Cannot upgrade Endpoint Encryption Management Server using an account without the SQL Server sysadmin role

Article ID: 206626


Updated On:

Products

Endpoint Encryption

Issue/Introduction

Starting with Endpoint Encryption 11.3.1, when upgrading, it is no longer necessary to connect to the Endpoint Encryption database (SEEMSDb by default) using SQL Server Authentication and an account that has the sysadmin role.

Instead, you can upgrade by connecting to the database using an account that has the db_owner role. Note that a sysadmin account is still needed in order to do a fresh install because the installer needs to create the database.

Using an account with db_owner membership is far more convenient because in most organizations, obtaining even temporary access to a sysadmin account can prove difficult.

The db_owner role can be assigned to a Windows account. You can then connect to the database using Windows Authentication during the upgrade.

You may see this error when trying to upgrade:

 

 

Environment

Symantec Endpoint Encryption 11.3.1 and above.

Cause

The account does not have db_owner membership.

Resolution

In order to grant the account db_owner membership, please do the following:

  1. Log in to SQL Server using SQL Server Management Studio and a sysadmin account.
  2. In Object Explorer, expand Databases.
  3. Expand SEEMSDb.
  4. Expand Security.
  5. Expand Users.
  6. Double-click on the user you wish to modify.
  7. Click on Membership.
  8. Enable the db_owner role.
  9. Click OK.

Note that the account with db_owner membership will not necessarily be able to manage the SEEMSDb database using SQL Server Management Studio. This is by design. However, that account can still be used to upgrade Endpoint Encryption Management Server.

The Endpoint Encryption database access account is used by the Endpoint Encryption web service to interact with the database. It is specified in SEEMS Configuration Manager. At a minimum, it requires db_datareader, db_datawriter and public membership. You can add db_owner membership to this account and use it to upgrade Endpoint Encryption. However, please bear in mind the principle of least privilege and consider removing db_owner membership from this account once you have upgraded Endpoint Encryption Management Server.
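
The T-SQL equivalent of the steps above, together with the post-upgrade cleanup recommended in the previous paragraph, is shown below as an added example that is not part of the original article. The account name CONTOSO\see_upgrade is a hypothetical placeholder, the script assumes the account already exists as a user in SEEMSDb, and the grant and revoke must be run by a sysadmin (or another principal allowed to alter the db_owner role).

```sql
-- Added example, not vendor-supplied code.
-- [CONTOSO\see_upgrade] is a hypothetical placeholder; substitute the real account.
USE SEEMSDb;
GO

-- 1. Before the upgrade: grant db_owner (same effect as steps 6-9 in the GUI).
ALTER ROLE db_owner ADD MEMBER [CONTOSO\see_upgrade];
GO

-- 2. Verify: list who currently holds the roles this article mentions.
SELECT r.name      AS role_name,
       m.name      AS member_name,
       m.type_desc AS member_type
FROM sys.database_role_members AS rm
JOIN sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'db_owner', N'db_datareader', N'db_datawriter')
ORDER BY r.name, m.name;
GO

-- 3. After the upgrade has completed: remove db_owner again (least privilege).
--    db_datareader / db_datawriter memberships are not touched by this statement.
ALTER ROLE db_owner DROP MEMBER [CONTOSO\see_upgrade];
GO

-- 4. Confirm the cleanup: this query should return no rows for the account.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'db_owner'
  AND m.name = N'CONTOSO\see_upgrade';
GO
```

Running the query in step 2 periodically also shows whether any account has kept db_owner on SEEMSDb after an upgrade.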