1. Client Deployment Guide
  2. Client Application Loader (CAL)
  3. Security Considerations

Security Considerations

Each organization has a unique security policy in place, which could affect the software upgrade process. Security policies that restrict or block access to resources required by Oracle software can cause the upgrade to fail completely or prevent the upgrade from completing without manual user intervention.

Account Privileges

  • Local machine administrative privileges are required. In domain environments, ensure that the domain user has local administrative privileges until the upgrade is complete. This is minimally required for the initial setup of the workstation.

  • User Account Control (UAC) needs to be disabled during the installation processes to avoid operating system prompts, which require manual intervention. This is not required when upgrading to Simphony client release 18.1 or later.

Network Access

  • Sites using HTTPS certificates containing a Certificate Revocation List (CRL) URL should verify that this URL is reachable from the workstations.

  • Sites using HTTPS certificates containing an Online Certificate Status Protocol (OCSP) URL should verify that this URL is reachable from the workstations.

Database Access

  • Simphony client upgrades require access to the local database instance and database files during the upgrade.

  • Simphony clients must allow for a minimum of 8 login attempts per instance. Workstations running headless shared services, and POS operations, require a minimum of 16 login attempts.

  • Database credentials should not be rotated immediately before or during the upgrade process. Defer credential rotation until after the upgrade is finished and has been validated.

  • Sites using Microsoft Windows user account lockout policies can also impact the SQL Express connection attempts from your workstations. Adjust this policy accordingly before the upgrade to prevent Simphony database users from being locked out.

  • The Device Information module in the EMC identifies issues that may prevent the client from upgrading. Scheduling and Viewing Device Information contains more information.

File System Access

  • Several operating system directories and utilities are used during the upgrade process.

  • The upgrade process runs under the permissions of the user account logged in to the workstation. This user account might require access to the executable files, directories, and subdirectories listed in this table:

Table 1-1 File System Access

Package Access Type File System Object

CalVersionFixer

Read/Write/Execute

Read

Execute

%AppRoot%

%SYSTEMROOT%\System32

cscript.exe

CAPSOnIIS

Read/Write/Execute

Read/Write/Execute

%AppRoot%\CAPSOnIIS

%SYSTEMDRIVE%

Service Host Download

Read/Write/Execute

Read/Write/Execute

%AppRoot%\Micros\Simphony\Download

%AppRoot%\Micros\Simphony\Prereq

McrsCAL

Read/Write/Execute

Execute

%ProgramFiles%\micros

regedit.exe

MediaViewer

Read/Write/Execute

Execute

%AppRoot%

iisreset.exe

KDS Handler

Read/Write/Execute

Read/Write/Execute

Read/Write/Execute

Execute

%AppRoot%

%KDSRoot%

%SYSTEMDRIVE%

netsh

ServiceHost

Read/Write/Execute

Read/Write/Execute

Execute

Execute

Write

%AppRoot%

%SYSTEMDRIVE%

Regsvr32.exe

sc.exe

%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs

msiexec.exe

WS KDS Display

Read/Write/Execute

Read/Write/Execute

Execute

Write

%KDSRoot%

%SYSTEMDRIVE%

netsh

%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs

Parent topic: Client Application Loader (CAL)