Chromeleon and Windows Vista (or later)

One of the most prominent features in Windows Vista® and later operating systems is the way applications interact with the Windows security infrastructure. While previous Windows operating systems such as Windows NT by default granted excessive rights to standard users, Vista was designed with the concept of least-privilege. The result of this concept is User Account Control (UAC), a mechanism, which protects certain areas of the operating system from being accessed by users who don't have the necessary administration privileges.

When a user attempts to perform a task that requires elevated privileges to run, UAC automatically prompts the user either for approval or an administrator password, depending on the user account privileges or type of application to run, before continuing with the operation. The UAC prompt is called an elevation prompt and its behavior can be configured in the Local Security Policy.

Running Chromeleon under Windows Vista or later

In Chromeleon, UAC is configured such that it provides three different user account levels to control access to the individual Chromeleon applications and tasks. Each level results in a specific UAC prompt - either a consent or a credential prompt - that is displayed when a user attempts to run an application or task that requires elevated privileges. The consent prompt is displayed to administrators in Admin Approval Mode (AAM) when they attempt to perform an administrative task. (Note: AAM is the default setting when UAC is enabled.) The credential prompt is displayed to both standard users and users with advanced privileges (e.g. the Impersonate a client after authentication privilege) when they attempt to perform an administrative task.

Applications, such as the Server Configuration, or basic user functions of the Chromeleon Server Monitor program run with standard user rights, while elevated privileges are needed for the Chromeleon Client. Full administrator privileges are required for typical administrative tools such as the Security Activation Tool (CMSecure program), System Status Report, Database Installation Qualification or Chromeleon Installation Qualification (IQ) programs.

 

The following table displays an overview of the possible elevation prompt settings exemplified for selected Chromeleon applications:

User Account Type

Chromeleon Server Configuration

Chromeleon Client

Security Activation Tool (CMSecure)

 

 

 

 

Standard User

No prompt

A credential prompt appears requesting a valid user name and password.

A credential prompt appears requesting a valid administrator user name and password.

 

 

 

 

Advanced Privilege User

No prompt

A credential prompt appears requesting a
valid user password.

A credential prompt appears requesting a valid administrator user name and password.

 

 

 

 

Administrator

No prompt

A consent prompt appears requesting the administrator for approval.

A consent prompt appears requesting the administrator for approval.

 

Note:

Administrators who need to perform administrative tasks in the Chromeleon Server Monitor or in the Chromeleon Client, e.g. to configure the License Provider (Chromeleon Client > Preferences > License) need to start these programs via the Run As Administrator command dialog. To do so, quit the program, right-click the program icon, select Run As Administrator on the menu, and then enter an administrator name and password.

 

Important

In Chromeleon, running the typical user applications and tasks either as an administrator or standard user usually does not invoke any UAC prompts. However, the specific UAC configuration choices made in your environment will affect the prompts and dialogs seen by standard users, administrators, or both, and may result in unexpected program behavior.

 

Tip:

For detailed information about the security policy of your Windows operating system, also refer to the Microsoft web page (www.microsoft.com).