Database Accounts and Privileges
The Server Configuration Portal uses two SQL database accounts: the Configuration account and the Service account. Both are set up by the database administrator.
Accounts can be added, or changed. Once an account is added, it is assigned to all services.
The Configuration Account is used to connect to the database to perform operations, including creating, upgrading and configuring the Management Server and database. The account is used to perform the following tasks:
- Create the database - only performed if the database does not exist, requires dbcreator rights.
- Create logins - only performed if a login does not exist, requires securityadmin rights.
- Ensure the database schema matches the version defined by the product.
- Check for variances - whether the properties of the database match the product expectations.
- Confirm the database user logins.
- Populate the initial data set into the database.
The Configuration account must have dbo rights, or be a member of the ManagementServerAdministrator role. Some additional rights may be needed for optional tasks, which are detailed in the list above.
The account can use either Windows Authentication or SQL Authentication.
When using Windows Authentication, the account must have Log on Locally privileges for the Management Server.
For more information, please see the Knowledge Base article: User Workspace Manager Service Accounts and Password Changes
The Service account is used by the Windows services and web services that make up the Management Server. This role has access to all of the Management Server stored procedures.
The Server Configuration Portal persists the username and password of the Service account within the FileName.exe.config and web.config files.
The Service account must be a member of the ManagementServerService role and should not have any additional rights on the database of the SQL instance. The account can use either Windows Authentication or SQL Authentication.
The user running the portal must have administrator rights on the server being administered. If the user has administrator rights to the server, but not to the SQL server, you can use PowerShell to export the SQL Scripts that need to be run to create and configure the database.
For further details on PowerShell cmdlets refer to the Server Configuration Portal Scripting Guide.