Kaspersky Security Center 13.1

Accounts for work with the DBMS

To install Administration Server and work with it, you need a Windows account under which you will run the Administration Server installer (hereinafter also referred to as the installer), a Windows account under which you will start the Administration Server service, and an internal DBMS account to access the DBMS. You can create new accounts or use existing ones. All these accounts require specific rights. The set of required accounts and their rights depends on the following criteria:

  • DBMS type:
    • Microsoft SQL Server (with Windows authentication or SQL Server authentication)
    • MySQL or MariaDB
  • DBMS location:
    • Local DBMS. A local DBMS is a DBMS installed on the same device as Administration Server.
    • Remote DBMS. A remote DBMS is a DBMS installed on a different device.
  • Method of the Administration Server database creation:
    • Automatic. During the Administration Server installation, you can automatically create an Administration Server database (hereinafter also referred to as a Server database) by using the installer.
    • Manual. You can use a third-party application (for example, SQL Server Management Studio) or a script to create an empty database. After that, you can specify this database as the Server database during the Administration Server installation.

Follow the principle of least privilege when you grant rights and permissions to the accounts. This means that the granted rights should be only enough to perform the required actions.

The tables below contain information about the system rights and DBMS rights that you should grant to the accounts before you install and start Administration Server.

Microsoft SQL Server with Windows authentication

If you choose SQL Server as a DBMS, you can use Windows authentication to access SQL Server. Configure system rights for a Windows account used to run the installer and a Windows account used to start the Administration Server service. On SQL Server, create logins for both of these Windows accounts. Depending on the creation method of the Server database, grant the required SQL Server rights to these accounts as described in the table below. For more information on how to configure rights of the accounts, see Configuring accounts for work with SQL Server (Windows authentication).

DBMS: Microsoft SQL Server (including Express Edition) with Windows authentication

Account under which the installer is running

  • Automatic database creation (by the installer):
    • Remote DBMS: only a domain account of the remote device on which the DBMS is installed.
    • Local DBMS: a local administrator account or a domain account.
  • Manual database creation (by the Administrator):
    • Remote DBMS: only a domain account of the remote device on which the DBMS is installed.
    • Local DBMS: a local administrator account or a domain account.

Rights of the account under which the installer is running

  • Automatic database creation (by the installer):
    • System rights: local administrator rights.
    • SQL Server rights:
      • Server-level role: sysadmin.
  • Manual database creation (by the Administrator):
    • System rights: local administrator rights.
    • SQL Server rights:
      • Server-level role: public.
      • Database role membership for the Server database: db_owner, public.
      • Default schema for the Server database: dbo.

Administration Server service account

  • Automatic database creation (by the installer):
    • Remote DBMS: only a domain account of the remote device on which the DBMS is installed.
    • Local DBMS:
      • A Windows account chosen by the administrator.
      • An account in the KL-AK-* format that the installer automatically creates.
  • Manual database creation (by the Administrator):
    • Remote DBMS: only a domain account of the remote device on which the DBMS is installed.
    • Local DBMS:

Rights of the Administration Server service account

  • Automatic database creation (by the installer):
    • System rights: the required rights assigned by the installer.
    • SQL Server rights: the required rights assigned by the installer.
  • Manual database creation (by the Administrator):
    • System rights: the required rights assigned by the installer.
    • SQL Server rights:
      • Server-level role: public.
      • Database role membership for the Server database: db_owner, public.
      • Default schema for the Server database: dbo.

Microsoft SQL Server with SQL Server authentication

If you choose SQL Server as a DBMS, you can use SQL Server authentication to access SQL Server. Configure system rights for a Windows account used to run the installer and for a Windows account used to start the Administration Server service. On SQL Server, create a login with a password to use it for authentication. Then, grant this SQL Server account the required rights listed in the table below. For more information on how to configure rights of the accounts, see Configuring accounts for work with SQL Server (SQL Server authentication).

DBMS: Microsoft SQL Server (including Express Edition) with SQL Server authentication

Account under which the installer is running

  • Automatic database creation (by the installer):
    • Remote DBMS: only a domain account of the remote device on which the DBMS is installed.
    • Local DBMS: a local administrator account or a domain account.
  • Manual database creation (by the Administrator):
    • Remote DBMS: only a domain account of the remote device on which the DBMS is installed.
    • Local DBMS: a local administrator account or a domain account.

Rights of the account under which the installer is running

  • Automatic database creation (by the installer):
    • System rights: local administrator rights.
  • Manual database creation (by the Administrator):
    • System rights: local administrator rights.

Administration Server service account

  • Automatic database creation (by the installer):
    • Remote DBMS: only a domain account of the remote device on which the DBMS is installed.
    • Local DBMS:
      • A Windows account chosen by the administrator.
      • An account in the KL-AK-* format that the installer automatically creates.
  • Manual database creation (by the Administrator):
    • Remote DBMS: only a domain account of the remote device on which the DBMS is installed.
    • Local DBMS:
      • A Windows user account chosen by the administrator.
      • An account in the KL-AK-* format that the installer automatically creates.

Rights of the Administration Server service account

  • Automatic database creation (by the installer):
    • System rights: the required rights assigned by the installer.
  • Manual database creation (by the Administrator):
    • System rights: the required rights assigned by the installer.

Rights of the login used for SQL Server authentication

  • Automatic database creation (by the installer):
    • SQL Server rights required to create a database and install Administration Server:
      • Server-level role: public.
      • Database role membership for the master database: db_owner.
      • Default schema for the master database: dbo.
      • Permissions:
        • CONNECT ANY DATABASE
        • CONNECT SQL
        • CREATE ANY DATABASE
        • VIEW ANY DATABASE
    • SQL Server rights required to work with Administration Server:
      • Server-level role: public.
      • Database role membership for the Server database: db_owner.
      • Default schema for the Server database: dbo.
      • Permissions:
        • CONNECT SQL
        • VIEW ANY DATABASE
  • Manual database creation (by the Administrator):
    • SQL Server rights:
      • Server-level role: public.
      • Database role membership for the Server database: db_owner.
      • Default schema for the Server database: dbo.
      • Permissions:
        • CONNECT SQL
        • VIEW ANY DATABASE

Configuring SQL Server rights for Administration Server data recovery

To restore Administration Server data from the backup, start the klbackup utility under the Windows account used to install Administration Server. Before you start the klbackup utility, on SQL Server, grant the sysadmin server-level role to the SQL Server login associated with this Windows account.

MySQL and MariaDB

If you choose MySQL or MariaDB as a DBMS, create a DBMS internal account and grant this account the required rights listed in the table below. The installer and the Administration Server service use this internal DBMS account to access the DBMS. Note that the database creation method does not affect the set of required rights. For more information on how to configure the account rights, see Configuring accounts for work with MySQL and MariaDB.

DBMS: MySQL and MariaDB (automatic or manual database creation)

Account under which the installer is running

  • Remote DBMS: only a domain account of the remote device with the installed DBMS.
  • Local DBMS: a local administrator account or a domain account.

Rights of the account under which the installer is running

  • System rights: local administrator rights.

Administration Server service account

  • Remote DBMS: only a domain account of the remote device with the installed DBMS.
  • Local DBMS:
    • A Windows account chosen by the administrator.
    • An account in the KL-AK-* format that the installer creates automatically.

Rights of the Administration Server service account

  • System rights: the required rights assigned by the installer.

Rights of the DBMS internal account

  • Schema privileges:
    • Administration Server database: ALL (excluding GRANT OPTION).
    • System schemas (mysql and sys): SELECT, SHOW VIEW.
    • The sys.table_exists stored procedure: EXECUTE (if you use MariaDB 10.5 or earlier as a DBMS, you do not need to grant the EXECUTE privilege).
  • Global privileges for all schemas: PROCESS, SUPER.

Configuring privileges for Administration Server data recovery

The rights that you granted to the internal DBMS account are enough to restore Administration Server data from the backup. To start the restore, run the klbackup utility under the Windows account used to install Administration Server.

See also:

Main installation scenario


Configuring accounts for work with SQL Server (Windows authentication)

Prerequisites

Before you assign rights to the accounts, perform the following actions:

  1. Make sure that you log in to the system under the local administrator account.
  2. Install an environment for working with SQL Server.
  3. Make sure that you have a Windows account under which you will install Administration Server.
  4. Make sure that you have a Windows account under which you will start the Administration Server service.
  5. On SQL Server, create a login for the Windows account used to run the Administration Server installer (hereinafter also referred to as the installer). Also, create a login for the Windows account used to start the Administration Server service.

If you use SQL Server Management Studio, on the General page of the login properties window, select the Windows Authentication option.

If you want to install Administration Server and SQL Server on devices that are located in separate Windows domains, note that these domains must have two-way trust relationships to ensure the correct operation of Administration Server, including running tasks and applying policies. For information about the required accounts for work with various DBMSs and accounts' rights, see Accounts for work with the DBMS.

Configuring the accounts to install Administration Server (automatic creation of the Administration Server database)

To configure the accounts for the Administration Server installation:

  1. On SQL Server, assign the sysadmin server-level role to the login of the Windows account used to run the installer.
  2. Log in to the system under the Windows account used to run the installer.
  3. Run the Administration Server installer.

    The Administration Server Setup wizard starts. Follow the instructions of the wizard.

  4. Select the custom installation of Administration Server option.
  5. Select Microsoft SQL Server as the DBMS that stores the Administration Server database.
  6. Select the Microsoft Windows Authentication mode to establish a connection between Administration Server and SQL Server through a Windows account.
  7. Specify the Windows account used to start the Administration Server service.

    You can select the Windows user account for which you created an SQL Server login earlier. Alternatively, you can automatically create a new Windows account in the KL-AK-* format by using the installer. In this case, the installer automatically creates an SQL Server login for this account. Regardless of the account choice, the installer assigns the required system rights and SQL Server rights to the Administration Server service account.

After the installation finishes, the Server database is created, and all the required system rights and SQL Server rights are assigned to the Administration Server service account. Administration Server is ready to use.

Configuring the accounts to install Administration Server (manual creation of the Administration Server database)

To configure the accounts for the Administration Server installation:

  1. On SQL Server, create an empty database. This database will be used as an Administration Server database (hereinafter also referred to as a Server database).
  2. For both SQL Server logins created for the Windows accounts, specify the public server-level role, and then configure the mapping to the created database:
    • Server-level role: public
    • Database role membership: db_owner, public
    • Default schema: dbo
  3. Log in to the system under the Windows account used to run the installer.
  4. Run the Administration Server installer.

    The Administration Server Setup wizard starts. Follow the instructions of the wizard.

  5. Select the custom installation of Administration Server option.
  6. Select Microsoft SQL Server as the DBMS that stores the Administration Server database.
  7. Specify the name of the created database as the Administration Server database name.
  8. Select the Microsoft Windows Authentication mode to establish a connection between Administration Server and SQL Server through a Windows account.
  9. Specify the Windows account used to start the Administration Server service.

    You can select the Windows user account for which you created an SQL Server login and configured the login rights earlier.

We do not recommend that you automatically create a new Windows account in the KL-AK-* format. In this case, the installer creates a new Windows account for which you have not created and configured an SQL Server login. Administration Server cannot use this account to start the Administration Server service. If it is necessary to create a KL-AK-* Windows account, do not start Administration Console after the installation. Instead, do the following:

  1. Stop the kladminserver service.
  2. On SQL Server, create an SQL Server login for the created KL-AK-* Windows account.
  3. Grant the rights to this SQL Server login and configure the mapping to the created database:
    • Server-level role: public
    • Database role membership: db_owner, public
    • Default schema: dbo
  4. Restart the kladminserver service, and then run Administration Console.

After the installation finishes, the Administration Server will use the created database to store the Server data. Administration Server is ready to use.
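
The manual-creation steps above, written as T-SQL instead of SQL Server Management Studio dialogs. This is an added example, not a script from the product documentation; the database name KAV and the Windows accounts CONTOSO\ksc-install and CONTOSO\ksc-service are placeholders, and GO is the batch separator used by sqlcmd and Management Studio.

```sql
-- Added example with placeholder names; run as a SQL Server administrator.

-- Step 1: empty database that will be used as the Server database.
CREATE DATABASE [KAV];
GO

-- Prerequisite 5: one login per Windows account (Windows authentication).
-- A new login belongs to the public server-level role only; no other
-- server-level role is granted here.
CREATE LOGIN [CONTOSO\ksc-install] FROM WINDOWS;
CREATE LOGIN [CONTOSO\ksc-service] FROM WINDOWS;
GO

-- Step 2: map both logins to the database with default schema dbo,
-- then add them to db_owner. Membership in the public database role
-- is automatic for every database user.
USE [KAV];
GO
CREATE USER [CONTOSO\ksc-install] FOR LOGIN [CONTOSO\ksc-install]
    WITH DEFAULT_SCHEMA = [dbo];
CREATE USER [CONTOSO\ksc-service] FOR LOGIN [CONTOSO\ksc-service]
    WITH DEFAULT_SCHEMA = [dbo];
ALTER ROLE [db_owner] ADD MEMBER [CONTOSO\ksc-install];
ALTER ROLE [db_owner] ADD MEMBER [CONTOSO\ksc-service];
GO

-- Check 1: each account should show default schema dbo and role db_owner.
SELECT u.name AS database_user,
       u.default_schema_name,
       r.name AS database_role
FROM sys.database_principals AS u
LEFT JOIN sys.database_role_members AS m
       ON m.member_principal_id = u.principal_id
LEFT JOIN sys.database_principals AS r
       ON r.principal_id = m.role_principal_id
WHERE u.name IN (N'CONTOSO\ksc-install', N'CONTOSO\ksc-service');

-- Check 2: manual creation does not call for sysadmin, so is_sysadmin
-- should be 0 for both logins. A value of 1 means the role was granted
-- directly or is inherited through a Windows group.
SELECT name, IS_SRVROLEMEMBER(N'sysadmin', name) AS is_sysadmin
FROM sys.server_principals
WHERE name IN (N'CONTOSO\ksc-install', N'CONTOSO\ksc-service');
```

The same CREATE LOGIN, CREATE USER and ALTER ROLE sequence applies to a KL-AK-* account when you follow the four recovery steps above.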


Configuring accounts for work with SQL Server (SQL Server authentication)

Prerequisites

Before you assign rights to the accounts, perform the following actions:

  1. Make sure that you log in to the system under the local administrator account.
  2. Install an environment for working with SQL Server.
  3. Make sure that you have a Windows account under which you will install Administration Server.
  4. Make sure that you have a Windows account under which you will start the Administration Server service.
  5. On SQL Server, enable the SQL Server authentication mode.

    If you use SQL Server Management Studio, in the SQL Server Properties window, on the Security page, select the SQL Server and Windows Authentication mode option.

  6. On SQL Server, create a login with a password. The Administration Server installer (hereinafter also referred to as the installer) and the Administration Server service will use this SQL Server account to access SQL Server.

    If you use SQL Server Management Studio, on the General page of the login properties window, select the SQL Server authentication option.

If you want to install Administration Server and SQL Server on devices that are located in separate Windows domains, note that these domains must have two-way trust relationships to ensure the correct operation of Administration Server, including running tasks and applying policies. For information about the required accounts for work with various DBMSs and accounts' rights, see Accounts for work with the DBMS.

Configuring the accounts to install Administration Server (automatic creation of the Administration Server database)

To configure the accounts for the Administration Server installation:

  1. On SQL Server, map the SQL Server account to the default master database. The master database is a template for the Administration Server database (hereinafter also referred to as a Server database). The master database is used for mapping until the installer creates a Server database. Grant the following rights and permissions to the SQL Server account:
    • Server-level role: public
    • Database role membership for the master database: db_owner
    • Default schema for the master database: dbo
    • Permissions:
      • CONNECT ANY DATABASE
      • CONNECT SQL
      • CREATE ANY DATABASE
      • VIEW ANY DATABASE
  2. Log in to the system under the Windows account used to run the installer.
  3. Run the installer.

    The Administration Server Setup wizard starts. Follow the instructions of the wizard.

  4. Select the custom installation of Administration Server option.
  5. Select Microsoft SQL Server as the DBMS that stores the Administration Server database.
  6. Specify the Administration Server database name.
  7. Select the SQL Server Authentication mode to establish a connection between Administration Server and SQL Server through the created SQL Server account. Then, specify the SQL Server account credentials.
  8. Specify the Windows account used to start the Administration Server service.

    You can select an existing Windows user account or create a new Windows account in the KL-AK-* format by using the installer. Regardless of the account choice, the installer assigns the required system rights to the Administration Server service account.

After the installation finishes, the Server database is created and all the required system rights are assigned to the Administration Server service account. Administration Server is ready to use.

You can cancel the mapping to the master database, because the installer created a Server database and configured the mapping to this database during the Administration Server installation.

Since the automatic database creation requires more permissions than normal work with Administration Server, you can revoke some permissions. On SQL Server, select the SQL Server account, and then grant the following rights for work with Administration Server:

  • Server-level role: public
  • Database role membership for the Server database: db_owner
  • Default schema for the Server database: dbo
  • Permissions:
    • CONNECT SQL
    • VIEW ANY DATABASE
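
The grant-then-reduce sequence described above, as an added T-SQL example that is not part of the product documentation. The login name KSCLogin and the database name KAV are placeholders; GO is the batch separator used by sqlcmd and Management Studio.

```sql
-- Added example with placeholder names; run as a SQL Server administrator.
-- Server-level GRANT and REVOKE must be run with master as the current database.

-- Phase 1, before running the installer: rights needed to create the database.
USE [master];
GO
CREATE LOGIN [KSCLogin] WITH PASSWORD = N'<password>';
GO
GRANT CONNECT SQL          TO [KSCLogin];
GRANT CONNECT ANY DATABASE TO [KSCLogin];
GRANT CREATE ANY DATABASE  TO [KSCLogin];
GRANT VIEW ANY DATABASE    TO [KSCLogin];

-- Mapping to master: default schema dbo, role db_owner.
CREATE USER [KSCLogin] FOR LOGIN [KSCLogin] WITH DEFAULT_SCHEMA = [dbo];
ALTER ROLE [db_owner] ADD MEMBER [KSCLogin];
GO

-- Phase 2, after the installation finishes.
-- First confirm that the login is mapped in the Server database; this must
-- return a row before the mapping to master is removed.
USE [KAV];
GO
SELECT name AS database_user, default_schema_name
FROM sys.database_principals
WHERE sid = SUSER_SID(N'KSCLogin');
GO

-- Remove the rights that were needed only for database creation.
USE [master];
GO
REVOKE CONNECT ANY DATABASE FROM [KSCLogin];
REVOKE CREATE ANY DATABASE  FROM [KSCLogin];
ALTER ROLE [db_owner] DROP MEMBER [KSCLogin];
DROP USER [KSCLogin];
GO

-- Check: the remaining server-level permissions should be
-- CONNECT SQL and VIEW ANY DATABASE only.
SELECT pr.name, pe.permission_name, pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'KSCLogin'
  AND pe.class_desc = N'SERVER';
```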

Configuring the accounts to install Administration Server (manual creation of the Administration Server database)

To configure the accounts for the Administration Server installation:

  1. On SQL Server, create an empty database. This database will be used as an Administration Server database.
  2. On SQL Server, grant the following rights and permissions to the SQL Server account:
    • Server-level role: public.
    • Database role membership for the created database: db_owner.
    • Default schema for the created database: dbo.
    • Permissions:
      • CONNECT SQL
      • VIEW ANY DATABASE
  3. Log in to the system under the Windows account used to run the installer.
  4. Run the installer.

    The Administration Server Setup wizard starts. Follow the instructions of the wizard.

  5. Select the custom installation of Administration Server option.
  6. Select Microsoft SQL Server as the DBMS that stores the Administration Server database.
  7. Specify the name of the created database as the Administration Server database name.
  8. Select the SQL Server Authentication mode to establish a connection between Administration Server and SQL Server through the created SQL Server account. Then, specify the SQL Server account credentials.
  9. Specify the Windows account used to start the Administration Server service.

    You can select an existing Windows user account or create a new Windows account in the KL-AK-* format by using the installer. Regardless of the account choice, the installer assigns the required system rights to the Administration Server service account.

After the installation finishes, the Administration Server will use the created database to store the Administration Server data. All the required system rights are assigned to the Administration Server service account. Administration Server is ready to use.


Configuring accounts for work with MySQL and MariaDB

Prerequisites

Before you assign rights to the accounts, perform the following actions:

  1. Make sure that you log in to the system under the local administrator account.
  2. Install an environment for working with MySQL or MariaDB.
  3. Make sure that you have a Windows account under which you will install Administration Server.
  4. Make sure that you have a Windows account under which you will start the Administration Server service.

Configuring the accounts to install Administration Server

To configure the accounts for the Administration Server installation:

  1. Run an environment for working with MySQL or MariaDB under the root account that you created when you installed the DBMS.
  2. Create an internal DBMS account with a password. The Administration Server installer (hereinafter also referred to as the installer) and the Administration Server service will use this internal DBMS account to access DBMS. Grant the following privileges to this account:
    • Schema privileges:
      • Administration Server database: ALL (excluding GRANT OPTION)
      • System schemas (mysql and sys): SELECT, SHOW VIEW
      • The sys.table_exists stored procedure: EXECUTE
    • Global privileges for all schemas: PROCESS, SUPER

    To create an internal DBMS account and grant the required privileges to this account, run the script below (in this script, the DBMS login is KSCAdmin, and the Administration Server database name is kav):

    /* Create a user named KSCAdmin */
    CREATE USER 'KSCAdmin'
    /* Specify a password for KSCAdmin */
    IDENTIFIED BY '<password>';

    /* Grant privileges to KSCAdmin */
    GRANT USAGE ON *.* TO 'KSCAdmin';
    GRANT ALL ON kav.* TO 'KSCAdmin';
    GRANT SELECT, SHOW VIEW ON mysql.* TO 'KSCAdmin';
    GRANT SELECT, SHOW VIEW ON sys.* TO 'KSCAdmin';
    GRANT EXECUTE ON PROCEDURE sys.table_exists TO 'KSCAdmin';
    GRANT PROCESS ON *.* TO 'KSCAdmin';
    GRANT SUPER ON *.* TO 'KSCAdmin';

    If you use MariaDB 10.5 or earlier as a DBMS, you do not need to grant the EXECUTE privilege. In this case, exclude the following command from the script: GRANT EXECUTE ON PROCEDURE sys.table_exists TO 'KSCAdmin'.

  3. To view the list of privileges granted to the DBMS account, run the following script:

    SHOW GRANTS FOR 'KSCAdmin';

  4. To create an Administration Server database manually, run the following script (in this script, the Administration Server database name is kav):

    CREATE DATABASE kav
    DEFAULT CHARACTER SET 'ascii'
    COLLATE 'ascii_general_ci';

    Use the same database name that you specify in the script that creates the DBMS account.

  5. Log in to the system under the Windows account used to run the installer.
  6. Run the installer.

    The Administration Server Setup wizard starts. Follow the instructions of the wizard.

  7. Select the custom installation of Administration Server option.
  8. Select MySQL or MariaDB as the DBMS that stores the Administration Server database.
  9. Specify the Administration Server database name. Use the same database name that you specify in the script.
  10. Specify the credentials of the DBMS account that you created by the script.
  11. Specify the Windows account used to start the Administration Server service.

    You can select an existing Windows user account or automatically create a new Windows account in the KL-AK-* format by using the installer. Regardless of the account choice, the installer assigns the required system rights to the Administration Server service account.

After the installation finishes, the Administration Server database is created and Administration Server is ready to use.
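
A least-privilege check for the account created in step 2, as an added example that is not part of the product documentation. It assumes the names from the script above (KSCAdmin, kav) and that the account was created without a host part, which MySQL and MariaDB store as 'KSCAdmin'@'%'; run it under the root account.

```sql
-- Added example. Each query lists privileges held by KSCAdmin that fall
-- outside the documented set; an empty result means nothing extra is granted.
-- The GRANTEE column stores the account with its quotes: 'KSCAdmin'@'%'.

-- 1. Global and schema-level privileges.
SELECT 'global' AS scope, NULL AS schema_name, PRIVILEGE_TYPE, IS_GRANTABLE
FROM information_schema.USER_PRIVILEGES
WHERE GRANTEE = '''KSCAdmin''@''%'''
  AND (PRIVILEGE_TYPE NOT IN ('USAGE', 'PROCESS', 'SUPER')
       OR IS_GRANTABLE = 'YES')
UNION ALL
SELECT 'schema', TABLE_SCHEMA, PRIVILEGE_TYPE, IS_GRANTABLE
FROM information_schema.SCHEMA_PRIVILEGES
WHERE GRANTEE = '''KSCAdmin''@''%'''
  AND (IS_GRANTABLE = 'YES'                        -- GRANT OPTION is excluded
       OR TABLE_SCHEMA NOT IN ('kav', 'mysql', 'sys')
       OR (TABLE_SCHEMA IN ('mysql', 'sys')
           AND PRIVILEGE_TYPE NOT IN ('SELECT', 'SHOW VIEW')));

-- 2. Table-level privileges: the documented set contains none.
SELECT TABLE_SCHEMA, TABLE_NAME, PRIVILEGE_TYPE, IS_GRANTABLE
FROM information_schema.TABLE_PRIVILEGES
WHERE GRANTEE = '''KSCAdmin''@''%''';

-- 3. Routine privileges: only EXECUTE on sys.table_exists is expected
--    (no row at all when the EXECUTE grant was omitted for MariaDB 10.5
--    or earlier).
SELECT Db, Routine_name, Routine_type, Proc_priv
FROM mysql.procs_priv
WHERE User = 'KSCAdmin'
  AND NOT (Db = 'sys'
           AND Routine_name = 'table_exists'
           AND Proc_priv = 'Execute');
```

Because the account has no host restriction, it can authenticate from any host that can reach the DBMS port.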

See also:

Scenario: Application Management
