Accounts for work with the DBMS

To install Administration Server and work with it, you need a Windows account under which you will run the Administration Server installer (hereinafter also referred to as the installer), a Windows account under which you will start the Administration Server service, and an internal DBMS account to access the DBMS. You can create new accounts or use existing ones. All these accounts require specific rights. A set of the required accounts and their rights depends on the following criteria:

DBMS type:
- Microsoft SQL Server (with Windows authentication or SQL Server authentication)
- MySQL or MariaDB
- PostgreSQL or Postgres Pro
DBMS location:
- Local DBMS. A local DBMS is a DBMS installed on the same device as Administration Server.
- Remote DBMS. A remote DBMS is a DBMS installed on a different device.
Method of the Administration Server database creation:
- Automatic. During the Administration Server installation, you can automatically create an Administration Server database (hereinafter also referred to as a Server database) by using the installer.
- Manual. You can use a third-party application (for example, SQL Server Management Studio) or a script to create an empty database. After that, you can specify this database as the Server database during the Administration Server installation.

Follow the principle of least privilege when you grant rights and permissions to the accounts. This means that the granted rights should be only enough to perform the required actions.

The tables below contain information about the system rights and DBMS rights that you should grant to the accounts before you install and start Administration Server.

Microsoft SQL Server with Windows authentication

If you choose SQL Server as a DBMS, you can use Windows authentication to access SQL Server. Configure system rights for a Windows account used to run the installer and a Windows account used to start the Administration Server service. On SQL Server, create logins for both of these Windows accounts. Depending on the creation method of the Server database, grant the required SQL Server rights to these accounts as described in the table below. For more information on how to configure rights of the accounts, see Configuring accounts for work with SQL Server (Windows authentication).

DBMS: Microsoft SQL Server (including Express Edition) with Windows authentication

	Automatic database creation (by the installer)	Manual database creation (by the Administrator)
Account under which the installer is running	Remote DBMS: only a domain account of the remote device on which the DBMS is installed. Local DBMS: a local administrator account or a domain account.	Remote DBMS: only a domain account of the remote device on which the DBMS is installed. Local DBMS: a local administrator account or a domain account.
Rights of the account under which the installer is running	System rights: local administrator rights. SQL Server rights: Server-level role: sysadmin.	System rights: local administrator rights. SQL Server rights: Server-level role: public. Database role membership for the Server database: db_owner, public. Default schema for the Server database: dbo.
Administration Server service account	Remote DBMS: only a domain account of the remote device on which the DBMS is installed. Local DBMS: A Windows account chosen by the administrator. An account in the KL-AK-* format that the installer automatically creates.	Remote DBMS: only a domain account of the remote device on which the DBMS is installed. Local DBMS: A Windows account chosen by the administrator. An account in the KL-AK-* format that the installer automatically creates (in this case, we do not recommend that you generate a KL-AK-* account).
Rights of the Administration Server service account	System rights: the required rights assigned by the installer. SQL Server rights: the required rights assigned by the installer.	System rights: the required rights assigned by the installer. SQL Server rights: Server-level role: public. Database role membership for the Server database: db_owner, public. Default schema for the Server database: dbo.

Microsoft SQL Server with SQL Server authentication

If you choose SQL Server as a DBMS, you can use SQL Server authentication to access SQL Server. Configure system rights for a Windows account used to run the installer and for a Windows account used to start the Administration Server service. On SQL Server, create a login with a password to use it for authentication. Then, grant this SQL Server account the required rights listed in the table below. For more information on how to configure rights of the accounts, see Configuring accounts for work with SQL Server (SQL Server authentication).

DBMS: Microsoft SQL Server (including Express Edition) with SQL Server authentication

	Automatic database creation (by the installer)	Manual database creation (by the Administrator)
Account under which the installer is running	Remote DBMS: only a domain account of the remote device on which the DBMS is installed. Local DBMS: a local administrator account or a domain account.	Remote DBMS: only a domain account of the remote device on which the DBMS is installed. Local DBMS: a local administrator account or a domain account.
Rights of the account under which the installer is running	System rights: local administrator rights.	System rights: local administrator rights.
Administration Server service account	Remote DBMS: only a domain account of the remote device on which the DBMS is installed. Local DBMS: A Windows account chosen by the administrator. An account in the KL-AK-* format that the installer automatically creates.	Remote DBMS: only a domain account of the remote device on which the DBMS is installed. Local DBMS: A Windows user account chosen by the administrator. An account in the KL-AK-* format that the installer automatically creates.
Rights of the Administration Server service account	System rights: the required rights assigned by the installer.	System rights: the required rights assigned by the installer.
Rights of the login used for SQL Server authentication	SQL Server rights required to create a database and install Administration Server: Server-level role: public. Database role membership for the master database: db_owner. Default schema for the master database: dbo. Permissions: CONNECT ANY DATABASE CONNECT SQL CREATE ANY DATABASE VIEW ANY DATABASE VIEW SERVER STATE (if the Always On option is enabled) SQL Server rights required to work with Administration Server: Server-level role: public. Database role membership for the Server database: db_owner. Default schema for the Server database: dbo. Permissions: CONNECT SQL VIEW ANY DATABASE VIEW SERVER STATE (if the Always On option is enabled) VIEW ANY DEFINITION	SQL Server rights: Server-level role: public. Database role membership for the Server database: db_owner. Default schema for the Server database: dbo. Permissions: CONNECT SQL VIEW ANY DATABASE VIEW ANY DEFINITION

Configuring SQL Server rights for Administration Server data recovery

To restore Administration Server data from the backup, run the klbackup utility under the Windows account used to install Administration Server. Before you start the klbackup utility, on SQL Server, grant the rights to the SQL Server login associated with this Windows account. The SQL Server rights are different depending on the Administration Server version. For the Administration Server version 14.2 or later, you can grant the sysadmin server-level role or the dbcreator server-level role.

