Accounts for working with the DBMS

To install Administration Server and work with it, you need a Windows account under which you will run the Administration Server installer (hereinafter also referred to as the installer), a Windows account under which you will start the Administration Server service, and an internal DBMS account to access the DBMS. You can create new accounts or use existing ones. All these accounts require specific rights. A set of the required accounts and their rights depends on the following criteria:

Follow the principle of least privilege when you grant rights and permissions to the accounts. This means that the granted rights should be only enough to perform the required actions.

The tables below contain information about the system rights and DBMS rights that you should grant to the accounts before you install and start Administration Server.

Microsoft SQL Server with Windows authentication

If you choose SQL Server as a DBMS, you can use Windows authentication to access SQL Server. Configure system rights for a Windows account used to run the installer and a Windows account used to start the Administration Server service. On SQL Server, create logins for both of these Windows accounts. Depending on the creation method of the Server database, grant the required SQL Server rights to these accounts as described in the table below. For more information on how to configure rights of the accounts, see Configuring accounts for work with SQL Server (Windows authentication).

DBMS: Microsoft SQL Server (including Express Edition) with Windows authentication

 

Automatic database creation (by the installer)

Manual database creation (by the Administrator)

Account under which the installer is running

  • Remote DBMS: only a domain account of the remote device on which the DBMS is installed.
  • Local DBMS: a local administrator account or a domain account.
  • Remote DBMS: only a domain account of the remote device on which the DBMS is installed.
  • Local DBMS: a local administrator account or a domain account.

Rights of the account under which the installer is running

  • System rights: local administrator rights.
  • SQL Server rights:
    • Server-level role: sysadmin.
  • System rights: local administrator rights.
  • SQL Server rights:
    • Server-level role: public.
    • Database role membership for the Server database: db_owner, public.
    • Default schema for the Server database: dbo.

Administration Server service account

  • Remote DBMS: only a domain account of the remote device on which the DBMS is installed.
  • Local DBMS:
    • A Windows account chosen by the administrator.
    • An account in the KL-AK-* format that the installer automatically creates.
  • Remote DBMS: only a domain account of the remote device on which the DBMS is installed.
  • Local DBMS:

Rights of the Administration Server service account

  • System rights: the required rights assigned by the installer.
  • SQL Server rights: the required rights assigned by the installer.
  • System rights: the required rights assigned by the installer.
  • SQL Server rights:
    • Server-level role: public.
    • Database role membership for the Server database: db_owner, public.
    • Default schema for the Server database: dbo.

Microsoft SQL Server with SQL Server authentication

If you choose SQL Server as a DBMS, you can use SQL Server authentication to access SQL Server. Configure system rights for a Windows account used to run the installer and for a Windows account used to start the Administration Server service. On SQL Server, create a login with a password to use it for authentication. Then, grant this SQL Server account the required rights listed in the table below. For more information on how to configure rights of the accounts, see Configuring accounts for work with SQL Server (SQL Server authentication).

DBMS: Microsoft SQL Server (including Express Edition) with SQL Server authentication

 

Automatic database creation (by the installer)

Manual database creation (by the Administrator)

Account under which the installer is running

  • Remote DBMS: only a domain account of the remote device on which the DBMS is installed.
  • Local DBMS: a local administrator account or a domain account.
  • Remote DBMS: only a domain account of the remote device on which the DBMS is installed.
  • Local DBMS: a local administrator account or a domain account.

Rights of the account under which the installer is running

System rights: local administrator rights.

System rights: local administrator rights.

Administration Server service account

  • Remote DBMS: only a domain account of the remote device on which the DBMS is installed.
  • Local DBMS:
    • A Windows account chosen by the administrator.
    • An account in the KL-AK-* format that the installer automatically creates.
  • Remote DBMS: only a domain account of the remote device on which the DBMS is installed.
  • Local DBMS:
    • A Windows user account chosen by the administrator.
    • An account in the KL-AK-* format that the installer automatically creates.

Rights of the Administration Server service account

System rights: the required rights assigned by the installer.

System rights: the required rights assigned by the installer.

Rights of the login used for SQL Server authentication

SQL Server rights required to create a database and install Administration Server:

  • Server-level role: public.
  • Database role membership for the master database: db_owner.
  • Default schema for the master database: dbo.
  • Permissions:
    • CONNECT ANY DATABASE
    • CONNECT SQL
    • CREATE ANY DATABASE
    • VIEW ANY DATABASE
    • VIEW SERVER STATE (if the Always On option is enabled)

    SQL Server rights required to work with Administration Server:

  • Server-level role: public.
  • Database role membership for the Server database: db_owner.
  • Default schema for the Server database: dbo.
  • Permissions:
    • CONNECT SQL
    • VIEW ANY DATABASE
    • VIEW SERVER STATE (if the Always On option is enabled)

SQL Server rights:

  • Server-level role: public.
  • Database role membership for the Server database: db_owner.
  • Default schema for the Server database: dbo.
  • Permissions:
    • CONNECT SQL
    • VIEW ANY DATABASE

Configuring SQL Server rights for Administration Server data recovery

To restore Administration Server data from the backup, run the klbackup utility under the Windows account used to install Administration Server. Before you start the klbackup utility, on SQL Server, grant the sysadmin server-level role to the SQL Server login associated with this Windows account.

MySQL and MariaDB

If you choose MySQL or MariaDB as a DBMS, create a DBMS internal account and grant this account the required rights listed in the table below. The installer and the Administration Server service use this internal DBMS account to access the DBMS. Note that the database creation method does not affect the set of required rights. For more information on how to configure the account rights, see Configuring accounts for work with MySQL and MariaDB.

DBMS: MySQL and MariaDB

 

Automatic or manual database creation

Account under which the installer is running

  • Remote DBMS: only a domain account of the remote device with the installed DBMS.
  • Local DBMS: a local administrator account or a domain account.

Rights of the account under which the installer is running

System rights: local administrator rights.

Administration Server service account

  • Remote DBMS: Only a domain account of the remote device with the installed DBMS.
  • Local DBMS:
    • A Windows account chosen by the administrator.
    • An account in the KL-AK-* format that the installer creates automatically.

Rights of the Administration Server service account

System rights: The required rights assigned by the installer.

Rights of the DBMS internal account

Schema privileges:

  • Administration Server database: ALL (excluding GRANT OPTION).
  • System schemes (mysql and sys): SELECT, SHOW VIEW.
  • The sys.table_exists stored procedure: EXECUTE (if you use MariaDB 10.5 or earlier as a DBMS, you do not need to grant the EXECUTE privilege).

Global privileges for all schemes: PROCESS, SUPER.

Configuring privileges for Administration Server data recovery

Rights that you granted to the internal DBMS account are enough to restore Administration Server data from the backup. To start the restore, run the klbackup utility under the Windows account used to install Administration Server.

See also:

Main installation scenario

Page top