Security Center does not require the SQL Sysadmin server role on the database server. Each role requires a different set of permissions.
Server-level roles
A broader set of permissions is necessary during the first execution of Security Center for the creation of the Security Center role databases. Therefore, it is possible to restrict the permission set after the first execution. You can also start with the restricted permission set by creating the required databases outside of Security Center. Refer to the table below for more information.
The Directory role requires the View server state permission to work properly. This is mandatory when Directory failover is configured. This permission should always be enabled.
The public server-level role allows the execution of some stored procedure created by default in SQL Server. It is recommended to revoke the execute permission of the xp_dirtree stored procedure.
| Roles | public | dbCreator | processAdmin |
|---|---|---|---|
| Access Manager | X | X1 | X |
| ALPR Manager | X | X1 | X |
| Archiver | X | X1 | X |
| Auxiliary Archiver | X | X1 | X |
| Directory | X | X2 | X |
| Health Monitor | X | X1 | X |
| Intrusion Manager | X | X1 | X |
| Media Router | X | X1 | X |
| Mobile Credential Manager | X | X1 | X |
| Mobile Server | X | X1 | X |
| Plugin: KiwiVision Manager | X | X1 | X |
| Point of Sale | X | X1 | X |
| Record Caching Service | X | X1 | X |
| Unit Assistant | X | X1 | X |
| Zone Manager | X | X1 | X |
1 dbCreator is only necessary if you want Security Center to create the databases for you; and only for the first system execution. You should remove it after the first execution. You also have the option to create empty databases yourself. When the system runs for the first time, the service user creates the tables in the empty databases and therefore the dbCreator role is not needed.
2 dbCreator is necessary when using Directory database failover through backup and restore. If database failover through backup and restore is not used, dbCreator is only necessary for the first system execution, and only if you are letting the system create the Directory database.
Database-level roles
Databases are created during the first execution of a Security Center role.
The db_owner role is automatically created on the databases of Security Center roles after their creation. However, they only need the following database-level roles during normal operations:
| Roles | public | db_data reader | db_data writer | db_backup operator | db_ddl admin |
|---|---|---|---|---|---|
| Access Manager | X | X | X | X | X |
| ALPR Manager | X | X | X | X | X |
| Archiver | X | X | X | X | |
| Auxiliary Archiver | X | X | X | X | |
| Directory | X | X | X | X | X |
| Health Monitor | X | X | X | X | X |
| Intrusion Manager | X | X | X | X | |
| Media Router | X | X | X | X | |
| Mobile Credential Manager | X | X | X | X | X |
| Mobile Server | X | X | X | X | |
| Plugin: KiwiVision Manager | X | X | X | X | X |
| Point of Sale | X | X | X | X | X |
| Record Caching Service | X | X | X | X | X |
| Unit Assistant | X | X | X | X | |
| Zone Manager | X | X | X | X | X |
GRANT EXECUTE ON SCHEMA::[dbo] TO [ principal used by the Security Center role ]