Permissions Required for the App Control Service Account
search cancel

Permissions Required for the App Control Service Account

book

Article ID: 290347

calendar_today

Updated On:

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Windows and SQL Server permissions required for the Carbon Black Service Account.

Environment

  • App Control Server: All Supported Versions
  • Microsoft Windows Server: All Supported Versions
  • Microsoft SQL Server: All Supported Versions

Resolution

SQL Server Permissions:

  1. The Service Account requires SYSADMIN during Server installation or upgrade.
  2. The Service Account requires DB_OWNER on the das database at all times.
  3. The Service Account need the following server-level permissions for Health Checks & Diagnostic tasks:
    PermissionRequiredReason
    VIEW SERVER STATEYesAllows collection of App Control performance statistics.
    VIEW ANY DEFINITIONYesAllows collection of App Control performance statistics.
    ALTER TRACEYesAllows collection of on-demand SQL trace for performance diagnostics
    ALTER SERVER STATENo (but Recommended)Allows Server to reset performance counters on daily basis, and provides better performance diagnostics

To assign the roles:

  1. Launch SQL Server Management Studio and connect to the SQL Server.
  2. Expand the Security folder > Logins
  3. Right click the App Control Service Account > Properties > Server Roles
  4. Check sysadmin and click OK.


To assign the permissions:

  1. Verify the Service Account used for App Control Server (ex: Domain\Username).
  2. Launch SQL Server Management Studio and connect to the SQL Server.
  3. Click New Query, paste the script below and change Domain\Username to reference the Service Account accordingly.
    use master;
    GRANT ALTER TRACE TO [Domain\Username]
    GRANT VIEW ANY DEFINITION TO [Domain\Username]
    GRANT VIEW SERVER STATE TO [Domain\Username]
    GRANT ALTER SERVER STATE TO [Domain\Username]
  4. Click Execute

Windows Permissions:

  • Local Administrators group membership on the application server hosting the server software (web console).
  • Logon as Batch Job
  • Logon as Service

Additional Information

  • DB_OWNER permissions on das is automatically assigned to the Service Account during database creation, and should never be removed.
  • There should be an active SA account in SQL or the install may fail with "a critical database script".
  • More details can be found in the SQL Server Configuration Guide on Tech Docs > Server Documentation > SQL Server Configuration Guide.