The default user in a standard Windows Server Core image is ContainerAdministrator and it has full administrative rights. Like other environments, a best practice is the policy of least privilege. If the container has no need for administrative rights, a non-administrative user should be added when the image is built and used when the container instantiates. For details please refer to the USER section of the Dockerfile Reference documentation supplied by Docker.

While this is a best practice, it is not imperative in the ClearPath Extension Kit for MCP environment. Before the container can be instantiated, you must pass MCP security, Authentication Support validation, which includes Windows credential validation, and Docker permission validation. If you need administrative rights within your container, using the default ContainerAdministrator account inside the container is acceptable.

Another best practice from inside the container, is to use AUTOMAP when the container needs access to the user's file that resides on the MCP. AUTOMAP provides a secure mechanism for gaining access to an MCP share using the usercode of the user that is running the MCP codefile. This adds some time to container startup, so if MCP file access through a share mapping is not required, you should not use Automap.