Permissions Required for the App Control Service Account
search cancel

Permissions Required for the App Control Service Account

book

Article ID: 290347

calendar_today

Updated On:

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Windows and SQL Server permissions required for the Carbon Black Service Account.

Environment

  • App Control Server: All Supported Versions
  • Microsoft Windows Server: All Supported Versions
  • Microsoft SQL Server: All Supported Versions

Resolution

SQL Server Permissions:

  1. The Service Account requires SYSADMIN during Server installation or upgrade.
  2. The Service Account requires DB_OWNER on the das database at all times.
  3. The Service Account need the following server-level permissions for Health Checks & Diagnostic tasks:
    Permission Required Reason
    VIEW SERVER STATE Yes Allows collection of App Control performance statistics.
    VIEW ANY DEFINITION Yes Allows collection of App Control performance statistics.
    ALTER TRACE Yes Allows collection of on-demand SQL trace for performance diagnostics
    ALTER SERVER STATE No (but Recommended) Allows Server to reset performance counters on daily basis, and provides better performance diagnostics

To assign the roles:

  1. Launch SQL Server Management Studio and connect to the SQL Server.
  2. Expand the Security folder > Logins
  3. Right click the App Control Service Account > Properties > Server Roles
  4. Check sysadmin and click OK.


To assign the permissions:

  1. Launch SQL Server Management Studio and connect to the SQL Server.
  2. Click New Query and run the following scripts: 
    use das;
GRANT ALTER TRACE TO "App Control Service Account"
GRANT VIEW ANY DEFINITION TO "App Control Service Account"
GRANT VIEW SERVER STATE TO "App Control Service Account"
GRANT ALTER SERVER STATE TO "App Control Service Account"

Windows Permissions:

  • Local Administrators group membership on the application server hosting the server software (web console).
  • Logon as Batch Job
  • Logon as Service

Additional Information

  • DB_OWNER permissions on das is automatically assigned to the Service Account during database creation, and should never be removed.
  • There should be an active SA account in SQL or the install may fail with "a critical database script".
  • More details can be found in the SQL Server Configuration Guide on VMware Docs > Server Documentation > SQL Server Configuration Guide.
Powered by Wolken Software