Permissions Required for the App Control Service Account
search cancel

Permissions Required for the App Control Service Account

book

Article ID: 290347

calendar_today

Updated On:

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Windows and SQL Server permissions required for the Carbon Black Service Account.

Environment

  • App Control Server: All Supported Versions
  • Microsoft Windows Server: All Supported Versions
  • Microsoft SQL Server: All Supported Versions

Resolution

SQL Server Permissions:

  1. The Service Account will require SYSADMIN  during Server installation or upgrade.
  2. The Service Account must be the DB_OWNER on the das database at all times.
  3. The Service Account will also need the following server-level permissions for Health Checks & Diagnostic tasks:
    Permission Required Reason
    VIEW SERVER STATE Yes Allows collection of App Control performance statistics.
    VIEW ANY DEFINITION Yes Allows collection of App Control performance statistics.
    ALTER TRACE Yes Allows collection of on-demand SQL trace for performance diagnostics
    ALTER SERVER STATE No (but Recommended) Allows Server to reset performance counters on daily basis, and provides better performance diagnostics

Windows Permissions:

  • Local Administrators group membership on the application server hosting the server software (web console).
  • Logon as Batch Job
  • Logon as Service

Additional Information

  • DB_OWNER permissions on das is automatically assigned to the Service Account during database creation, and should never be removed.
  • There should be an active SA account in SQL or the install may fail with "a critical database script".
  • More details can be found in the SQL Server Configuration Guide on VMware Docs > Server Documentation > SQL Server Configuration Guide.