
ArcGIS Data Pipelines Server account

ArcGIS Data Pipelines Server starts and stops processes, reads and writes data to locations on the file system, and communicates between machines. To do these things securely, it uses an operating system account that you specify when you install ArcGIS Data Pipelines Server. This is known throughout the documentation as the ArcGIS Data Pipelines Server account.

When the ArcGIS Data Pipelines Server account is used

The ArcGIS Data Pipelines Server account is used for the following purposes:

  • Start and stop processes that support ArcGIS Data Pipelines Server and services.

  • Read and write files to the ArcGIS Data Pipelines Server directories.

  • Read and write files to the configuration store.

  • Read and write files to the ArcGIS Data Pipelines Server installation location and system temp directory. For example, the account writes log files that you can use to troubleshoot the server.

  • Read and write log messages to the logs directory.

  • Read and write ArcGIS Data Pipelines scheduled task run results and standalone run results to the config-store.

Note:

The ArcGIS Data Pipelines Server account is not the same as the primary site administrator that you define when you create the ArcGIS Data Pipelines Server site. For more information, see Create an ArcGIS Data Pipelines Server site.

Designate the ArcGIS Data Pipelines Server account

The ArcGIS Server account is the one you used when you installed the software. The installation makes this account the owner of all files that it places on the system. In a site with multiple ArcGIS Server machines, the user ID (UID) for the ArcGIS Server account should be the same across all machines so that they can access data, the configuration store, and the server directories using the same NFS permissions.

For security reasons, the root account cannot be used as the ArcGIS Server account and cannot be used to install the software.

The ArcGIS Data Pipelines Server account defaults to the name arcgis. Accepting this default is sufficient for most nonproduction deployments; however, for production systems, Esri recommends that you create a domain or Active Directory account prior to installing ArcGIS Data Pipelines Server.

You are allowed to specify a local account or a domain account. You can export the setup configuration file when you install ArcGIS Data Pipelines Server on the first machine in your site and use the configuration file when you install ArcGIS Data Pipelines Server on the other machines in your site. This ensures that the ArcGIS Data Pipelines Server account is configured the same on all the machines in your site.

Domain account

A domain account makes it easier to access data on remote systems. A domain account is also preferable for security purposes because the account is centrally managed.

When specifying a domain account, use the format DOMAIN\username. If you do not specify the domain, the ArcGIS Data Pipelines Server installation wizard creates a local account with the username you specified. If you specify a domain account that does not exist, the installation returns an error.

If your login settings deny login rights to the machine where ArcGIS Data Pipelines Server is installed, you will encounter an error during the installation. It is not necessary to grant Log on locally group policy settings to the ArcGIS Data Pipelines Server account.

Local account

If you've chosen a local account, the local account and password must exist on each machine in the ArcGIS Data Pipelines Server site and must be identical. You can create the local account with the same password on each machine before installing ArcGIS Data Pipelines Server, or you can allow the ArcGIS Data Pipelines Server installation wizard to create the local account; just be sure to use the same username and password on every machine in the site.

If you're creating a new local account as part of the installation, the password you specify for the account must adhere to your operating system's local security policy. If the password does not meet the minimum strength requirements of your operating system, the installation returns an error. Consult the Microsoft documentation for the version of Windows you are using to learn how to check the security policy on your machines.

Group managed service account

A group managed service account (gMSA) is a special Active Directory domain account that provides automatic password management. The account cannot be used for interactive logins and is restricted for use on only a predefined group of servers.

Using a gMSA is especially advantageous when a service account governs software on multiple machines, such as in a multiple-machine ArcGIS Data Pipelines Server site. Because the gMSA works at the domain level, it can regularly change the service account password on each machine with no manual steps required.

The configureserviceaccount command line tool, which is described below, can be used to configure the ArcGIS Data Pipelines Server service to run under a gMSA. You can find this tool in the following location: <ArcGIS Data Pipelines Server install directory>\tools. For the username parameter, the group managed service account can be specified either with or without the $ symbol at the end. The password parameter is not needed. The readconfig and writeconfig parameters both function the same with a group managed service account.

The following is a sample command to configure a gMSA as the ArcGIS Data Pipelines Server account:

configureserviceaccount.bat --username mydomain\enterprise-gmsa$ --writeconfig c:\temp\domainaccountconfig.xml
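Before pointing the service at a gMSA, it helps to confirm that the machine is one of the servers allowed to use it. The following PowerShell check is an added example, not part of the product or its documentation. It assumes the ActiveDirectory module (RSAT) is installed, reuses the account name from the sample command above, and the function name Get-GmsaReadiness is hypothetical.

```powershell
# Added example; requires the ActiveDirectory module (RSAT) and domain read access.
# Run it on each machine in the site, because the result is specific to the local host.
Import-Module ActiveDirectory

function Get-GmsaReadiness {
    param([Parameter(Mandatory)] [string] $Name)   # with or without the trailing $
    $id   = $Name.TrimEnd('$')
    $gmsa = Get-ADServiceAccount -Identity $id `
                -Properties PrincipalsAllowedToRetrieveManagedPassword
    [pscustomobject]@{
        Account           = $gmsa.SamAccountName
        Enabled           = $gmsa.Enabled
        # Principals (typically a group of servers) allowed to retrieve the managed password
        AllowedPrincipals = $gmsa.PrincipalsAllowedToRetrieveManagedPassword
        # True only if this machine can retrieve the password and use the account
        UsableOnThisHost  = Test-ADServiceAccount -Identity $id
    }
}

# Account name taken from the sample command on this page
Get-GmsaReadiness -Name 'enterprise-gmsa$' | Format-List
```

If UsableOnThisHost is False, the machine is not covered by the principals listed in AllowedPrincipals, which is a directory-side setting and not something the configureserviceaccount tool changes.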

Permissions to grant to the ArcGIS Data Pipelines Server account

Before you create your site, you must grant the ArcGIS Data Pipelines Server account the following permissions:

  • Full control permissions to the location where your server directories will be created. Keep in mind that you must grant the ArcGIS Data Pipelines Server account read and write permissions to any new server directories that you create after configuring your site. By default, this directory is <ArcGIS Data Pipelines Server installation directory>/datapipelines/usr/directories.

  • Full control permissions to the location where your configuration store will be created. By default, this directory is <ArcGIS Data Pipelines Server installation directory>/datapipelines/usr/config-store.

  • Full control permissions to the directory that will contain ArcGIS Data Pipelines Server logs and permission to create this folder if you have not already manually created it. This directory is <ArcGIS Data Pipelines Server installation directory>/datapipelines/usr/logs.

  • Read permissions to the data folders that you will register with the ArcGIS Data Pipelines Server site before data pipeline authors can read data from File share inputs.

  • Full control permissions to the location where your server directories will be created. Keep in mind that you must grant the ArcGIS Data Pipelines Server account read and write permissions to any new server directories that you create after configuring your site. By default, this directory is C:\arcgisdatapipelinesserver\directories.

  • Full control permissions to the location where your configuration store will be created. By default, this directory is C:\arcgisdatapipelinesserver\config-store.

  • Full control permissions to the directory that will contain ArcGIS Data Pipelines Server logs and permission to create this folder if you have not already manually created it. By default, this directory is C:\arcgisdatapipelinesserver\logs.

  • Read permissions to the data folders that you will register with the ArcGIS Data Pipelines Server site before data pipeline authors can read data from File share inputs.

The ArcGIS Data Pipelines Server account does not need to be in the Windows Administrators group on any machine in your site.
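The permissions above can be audited before you create the site. The following PowerShell script is an added example, not part of the product. It assumes a local account with the default name arcgis and the default Windows directories listed above, and the function names are hypothetical.

```powershell
# Added example: read-only audit; it changes no permissions.
function Test-ServiceAccountAccess {
    param(
        [Parameter(Mandatory)] [string]   $Account,   # 'HOST\user' or 'DOMAIN\user'
        [Parameter(Mandatory)] [string[]] $Path,
        [System.Security.AccessControl.FileSystemRights] $Required = 'FullControl'
    )
    $inheritBoth = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Path = $p; Result = 'Missing'; DenyEntries = 0 }
            continue
        }
        # Only ACEs that name the account directly are considered;
        # rights granted through group membership are not resolved here.
        $aces = (Get-Acl -LiteralPath $p).Access |
            Where-Object { $_.IdentityReference.Value -ieq $Account }
        # The grant must also reach subfolders and files created later.
        $ok = $aces | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $Required) -eq $Required -and
            ($_.InheritanceFlags -band $inheritBoth) -eq $inheritBoth
        }
        $deny = @($aces | Where-Object { $_.AccessControlType -eq 'Deny' })
        [pscustomobject]@{
            Path        = $p
            Result      = if ($ok) { 'OK' } else { 'Insufficient' }
            DenyEntries = $deny.Count
        }
    }
}

function Test-NotLocalAdministrator {
    param([Parameter(Mandatory)] [string] $Account)
    # S-1-5-32-544 is BUILTIN\Administrators; direct members only, nested groups are not expanded.
    $names = (Get-LocalGroupMember -SID 'S-1-5-32-544').Name
    -not ($names -icontains $Account)
}

$account = "$env:COMPUTERNAME\arcgis"   # assumption: local account with the default name
$paths   = 'C:\arcgisdatapipelinesserver\directories',
           'C:\arcgisdatapipelinesserver\config-store',
           'C:\arcgisdatapipelinesserver\logs'
Test-ServiceAccountAccess -Account $account -Path $paths | Format-Table -AutoSize
"Not in local Administrators: $(Test-NotLocalAdministrator -Account $account)"
```

For the registered data folders, which need only read access, call Test-ServiceAccountAccess with -Required Read.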

Change the ArcGIS Data Pipelines Server account

You do not need to rerun the ArcGIS Data Pipelines Server installation to change the ArcGIS Data Pipelines Server account. After you install, you can change the account by running the Configure ArcGIS Data Pipelines Server Account utility, which is included with the software. For example, you can do this to respond to a change in security policy or when troubleshooting your server.

To change the ArcGIS Data Pipelines Server account using the utility, run the executable from a command prompt. The ServerConfigurationUtility.exe command line utility is installed in <ArcGIS Data Pipelines Server install directory>\tools.

The command line parameters for the utility are as follows:

  • --username—The name to use for the ArcGIS Server account.

  • --password—The password for the ArcGIS Server account.

  • --readconfig—Optional path to a configuration file you have saved from a previous run of the utility.

  • --writeconfig—Optional path where a configuration file will be saved so you can apply the same properties in future runs of the utility.

  • --help—Displays command line help and exits.

The following is a sample command to change the account and export a configuration file:

configureserviceaccount.bat --username arcgisnew --password secret --writeconfig c:\temp\myconfig.xml
