About connecting to SQL Server with an account that has administrative privileges (Basic, Advanced) - Security Center 5.9

Security Center Hardening Guide 5.9

Series: Security Center 5.9
Revised: 2020-11-30

Security Center does not require the sysadmin fixed server role on the database server. Each Security Center role needs its own, narrower set of server-level and database-level permissions, listed in the tables below.

Server-level roles

A broader set of permissions is needed only during the first execution of Security Center, when the role databases are created. The permission set can therefore be reduced once the first execution has completed. Refer to the table below for the permissions each role needs before and after that point.

The Directory role requires the VIEW SERVER STATE permission to work properly. It is mandatory when Directory failover is configured, and it should remain granted at all times.

The public server-level role, to which every login belongs, can execute some of the extended stored procedures that SQL Server creates by default in the master database. It is recommended to revoke the EXECUTE permission on the xp_dirtree stored procedure from public: it lets any login list directories on the database server, and, when given a UNC path, makes the server open an outbound SMB connection.

Server-level roles

Security Center role         public   dbcreator   processadmin
Access Manager               X        X (1)       X
ALPR Manager                 X        X (1)       X
Archiver                     X        X (1)       X
Auxiliary Archiver           X        X (1)       X
Directory                    X        X (2)       X
Health Monitor               X        X (1)       X
Media Router                 X        X (1)       X
Zone Manager                 X        X (1)       X
Intrusion Manager            X        X (1)       X
Plugin: KiwiVision Manager   X        X (1)       X
Mobile Server                X        X (1)       X

(1) dbcreator is only necessary for the first execution of Security Center, to create the role databases; remove it afterwards.

(2) dbcreator is necessary permanently when Directory database failover through backup and restore is used, because the failover creates databases. If failover through backup and restore is not used, dbcreator is only necessary for the first execution of Security Center and should be removed afterwards.
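The following T-SQL script is an added example, not part of the Genetec guide, that applies the server-level table above to one service account. It assumes the Security Center roles run under a Windows service account named [DOMAIN\svc-securitycenter]; that name is hypothetical. The script is run as a sysadmin on the SQL Server instance, once before the first execution (steps 1 to 4) and once after it (steps 5 and 6).

```sql
-- Added example (not from the Genetec guide). Assumption: the Security Center
-- roles run as the Windows service account [DOMAIN\svc-securitycenter]; the
-- name is hypothetical. Run as a sysadmin on the SQL Server instance.
USE [master];
GO

-- 1. Login for the service account. Membership in public is implicit.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'DOMAIN\svc-securitycenter')
    CREATE LOGIN [DOMAIN\svc-securitycenter] FROM WINDOWS;
GO

-- 2. Before the first execution: dbcreator (the roles create their own
--    databases) and processadmin, as in the table above.
ALTER SERVER ROLE [dbcreator]    ADD MEMBER [DOMAIN\svc-securitycenter];
ALTER SERVER ROLE [processadmin] ADD MEMBER [DOMAIN\svc-securitycenter];

-- 3. Directory role only: VIEW SERVER STATE is required for Directory
--    failover and stays granted permanently.
GRANT VIEW SERVER STATE TO [DOMAIN\svc-securitycenter];
GO

-- 4. Harden public. xp_dirtree is an extended stored procedure in master with
--    EXECUTE granted to public by default; revoking it from public removes the
--    permission from every login that does not hold it explicitly.
REVOKE EXECUTE ON [xp_dirtree] FROM [public];
GO

-- 5. After the first execution has created the databases, drop dbcreator.
--    Keep it only for a Directory that fails over through backup and restore.
ALTER SERVER ROLE [dbcreator] DROP MEMBER [DOMAIN\svc-securitycenter];
GO

-- 6. Checks. Server-role memberships of the login: processadmin should be the
--    only row (plus dbcreator if backup/restore failover is in use).
SELECT r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals  AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals  AS p ON p.principal_id = m.member_principal_id
WHERE p.name = N'DOMAIN\svc-securitycenter';

-- Explicit server permissions of the login: VIEW SERVER STATE and the default
-- CONNECT SQL are all that should be present.
SELECT sp.permission_name, sp.state_desc
FROM sys.server_permissions AS sp
JOIN sys.server_principals  AS p ON p.principal_id = sp.grantee_principal_id
WHERE p.name = N'DOMAIN\svc-securitycenter';

-- Permission of public on xp_dirtree: no row should remain after step 4.
SELECT dp.permission_name, dp.state_desc
FROM sys.database_permissions AS dp
WHERE dp.major_id = OBJECT_ID(N'xp_dirtree')
  AND dp.grantee_principal_id = DATABASE_PRINCIPAL_ID(N'public');
```

Stop the affected roles (or the Genetec Server service) before dropping dbcreator, then start them again and confirm they connect: a role that still needs to create a database will fail at start-up rather than silently at failover time. If the instance hosts other applications, review who else relies on xp_dirtree before revoking it from public, and grant it to those specific logins instead.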

Database-level roles

Databases are created during the first execution of a Security Center role.

The account that runs a role becomes the owner (dbo) of the databases it creates, and so holds db_owner on them. During normal operation, however, the roles only need the following database-level roles, and the db_owner privilege can be removed once the databases exist:

Database-level roles (- = not required)

Security Center role         public   db_datareader   db_datawriter   db_backupoperator   db_ddladmin
Access Manager               X        X               X               X                   X
Archiver                     X        X               X               X                   -
Auxiliary Archiver           X        X               X               X                   -
Directory                    X        X               X               X                   X
Health Monitor               X        X               X               X                   X
ALPR Manager                 X        X               X               X                   X
Media Router                 X        X               X               X                   -
Zone Manager                 X        X               X               X                   X
Intrusion Manager            X        X               X               X                   -
Plugin: KiwiVision Manager   X        X               X               X                   X
Mobile Server                X        X               X               X                   -
NOTE: Security Center roles also require the EXECUTE permission on the dbo schema of each of their databases, because none of the fixed database roles above includes it. Grant it by running the following T-SQL command in each database, substituting the principal used by the Security Center role:
GRANT EXECUTE ON SCHEMA::[dbo] TO [<principal used by the Security Center role>];
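The following T-SQL script is an added example, not part of the Genetec guide, that applies the database-level table and the schema EXECUTE note above to one database. It assumes the Directory role's database is named [Directory] and that the roles run as the Windows login [DOMAIN\svc-securitycenter]; both names are hypothetical. It is run as a sysadmin after the first execution of Security Center has created the database.

```sql
-- Added example (not from the Genetec guide). Assumptions: the Directory
-- database is named [Directory] and the roles run as the Windows login
-- [DOMAIN\svc-securitycenter]; both names are hypothetical. Run as a sysadmin
-- after the first execution of Security Center has created the database.
USE [Directory];
GO

-- 1. The login that created the database is mapped to it as dbo and therefore
--    holds db_owner. Move ownership to a separate principal (sa here; the sa
--    login may stay disabled) so the service account is no longer dbo.
ALTER AUTHORIZATION ON DATABASE::[Directory] TO [sa];
GO

-- 2. Map the service login to an ordinary database user. This would fail while
--    the login is still dbo, which is why step 1 comes first.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'DOMAIN\svc-securitycenter')
    CREATE USER [DOMAIN\svc-securitycenter] FOR LOGIN [DOMAIN\svc-securitycenter];
GO

-- 3. Least-privilege memberships from the table above.
ALTER ROLE [db_datareader]     ADD MEMBER [DOMAIN\svc-securitycenter];
ALTER ROLE [db_datawriter]     ADD MEMBER [DOMAIN\svc-securitycenter];
ALTER ROLE [db_backupoperator] ADD MEMBER [DOMAIN\svc-securitycenter];
-- db_ddladmin is needed by Directory, Access Manager, Health Monitor, ALPR
-- Manager, Zone Manager and the KiwiVision plugin only. Skip the next line for
-- Archiver, Auxiliary Archiver, Media Router, Intrusion Manager and Mobile
-- Server databases.
ALTER ROLE [db_ddladmin]       ADD MEMBER [DOMAIN\svc-securitycenter];

-- 4. The fixed roles above do not include EXECUTE on stored procedures, so
--    grant it at schema scope, as the note above requires.
GRANT EXECUTE ON SCHEMA::[dbo] TO [DOMAIN\svc-securitycenter];
GO

-- 5. Remove any explicit db_owner membership the user may still hold.
IF IS_ROLEMEMBER(N'db_owner', N'DOMAIN\svc-securitycenter') = 1
    ALTER ROLE [db_owner] DROP MEMBER [DOMAIN\svc-securitycenter];
GO

-- 6. Checks. Database-role memberships of the service user: the rows should be
--    exactly the roles added in step 3, with no db_owner.
SELECT r.name AS database_role
FROM sys.database_role_members AS m
JOIN sys.database_principals   AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals   AS u ON u.principal_id = m.member_principal_id
WHERE u.name = N'DOMAIN\svc-securitycenter';

-- Schema-scoped permissions of the service user: EXECUTE on dbo, GRANT state.
SELECT SCHEMA_NAME(p.major_id) AS schema_name, p.permission_name, p.state_desc
FROM sys.database_permissions AS p
WHERE p.grantee_principal_id = DATABASE_PRINCIPAL_ID(N'DOMAIN\svc-securitycenter')
  AND p.class_desc = N'SCHEMA';

-- Owner of the current database: must no longer be the service login.
SELECT SUSER_SNAME(d.owner_sid) AS database_owner
FROM sys.databases AS d
WHERE d.name = DB_NAME();
```

Run the script once per role database, adjusting the USE statement, the ALTER AUTHORIZATION target and the db_ddladmin line to the row of the table that applies. Stop the role before changing the database owner and start it again afterwards to confirm it still connects, and remember that a Directory configured for failover through backup and restore creates new databases at failover time and will own those until the script is applied to them as well.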