How-to User Privileges in Qinsy

Introduction

This document contains some information on the required user privileges and user rights when using Qinsy 9.6 and newer versions to perform certain tasks.

Special User Privileges

The following user privileges may be required in certain situations. Below you will find a table with the affected privileges and the use cases in which they may be required.

User Privilege

User Privilege Description

Use Case

SeSystemtimePrivilege

Change the system time

When using certain 'Time Synchronization' systems Qinsy offers the option to synchronize the system time with the Qinsy PPS time.

This action is performed by the 'Controller.exe' process.

Optionally this action is also performed by the 'ClientController.exe' process.

SeShutdownPrivilege

Shut down the system

When using certain I/O drivers the driver has the capability to initiate a shutdown of the system.

Current the following drivers have this capability:

DrvDeepCAFS.exe
DrvRemoteControlTcpServer.exe

The actual shutdown of the system is performed by the 'Controller.exe' process.

SeIncreaseBasePriorityPrivilege

Increase scheduling priority

When using certain I/O drivers it may be required to give these drivers more CPU time.

This is accomplished by increasing the process base priority.

Functional User Rights

Below you will find information on the user rights required to enable certain functionality.

Remote Display Client Functionality

The remote display client functionality is implement by two processes:

SocketServer.exe	Read all required information from the IPC buffers on the online system. Send all required information to the remote displays via network sockets.
ClientController.exe	Receives all required information from the online system. Recreates the IPC buffers on the remote client system. Starts/Stops display process which read the recreated IPC buffers. Optionally synchronizes the system time on the remote PC to the system time on the Online PC

In order to implement the functionality described in the table above the SocketServer/ClientController need to perform the following tasks:

User Right Description	Use Case
Created Shared File Folders	When using the Remote Display functionality of Qinsy it is necessary to share certain files from the online system to the remote display systems. To share these files some shared file folders are created on the online system by the the 'SocketServer.exe' process.
Read data from Shared File Folders	When using the Remote Display functionality of Qinsy it is necessary to access certain files on the online system in order to display the information on the remote display. To access these files several display processes need to: Connect to the shared file folders on the online system. Read data from the files present in the shared file folders on the online system.
Listen for a new TCP connection on a specific port	In order to allow the 'ClientController.exe' process to connect to the 'SocketServer.exe' process the 'SocketServer.exe' process needs to listen on a certain network port for new connections. The base network port on which the 'SocketServer.exe' process is listening is controlled through a setting in the 'SocketServer.exe' process. The 'SocketServer.exe' process will listen on the 'base network port' number and on the 'base network port + 1' number. Once the connection is established the communication is offloaded on another network connection of which the port numbers are issued by the operating system based on availability.
Initiate a new TCP connection on a specific port	In order to allow an 'ClientController.exe' process to establish a connection to the 'SocketServer.exe' process the 'ClientController.exe' process needs to initiate a new connection. The base network port to which the 'ClientController.exe' process is connecting is controlled through a setting in the 'ClientController.exe' process. The 'ClientController.exe' process will initiate a connection on the 'base network port' number and on the 'base network port +1' number. Once the connection is established the communication is offloaded on another network connection of which the port numbers are issued by the operating system based on availability.
Send data via a TCP socket	In order to allow the 'SocketServer.exe' & 'ClientController' processes to exchange data both the 'SocketServer.exe' & 'ClientController' processes need to send data via a TCP socket.
Receive data via a TCP socket	In order to allow the 'SocketServer.exe' & 'ClientController' processes to exchange data both the 'SocketServer.exe' & 'ClientController' processes need to receive data via a TCP socket.Syn
Change system time	In order to allow the 'ClientController.exe' process to synchronize the system time on the Remote PC to the system time on the Online PC it requires the SeSystemtimePrivilege privilege. If the user account is a member of the Local Administrators group the 'Console.exe' process will attempt to start the 'ClientController.exe' elevated to make this functionality available tot the user.

