About connecting to SQL Server with an account that has administrative privileges (Basic) - Security Center 5.11

Security Center Hardening Guide 5.11

Product
Security Center
Content type
Guides > Administrator guides
Version
5.11
Language
English
Last updated
2023-03-13

Security Center does not require the SQL Server sysadmin server role on the database server. Each Security Center role requires its own, narrower set of permissions, listed in the tables below.

Server-level roles

A broader set of permissions is necessary during the first execution of a Security Center role, when its database is created. Once the databases exist, the permission set can be restricted. You can also start with the restricted permission set from the outset by creating the required empty databases outside of Security Center beforehand. Refer to the table below for more information.

The Directory role requires the VIEW SERVER STATE permission to work properly, and it is mandatory when Directory failover is configured. This permission should always remain granted to the principal used by the Directory role.

The public server-level role allows every login to execute some stored procedures that SQL Server creates by default. It is recommended to revoke the EXECUTE permission on the xp_dirtree extended stored procedure from public: xp_dirtree lets any login make the SQL Server service account enumerate a path it names, including a UNC path on a remote host.
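As an added example (not a script from the hardening guide), the following T-SQL performs the revocation in the master database and then queries the catalog to confirm that public no longer holds EXECUTE on xp_dirtree. Run it as a sysadmin; the verification query is expected to return no row for the grantee public once the revoke has taken effect.

```sql
-- Hardening the public server-level role: remove the default EXECUTE grant on
-- xp_dirtree. xp_dirtree lives in the master database, so run this there.
USE master;
GO

REVOKE EXECUTE ON OBJECT::sys.xp_dirtree FROM public;
GO

-- Verification: list every database principal that still holds a permission on
-- xp_dirtree. After the REVOKE above, no row should name 'public' as grantee.
SELECT pr.name            AS grantee,
       pe.permission_name AS permission,
       pe.state_desc      AS state
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class_desc = 'OBJECT_OR_COLUMN'
  AND pe.major_id   = OBJECT_ID('sys.xp_dirtree');
GO
```

Any row that the verification query does return for a named login or role is a permission that was granted explicitly and should be reviewed on its own merits; the Security Center service principals do not need it.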

Server-level roles

Role                          public   dbCreator   processAdmin
Access Manager                X        X (1)       X
ALPR Manager                  X        X (1)       X
Archiver                      X        X (1)       X
Auxiliary Archiver            X        X (1)       X
Directory                     X        X (2)       X
Health Monitor                X        X (1)       X
Intrusion Manager             X        X (1)       X
Media Router                  X        X (1)       X
Mobile Credential Manager     X        X (1)       X
Mobile Server                 X        X (1)       X
Plugin: KiwiVision Manager    X        X (1)       X
Point of Sale                 X        X (1)       X
Record Caching Service        X        X (1)       X
Unit Assistant                X        X (1)       X
Zone Manager                  X        X (1)       X

(1) dbCreator is only necessary if you want Security Center to create the databases for you, and only for the first system execution. You should remove it after the first execution. You also have the option to create empty databases yourself: when the system runs for the first time, the service user creates the tables in the empty databases, and the dbCreator role is therefore not needed.

(2) dbCreator is necessary when using Directory database failover through backup and restore. If database failover through backup and restore is not used, dbCreator is only necessary for the first system execution, and only if you are letting the system create the Directory database.

Database-level roles

Databases are created during the first execution of a Security Center role.

The principal that creates a database becomes its owner and is therefore automatically a member of db_owner on the databases of the Security Center roles it created. However, the roles only need the following database-level roles during normal operations:

Database-level roles

Role                          public   db_datareader   db_datawriter   db_backupoperator   db_ddladmin
Access Manager                X        X               X               X                   X
ALPR Manager                  X        X               X               X                   X
Archiver                      X        X               X               X
Auxiliary Archiver            X        X               X               X
Directory                     X        X               X               X                   X
Health Monitor                X        X               X               X                   X
Intrusion Manager             X        X               X               X
Media Router                  X        X               X               X
Mobile Credential Manager     X        X               X               X                   X
Mobile Server                 X        X               X               X
Plugin: KiwiVision Manager    X        X               X               X                   X
Point of Sale                 X        X               X               X                   X
Record Caching Service        X        X               X               X                   X
Unit Assistant                X        X               X               X
Zone Manager                  X        X               X               X                   X
NOTE: Security Center roles require the execute permission on the dbo schema. This permission can be granted by using the following T-SQL command on each database:
Code
GRANT EXECUTE ON SCHEMA::[dbo] TO [ principal used by the Security Center role ]
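The server-level and database-level tables above describe one provisioning procedure: grant the narrow server roles, create the empty database yourself so dbCreator is never needed, map the login as an ordinary database user with only the listed database roles, and grant EXECUTE on the dbo schema. As an added example (not a script from the hardening guide), the following T-SQL carries that procedure through for the Archiver role. It assumes, as a convention of this example and not something the guide specifies, one Windows service account per role named CORP\svc-sc-archiver and a database named Archiver; it is run once by a sysadmin.

```sql
-- Least-privilege provisioning for one Security Center role (Archiver).
-- Assumptions of this example (not from the guide): the service account
-- CORP\svc-sc-archiver and the database name Archiver.
USE master;
GO

-- 1. Server level: processadmin is needed permanently. dbcreator is NOT granted,
--    because the empty database is created in step 2 instead of by Security Center.
CREATE LOGIN [CORP\svc-sc-archiver] FROM WINDOWS;
ALTER SERVER ROLE processadmin ADD MEMBER [CORP\svc-sc-archiver];
-- For the Directory role's account only, VIEW SERVER STATE is also mandatory:
-- GRANT VIEW SERVER STATE TO [CORP\svc-sc-directory];
GO

-- 2. Create the empty database. Ownership stays with the sysadmin running this
--    script, so the service account ends up as a regular user, not dbo.
CREATE DATABASE [Archiver];
GO

-- 3. Database level: map the login and grant only the roles from the table.
USE [Archiver];
GO
CREATE USER [CORP\svc-sc-archiver] FOR LOGIN [CORP\svc-sc-archiver];
ALTER ROLE db_datareader     ADD MEMBER [CORP\svc-sc-archiver];
ALTER ROLE db_datawriter     ADD MEMBER [CORP\svc-sc-archiver];
ALTER ROLE db_backupoperator ADD MEMBER [CORP\svc-sc-archiver];
-- Archiver does not need db_ddladmin; add it only for the roles marked in the table:
-- ALTER ROLE db_ddladmin ADD MEMBER [CORP\svc-sc-archiver];
GRANT EXECUTE ON SCHEMA::[dbo] TO [CORP\svc-sc-archiver];
GO

-- 4. If you let Security Center create the database instead (temporary dbcreator),
--    the service login becomes the database owner (dbo). After the first run,
--    reassign ownership, map the login as an ordinary user, then drop dbcreator:
-- ALTER AUTHORIZATION ON DATABASE::[Archiver] TO [sa];
-- ALTER SERVER ROLE dbcreator DROP MEMBER [CORP\svc-sc-archiver];
-- (then repeat step 3 to create the user and add the database role memberships)

-- 5. Verify: the first query should list only processadmin, the second only
--    db_datareader, db_datawriter and db_backupoperator.
SELECT r.name AS server_role
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'CORP\svc-sc-archiver';

SELECT r.name AS database_role
FROM sys.database_role_members AS rm
JOIN sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'CORP\svc-sc-archiver';
GO
```

Step 4 is the part most often skipped: dropping dbcreator after the first execution does not by itself demote a login that already owns the database, because the owner is mapped to dbo and keeps full control regardless of role membership. Reassigning ownership first is what actually brings the account down to the permissions in the table.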