What SQL rights are needed for the Application Identity service account (or SQL account)?

book

Article ID: 181352

calendar_today

Updated On:

Products

Management Platform (Formerly known as Notification Server)

Issue/Introduction

What SQL rights or database permissions are needed for the Application Identity service account (or SQL account)?  

Resolution

The following content applies to Notification Server or Symantec Management Platform versions 8.x and prior versions.

Minimum SQL Security Requirements

The account that Notification Server uses to access the SQL database needs to be able to do the following:

  • Add, modify, and remove tables
  • Add, modify, drop, and execute stored procedures
  • Add, modify, and remove views
  • view, insert, and drop records in these tables.
  • Be the owner of the database

Additionally, this account needs to:

  • view information from the msdb database
  • execute some system stored procedures.

The Notification Server user account will need “dbcreator” permissions in order for the Notification Server installation process to create the Symantec_CMDB Database. If the SQL administrator creates the Symantec_CMDB Database prior to Notification Server installation, then this permission is not necessary.

Just point the installation process to the already present Symantec_CMDB Database.

On the Symantec_CMDB Database itself, the user will need the following permissions:

  • Public - General access to the database.
  • db_ddladmin - Adds, modifies, or drops objects in the database.
  • db_datareader - Sees all data from all user tables in the database.
  • db_datawriter - Adds, changes, or deletes data from all user tables in the database.
  • dbo_owner - Owns the database.

    Note: Required server roles:
    sysadmin, diskadmin, serveradmin

    Note: Preferred server permissions:
    CREATE DATABASE, CREATE ANY DATABASE, ALTER ANY DATABASE

Additionally, when the Symantec Installation Manager (SIM) is installing SMP; If the Altiris database does not already exist, then this account needs to be able to create the Altiris database.

To verify that the Application Identity is DBO on the database, run the following SQL command as the Application Identity:

  • use Symantec_CMDB  --or replace with the name of the Notification Server database
  • select user
If that returns anything other than "dbo" then the user is not the DBO of the database.