I/O Drivers

In order to allow the exchange of information between I/O Sensors (the actual measurement devices) and I/O Drivers (the Qinsy component responsible for converting the information) an I/O Driver need to perform certain tasks. The actual tasks per I/O Driver depend on the exactly mechanism that is implemented by the I/O Sensor. More information may be found in the I/O Driver specific entry in the Drivers Manual. The tasks that may be required are listed below:

TCP based connections

Listen for a new TCP connection on a specific port	In order to allow an I/O Sensor to establish a connection to its corresponding I/O Driver the I/O driver needs to listen for new connections. The network port on which the I/O Driver is listening is normally controlled through a setting in the Database Setup program. Once the connection is established the communication is offloaded on another network connection of which the port numbers are issued by the I/O driver's operating system based on availability.
Initiate a new TCP connection on a specific port	In order to allow an I/O Driver to establish a connection to its corresponding I/O Sensor the I/O Driver needs to initiate a new connection. The network port on the I/O Sensor to which this connection is initiated is normally controlled through a setting in the Database Setup program. Once the connection is established the communication may be offloaded on another network connection of which the port numbers are issued by the I/O Sensor's operating system based on availability.
Send data via a TCP socket	In order to allow the I/O Driver to exchange data with the I/O Sensor they may need to send data via a TCP socket.
Receive data via a TCP socket	In order to allow the I/O Driver to exchange data with the I/O Sensor they may need to receive send data via a TCP socket.

UDP based connections

Send data via
an UDP socket

In order to allow the I/O Driver to exchange data with the I/O Sensor it may need to send data via an UDP socket.

The IP number and network port to which the I/O Driver is sending the data is normally controlled through I/O driver specific settings in the Database Setup program.

Receive data via
an UDP socket

In order to allow the I/O Driver to exchange data with the I/O Sensor it may need to receive data via an UDP socket.

The IP number and network port from which the I/O Driver is receiving the data is normally controlled through I/O driver specific settings in the Database Setup program.

OPC Client

Registration and Unregistering of the OpcClient is done by the MSI and requires administrative privileges. Only one instance of the 'OpcClassicServer.exe' component may be registered within the Windows OS.
Administrative privileges are required to run these commands.

Registering the driver	<Install location>\OpcClassicServer.exe" /regserver
Unregistering the driver	<Install location>\OpcClassicServer.exe" /unregserver

Squire Server

During installation

Right description

Use case

Open ports on the firewall

Squire needs to be able to open a HTTP port for the SVM and other clients to connect to.
PostgreSQL needs a TCP port to communicate with its clients.

Squire communicates with PostgreSQL using port 5438 on localhost.

A number of applications can communicate with Squire over port 7834:

localhost
- SurveyManager.exe
- DspNavigationJs.exe
optional and outside localhost
- Browser (for example localhost:7834/status)
- QGIS / ArcGIS can use Squire as a tile server

Schedule a Task

Use schtasks.exe to set up a task that automatically starts Squire under the user's account upon login.

This task starts a VB script which launches the correct version of dotnet.exe to run the server application.

During runtime

Right description	Use case
Open a TCP server port	The HTTP server listens on port 7834. The PostgreSQL server listens on port 5438.
Start another executable	Squire needs to start up `pg_init.exe` and `postgres.exe` from its own PostgreSQL installation.
Create and write file and folders in the DB directory	PostgreSQL needs to initialize and use a database in a given folder. For this, files and subfolders need to be created and modified. In current installations, this is under `C:\ProgramData`. For future releases, it is under consideration to move this location under the user's LocalAppData, or the Public Documents folder.

HelpServer

From Qinsy 9.7.0 our contextual help system relies on a .NET server.

During installation

Right description

Use case

Open ports on the firewall

The HelpServer needs to be able to open a HTTP port for all clients to connect to: port 7027.

Add, remove, start or stop a service

Use New-Service, Start-Service to add a service that automatically starts the HelpServer under the user's account upon login.

When uninstalling, the service is stopped Stop-Service and removed sc.exe delete.

During runtime

Right description	Use case
Open a TCP server port	The HTTP server listens on port 7027.
Create and write file and folders in the local application data directory	The HelpServer will write indexing files in the LocalAppData folder.

Proxy.exe Process

Runtime

Open a TCP socket

Data communication happens on:

port 7400 (tcp://127.0.0.1:7400) and
port 7401 (tcp://127.0.0.1:7401)