Security Center does not require the SQL Sysadmin server role on the database server. Each role requires a different set of permissions.
A broader set of permissions is necessary during the first execution of Security Center. Therefore, it is possible to restrict the permission set before and after the first execution. Refer to the table below for more information.
The Directory role requires the View server state permission to work properly. This is mandatory when Directory failover is configured. This permission should always be enabled.
The public server-level role allows the execution of some stored procedures created by default in SQL Server. It is recommended to revoke the execute permission on the xp_dirtree stored procedure.
| Plugin: KiwiVision Manager | X | X¹ | X |

¹ dbCreator is only necessary for the first Security Center execution; it should be removed afterward.
² dbCreator is necessary when using Directory database failover through backup and restore. If failover through backup and restore is not used, dbCreator is only necessary for the first Security Center execution and should be removed afterward.
Databases are created during the first execution of a Security Center role.
The db_owner role is automatically created on the databases of Security Center roles after their creation. However, Security Center roles only need the following database-level roles during normal operations:
| Roles | Public | db_datareader | db_datawriter | db_backupoperator | db_ddladmin |
|---|---|---|---|---|---|
| Plugin: KiwiVision Manager | X | X | X | X | X |
GRANT EXECUTE ON SCHEMA::[dbo] TO [ principal used by the Security Center role ]
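The restrictions described above, applied after the first execution to the KiwiVision Manager plugin database, followed by a check of what the principal still holds. This is an added example, not a script from the Security Center documentation. The login name `CORP\svc-securitycenter` and the database name `KiwiVisionManager` are hypothetical placeholders, and the script assumes the login is mapped to a database user of the same name that is currently a member of db_owner.

```sql
-- Added example. Hypothetical names (assumptions, not from the page):
--   login    [CORP\svc-securitycenter]  principal used by the Security Center role
--   database [KiwiVisionManager]        database created on the role's first execution
-- Assumes the login maps to a database user of the same name that is a member
-- of db_owner. If the login owns the database instead (it maps to dbo),
-- transfer ownership with ALTER AUTHORIZATION and create the user first.

USE [master];
GO
-- dbCreator is only needed for the first execution (footnote 1).
ALTER SERVER ROLE [dbcreator] DROP MEMBER [CORP\svc-securitycenter];
-- Remove the default EXECUTE on xp_dirtree from the public server-level role.
REVOKE EXECUTE ON sys.xp_dirtree FROM [public];
GO

USE [KiwiVisionManager];
GO
-- Add the narrower roles before dropping db_owner so access is never lost.
ALTER ROLE [db_datareader]     ADD MEMBER [CORP\svc-securitycenter];
ALTER ROLE [db_datawriter]     ADD MEMBER [CORP\svc-securitycenter];
ALTER ROLE [db_backupoperator] ADD MEMBER [CORP\svc-securitycenter];
ALTER ROLE [db_ddladmin]       ADD MEMBER [CORP\svc-securitycenter];
GRANT EXECUTE ON SCHEMA::[dbo] TO [CORP\svc-securitycenter];
ALTER ROLE [db_owner] DROP MEMBER [CORP\svc-securitycenter];
GO

-- Check 1: database roles the principal is still a member of.
-- Expected: the four roles added above, and no db_owner row.
SELECT r.name AS database_role
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = N'CORP\svc-securitycenter';

-- Check 2: permissions granted directly to the principal.
-- Expected: EXECUTE on class SCHEMA (dbo), plus CONNECT on the database.
SELECT p.permission_name, p.class_desc, p.state_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals AS u ON u.principal_id = p.grantee_principal_id
WHERE u.name = N'CORP\svc-securitycenter';
```

The two checks are kept as separate queries because the name and permission columns in the catalog views can carry different collations, which makes a UNION of them fail on some servers.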