What Level of Access Will I Have?
A Lot is Allowed, but NOT Root / Admin / SA / OS Shell Access
Author: Eric Vasbinder
ERPs Applicable:
Vista
Spectrum
Procontractor
Please NOTE that access to deeper areas of the system is often more readily available in our older Viewpoint for Cloud (VFC) solution. In addition, the Gold and Platinum tiers of our new Enterprise Solution Bundle provide deeper levels of access for customer admins, because those tiers place each customer in a fully separate Azure tenant with Virtual WAN (vWAN) capabilities.
Though new customers can no longer sign up for VFC, the Enterprise Bundle at the Gold or Platinum tier may be available as an add-on to your TC1 contract at additional cost. Please note that this cost, depending on the tier and your overall license count, may be substantial. For more information, please reach out to your account manager.
For the most part, the compliance and security requirements that apply to customers on our TC1, VP1, and Vista or Spectrum SaaS contracts prohibit deep-level access to systems. This means that access you may be accustomed to on-premises will not be possible once your ERP is hosted in our cloud. This includes root-level access to the server OS, service-level access for restarting services, direct file system access outside of clearly delineated areas, etc.
Please see the following for details of what is allowed and not allowed in our cloud.
ALLOWED in our cloud:
Create, edit, delete stored procedures, triggers, and views
Custom UD fields, forms, and tables
Custom reports including Crystal, SSRS, etc.
Hosting SSIS packages (subject to review; see the SSIS note further down)
SSIS packages CAN write files to the local Viewpoint Repository folder
Useful for exporting data from Vista on a schedule
Azure ExpressRoute WITHOUT vNet peering
Possible; depending on your ISP, it can significantly reduce latency and improve performance.
A small monthly cost from the ISP is usually incurred.
NOTE: vNet peering is still not allowed when ExpressRoute is implemented.
More details on ExpressRoute HERE: Microsoft Azure ExpressRoute for Performance
DBO Access to the Viewpoint Vista database
Access to edit SQL Agent jobs owned by your SQL service account
More details here: How can I edit SQL Jobs?
Creation of remotely hosted SQL Linked Server objects that point to the cloud Vista server
Network connection is provided in this instance by using the TLS Database Endpoint (TLS VPN) or an IPSEC VPN.
Security Admin
HIGHLY DISCOURAGED
Case by case approval required / please file cloud support case to request this level of access
Backups over an IPSEC VPN Connection
Change Data Capture (CDC) data copying
NOTE: not all tables in Vista are supported for CDC.
Please see the following FAQ article for detailed information on the tables supported for CDC: Change Data Capture (CDC)
NOT ALLOWED in our cloud:
Direct file system access (e.g. xp_cmdshell), with the exception of SSIS packages writing to the Viewpoint Repository folder as detailed above
Please evaluate Ryvit (AppXchange / DataXchange) as a powerful way to get data into and out of the ERP on an automated or manual basis: Ryvit (Cloud and Data Connectors)
We recommend using the File System API through the Vista rich client instead, or, if files need to be imported and exported automatically, the built-in pickup directory capability in Vista.
OLE Automation
Due to significant security concerns, OLE Automation cannot be enabled in our cloud.
If your integration needs to save files to the client file system, this can instead be achieved through a custom button that calls a stored procedure to write that data to a file on the local client file system
If your integration needs to save files to the server file system, please rewrite your integration to use the DataXchange APIs instead: Ryvit (Cloud and Data Connectors)
Root (Admin) access to the server hardware itself
SA (System Administrator) level access to the database
See above that DBO is available upon request
Editing SQL Agent jobs NOT owned by your specific account
Recommend assigning ownership of your SQL Agent jobs to a single SQL login and then granting that login membership in the msdb fixed database role SQLAgentOperatorRole. Members of that role can view, start, and stop all jobs, but can only modify the jobs they own.
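As an added example (not from the article or from Trimble), the recommendation above expressed in T-SQL. The login name VistaIntegrationSvc and the individual owners jsmith and mjones are assumptions. Changing a job's owner requires sysadmin, so in the hosted environment the first part is what you would ask cloud support to run; the verification queries at the end are ones you can run yourself as a SQLAgentOperatorRole member.

```sql
USE msdb;
GO
-- Assumption: VistaIntegrationSvc is the SQL login that should own all of your jobs,
-- and jsmith / mjones are the individual logins that currently own them.
DECLARE @new_owner sysname = N'VistaIntegrationSvc';
DECLARE @job_name  sysname;

-- Re-point every job currently owned by one of the listed individual logins.
-- Jobs owned by anyone else (e.g. the hosting provider's maintenance jobs) are left untouched.
DECLARE job_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT j.name
    FROM dbo.sysjobs AS j
    JOIN sys.server_principals AS p ON p.sid = j.owner_sid
    WHERE p.name IN (N'jsmith', N'mjones');
OPEN job_cur;
FETCH NEXT FROM job_cur INTO @job_name;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Setting @owner_login_name requires sysadmin; this is the step cloud support performs.
    EXEC dbo.sp_update_job @job_name = @job_name, @owner_login_name = @new_owner;
    FETCH NEXT FROM job_cur INTO @job_name;
END;
CLOSE job_cur;
DEALLOCATE job_cur;
GO

-- Give the owning login a user in msdb and add it to SQLAgentOperatorRole.
-- Members can see, start and stop any job but can only edit the jobs they own,
-- which is exactly the boundary the cloud policy draws.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'VistaIntegrationSvc')
    CREATE USER [VistaIntegrationSvc] FOR LOGIN [VistaIntegrationSvc];
ALTER ROLE SQLAgentOperatorRole ADD MEMBER [VistaIntegrationSvc];
GO

-- Verification: every job should now show the single owner, and the login should
-- appear with exactly one Agent role.
SELECT j.name AS job_name, SUSER_SNAME(j.owner_sid) AS owner_login, j.enabled
FROM msdb.dbo.sysjobs AS j
ORDER BY owner_login, job_name;

SELECT r.name AS role_name
FROM msdb.sys.database_role_members AS rm
JOIN msdb.sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN msdb.sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'VistaIntegrationSvc';
```

Keeping the owner filter explicit (rather than re-owning every job on the instance) matters in a shared environment: jobs owned by the provider's service accounts are not yours to touch, and a blanket change would be rejected or, worse, silently break provider maintenance.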
Azure vNet Peering is NOT allowed
There are significant security concerns around allowing such an extensive level of network intermingling.
More Details Here: Microsoft Azure ExpressRoute for Performance
Windows shell access, whether through the Windows GUI, the Command Prompt, or PowerShell.
Creation of custom SQL Linked Server objects on the SQL Server instances hosting Trimble Viewpoint products (e.g. Vista), in most cases
Please set these up externally, on your own SQL Server, pointing to the appropriate database (e.g. Vista) over a TLS Database Endpoint (TLS VPN) or IPSEC VPN
For more information on Linked Server objects and the methods to address this cloud restriction, please see the following cloud FAQ article: SQL Linked Server Object Compatibility
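As an added example (not the article's or Trimble's own script), this is the external side of what the two linked-server items above describe: a linked server created on your own SQL Server that points at the cloud Vista database over the TLS Database Endpoint. The endpoint host and port, the database name Viewpoint, the remote login VistaLinkedRO and the local login CORP\svc-reporting are assumptions; take the real values from cloud support. It assumes the Microsoft OLE DB Driver for SQL Server (MSOLEDBSQL) is installed on your server.

```sql
-- Run on YOUR externally hosted SQL Server, never on the cloud Vista server.
-- Assumptions (placeholder values, not from the article):
--   vista-db.example.cloud,1433 = host,port of the TLS Database Endpoint issued by cloud support
--   Viewpoint                   = name of the Vista database
--   VistaLinkedRO               = SQL login cloud support created for you (db_datareader only)
--   CORP\svc-reporting          = the only local login allowed to use this linked server
USE master;
GO
IF EXISTS (SELECT 1 FROM sys.servers WHERE name = N'VISTA_CLOUD')
    EXEC sp_dropserver @server = N'VISTA_CLOUD', @droplogins = 'droplogins';
GO
EXEC sp_addlinkedserver
    @server     = N'VISTA_CLOUD',
    @srvproduct = N'',
    @provider   = N'MSOLEDBSQL',
    @datasrc    = N'vista-db.example.cloud,1433',
    @catalog    = N'Viewpoint',
    -- Insist on TLS and on a certificate that chains to a trusted CA. The endpoint is reachable
    -- from outside the cloud, so an unencrypted or unverified hop is the failure mode to avoid.
    @provstr    = N'Encrypt=Yes;TrustServerCertificate=No;';
GO
-- sp_addlinkedserver creates a default "all local logins, use self" mapping. Drop it so that
-- only the explicit mapping below exists; otherwise every local login gets a path to the endpoint.
EXEC sp_droplinkedsrvlogin @rmtsrvname = N'VISTA_CLOUD', @locallogin = NULL;
-- Map one named local login to the fixed remote SQL login. A NULL @locallogin here would map
-- every local login, handing the cloud credential to anyone who can run a query on this server.
EXEC sp_addlinkedsrvlogin
    @rmtsrvname  = N'VISTA_CLOUD',
    @useself     = 'FALSE',
    @locallogin  = N'CORP\svc-reporting',
    @rmtuser     = N'VistaLinkedRO',
    @rmtpassword = N'<strong-password-from-your-secret-store>';
GO
-- Leave remote procedure calls and distributed-transaction promotion off; a read-only view of
-- Vista data needs neither, and both widen what a compromised local login could do remotely.
EXEC sp_serveroption @server = N'VISTA_CLOUD', @optname = N'rpc out', @optvalue = N'false';
EXEC sp_serveroption @server = N'VISTA_CLOUD', @optname = N'remote proc transaction promotion', @optvalue = N'false';
GO
-- Smoke test: OPENQUERY executes on the remote side, so this confirms the tunnel, the login
-- mapping and the target database in one round trip.
SELECT * FROM OPENQUERY(VISTA_CLOUD, N'SELECT @@SERVERNAME AS remote_server, DB_NAME() AS remote_db');
```

Run the smoke test while logged in as the mapped local login; if any other login can execute it successfully, the default mapping was not removed and the linked server is broader than intended.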
Hosting additional databases other than the Vista records or attachments database on the Vista Server
If having a database on the same instance as Vista is critical, then please use remotely hosted SQL linked server objects, connected over your TLS Database Endpoint (TLS VPN) or IPSEC VPN
Full SQL Replication across the boundary of our cloud
Though some setups in our cloud use replication between two fully hosted SQL servers in an environment hosted in our cloud, SQL replication across the cloud boundary is not supported: you cannot use SQL replication to create a SQL backup on-premise
The use of SQL Database Mail
There are maintainability issues associated with enabling this capability in the cloud. As such, we cannot support SQL Database Mail in our cloud. Please use a different solution, such as Vista's built-in workflow and notifier capabilities, or integrations to third-party emailing systems such as those provided by Trimble's AppXchange (formerly Ryvit).
Any operation that requires third-party or customer administrator access to the operating system of any server (Viewpoint products or third party) hosted in our environment is not allowed. This level of access, also known as "root" access, is not allowed for security reasons. This includes RDP access to the OS upon which our cloud solutions run. In addition, direct file system access is not generally allowed; this includes direct file system access via xp_cmdshell (command shell).
This level of access is restricted to a small set of background-checked, verified personnel. This restriction is critical to maintaining the SOC certifications that we hold, including SOC 1 Type 1, SOC 1 Type 2, SOC 2 Type 1, and SOC 2 Type 2. Without this restriction, maintaining these certifications would become much more difficult.
Please note that NO third-party software is allowed to be installed on the Vista servers in our environment, again for compliance reasons. In addition, though we used to regularly allow hosting of certain third-party applications in our environment (such as MSI Data Service Pro), we are moving away from this approach. Third-party applications will by default be hosted externally, connected over the TLS Database Endpoint (TLS VPN) or an IPSEC VPN. For those customers that are hosting previously "hosting approved" applications with us, those third-party components MUST be installed on separate servers, UNIQUE to that integration.
NOTE: SSIS packages, depending on the content, may be possible in our cloud. Please create a cloud support case and submit your SSIS package request for review. Approval cannot be guaranteed however and depends on the extent of access needed by this package.
Access to the Vista database is strictly controlled to allow us to adhere to our security certifications, including SOC 2 Type 2. DBO access to the Vista database may be provided on an exception basis with written justification. Server Admin (SA) access to the Vista database is NOT ALLOWED for security reasons. Needs that would otherwise require SA access to the Vista database can be accommodated by coordinating with our cloud support team.
NOTE: RATHER THAN USE "SA" ACCESS, THIRD-PARTY APPLICATIONS SHOULD THOROUGHLY DOCUMENT THE LEAST-PRIVILEGE PERMISSIONS NEEDED FOR THEIR APPLICATION (e.g. db_datareader, db_datawriter, etc.), ALONG WITH THE SPECIFIC TABLES WHERE ACCESS IS NEEDED.
In summary, direct access to the Vista SQL database is allowed, but with certain caveats and recommendations, including DBO access only upon written justification, and no SA access. See this page for more database access details: Will I still be able to edit the Vista database if we're hosted in your cloud? SSMS? Custom Crystal Reports?
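As an added example (not from the article, Trimble, or any particular vendor), what a documented least-privilege grant for a third-party integration looks like in T-SQL, as opposed to handing the vendor sa. The login AppXVendorSvc, the role name, and the objects dbo.ExampleImportStaging and dbo.usp_ExampleImport are placeholders, not real Vista schema. Whoever holds DBO or securityadmin rights on the Vista database runs the grants (in the hosted environment, cloud support, working from the vendor's documentation); the verification at the end is what the vendor should include in its install guide.

```sql
-- Assumptions (placeholder values, not from the article or from Vista's actual schema):
--   Viewpoint                 = Vista database name
--   AppXVendorSvc             = SQL login the vendor's service authenticates as
--   dbo.ExampleImportStaging  = the one table the vendor writes to
--   dbo.usp_ExampleImport     = the one procedure it executes
USE master;
GO
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'AppXVendorSvc')
    CREATE LOGIN [AppXVendorSvc]
        WITH PASSWORD = N'<strong-password-from-your-secret-store>', CHECK_POLICY = ON;
GO
USE Viewpoint;
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'AppXVendorSvc')
    CREATE USER [AppXVendorSvc] FOR LOGIN [AppXVendorSvc];
GO
-- Put the permission set in a named role so it can be reviewed, diffed and reused,
-- rather than attaching grants to the user directly.
CREATE ROLE [integration_appx_vendor] AUTHORIZATION dbo;
GO
-- Broad read-only access covers the reporting and extract use cases.
ALTER ROLE db_datareader ADD MEMBER [integration_appx_vendor];
-- Writes are scoped to the exact objects the vendor documented: no db_datawriter, no db_owner.
GRANT INSERT, UPDATE ON OBJECT::dbo.ExampleImportStaging TO [integration_appx_vendor];
GRANT EXECUTE        ON OBJECT::dbo.usp_ExampleImport    TO [integration_appx_vendor];
-- DENY wins over any later GRANT, so this keeps the role from acquiring DDL rights
-- in dbo even if someone widens it by mistake.
DENY ALTER ON SCHEMA::dbo TO [integration_appx_vendor];
ALTER ROLE [integration_appx_vendor] ADD MEMBER [AppXVendorSvc];
GO
-- Verification: impersonate the vendor user and confirm it has exactly what was granted.
-- Expected: can_insert_staging = 1, can_delete_staging = 0, can_alter_schema = 0, is_db_owner = 0
EXECUTE AS USER = N'AppXVendorSvc';
SELECT
    HAS_PERMS_BY_NAME(N'dbo.ExampleImportStaging', N'OBJECT', N'INSERT') AS can_insert_staging,
    HAS_PERMS_BY_NAME(N'dbo.ExampleImportStaging', N'OBJECT', N'DELETE') AS can_delete_staging,
    HAS_PERMS_BY_NAME(N'dbo', N'SCHEMA', N'ALTER')                        AS can_alter_schema,
    IS_ROLEMEMBER(N'db_owner')                                             AS is_db_owner;
REVERT;
GO
-- Listing of every explicit permission on the role, for the change record and the vendor's docs.
SELECT pe.state_desc, pe.permission_name, pe.class_desc,
       CASE pe.class_desc
            WHEN 'OBJECT_OR_COLUMN' THEN OBJECT_SCHEMA_NAME(pe.major_id) + N'.' + OBJECT_NAME(pe.major_id)
            WHEN 'SCHEMA'           THEN SCHEMA_NAME(pe.major_id)
            ELSE DB_NAME()
       END AS securable
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'integration_appx_vendor';
```

The output of the last two queries is the artifact to attach to the support case: it shows reviewers the exact tables and procedures touched, which is what the request for DBO (or, worse, SA) usually lacks.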
changelog
Wednesday, 07 May 2025 at 10:27AM:
Updated typo to mention SERVER admin is not allowed, but SECURITY admin is
Wednesday, 12 February 2025 at 12:26PM:
Added links to new Azure ExpressRoute article
Monday, 10 February 2025 at 08:52AM:
Added notes on ExpressRoute
Friday, 07 February 2025 at 11:09AM:
Added CDC FAQ link
Wednesday, 30 October 2024 at 08:59AM:
Noted that SQL Database Mail is not allowed due to ongoing maintenance concerns; recommended alternatives
Wednesday, 23 October 2024 at 01:47PM:
Added note that CDC and VPN based backups are allowed, but SQL replication across the cloud boundary is not allowed.
Wednesday, 23 October 2024 at 07:28AM:
Updated to fix verbiage in reference to VFC and how that is NOT allowed for new customers. In addition, noted that the Enterprise bundle may be fairly expensive depending on the tier desired and your number of licenses.
Thursday, 10 October 2024 at 11:04AM:
Called out that OLE Automation is denied. Restructured to add table of contents and to call out enterprise bundle at Gold tier or higher as a possibility for gaining deeper level access.
Tuesday, 06 August 2024 at 09:11PM:
Added a callout in the local file system access denied section that talks about SSIS packages writing to the VP Repository being allowed.
Wednesday, 31 July 2024 at 12:50PM:
Added Ryvit (AppXchange / DataXchange) as preferred way to get data out of the ERP.
Monday, 22 July 2024 at 10:09AM:
Added note that Security Admin rights are possible, but HIGHLY discouraged and require case by case approval.
Monday, 26 February 2024 at 09:12AM:
Added information about local file access being allowed through an SSIS package.
Monday, 20 November 2023 at 11:30AM:
Added note about Azure vNet Peering not being allowed.
Monday, 20 November 2023 at 11:20AM:
added xp_cmdshell to the denied list, specified that local Linked servers are denied (must be remote), added reminder about SQL agent jobs not being editable except by owner, improved tags
Monday, 27 February 2023 at 01:40PM:
Clarified that REMOTELY HOSTED SQL Linked Server objects are supported, but additional, third party databases on the Vista server are not supported.
Monday, 24 October 2022 at 07:56PM:
clarified that windows shell access is denied: both GUI and command prompt / powershell.
Monday, 10 January 2022 at 12:07PM:
Added clarifying summary section on what is allowed and what is not allowed.
Wednesday, 08 December 2021 at 08:44PM:
Added tags
Thursday, 22 July 2021 at 11:37AM:
Added specific callout about Database authorization
Tags: sysadmin, security admin, SA account, database admin, admin user, Windows admin, server admin, root access, additional database, SQL linked server objects, Linked Server, Server Objects, SA access, Sys Admin, System Admin, Root Account, OS access, Azure vNet Peering, Azure Expressroute, Azure Express Route, local disk file access, file access, local server disk access, write to VP Repository