDM administrator for assistance.

12 Page 12 of 16

Granting Execute Permission to the CAD Relational Database Note: the CAD Relational database (RDBMS) must be named WebPDM when populating data for access by WebPDM applications. Otherwise the name for the RDBMS needs to conform to the same rules as for AccuMark storage area names. To grant execute permission to the CAD Relational Database on SQL 2005 Server or SQL 2005 Express: Open the SQL Server Management Studio Express Connect to the SQL server that contains the RDBMS Expand the Databases tree view Expand the RDBMS (in this example the cad relational database is called webpdm) Right-click on the RDBMS name and select properties In the Users or roles window select the group to grant permissions for. The Explicit Permissions window will populate with the permissions that are available for setting.

13 Page 13 of 16

Select the Execute permission and click in the Grant column to enable this permission.

Continue to grant the Execute permission to any other groups as needed. Select OK to finish.

14 Page 14 of 16

Users creating new storage areas are required to have SQL Express installed on their systems When creating via Accumark Explorer a new storage area using SQL server :

A script is processed to create the required tables inside the SQL server database and to define the default Accumark data items :

15 Page 15 of 16

Attempting to create a storage area on a system without MSDE or SQL-Express will result into an error message (Error 1027), a database is created but not usable for Accumar data storage :

Note : SQL Express is only required to be installed on the systems creating a storage area, it is not required to have the database execute on such systems. There is no need to install MSDE or SQL-Express on Accumark systsems accessing such SQL-based storage areas

16 Page 16 of 16