
OpsMgr security account rights mapping - what accounts need what privileges?

 

Do you ever wish you had a list of the rights needed to install OpsMgr on each server role?  Or what each service account needs for steady state?  Or how about ongoing support... for your Admin group - to have enough rights in SQL to support OpsMgr?

I have created a spreadsheet of the typical security accounts, and what rights they need on each server role, or database. 

 

Attachment is below:

 

 

Published Tuesday, April 15, 2008 11:14 PM by kevinhol

Attachment(s): OpsMgr 2007 SP1 Security account Matrix v1.0.xls


Comments

# re: OpsMgr security account rights mapping - what accounts need what privileges?

Wednesday, April 16, 2008 11:47 AM by Pavel

Thanks for the effort of putting the permissions account document together, I mentioned before to C.Fox that his doc is lacking these details.

I just wanted to add my 2 cents here:

You should probably include the accounts' system permissions in the doc.

For example:

Data reader account on the reporting server needs:

Logon as a Batch Job and Logon as a Service privileges.

SDK account requires the same privileges on the RMS server.

Data Writer Logon as a Service on the reporting.

Don't quote me on these. Just verify the roles exactly, I am not sure regarding whether data warehouse account privileges are needed on the reporting db server or on the server where SSRS is installed if separate. (In my environment these roles are installed on the same server, so I can't really clarify)...

PaVel

# re: OpsMgr security account rights mapping - what accounts need what privileges?

Wednesday, April 16, 2008 11:48 AM by JesseH

This is exactly what DBAs have been asking for.  Thanks man!

-Jess

# re: OpsMgr security account rights mapping - what accounts need what privileges?

Friday, April 18, 2008 3:02 AM by Roel Janssens

Excellent, thank you very much, highly appreciated!

Is it possible to include Pavel's recommendations in version 2.0 of your Matrix?

# re: OpsMgr security account rights mapping - what accounts need what privileges?

Monday, April 21, 2008 11:25 PM by Blake Mengotto

Kevin,

It's about time.. Jesus.  Can you be any slower? ;-)

Hugs and kisses,

Blakey poo

# DBcreatewizard or just run good old SetupOM.exe - which should I use to install the Database component of OpsMgr?

Saturday, May 03, 2008 7:04 AM by Kevin Holman's OpsMgr Blog

There has always been a bit of confusion on when to run the DBCreateWizard.exe tool, or when to just

# re: OpsMgr security account rights mapping - what accounts need what privileges?

Wednesday, May 28, 2008 7:24 AM by Pete

Outstanding work on the spreadsheet - it's a shame that it's so difficult to implement good practices like separating databases from applications.  I've been fighting this for a few weeks and I really appreciate why they suggest to take the shortcut and just install it all on one box.  Good on ya Kevin!

# re: OpsMgr security account rights mapping - what accounts need what privileges?

Wednesday, November 26, 2008 3:03 AM by Or Tsemah

Great 10x,

A good addition to the document would be to add the Permissions required for popular MPs like the ADMP and the Exchange ones...

# re: OpsMgr security account rights mapping - what accounts need what privileges?

Wednesday, October 14, 2009 12:19 PM by Stephen

What about R2? I was reading the "SDK and config" account is now called the Data Access Service account. Can I safely replace "SDK and config" with Data Access Service account on the spreadsheet to be compliant with R2?

Thanks,

Stephen

# re: OpsMgr security account rights mapping - what accounts need what privileges?

Wednesday, October 14, 2009 12:28 PM by kevinhol

Yes - as far as I know - no security schema changes were made.
