What Level of Access Will I Have?
A Lot is Allowed, but NOT Root / Admin / SA / OS Shell Access
Author: Eric Vasbinder
Summary of Access Allowed
Allowed:
Create, edit, delete stored procedures, triggers, and views
Custom UD fields, forms, and tables
Custom reports including Crystal, SSRS, etc.
Hosting SSIS Packages
SSIS Packages CAN write files to the local Viewpoint Repository folder
Assists with exporting data from Vista on a regular basis
Azure Expressroute WITHOUT vNet Peering
Possible to do, but without vNet peering, this can be slower than an IPSEC VPN, thus providing little to no benefit
DBO Access to the Viewpoint Vista database
Access to edit SQL Agent jobs owned by your SQL service account
More details here: How can I edit SQL Jobs?
Creation of remotely hosted SQL Linked Server objects that point to the cloud Vista server
Network connection is provided in this instance by using the TLS Database Endpoint (TLS VPN) or an IPSEC VPN.
Denied:
Direct file system access (e.g. xp_cmdshell)
We recommend using the File System API instead through the Vista rich client, or if files need to be automatically imported and exported, using the built-in pickup directory capability in Vista
Root (Admin) access to the server hardware itself
SA level access to the database
See above that DBO is available upon request
Editing SQL Agent jobs NOT owned by your specific account
Recommend assigning ownership of SQL jobs to a single account and then granting that SQL account the role "SQL Agent Operator".
Azure vNet Peering is NOT allowed
There are significant security concerns around allowing such an extensive level of network intermingling.
Windows Shell access through either the Windows OS's GUI itself or the Command Prompt or Powershell.
Creation of custom SQL Linked Server Objects in the databases for Trimble Viewpoint products (e.g. Vista).
Please set these up externally, pointing to the appropriate DB (e.g. Vista) over a TLS Database Endpoint (TLS VPN) or IPSEC VPN.
Hosting additional databases other than the Vista records or attachments database on the Vista Server
If having a database on the same instance as Vista is critical, then please use remotely hosted SQL linked server objects, connected over your TLS Database Endpoint (TLS VPN) or IPSEC VPN
Detailed Description of Access Allowed
Operating Systems
Any operations that require third party, or customer, administrator access to the operating system of any servers (Viewpoint products or third party) hosted in our environment is not allowed. This level of access, also known as "root" access, is not allowed for security reasons. This includes RDP access to the OS upon which our cloud solutions run. In addition, direct file system access is not generally allowed: this includes xp_cmdshell (Command shell) direct file system access.
This level of access is restricted to a small set of background-checked, verified personnel. This restriction is critical to maintaining the SOC security certifications that we hold, including SOC 1 type 1, 1 type 2, 2 type 1, and 2 type 2. Without this restriction, maintaining these certifications would become much more difficult.
Please note that NO third-party software is allowed to be installed on the Vista servers in our environment - again for compliance reasons. In addition, though we used to regularly allow hosting of certain third-party applications in our environment (such as MSI Data Service Pro), we are moving away from this approach. Third party applications will by default by hosted externally, connected over the TLS Database Endpoint (TLS VPN) or an IPSEC VPN. For those customers that are hosting previously "hosting approved" applications with us, those third-party components MUST be installed on separate servers, UNIQUE to that integration.
NOTE: SSIS packages, depending on the content, may be possible in our cloud. Please create a cloud support case and submit your SSIS package request for review. Approval cannot be guaranteed however and depends on the extent of access needed by this package.
Database
Access to the Vista database is strictly controlled to allow us to adhere to our security certifications, including SOC 2, Type 2. DBO access to the Vista database may be provided on an exception basis with justification. Security Admin (SA) access to the Vista database is NOT ALLOWED for security reasons. Needs that require SA access to the Vista database can be accommodated by coordinating with our cloud support team.
NOTE: RATHER THAN USE "SA" ACCESS, THIRD PARTY APPLICATIONS SHOULD THOROUGHLY DOCUMENT THE LEAST PRIVILEGE PERMISSIONS NEEDED FOR THEIR APPLICATION (e.g. DBReader, DBWriter, etc.), ALONG WITH THE SPECIFIC TABLES WHERE ACCESS IS NEEDED.
In summary, access directly to the Vista SQL database is allowed however, but with certain caveats and recommendations, including DBO approval only upon written justification, and no SA access. See this page for more database access details: Will I still be able to edit the Vista database if we're hosted in your cloud? SSMS? Custom Crystal Reports?
changelog
Monday, 26 February 2024 at 09:12AM:
Added information about local file access being allowed through an SSIS package.
Monday, 20 November 2023 at 11:30AM:
Added note about Azure vNet Peering not being allowed.
Monday, 20 November 2023 at 11:20AM:
added xp_cmdshell to the denied list, specified that local Linked servers are denied (must be remote), added reminder about SQL agent jobs not being editable except by owner, improved tags
Monday, 27 February 2023 at 01:40PM:
Clarified that REMOTELY HOSTED SQL Linked Server objects are supported, but additional, third party databases on the Vista server are not supported.
Monday, 24 October 2022 at 07:56PM:
clarified that windows shell access is denied: both GUI and command prompt / powershell.
Monday, 10 January 2022 at 12:07PM
Added clarifying summary section on what is allowed and what is not allowed.
Wednesday, 08 December 2021 at 08:44PM
Added tags
Thursday, 22 July 2021 at 11:37AM
Added specific callout about Database authorization
Tags: sysadmin, security admin, SA account, database admin, admin user, Windows admin, server admin, root access, additional database, SQL linked server objects, Linked Server, Server Objects, SA access, Sys Admin, System Admin, Root Account, OS access, Azure vNet Peering, Azure Expressroute, Azure Express Route, local disk file access, file access, local server disk access, write to VP Repository