To install Administration Server and work with it, you need a Windows account under which you will run the Administration Server installer (hereinafter also referred to as the installer), a Windows account under which you will start the Administration Server service, and an internal DBMS account to access the DBMS. You can create new accounts or use existing ones. All these accounts require specific rights. A set of the required accounts and their rights depends on the following criteria:
Follow the principle of least privilege when you grant rights and permissions to the accounts. This means that the granted rights should be only enough to perform the required actions.
The tables below contain information about the system rights and DBMS rights that you should grant to the accounts before you install and start Administration Server.
Microsoft SQL Server with Windows authentication
If you choose SQL Server as a DBMS, you can use Windows authentication to access SQL Server. Configure system rights for a Windows account used to run the installer and a Windows account used to start the Administration Server service. On SQL Server, create logins for both of these Windows accounts. Depending on the creation method of the Server database, grant the required SQL Server rights to these accounts as described in the table below. For more information on how to configure rights of the accounts, see Configuring accounts for work with SQL Server (Windows authentication).
DBMS: Microsoft SQL Server (including Express Edition) with Windows authentication
|
Automatic database creation (by the installer) |
Manual database creation (by the Administrator) |
---|---|---|
Account under which the installer is running |
|
|
Rights of the account under which the installer is running |
|
|
Administration Server service account |
|
|
Rights of the Administration Server service account |
|
|
Microsoft SQL Server with SQL Server authentication
If you choose SQL Server as a DBMS, you can use SQL Server authentication to access SQL Server. Configure system rights for a Windows account used to run the installer and for a Windows account used to start the Administration Server service. On SQL Server, create a login with a password to use it for authentication. Then, grant this SQL Server account the required rights listed in the table below. For more information on how to configure rights of the accounts, see Configuring accounts for work with SQL Server (SQL Server authentication).
DBMS: Microsoft SQL Server (including Express Edition) with SQL Server authentication
|
Automatic database creation (by the installer) |
Manual database creation (by the Administrator) |
---|---|---|
Account under which the installer is running |
|
|
Rights of the account under which the installer is running |
System rights: local administrator rights. |
System rights: local administrator rights. |
Administration Server service account |
|
|
Rights of the Administration Server service account |
System rights: the required rights assigned by the installer. |
System rights: the required rights assigned by the installer. |
Rights of the login used for SQL Server authentication |
SQL Server rights required to create a database and install Administration Server:
SQL Server rights required to work with Administration Server:
|
SQL Server rights:
|
Configuring SQL Server rights for Administration Server data recovery
To restore Administration Server data from the backup, run the klbackup utility under the Windows account used to install Administration Server. Before you start the klbackup utility, on SQL Server, grant the rights to the SQL Server login associated with this Windows account. The SQL Server rights are different depending on the Administration Server version. For the Administration Server version 14.2 or later, you can grant the sysadmin server-level role or the dbcreator server-level role.
SQL Server rights for the Administration Server database recovery
Administration Server version 14.2 or later |
Other Administration Server versions |
---|---|
|
|
Before you start the klbackup utility, specify the KLSRV_SKIP_ADJUSTING_DBMS_ACCESS server flag. Run the Windows command prompt by using administrator rights, and then change your current directory to the directory with the klscflag utility. The klscflag utility is located in the folder where Administration Server is installed. The default installation path is <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center. After that, execute the following command in the command line:
|
|
MySQL and MariaDB
If you choose MySQL or MariaDB as a DBMS, create a DBMS internal account and grant this account the required rights listed in the table below. The installer and the Administration Server service use this internal DBMS account to access the DBMS. Note that the database creation method does not affect the set of required rights. For more information on how to configure the account rights, see Configuring accounts for work with MySQL and MariaDB.
DBMS: MySQL and MariaDB
|
Automatic or manual database creation |
Account under which the installer is running |
|
Rights of the account under which the installer is running |
System rights: local administrator rights. |
Administration Server service account |
|
Rights of the Administration Server service account |
System rights: The required rights assigned by the installer. |
Rights of the DBMS internal account |
Schema privileges:
Global privileges for all schemes: PROCESS, SUPER. |
Configuring privileges for Administration Server data recovery
Rights that you granted to the internal DBMS account are enough to restore Administration Server data from the backup. To start the restore, run the klbackup utility under the Windows account used to install Administration Server.
PostgreSQL or Postgres Pro
If you choose PostgreSQL or Postgres Pro as a DBMS, you can use the Postgres user (the default Postgres role) or create a new Postgres role (hereinafter also referred to as a role) to access the DBMS. Depending on the creation method of the Server database, grant the required rights to the role as described in the table below. For more information on how to configure rights of the role, see Configuring accounts for work with PostgreSQL or Postgres Pro.
DBMS: PostgreSQL or Postgres Pro
|
Automatic database creation |
Manual database creation |
|
Account under which the installer is running |
|
|
|
Rights of the account under which the installer is running |
System rights: local administrator rights. |
System rights: local administrator rights. |
|
Administration Server service account |
|
|
|
Rights of the Administration Server service account |
System rights: The required rights assigned by the installer. |
System rights: The required rights assigned by the installer. |
|
Rights of the Postgres role |
The Postgres user does not require additional rights. |
Privileges for a new role: |
For a new role:
|
Configuring privileges for Administration Server data recovery
To restore Administration Server data from the backup, run the klbackup utility under the Windows account used to install Administration Server. Note that the Postgres role used to access to the DBMS must have the owner rights on the Administration Server database.