Common Credentials used for ITMS

book

Article ID: 181041

calendar_today

Updated On:

Products

Management Platform (Formerly known as Notification Server)

Issue/Introduction

 

Resolution

SIM Credential – This is the user used to run the Symantec Installation Manager (SIM). This user must be a member of the Administrators group. Either a local or domain administrator will work.

App Identity Credential – This is the user context the console and several other ITMS process run under by default. It is highly recommended that a service account be created for the App Identity credential. The App Identity credential as well as the Classic .NET and DefaultAppPool need to have the “Log On As” A Service right.        

Agent Connectivity Credential – This credential is used to download packages over UNC.  By default is the same as the App Identity. However this can be setup as a separate credential.

Package Access Credential – This credential is used by the Notification Server to access packages that are not on the local file system. By default is the same as the App Identity. However this can be setup as a separate credential.

Database Access Credential – This credential is used to access and modify the database and requires db_owner rights to the Symantec_CMDB.

 

There are two good ways to approach preparing for database setup.  

1.     Create an empty NS database before running SIM. (More secure)

a.     The SQL administrator creates an empty NS database and then adds the Database Access Credential to the db_owner role.

b.     This allows the SQL administrator to limit the abilities of the Database Access Credential to just the NS database.

2.     The SQL administrator adds the Database Access Credential to the dbcreator role on the SQL server.

a.     This allows the administrator installing SIM to provide the database name at install time.

Sometimes, you are required to assign the Symantec Administrator role to the Local Administrator user on the computer where you installed the IT Management Suite (ITMS) solutions. This step is required for performing additional tasks in your ITMS environment, such as, upgrading to the latest version of ITMS. You use the Symantec Management Console to grant the Symantec Administrator role to a local administrator user account on the computer where the ITMS solutions are installed.

To grant the Symantec Administrator role to a local administrator user account:
1.       Log on to the computer where you installed the IT Management Suite solutions as an administrator.
2.       Click Start > Control Panel > User Accounts > User Accounts > Manage User Accounts.
Alternatively, click Start, in the Search field, type netplwiz to open the User Accounts dialog box. 
3.       Ensure that the user account that you used to log on to the computer belongs to the Administrators group.
Note: If the user account does not belong to the Administrators group, in the User Accounts dialog box, select your user account and then click Properties. Click the Group Membership tab and then select Administrators group. Click Apply and then OK to save the changes. You might be prompted to log off and log on again for the changes to take effect.
4.       Launch the Symantec Management Console.
5.       Click Settings > Security > Account Management. The Accounts page is displayed that lists the list of ITMS user accounts.
6.       Select the local administrator account from the list of ITMS user accounts.
Note: If the local administrator user account is not displayed in the list, you are required to add the user account to the ITMS user account. To create a new account for the local administrator, click Add. In the New Account dialog box that appears, type the new ITMS account name, and then click OK. In the right pane, click the General tab and then specify the general account details. These include the full name and email address of the user for whom the account is created, the account status, and the account credentials.
7.       In the right pane, click the Member of tab. A list of security roles to which the account belongs is displayed.
8.       Click Add Role.
9.       In the Select Roles page, browse and select the Symantec Administrators role.
10.    Click OK.
For more information on assigning an ITMS administrator role to a user account, see the following video on the Symantec Connect site:

You could also check the following KBs for further references:

179939 “What are the minimum rights requirements that SIM 7 looks for during an installation?”

181352 "What SQL rights are needed for the application identity?"