Accounts and permissions for installation and deployment
Below is a summary of the account permissions that you need to install and deploy Server Suite.
The following topics are included:
Centrify Authentication and Privilege Elevation Services permissions
For more information, see:
Zone Provisioning Agent permissions
Account name (suggested) | Type of account | Required permissions | Notes |
---|---|---|---|
Cfy_SVC_ZPA | Active Directory account | Log on as a service | The Zone Provisioning Agent requires permission to create UNIX profiles, that is, the service connection points in each zone where it needs to perform provisioning operations. The service account that runs the Zone Provisioning Agent requires the Log on as a service right, set either as a local computer security policy or in the default domain policy. |
For more information, see:
Report Services permissions
User type | Required SQL Server permissions |
---|---|
Report services account to run the SQL Server Reporting Service | Snapshot Service (predefined role) |
SQL Server service account to run SQL Server | If you deploy to an existing SQL Server instance, the configuration wizard makes no changes to the SQL Server service account. If you deploy to a new SQL Server instance: (1) If the operating system is Windows 2008 and you’re using a SQL Server version later than 2012, virtual accounts are used for various SQL Server components, as follows: SQL Server engine: NT SERVICE\MSSQL$<InstanceName>; SQL Server Agent: NT SERVICE\SQLAgent$<InstanceName>; Full text search: NT SERVICE\MSSQLFDLauncher$<InstanceName>; SSRS: NT SERVICE\ReportServer$<InstanceName>. (2) Otherwise, the SQL Server service accounts are configured as follows: SQL Server engine: NT Authority\Network Service; SQL Server Agent: NT Authority\Network Service; Full text search: NT Authority\Local Service; SSRS: NT Authority\Local Service. |
Report admin to run the Report Configuration Wizard and deploy reports to an existing SQL Server instance | Connect SQL (cannot be revoked after setup); Create Database, Create any database, or Alter any database; member of securityadmin role, or Alter any login permission |
Report admin to modify the Reports Control Panel | SnapshotAdmin (predefined role) |
Report viewer to view reports from SSRS/Internet Explorer | Login permission; SnapshotViewer (predefined role) |
Report writer: read, write, edit access for reports, in addition to the permissions needed to view reports | Login permission; SnapshotViewer (predefined role) |
Note: Microsoft SQL Server Reporting System (SSRS) affords only role-based security in its reports. Be sure to grant appropriate access to reports. For example, if a user has access to only some data in the specified domain but has access to all reports, they will be able to view all reports on all data from Active Directory.
For more information, see:
- Required user permissions for report services
- SQL Server permissions that are set by the Configuration Wizard
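
Before running the Report Configuration Wizard, a DBA can confirm that the report admin login holds the permissions listed in the table above and nothing broader. The T-SQL below is an added example, not part of the Server Suite documentation or the wizard; grouping the row's requirements into three checks is this example's reading of the table, and the result column names are illustrative.

```sql
-- Part 1: run while connected AS the report admin login.
-- Each column is 1 when the requirement from the table is met.
SELECT
    SUSER_SNAME() AS login_name,
    -- Requirement: Connect SQL
    HAS_PERMS_BY_NAME(NULL, NULL, 'CONNECT SQL') AS has_connect_sql,
    -- Requirement: Create Database, Create any database, or Alter any database
    CASE WHEN HAS_PERMS_BY_NAME('master', 'DATABASE', 'CREATE DATABASE') = 1
           OR HAS_PERMS_BY_NAME(NULL, NULL, 'CREATE ANY DATABASE') = 1
           OR HAS_PERMS_BY_NAME(NULL, NULL, 'ALTER ANY DATABASE') = 1
         THEN 1 ELSE 0 END AS can_create_database,
    -- Requirement: member of securityadmin role, or Alter any login
    CASE WHEN IS_SRVROLEMEMBER('securityadmin') = 1
           OR HAS_PERMS_BY_NAME(NULL, NULL, 'ALTER ANY LOGIN') = 1
         THEN 1 ELSE 0 END AS can_manage_logins,
    -- sysadmin satisfies every check above but is more than the table asks for
    IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- Part 2: run as a DBA (ordinary logins see only part of this metadata).
-- Lists every principal that holds one of the server-level permissions
-- named in the table, so unexpected grantees stand out.
SELECT pr.name AS grantee,
       pr.type_desc,
       pe.permission_name,
       pe.state_desc              -- GRANT, GRANT_WITH_GRANT_OPTION, or DENY
FROM sys.server_permissions AS pe
JOIN sys.server_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 100              -- 100 = server-level securable
  AND pe.permission_name IN (N'CREATE ANY DATABASE',
                             N'ALTER ANY DATABASE',
                             N'ALTER ANY LOGIN')
ORDER BY pr.name, pe.permission_name;

-- Part 3: run as a DBA. Members of the two server roles that satisfy the
-- login-management requirement, directly (securityadmin) or by implication
-- (sysadmin).
SELECT r.name AS server_role,
       m.name AS member_name,
       m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'securityadmin', N'sysadmin')
ORDER BY r.name, m.name;
```

A report admin login that shows `is_sysadmin = 1` passes every check but holds more than the table requires, which is worth reviewing once setup is complete.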
Audit & Monitoring permissions
SQL Server account | Type of account | Required permissions | Notes |
---|---|---|---|
NT Authority\System | machine account | SQL Server Roles: sysadmin role | |
Active Directory security groups | Type of account | Required SQL Server permissions | Notes |
---|---|---|---|
Centrify-Admins for the user accounts that perform administrative tasks using Audit Manager. | Active Directory | no explicit SQL Server permissions needed; Audit Manager handles the SQL Server permissions | Creating Active Directory security groups with SQL Server logins enables you to manage access to the databases required for auditing through Active Directory group membership without the help of the database administrator. |
Centrify-Auditors for the user accounts that use Audit Analyzer. | | | |
Centrify-Collectors for the computer accounts that host the collector service. | | | |
For more information, see: