This page refers to an older version of the product.

Configure a Server using Low SQL Privileges

In many environments it is necessary to set up the Management Server whilst having only minimal privileges to the SQL Server and database. In this scenario, there are two options, each requiring slightly different rights on the server.

Once the steps in this section have been followed, for additional security the configuration account can be disabled within the Microsoft SQL Management Studio. However, this account must be re-enabled to successfully use the SCU.

Delegated Rights

This option allows an empty database and Service account to be set up by a SQL Administrator and db_owner rights delegated to a Configuration account.

The following steps are performed by the SQL Administrator:

  1. Create a new database.
  2. Create a new login to represent the Configuration account and assign the account as the dbo of the database.
  3. Create a new login to represent the Service account.
  4. Supply the server and database name and both the username and password of both accounts to the user launching the SCU.
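
The SQL Administrator steps above, sketched in T-SQL as an added example (not a script shipped with the product). The login names `MC_Config` and `MC_Service` and the password placeholders are assumptions; `ManagementServer` is the example database name used later on this page.

```sql
-- Added example: names and passwords are placeholders, not product values.
USE master;
GO

-- Step 1: create the empty database.
CREATE DATABASE [ManagementServer];
GO

-- Step 2: create the Configuration login and make it the owner (dbo)
-- of the new database. CHECK_POLICY = ON enforces the Windows password
-- policy on a SQL login.
CREATE LOGIN [MC_Config]
    WITH PASSWORD = N'<config-password-placeholder>',
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = OFF;
GO
ALTER AUTHORIZATION ON DATABASE::[ManagementServer] TO [MC_Config];
GO

-- Step 3: create the Service login as a separate account.
-- It receives no server role and no database mapping at this point.
CREATE LOGIN [MC_Service]
    WITH PASSWORD = N'<service-password-placeholder>',
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = OFF;
GO

-- Check 1: the database owner is the Configuration login.
SELECT d.name AS database_name,
       SUSER_SNAME(d.owner_sid) AS owner_login
FROM sys.databases AS d
WHERE d.name = N'ManagementServer';

-- Check 2: neither login holds a fixed server role.
-- server_role should be NULL for both rows.
SELECT p.name AS login_name, r.name AS server_role
FROM sys.server_principals AS p
LEFT JOIN sys.server_role_members AS m
       ON m.member_principal_id = p.principal_id
LEFT JOIN sys.server_principals AS r
       ON r.principal_id = m.role_principal_id
WHERE p.name IN (N'MC_Config', N'MC_Service');
```

The two checks give the administrator evidence that the delegation stops at the database boundary before the credentials are handed over in step 4.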

Export Scripts

This option involves supplying the SQL Administrator with exported SQL scripts allowing them to inspect and execute the scripts.

Export the Scripts to Send to the SQL Administrator

  1. Open the Server Configuration Utility from Start > All Programs > Ivanti > Management Center.
  2. In the Wizard Welcome screen, click Skip Wizard to launch the relevant Server Configuration Utility console.
  3. Select the Database node and Export Scripts.
  4. Select I want to create a new database and click Next.
  5. Select all three of the following scripts and click Next.

    • Create Database
    • Create Schema
    • Create Login
  6. Enter the path to which to export the scripts, for example C:\Users\Administrator\Documents, and click Save.

  7. Once the files have been exported, click Finish.
  8. Send the exported scripts to the SQL Administrator.

Actions For SQL Administrator To Perform

Using SQL Server Management Studio, the following steps must be carried out to create the database.

Create Database Script

To execute this script you must be a member of dbcreator Server Role.

  1. In SQL Server Management Studio, open the Create Database script, modify the following line:

    SET @DatabaseName = ' ' to contain the required database name, for example 'ManagementServer'

  2. Click Execute.

This script automatically creates the database. You can create the database manually if you prefer; there are no Ivanti-specific settings for the database.

Create Schema Script

To execute this script you must be a member of db_owner for the database created in the Create Database Script step above.

  1. Open the Create Schema script and ensure the newly created database is selected in the Available Databases drop-down list.
  2. Click Execute.

This script creates the database tables and stored procedures.

Create Login Script

To execute this script you must be a member of securityadmin Server Role.

Caution: The Configuration account and the Service account must be separate accounts.

  1. Open the Create Login script, enter the following details for the Configuration account:

    • Modify the following line:

    SET @UserName = ' ' to contain the login name. If this is a Windows login the value will be of the form 'Domain\User'.

    • Modify the following line:

    SET @password = ' ' to contain a password, for example 'abc123'

    • Ensure you set default values for the other following variables:

    @isSql2005 = '1' -- For all SQL Server versions >= 2005

    @enabled ='1'

    @forcePswdPolicy ='1'

    @forcePswdExpire = '0'

    @mustChange = '0'

  2. Click Execute.

    This automatically creates the Configuration account. You can create the account manually if you prefer. Refer to step 5 for required permissions.

  3. Open the Create Login script again to enter the following details for the Service account:

    • Modify the following line:

    SET @UserName = ' ' to contain the login name. If this is a Windows login the value will be of the form 'Domain\User'.

    • Modify the following line:

    SET @password = ' ' to contain a password, for example 'def456'

    • Ensure you set default values for the other following variables:

    @isSql2005 = '1' -- For all SQL Server versions >= 2005

    @enabled ='1'

    @forcePswdPolicy ='1'

    @forcePswdExpire = '0'

    @mustChange = '0'

  4. Click Execute.

    This automatically creates the Service account. You can create the account manually if you prefer. Refer to step 6 for required permissions.

  5. In the Login Properties dialog for the Configuration account select User Mapping and select db_owner and ManagementServerAdministrator roles on the database.
  6. In the Login Properties dialog for the Service account select User Mapping and select ManagementServerService role on the database.
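
Steps 5 and 6 can also be done in T-SQL and then audited, as in this added example (not part of the exported scripts). It assumes the Export Scripts route, that the Create Schema script has already created the `ManagementServerAdministrator` and `ManagementServerService` roles, and that the logins are named `MC_Config` and `MC_Service` (hypothetical names).

```sql
-- Added example: login and user names are placeholders.
USE [ManagementServer];
GO

-- Step 5: map the Configuration login and grant its two roles.
-- ALTER ROLE ... ADD MEMBER needs SQL Server 2012 or later;
-- use sp_addrolemember on older versions.
CREATE USER [MC_Config] FOR LOGIN [MC_Config];
ALTER ROLE [db_owner] ADD MEMBER [MC_Config];
ALTER ROLE [ManagementServerAdministrator] ADD MEMBER [MC_Config];

-- Step 6: map the Service login and grant only its single role.
CREATE USER [MC_Service] FOR LOGIN [MC_Service];
ALTER ROLE [ManagementServerService] ADD MEMBER [MC_Service];
GO

-- Audit: list every database role held by the two accounts.
SELECT u.name AS database_user, r.name AS database_role
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name IN (N'MC_Config', N'MC_Service')
ORDER BY u.name, r.name;

-- Guard: raise an error if the Service account holds any other role.
IF EXISTS (
    SELECT 1
    FROM sys.database_role_members AS m
    JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
    JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
    WHERE u.name = N'MC_Service'
      AND r.name <> N'ManagementServerService'
)
    RAISERROR(N'Service account holds roles beyond ManagementServerService.', 16, 1);
GO

-- After the SCU has been run, the Configuration login can be disabled.
-- Re-enable it (ALTER LOGIN [MC_Config] ENABLE;) before using the SCU again.
USE master;
GO
ALTER LOGIN [MC_Config] DISABLE;
GO
```

Run the final `ALTER LOGIN ... DISABLE` only after the Server Configuration Utility steps below are complete, since the wizard connects with the Configuration account.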

Run the Server Configuration Utility

  1. Open the Server Configuration Utility, on the Management Server node click Run Wizard.
  2. Click Next until you get to the Configuration Credentials and Database Selection dialog.
  3. Select the Authentication Type, Username and Password for the Configuration account which you set up in Actions For SQL Administrator To Perform step 1.
  4. Enter the Server Name, in the format <Servername>\<Instance>,<Port> and the Database Name which you set up in Actions For SQL Administrator To Perform step 1. Click Next.
  5. In the Database Service Credentials dialog select the Authentication Type, Username and Password for the Service account which you set up in Actions For SQL Administrator To Perform step 3. Click Next to run the wizard.
  6. The wizard sets up the IIS settings and connects to the database using the Configuration account. The SCU checks the database to ensure that it is the correct version and that the schema is up to date, and the Service account is assigned for communication between the management server and the database.
  7. After the wizard completes, click the Database node. Click Connect, select the Configuration account and click OK.