Currently DSP has a hard requirement to use a SQL login as its service account to allow the application to talk to the DB server. For years this has been a contention with many clients. In North America at least 50% of the time with new installs/new customers this is an issue to discuss. For many customers they have great controls and comfort with how to monitor/manage AD user accounts but not with local SQL user logins.
DSP needs to be able to leverage an Active Directory account as the service account used to allow the application to talk to the DB server. For higher security customers we will update the web.config to use integrated authentication for the web server; this eliminates some of the SQL login traffic but not all of it. We further mitigate this by always setting up the login with a highly complex password, we don't give out the password to anyone (Syniti, customer, etc.), and we require all users accessing SQL to have dedicated logins.
Here are the specific types of accounts I feel that DSP should support using as a service account:
GMSA reference: https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview
Thanks for logging, Jake. PM will reach out to discuss in more detail after the calls this week.
And update on this votes?
Any updates on when this is planned for release?
Another idea that will be integral to this change: https://syniti.ideas.aha.io/ideas/FRAMEWORK-I-372