Kaspersky Security Center

Configuring accounts for work with MySQL and MariaDB

December 19, 2024

ID 240816

Prerequisites

Before you assign rights to the accounts, perform the following actions:

  1. Make sure that you log in to the system under the local administrator account.
  2. Install an environment for working with MySQL or MariaDB.
  3. Make sure that you have a Windows account under which you will install Administration Server.
  4. Make sure that you have a Windows account under which you will start the Administration Server service.

Configuring the accounts to install Administration Server

To configure the accounts for the Administration Server installation:

  1. Run an environment for working with MySQL or MariaDB under the root account that you created when you installed the DBMS.
  2. Create an internal DBMS account with a password. The Administration Server installer (hereinafter also referred to as the installer) and the Administration Server service will use this internal DBMS account to access DBMS. Grant the following privileges to this account:
    • Schema privileges:
      • Administration Server database: ALL (excluding GRANT OPTION)
      • System schemes (mysql and sys): SELECT, SHOW VIEW
      • The sys.table_exists stored procedure: EXECUTE
    • Global privileges for all schemes: PROCESS, SUPER

    To create an internal DBMS account and grant the required privileges to this account, run the script below (in this script, the DBMS login is KSCAdmin, and the Administration Server database name is kav):

    /* Create a user named KSCAdmin */

    CREATE USER 'KSCAdmin'

    /* Specify a password for KSCAdmin */

    IDENTIFIED BY '<password>';

    If you use MySQL 8.0 or earlier as a DBMS, note that for these versions the "Caching SHA2 password" authentication is not supported. Change the default authentication from "Caching SHA2 password" to "MySQL native password":

    • To create a DBMS account that uses the "MySQL native password" authentication, execute the following command:

      CREATE USER 'KSCAdmin'@'%' IDENTIFIED WITH mysql_native_password BY '<password>';

    • To change the authentication for an existing DBMS account, execute the following command:

      ALTER USER 'KSCAdmin'@'%' IDENTIFIED WITH mysql_native_password BY '<password>';

    /* Grant privileges to KSCAdmin */

    GRANT USAGE ON *.* TO 'KSCAdmin';

    GRANT ALL ON kav.* TO 'KSCAdmin';

    GRANT SELECT, SHOW VIEW ON mysql.* TO 'KSCAdmin';

    GRANT SELECT, SHOW VIEW ON sys.* TO 'KSCAdmin';

    GRANT EXECUTE ON PROCEDURE sys.table_exists TO 'KSCAdmin';

    GRANT PROCESS ON *.* TO 'KSCAdmin';

    GRANT SUPER ON *.* TO 'KSCAdmin';

    If you use MariaDB 10.5 or earlier as a DBMS, you do not need to grant the EXECUTE privilege. In this case, exclude the following command from the script: GRANT EXECUTE ON PROCEDURE sys.table_exists TO 'KSCAdmin'.

  3. To view the list of privileges granted to the DBMS account, run the following script:

    SHOW grants for 'KSCAdmin';

  4. To create an Administration Server database manually, run the following script (in this script, the Administration Server database name is kav):

    CREATE DATABASE kav

    DEFAULT CHARACTER SET ascii

    DEFAULT COLLATE ascii_general_ci;

    Use the same database name that you specify in the script that creates the DBMS account.

  5. Log in to the system under the Windows account used to run the installer.
  6. Run the installer.

    The Administration Server Setup wizard starts. Follow the instructions of the wizard.

  7. Select the custom installation of Administration Server option.
  8. Select the MySQL or MariaDB as a DBMS that stores the Administration Server database.
  9. Specify the Administration Server database name. