To install Administration Server and work with it, you need a Windows account under which you will run the Administration Server installer (hereinafter also referred to as the installer), a Windows account under which you will start the Administration Server service, and an internal DBMS account to access the DBMS. You can create new accounts or use existing ones. All these accounts require specific rights. A set of the required accounts and their rights depends on the following criteria:
Follow the principle of least privilege when you grant rights and permissions to the accounts. This means that the granted rights should be only enough to perform the required actions.
The tables below contain information about the system rights and DBMS rights that you should grant to the accounts before you install and start Administration Server.
Microsoft SQL Server with Windows authentication
If you choose SQL Server as a DBMS, you can use Windows authentication to access SQL Server. Configure system rights for a Windows account used to run the installer and a Windows account used to start the Administration Server service. On SQL Server, create logins for both of these Windows accounts. Depending on the creation method of the Server database, grant the required SQL Server rights to these accounts as described in the table below. For more information on how to configure rights of the accounts, see Configuring accounts for work with SQL Server (Windows authentication).
DBMS: Microsoft SQL Server (including Express Edition) with Windows authentication
|
Automatic database creation (by the installer) |
Manual database creation (by the Administrator) |
---|---|---|
Account under which the installer is running |
|
|
Rights of the account under which the installer is running |
|
|
Administration Server service account |
|
|
Rights of the Administration Server service account |
|
|
Microsoft SQL Server with SQL Server authentication
If you choose SQL Server as a DBMS, you can use SQL Server authentication to access SQL Server. Configure system rights for a Windows account used to run the installer and for a Windows account used to start the Administration Server service. On SQL Server, create a login with a password to use it for authentication. Then, grant this SQL Server account the required rights listed in the table below. For more information on how to configure rights of the accounts, see Configuring accounts for work with SQL Server (SQL Server authentication).
DBMS: Microsoft SQL Server (including Express Edition) with SQL Server authentication
|
Automatic database creation (by the installer) |
Manual database creation (by the Administrator) |
---|---|---|
Account under which the installer is running |
|
|
Rights of the account under which the installer is running |
System rights: local administrator rights. |
System rights: local administrator rights. |
Administration Server service account |
|
|
Rights of the Administration Server service account |
System rights: the required rights assigned by the installer. |
System rights: the required rights assigned by the installer. |
Rights of the login used for SQL Server authentication |
SQL Server rights required to create a database and install Administration Server:
SQL Server rights required to work with Administration Server:
|
SQL Server rights:
|
Configuring SQL Server rights for Administration Server data recovery
To restore Administration Server data from the backup, run the klbackup utility under the Windows account used to install Administration Server. Before you start the klbackup utility, on SQL Server, grant the sysadmin server-level role to the SQL Server login associated with this Windows account.
MySQL and MariaDB
If you choose MySQL or MariaDB as a DBMS, create a DBMS internal account and grant this account the required rights listed in the table below. The installer and the Administration Server service use this internal DBMS account to access the DBMS. Note that the database creation method does not affect the set of required rights. For more information on how to configure the account rights, see Configuring accounts for work with MySQL and MariaDB.
DBMS: MySQL and MariaDB
|
Automatic or manual database creation |
Account under which the installer is running |
|
Rights of the account under which the installer is running |
System rights: local administrator rights. |
Administration Server service account |
|
Rights of the Administration Server service account |
System rights: The required rights assigned by the installer. |
Rights of the DBMS internal account |
Schema privileges:
Global privileges for all schemes: PROCESS, SUPER. |
Configuring privileges for Administration Server data recovery
Rights that you granted to the internal DBMS account are enough to restore Administration Server data from the backup. To start the restore, run the klbackup utility under the Windows account used to install Administration Server.