Administrators added for Symantec Endpoint Encryption (SEE), such as help desk personnel, cannot use the SEE Management Console unless they are given Domain Administrator privileges.
Giving this level of network privilege to SEE administrators is contrary to your company's security policy. The SEE administrators need to be given the least amount of permissions needed to successfully administer SEE.
This document explains the minimum level of permissions needed to allow the SEE administrators to successfully use the SEE Management Console.
The Domain User accounts must be given the proper rights to the SEE database in Microsoft SQL Server.
In SQL Management Studio, on the left-hand-pane:
- Security -> Right-click Logins -> New Login...
- Use the ‘Search...’ button to find the new Windows User; Set ‘Default database’ to SEEMSDb or whatever the SEE Database is called; Set ‘Default Language’ to English.
- In the same ‘Login Properties’ box, on the left-hand-pane click on ‘User Mapping’; check the box for the SEE Database and select ‘db_datareader’ and ‘db_datawriter’ along with ‘Public’; Click OK to complete.
- On the left-hand-pane, drill down into ‘Database’, find the SEE database and bring up properties
- Select ‘Permissions’ on the left-hand-pane in the Database Properties dialog box
- Select the Windows user on the right and Grant ‘Execute’ in addition to ‘Connect’; Click OK to complete.
- The Windows user should now be set to use the SEE Manager console from any machine.
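
The same grants can be scripted and then audited in T-SQL. The following is an added example, not part of the original article or Symantec's own tooling; it assumes a placeholder account `CONTOSO\see-helpdesk`, a database named SEEMSDb, and SQL Server 2012 or later (for `ALTER ROLE ... ADD MEMBER`).

```sql
-- Added example: T-SQL equivalent of the Management Studio steps above.
-- [CONTOSO\see-helpdesk] is a placeholder account; SEEMSDb is the assumed database name.
USE [master];
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\see-helpdesk')
    CREATE LOGIN [CONTOSO\see-helpdesk] FROM WINDOWS
        WITH DEFAULT_DATABASE = [SEEMSDb], DEFAULT_LANGUAGE = [us_english];
GO

USE [SEEMSDb];
-- Map the login to a database user (the 'User Mapping' step).
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CONTOSO\see-helpdesk')
    CREATE USER [CONTOSO\see-helpdesk] FOR LOGIN [CONTOSO\see-helpdesk];

ALTER ROLE [db_datareader] ADD MEMBER [CONTOSO\see-helpdesk];
ALTER ROLE [db_datawriter] ADD MEMBER [CONTOSO\see-helpdesk];
-- Database-level permissions (the 'Permissions' step).
GRANT CONNECT TO [CONTOSO\see-helpdesk];
GRANT EXECUTE TO [CONTOSO\see-helpdesk];
GO

-- Audit 1: role memberships. Expect db_datareader and db_datawriter only
-- (membership in public is implicit and is not listed here).
SELECT r.name AS role_name
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = N'CONTOSO\see-helpdesk';

-- Audit 2: explicit database-scope permissions. Expect CONNECT and EXECUTE, both GRANT.
SELECT p.permission_name, p.state_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals AS u ON u.principal_id = p.grantee_principal_id
WHERE u.name = N'CONTOSO\see-helpdesk' AND p.class = 0;

-- Audit 3: fixed server roles held directly by the login. Expect zero rows.
-- Roles inherited through Windows group membership are not shown by this query.
SELECT r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS l ON l.principal_id = m.member_principal_id
WHERE l.name = N'CONTOSO\see-helpdesk';
```

Any additional row in the audit queries, such as db_owner in the first or a server role in the third, indicates the account holds more than the minimum described in this document.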