When you add administrators for Symantec Endpoint Encryption (SEE), such as help desk personnel, they cannot use the SEE Management Console unless they are given Domain Administrator privileges.
Giving this level of network privilege to SEE administrators is contrary to your company's security policy. The SEE administrators need to be given only the minimum permissions needed to successfully administer SEE.
This document explains the minimum level of permissions needed to allow the SEE administrators to successfully use the SEE Management Console.
The Domain User accounts must be given the proper rights to the SEE database in Microsoft SQL Server.
In SQL Management Studio, in the left pane:
- Security -> Right-click Logins -> New Login...
- Use the ‘Search...’ button to find the new Windows user; set ‘Default database’ to the name of your SEE database (referred to as SEEMSDb from this point); set ‘Default Language’ to English.
- In the same ‘Login Properties’ box, click ‘User Mapping’ in the left pane; check the box for SEEMSDb and select ‘db_datareader’ and ‘db_datawriter’ along with ‘Public’; click OK to complete.
- In the left pane, drill down into ‘Database’, find SEEMSDb and bring up its properties.
- Select ‘Permissions’ in the left pane of the Database Properties dialog box.
- Select the Windows user on the right and grant ‘Execute’ in addition to ‘Connect’; click OK to complete.
- The Windows user should now be set to use the SEE Manager console from any machine.
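The same grants can be scripted and then audited. The following T-SQL is an added example, not part of the original article or Symantec's own tooling: it mirrors the console steps above and then queries the catalog views to show what the account actually holds. It assumes SQL Server 2012 or later (for `ALTER ROLE ... ADD MEMBER`), a placeholder Windows account `CORP\see-helpdesk`, `SEEMSDb` standing in for your SEE database name, and `us_english` as the language behind the ‘English’ setting.

```sql
-- Added example: T-SQL equivalent of the Management Studio steps.
-- Assumptions: CORP\see-helpdesk is a placeholder Windows account, SEEMSDb
-- stands for your SEE database, us_english is assumed for 'English'.
-- Run in SSMS or sqlcmd as a login allowed to create logins and users.
USE [master];
GO
CREATE LOGIN [CORP\see-helpdesk] FROM WINDOWS
    WITH DEFAULT_DATABASE = [SEEMSDb],
         DEFAULT_LANGUAGE = [us_english];
GO

USE [SEEMSDb];
GO
-- User Mapping: map the login into the SEE database (public is implicit).
CREATE USER [CORP\see-helpdesk] FOR LOGIN [CORP\see-helpdesk];
ALTER ROLE [db_datareader] ADD MEMBER [CORP\see-helpdesk];
ALTER ROLE [db_datawriter] ADD MEMBER [CORP\see-helpdesk];

-- Database Properties > Permissions: Connect plus Execute.
GRANT CONNECT TO [CORP\see-helpdesk];
GRANT EXECUTE TO [CORP\see-helpdesk];
GO

-- Audit 1: database roles the user holds in SEEMSDb.
SELECT r.name AS role_name
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = N'CORP\see-helpdesk';

-- Audit 2: explicit database-level permissions granted to the user.
SELECT p.permission_name, p.state_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals AS u ON u.principal_id = p.grantee_principal_id
WHERE u.name = N'CORP\see-helpdesk' AND p.class_desc = N'DATABASE';

-- Audit 3: server-level roles held by the login (sysadmin would show here).
SELECT sr.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals AS sr ON sr.principal_id = m.role_principal_id
JOIN sys.server_principals AS l ON l.principal_id = m.member_principal_id
WHERE l.name = N'CORP\see-helpdesk';
```

Any role or permission the audit queries return beyond the ones granted in the procedure is more than this article calls for and is worth reviewing.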
Tip: In addition to the above permissions, the SQL Server service needs to have the proper permissions to work with Symantec Endpoint Encryption. Local Service does not provide enough permissions for Symantec Endpoint Encryption.
152737 - Minimum Database Permissions for Symantec Endpoint Encryption Administrators
161258 - User and System Accounts Required by Endpoint Encryption
178363 - How to: Set up Database Access Account Rights - Symantec Endpoint Encryption
174725 - Grant Additional Administrators Access to Endpoint Encryption Manager Server Console