SQL Server rights for the Administration Server database recovery

Administration Server version 14.2 or later	Other Administration Server versions
SQL Server rights: Server-level role: sysadmin.	SQL Server rights: Server-level role: sysadmin.
SQL Server rights: Server-level role: dbcreator. Permissions: VIEW ANY DEFINITION Before you start the klbackup utility, specify the KLSRV_SKIP_ADJUSTING_DBMS_ACCESS server flag. Run the Windows command prompt by using administrator rights, and then change your current directory to the directory with the klscflag utility. The klscflag utility is located in the folder where Administration Server is installed. The default installation path is <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center. After that, execute the following command in the command line: `klscflag.exe -fset -pv klserver -n KLSRV_SKIP_ADJUSTING_DBMS_ACCESS -t d -v 1`

Administration Server version 14.2 or later

Other Administration Server versions

SQL Server rights:
- Server-level role: sysadmin.

SQL Server rights:
- Server-level role: sysadmin.

SQL Server rights:
- Server-level role: dbcreator.
Permissions:
- VIEW ANY DEFINITION
Before you start the klbackup utility, specify the KLSRV_SKIP_ADJUSTING_DBMS_ACCESS server flag. Run the Windows command prompt by using administrator rights, and then change your current directory to the directory with the klscflag utility. The klscflag utility is located in the folder where Administration Server is installed. The default installation path is <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center. After that, execute the following command in the command line:

klscflag.exe -fset -pv klserver -n KLSRV_SKIP_ADJUSTING_DBMS_ACCESS -t d -v 1

MySQL and MariaDB

If you choose MySQL or MariaDB as a DBMS, create a DBMS internal account and grant this account the required rights listed in the table below. The installer and the Administration Server service use this internal DBMS account to access the DBMS. Note that the database creation method does not affect the set of required rights. For more information on how to configure the account rights, see Configuring accounts for work with MySQL and MariaDB.

DBMS: MySQL and MariaDB

	Automatic or manual database creation
Account under which the installer is running	Remote DBMS: only a domain account of the remote device with the installed DBMS. Local DBMS: a local administrator account or a domain account.
Rights of the account under which the installer is running	System rights: local administrator rights.
Administration Server service account	Remote DBMS: Only a domain account of the remote device with the installed DBMS. Local DBMS: A Windows account chosen by the administrator. An account in the KL-AK-* format that the installer creates automatically.
Rights of the Administration Server service account	System rights: The required rights assigned by the installer.
Rights of the DBMS internal account	Schema privileges: Administration Server database: ALL (excluding GRANT OPTION). System schemes (mysql and sys): SELECT, SHOW VIEW. The sys.table_exists stored procedure: EXECUTE (if you use MariaDB 10.5 or earlier as a DBMS, you do not need to grant the EXECUTE privilege). Global privileges for all schemes: PROCESS, SUPER.

Configuring privileges for Administration Server data recovery

Rights that you granted to the internal DBMS account are enough to restore Administration Server data from the backup. To start the restore, run the klbackup utility under the Windows account used to install Administration Server.

PostgreSQL or Postgres Pro

If you choose PostgreSQL or Postgres Pro as a DBMS, you can use the Postgres user (the default Postgres role) or create a new Postgres role (hereinafter also referred to as a role) to access the DBMS. Depending on the creation method of the Server database, grant the required rights to the role as described in the table below. For more information on how to configure rights of the role, see Configuring accounts for work with PostgreSQL or Postgres Pro.

DBMS: PostgreSQL or Postgres Pro


	Automatic database creation		Manual database creation
Account under which the installer is running	Remote DBMS: only a domain account of the remote device with the installed DBMS. Local DBMS: a local administrator account or a domain account.		Remote DBMS: only a domain account of the remote device with the installed DBMS. Local DBMS: a local administrator account or a domain account.
Rights of the account under which the installer is running	System rights: local administrator rights.		System rights: local administrator rights.
Administration Server service account	Remote DBMS: Only a domain account of the remote device with the installed DBMS. Local DBMS: A Windows account chosen by the administrator. An account in the KL-AK-* format that the installer creates automatically.		Remote DBMS: Only a domain account of the remote device with the installed DBMS. Local DBMS: A Windows account chosen by the administrator. An account in the KL-AK-* format that the installer creates automatically.
Rights of the Administration Server service account	System rights: The required rights assigned by the installer.		System rights: The required rights assigned by the installer.
Rights of the Postgres role	The Postgres user does not require additional rights.	Privileges for a new role: `CREATEDB`.	For a new role: Privileges on Administration Server database: `ALL`. Privileges on all tables in the public schema: `ALL`. Privileges on all sequences in the public schema: `ALL`.

Configuring privileges for Administration Server data recovery

To restore Administration Server data from the backup, run the klbackup utility under the Windows account used to install Administration Server. Note that the Postgres role used to access to the DBMS must have the owner rights on the Administration Server database.