Accounts and permissions for installation and deployment

Below is a summary of the account permissions that you need to install and deploy Centrify Authentication Service, Privilege Elevation Service, and Audit & Monitoring Service.


Centrify Authentication and Privilege Elevation Services permissions

Access Manager account permissions

Account name (suggested): n/a
Type of account: Domain administrator (when running Access Manager for the first time)
Required permissions: domain admin (in most cases)
Notes: Because the Setup Wizard creates container objects, you might need to use a domain administrator account. This requirement depends on the specific permissions your organization has configured for different classes of users. For example, if your organization only permits Domain Admins to create parent and child objects in Active Directory, you need to use an account with those permissions to run the Setup Wizard.


Zone Provisioning Agent permissions

Zone Provisioning Agent account permissions

Account name (suggested): Cfy_SVC_ZPA
Type of account: Active Directory account
Required permissions: Log on as a service
Notes: The Zone Provisioning Agent requires permission to create UNIX profiles, that is, the service connection points in each zone where it needs to perform provisioning operations. The service account that runs the Zone Provisioning Agent requires the Log on as a service right, set either as a local computer security policy or in the default domain policy.


Report Services permissions

Report services account permissions

Each entry lists, for one user type, the required Active Directory permissions, the required security policy permissions (group policy or local policy), the required SSRS permissions, and the required SQL Server or PostgreSQL permissions. Fields with no requirement are omitted.

report service account (to run the Reporting Service)
  Active Directory permissions: for domain-based reporting, Replicating directory changes at the domain level (ADUC) and replicate directory changes in ADSI; for zone-based reporting, Read permission
  Security policy permissions: Log on as a service

SQL Server service account (to run SQL Server)
  Active Directory permissions: n/a
  Security policy permissions: Log on as a service

PostgreSQL service account
  SQL Server or PostgreSQL permissions: the account must have Create Database permission

report admin (to run the Report Configuration wizard or the Upgrade & Deployment wizard and deploy reports to an existing SQL Server instance)
  Active Directory permissions: needs to be a member of the domain
  Security policy permissions: n/a
  SSRS permissions: Folder Settings > Content Manager role
  SQL Server or PostgreSQL permissions: member of the securityadmin role (at the very least, the user needs permission to connect to SQL Server and create a database)

report admin (to modify the Reports Control Panel)
  Active Directory permissions: Read permission to the domain root object of the selected domain; Read permission to all computer objects in the selected domain
  Security policy permissions: n/a

Report viewer (to view reports from SSRS/Internet Explorer)
  SSRS permissions: Site settings > System User role; Folder settings > Browser role (assign SSRS roles to Active Directory groups or users)

Report writer (read, write, edit access for reports, in addition to the permissions needed to view reports)
  SSRS permissions: Site settings > System User role; Folder settings > Content Manager role (assign SSRS roles to Active Directory groups or users)

SQL Server permissions set by the Report Services Configuration wizard

report services account (to run the SQL Server Reporting Service)
  Required SQL Server permissions: Snapshot Service (predefined role)

SQL Server service account (to run SQL Server)
  Required SQL Server permissions: If you deploy to an existing SQL Server instance, the configuration wizard makes no changes to the SQL Server service account. If you deploy to a new SQL Server instance:
  --If the operating system is Windows 2008 and you're using a SQL Server version later than 2012, virtual accounts are used for the SQL Server components, as follows:
    SQL Server engine: NT SERVICE\MSSQL$<InstanceName>
    SQL Server Agent: NT SERVICE\SQLAgent$<InstanceName>
    Full text search: NT SERVICE\MSSQLFDLauncher$<InstanceName>
    SSRS: NT SERVICE\ReportServer$<InstanceName>
  --Otherwise, the SQL Server service accounts are configured as follows:
    SQL Server engine: NT Authority\Network Service
    SQL Server Agent: NT Authority\Network Service
    Full text search: NT Authority\Local Service
    SSRS: NT Authority\Local Service

report admin (to run the Report Configuration Wizard and deploy reports to an existing SQL Server instance)
  Required SQL Server permissions: Connect SQL (cannot be revoked after setup); Create Database, Create any database, or Alter any database; member of the securityadmin role, or Alter any login permission

report admin (to modify the Reports Control Panel)
  Required SQL Server permissions: SnapshotAdmin (predefined role)

Report viewer (to view reports from SSRS/Internet Explorer)
  Required SQL Server permissions: Login permission; SnapshotViewer (predefined role)

Report writer (read, write, edit access for reports, in addition to the permissions needed to view reports)
  Required SQL Server permissions: Login permission; SnapshotViewer (predefined role)

Note: Microsoft SQL Server Reporting Services (SSRS) provides only role-based security for reports, so be sure to grant access to reports deliberately. For example, a user who is permitted to see only some of the data in the specified domain but who has access to all reports can view every report, and with it all of the Active Directory data those reports contain.
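Before the report admin runs the Report Configuration Wizard, a DBA can confirm that the login holds the server-level permissions listed above (Connect SQL; Create Database, Create any database, or Alter any database; securityadmin membership or Alter any login) and no more. The following T-SQL is an added example, not part of the Centrify documentation; the login name DOMAIN\report_admin is a placeholder.

```sql
-- Added example (not from the Centrify documentation). Run on the target
-- SQL Server instance with a login that can read the server catalog views.
-- 'DOMAIN\report_admin' is a hypothetical placeholder for the report admin login.
DECLARE @login sysname = N'DOMAIN\report_admin';

-- 1. Explicit server-level grants held by the login. Expect CONNECT SQL plus
--    CREATE ANY DATABASE or ALTER ANY DATABASE; ALTER ANY LOGIN is the
--    alternative to securityadmin membership.
SELECT sp.name AS login_name, perm.permission_name, perm.state_desc
FROM sys.server_permissions AS perm
JOIN sys.server_principals AS sp ON sp.principal_id = perm.grantee_principal_id
WHERE sp.name = @login
ORDER BY perm.permission_name;

-- 2. Fixed server role membership. securityadmin satisfies the wizard;
--    sysadmin appearing here means the login holds more than the wizard needs.
SELECT r.name AS server_role
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = @login;

-- 3. The database-level alternative to the server-level grants:
--    CREATE DATABASE granted to the login's user in master.
SELECT dp.name AS master_user, perm.permission_name, perm.state_desc
FROM master.sys.database_permissions AS perm
JOIN master.sys.database_principals AS dp ON dp.principal_id = perm.grantee_principal_id
JOIN sys.server_principals AS sp ON sp.sid = dp.sid
WHERE sp.name = @login
  AND perm.permission_name = N'CREATE DATABASE';
```

Connect SQL cannot be revoked after setup, so the first result set is also the list to review again once the wizard has finished.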


Audit & Monitoring permissions

Auditing permissions for SQL Server

SQL Server account: NT Authority\System
Type of account: machine account
Required permissions: SQL Server roles: sysadmin role

Auditing security groups

Active Directory security groups (suggested):
  Centrify-Admins for the user accounts that perform administrative tasks using Audit Manager.
  Centrify-Auditors for the user accounts that use Audit Analyzer.
  Centrify-Collectors for the computer accounts that host the collector service.
Type of account: Active Directory
Required SQL Server permissions: no explicit SQL Server permissions needed; Audit Manager handles the SQL Server permissions
Notes: Creating Active Directory security groups with SQL Server logins enables you to manage access to the databases required for auditing through Active Directory group membership, without the help of the database administrator.
