We recommend that a CLC Genomics Server service is run by a non-privileged system user account for security reasons.

For Linux and Mac OS X systems:

The information here covers the steps to take if you have previously run the CLC Genomics Server using a privileged user account such as root and now wish to switch to running the service using a non-privileged account.

Most of the work here involves changing ownership on files associated with the CLC Genomics Server and altering the service script to ensure the service is started up by the appropriate user. To carry out the steps here, you need to:

• use an account that has administrative privileges for the CLC Genomics Server, AND
• have appropriate privileges on the system where data is stored to change the ownership of the folders and files relevant to the CLC Genomics Server.

For Genomics Servers with job nodes or grid nodes, please ensure that the user you plan to use to run the CLC Server process has the same uid and gid on all nodes.

Steps to take

1. Notify users that there will be a temporary service interruption and ask them to stop submitting new jobs to the CLC Genomics Server.
    
2. Take notes of the current File System locations and the Import/Export locations on the Genomics Server interface by navigating to the Configuration tab, click on the Main configuration tab, and then click on the File system locations heading to expand that section. More information about these two settings can be found in the following manual area:
   
   https://resources.qiagenbioinformatics.com/manuals/clcgenomicsserver/current/admin/index.php?manual=File_system_locations.html
   
    
3. (Optional) Backup data associated with the CLC Server File System Locations and Import/Export locations. Backing up data is recommended if backups are not otherwise already in place at your site. The only changes needed to perform here are filesystem ownership modifications, which are not expected to affect the data itself but it is always a good policy to have at least one extra copy of the data to prevent possible data loss.
    
4. Make sure that there are no CLC Server jobs currently running or scheduled to run (queued) on the CLC Server and on any job nodes or grid nodes.
5. Stop the CLC Server service by using the startup/stop script as described on the following Server manual page link:
   
   https://resources.qiagenbioinformatics.com/manuals/clcgenomicsserver/current/admin/index.php?manual=Starting_stopping_server.html
   
   You will need to do that as the user that is currently running the CLC Genomics Server service, or as the administrative user account through the startup/stop script.
   
   This service can be shut down or restarted through the web interface:
   
6.  
7. Change the ownership recursively on the folders listed in the following section, using a system user account that has the privileges to do this.
   
   The command below is an example of how to change the owner and the group (owner:group) on a Linux system where the installation location of the software was /opt/CLCGenomicsServer. Here, the ownership is being changed so that the folder /opt/CLCGenomicsServer and all folders and files under it will be owned by a normal user account called clcbio with a group called clcbio.
   
   chown -R clcbio:clcbio /opt/CLCGenomicsServer
   
   The folders to apply recursive ownership changes to are:
    
   • The folder where the CLC Genomics Server software is installed.
      
   • All folders configured as File System Locations in the CLC Genomics Server.
      
8. Modify your start/stop script used to start and stop the CLC Genomics Server service so that it refers to the user account that should be running the CLC Genomics Server.
   
   Further information about starting and stopping the service can be found in the manual at:
   
   https://resources.qiagenbioinformatics.com/manuals/clcgenomicsserver/current/admin/index.php?manual=Starting_stopping_server.html
   
   On some Linux systems, the service script can be found under /etc/init.d/. For example, in the case of the CLC Genomics Server, under 
   /etc/init.d/CLCGenomicsServer.
   
   To run the service as a non-administrative user, please ensure that the line starting with CUSTOM_USER is set to true, i.e.
   
   CUSTOM_USER=true
   
   and that the line beginning with USER is set to the user that you wish to use. For example, if that user was called clcbio, that line would look like:
   
   USER=clcbio
9. Check that there are no CLC folders and files under the temporary directory called things like
   
   /tmp/i4jdaemon__usr_local_CLCGenomicsServer*_CLCGenomicsServer*.
   
   If there are any such files, delete them.
    
10. Start the CLC Server service with the user account you wish to run it as.
     
11. Check the server settings by following the instructions in the manual:
    
    https://resources.qiagenbioinformatics.com/manuals/clcgenomicsserver/current/admin/index.php?manual=Check_setup.html
    
    Examine the output report for any errors.
    
    You may also want to consider running a few CLC jobs submitted from the Workbench with the input and output data on the CLC Genomics Server to verify it is working as you expect.

Notes for CLC Servers with grid nodes

For CLC Servers with grid nodes, please make sure the ownership of the following areas is also changed: 

• Grid Shared Work Directory
  The grid shared work directory is used and should be accessed by both of the CLC Genomics Server and the grid scheduler software and is specified in the grid preset.
• Path to CLC Grid Worker
  The path to the CLC Grid Worker points to the directory that holds the executable binaries of the CLC Genomics Server that will be used to run the CLC jobs on the grid nodes.

The path for both of the above locations can be found in the grid preset configurations. More details about the grid preset settings are available on the following Genomics Server manual link:

https://resources.qiagenbioinformatics.com/manuals/clcgenomicsserver/current/admin/index.php?manual=Configure_grid_presets.html

Some grid scheduling systems may be configured to create temporary files of the CLC jobs as the system user account that runs the grid scheduler software, rather than the user account that runs the CLC Server. Thus, if you are changing the ownership of the CLC Server, please refer to the manual for your grid system and make sure the new CLC Server owner account is used by the grid scheduler for running CLC jobs from start to finish. You may also want to consider to use the same account for running both the grid scheduler / resource manager and the CLC Server service in order to avoid the possible permission issues, as long as the non-privileged system user account is used for running the grid scheduler software.

For Microsoft Windows systems (Windows 7/8/10, Windows Server 2012/2016/2019):

After the installation, the CLC Genomics Server service is run by the Local System account by default. The account has full access to the local system but may not have sufficient permission to access network storage share or mapped drives.

We recommend to change the account used to run the CLC Genomics Server service from Local System account to a normal user account. And then make sure this user account has full access to the shared CLC data and import/export locations.

To change the account used to run the service, you can use the GUI windows service snap-in by typing the following in an elevated command prompt (right click on the "command prompt" icon of the Start menu | All Programs | Accessories, then choose Run as Administrator option from the drop-down menu):

services.msc

Then

• Right click on the service on the service list. The name of the service will reflect the Server product you are using. For example, when running the CLC Genomics Server, it would be CLCGenomicsServer. 
• Choose Properties.
• Go to "Log on" tab.
• Choose the radio button for "This account:".
• Click on Browse button to type in the username you would like to use to run the CLC Genomics Server service.
• Once the user account is chosen, please enter the user's password twice in the password fields, then click OK.

You will need to restart the service for the new account to be in effect. To do this, simply right click on the CLC Genomics Server service and choose restart in the service snap-in window.

For a CLC Genomics Server cluster running on windows machines, please make sure the same account is used for running all CLC Genomics Server service on all machines.

Please make sure that this user account has permissions to read and write the data folders used for the CLC Genomics Server (both the master and the job nodes) at both the filesystem level (the Security tab in folder's properties window) and at the sharing level (the Sharing tab in folder's properties window).

Once the CLC Genomics Server service is restarted on all the nodes, you can then use server check setup script method mentioned in the following Server manual link

https://resources.qiagenbioinformatics.com/manuals/clcgenomicsserver/current/admin/index.php?manual=Check_setup.html

to make sure that all nodes have sufficient access to the data locations and no error are generated.