Required network privileges for the Control Compliance Suite infrastructure


Article ID: 179578


Products

Control Compliance Suite Windows

Issue/Introduction

 

Resolution

The Control Compliance Suite must access your network during installation and during normal operation. When you install the Control Compliance Suite components, the account that you use for the installation must have certain privileges. In addition, the accounts that you supply for the Control Compliance Suite to use must have certain privileges.

The following table lists the privileges that are required for the account that is used to install the Control Compliance Suite components.

Table: Required Installation Privileges

Component: Directory Server
Privileges: Local Administrator equivalent
Notes:
  • Must be a Domain user account.
  • The account that you use to install the Directory Server is automatically an administrator in the Control Compliance Suite directory.

Component: Application Server
Privileges: Local Administrator equivalent
Notes:
  • Must be a Domain user account.
  • Must have the sysadmin role assigned on the Microsoft SQL Server that hosts the databases. This privilege lets the installer create the required SQL Agent proxy objects.
  • The user who performs the installation also needs the credentials that are used to install the Directory Service.
  • The installer also adds this user to the CCS Administrator role.

Component: Data Processing Service (DPS)
Privileges: Local Administrator equivalent
Notes:
  • Can be a Domain user account or a local computer account.

Component: Web Portal
Privileges: Local Administrator equivalent
Notes:
  • Can be a Domain user account or a local computer account.
  • If the Web Portal uses Windows Server 2003 and you use a Domain user account to perform the installation, the account must have the following attributes:
      • Must have the Log on as a service right.
      • Must be a member of the IIS_WPG group.


The user who performs the installation must use a Local Administrator equivalent account to access the digital certificates that are required for secure communications. In addition, the user account must be a Domain account to grant other Domain accounts access to the Control Compliance Suite components.

The following table lists the privileges that are required by the account that you supply for the Control Compliance Suite components to use.

Table: Required Component Privileges

Component: Directory Server
Privileges: Local Administrator Equivalent
Notes:
  • Must be a Domain user account.

Component: Application Server
Privileges:
  • Local Administrator Equivalent
  • The account should also have the Logon as batch job privilege on the SSIS host.
Notes:
  • Must be a Domain user account.
  • The installer also adds this account to the Public role in Microsoft SQL Server.
  • The account must have the SQLAgentUserRole, the db_datareader, and the db_dtsoperator roles set for the MSDB system database. The account must also have the db_datareader role set for the CSM_DB production database. These roles let the account access SSIS packages and use SQLAgent jobs to execute the packages.
  • The Logon as batch job privilege lets the DPS Reporter impersonate the Application Server service account.
  • The install adds the service account to the CCS Administrator role.

Component: DPS Load Balancer or DPS Collector
Privileges: Local Administrator equivalent
Notes:
  • Can be a Domain user account or a local computer account.

Component: DPS Evaluator
Privileges:
  • Local Administrator equivalent
  • The service account that is used for the DPS Evaluator and the Application Server must have the log on locally privilege on the DPS Evaluator host.
Notes:
  • Can be a Domain user account or a local computer account.
  • The log on locally privilege lets the DPS Evaluator impersonate the Application Server service account.

Component: DPS Reporter
Privileges:
  • Local Administrator equivalent
  • The service account that is used for the Application Server must have the "log on locally" privilege on the DPS Reporter host.
Notes:
  • Must be a Domain user account.
  • Account must have access to the reporting database.
  • The account must have the db_datareader and db_datawriter groups for the CSM_Reports reporting database.
  • The account must have the Delete, Execute, Insert, and Update privileges on the CSM_Reports reporting database.
  • The database privileges are required to let the dashboard jobs access and update the reporting database.
  • The log on locally privilege lets the DPS Evaluator impersonate the Application Server service account.
  • If the DPS host is a Windows Server 2008 computer and UAC is enabled and in admin approval mode, the account must be granted full control of the DPS\Config and DPS\Temp folders.
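
The SQL Server role requirements in the table above can be checked with a query such as the following. This is an added example, not part of the original article or of Symantec's tooling; the two account names are hypothetical placeholders, and the database and role names are the ones the table gives.

```sql
-- Added example, not Symantec code. Account names are hypothetical placeholders.
DECLARE @app sysname = N'EXAMPLE\svc-ccs-app';  -- Application Server service account
DECLARE @rpt sysname = N'EXAMPLE\svc-ccs-rpt';  -- DPS Reporter service account

-- Database roles the Required Component Privileges table names for each account.
DECLARE @required TABLE (account sysname, db sysname, role_name sysname);
INSERT INTO @required (account, db, role_name) VALUES
    (@app, N'msdb',        N'SQLAgentUserRole'),
    (@app, N'msdb',        N'db_datareader'),
    (@app, N'msdb',        N'db_dtsoperator'),
    (@app, N'CSM_DB',      N'db_datareader'),
    (@rpt, N'CSM_Reports', N'db_datareader'),
    (@rpt, N'CSM_Reports', N'db_datawriter');

-- Direct role memberships in the three databases. Users are matched by SID, so a
-- database user whose name differs from the login is still found. Membership
-- inherited through a Windows group is not resolved and is reported as MISSING.
WITH actual AS (
    SELECT N'msdb' AS db, u.sid, r.name COLLATE DATABASE_DEFAULT AS role_name
    FROM msdb.sys.database_role_members AS m
    JOIN msdb.sys.database_principals AS r ON r.principal_id = m.role_principal_id
    JOIN msdb.sys.database_principals AS u ON u.principal_id = m.member_principal_id
    UNION ALL
    SELECT N'CSM_DB', u.sid, r.name COLLATE DATABASE_DEFAULT
    FROM CSM_DB.sys.database_role_members AS m
    JOIN CSM_DB.sys.database_principals AS r ON r.principal_id = m.role_principal_id
    JOIN CSM_DB.sys.database_principals AS u ON u.principal_id = m.member_principal_id
    UNION ALL
    SELECT N'CSM_Reports', u.sid, r.name COLLATE DATABASE_DEFAULT
    FROM CSM_Reports.sys.database_role_members AS m
    JOIN CSM_Reports.sys.database_principals AS r ON r.principal_id = m.role_principal_id
    JOIN CSM_Reports.sys.database_principals AS u ON u.principal_id = m.member_principal_id
)
SELECT q.account, q.db, q.role_name,
       CASE WHEN a.role_name IS NULL THEN 'MISSING' ELSE 'ok' END AS status
FROM @required AS q
LEFT JOIN actual AS a
       ON a.db = q.db
      AND a.role_name = q.role_name
      AND a.sid = SUSER_SID(q.account)
ORDER BY q.account, q.db, q.role_name;

-- The privilege tables list sysadmin only for the account that installs the
-- Application Server; report whether the service accounts hold it as well.
SELECT v.account, IS_SRVROLEMEMBER('sysadmin', v.account) AS is_sysadmin
FROM (VALUES (@app), (@rpt)) AS v(account);
```

Run it as a login that can read the catalog views in all three databases; a NULL in is_sysadmin means the login name could not be resolved or the caller lacks permission to check it.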


Component service accounts must be Local Administrator equivalent accounts to access the digital certificates that are required for secure communications. In addition, the service accounts must be Domain accounts to grant other Domain accounts access to the Control Compliance Suite components.

You must also use the SetSpn tool to create Service Principal Names (SPNs) for the Directory Support Service and the Application Server service. Finally, you must enable delegation for the account that is used by the Application Server.

For more information about Service Principal Names and delegation, see the Symantec Control Compliance Suite Installation Guide.

Note:
You should set up the Microsoft SQL Agent Service to run as a local system account. If you use a domain account, then the account must be assigned to the sysadmin role for the Microsoft SQL Server. In addition, you must add the account to the group SQLServer2005SQLAgentUser$Computer_Name$Instance_Name.