What Level of Access Will I Have?

Author:  Eric Vasbinder 

Summary of Access Allowed

Allowed:

• Create, edit, delete stored procedures, triggers, and views

• Custom UD fields, forms, and tables

• Custom reports including Crystal, SSRS, etc.

• Hosting SSIS Packages

• SSIS Packages CAN write files to the local Viewpoint Repository folder

  • Assists with exporting data from Vista on a regular basis

• Azure Expressroute WITHOUT vNet Peering

  • Possible to do, but without vNet peering, this can be slower than an IPSEC VPN, thus providing little to no benefit

• DBO Access to the Viewpoint Vista database

• Access to edit SQL Agent jobs owned by your SQL service account

  • More details here:  How can I edit SQL Jobs? 

• Creation of remotely hosted SQL Linked Server objects that point to the cloud Vista server

  • Network connection is provided in this instance by using the TLS Database Endpoint (TLS VPN) or an IPSEC VPN.

Denied:

• Direct file system access (e.g. xp_cmdshell)

  • We recommend using the File System API instead through the Vista rich client, or if files need to be automatically imported and exported, using the built-in pickup directory capability in Vista

• Root (Admin) access to the server hardware itself

• SA level access to the database

  • See above that DBO is available upon request

• Editing SQL Agent jobs NOT owned by your specific account

  • Recommend assigning ownership of SQL jobs to a single account and then granting that SQL account the role "SQL Agent Operator".

• Azure vNet Peering is NOT allowed

  • There are significant security concerns around allowing such an extensive level of network intermingling.

• Windows Shell access through either the Windows OS's GUI itself or the Command Prompt or Powershell.

• Creation of custom SQL Linked Server Objects in the databases for Trimble Viewpoint products (e.g. Vista).

  • Please set these up externally, pointing to the appropriate DB (e.g. Vista) over a TLS Database Endpoint (TLS VPN) or IPSEC VPN.

• Hosting additional databases other than the Vista records or attachments database on the Vista Server

  • If having a database on the same instance as Vista is critical, then please use remotely hosted SQL linked server objects, connected over your TLS Database Endpoint (TLS VPN) or IPSEC VPN

Detailed Description of Access Allowed

Operating Systems

Any operations that require third party, or customer, administrator access to the operating system of any servers (Viewpoint products or third party) hosted in our environment is not allowed.  This level of access, also known as "root" access, is not allowed for security reasons.  This includes RDP access to the OS upon which our cloud solutions run.  In addition, direct file system access is not generally allowed:  this includes xp_cmdshell (Command shell) direct file system access.

This level of access is restricted to a small set of background-checked, verified personnel.  This restriction is critical to maintaining the SOC security certifications that we hold, including SOC 1 type 1, 1 type 2, 2 type 1, and 2 type 2.  Without this restriction, maintaining these certifications would become much more difficult.

Please note that NO third-party software is allowed to be installed on the Vista servers in our environment - again for compliance reasons.  In addition, though we used to regularly allow hosting of certain third-party applications in our environment (such as MSI Data Service Pro), we are moving away from this approach.  Third party applications will by default by hosted externally, connected over the TLS Database Endpoint (TLS VPN) or an IPSEC VPN.  For those customers that are hosting previously "hosting approved" applications with us, those third-party components MUST be installed on separate servers, UNIQUE to that integration.  

NOTE:  SSIS packages, depending on the content, may be possible in our cloud.  Please create a cloud support case and submit your SSIS package request for review.  Approval cannot be guaranteed however and depends on the extent of access needed by this package.

Database

Access to the Vista database is strictly controlled to allow us to adhere to our security certifications, including SOC 2, Type 2.  DBO access to the Vista database may be provided on an exception basis with justification.  Security Admin (SA) access to the Vista database is NOT ALLOWED for security reasons.  Needs that require SA access to the Vista database can be accommodated by coordinating with our cloud support team.

NOTE:  RATHER THAN USE "SA" ACCESS, THIRD PARTY APPLICATIONS SHOULD THOROUGHLY DOCUMENT THE LEAST PRIVILEGE PERMISSIONS NEEDED FOR THEIR APPLICATION (e.g. DBReader, DBWriter, etc.), ALONG WITH THE SPECIFIC TABLES WHERE ACCESS IS NEEDED.  

In summary, access directly to the Vista SQL database is allowed however, but with certain caveats and recommendations, including DBO approval only upon written justification, and no SA access.  See this page for more database access details:  Will I still be able to edit the Vista database if we're hosted in your cloud? SSMS? Custom Crystal Reports?

Tags:  sysadmin, security admin, SA account, database admin, admin user, Windows admin, server admin, root access, additional database, SQL linked server objects, Linked Server, Server Objects, SA access, Sys Admin, System Admin, Root Account, OS access, Azure vNet Peering, Azure Expressroute, Azure Express Route, local disk file access, file access, local server disk access, write to VP Repository