WATS services can be run as a named service account instead of the default machine account (Network Service). This allows more fine-grained control over what the service(s) can actually access.
Keep in mind that configuring a different service account also means somewhat more administrative effort with regard to documentation.
The web service needs access to the two or three WATS databases, usually named WATS_TDM, WATS_MES and WATS_WIS. Not all implementations include the WIS database.
The following rights and roles must be granted to the service user:
- Log on as a service permission on the application server
- Public server role on the database server
- db_owner rights on all the WATS databases
- Read/write permissions on c:\ProgramData\Virinco\WATS and subfolders
Further lockdown is possible, but not recommended.
Using IIS Manager to change the WATS application pool(s) to use this service account will automatically grant the user the Log on as a service permission.
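
The file system and database grants from the list above can be scripted. The following is an added example, not a script supplied with WATS: the account name and SQL Server instance are hypothetical placeholders, and `Invoke-Sqlcmd` is assumed to be available from the SqlServer PowerShell module. The Log on as a service right is left to IIS Manager, as described above.

```powershell
# Added example. Run elevated, as a user who is sysadmin on the database server.
$ErrorActionPreference = 'Stop'
$Account     = 'CONTOSO\svc-wats'                 # hypothetical service account
$SqlInstance = 'SQLSERVER01'                      # hypothetical database server
$DataPath    = 'C:\ProgramData\Virinco\WATS'      # path from the list above
$Databases   = 'WATS_TDM', 'WATS_MES', 'WATS_WIS' # usual names; WIS may be absent

# 1. NTFS: read/write on the WATS data folder, inherited by subfolders and files.
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $Account,
    [System.Security.AccessControl.FileSystemRights]'Read, Write',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl = Get-Acl -Path $DataPath
$acl.AddAccessRule($rule)
Set-Acl -Path $DataPath -AclObject $acl

# 2. SQL Server: create the Windows login if it is missing. Every login is a
#    member of the public server role automatically, so no extra grant is needed.
$login  = $Account.Replace(']', ']]')    # escape for use inside [brackets]
$quoted = $Account.Replace("'", "''")    # escape for use inside N'...'
Invoke-Sqlcmd -ServerInstance $SqlInstance -Query @"
IF SUSER_ID(N'$quoted') IS NULL
    CREATE LOGIN [$login] FROM WINDOWS;
"@

# 3. db_owner on each WATS database that exists on this instance.
foreach ($db in $Databases) {
    $row = Invoke-Sqlcmd -ServerInstance $SqlInstance -Query "SELECT DB_ID(N'$db') AS Id"
    if ($row.Id -is [System.DBNull]) { Write-Warning "$db not found, skipping"; continue }
    Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $db -Query @"
IF DATABASE_PRINCIPAL_ID(N'$quoted') IS NULL
    CREATE USER [$login] FOR LOGIN [$login];
ALTER ROLE db_owner ADD MEMBER [$login];
"@
}
```

The script can be rerun safely: the login and database user are only created when missing, and installations without the WIS database get a warning instead of an error.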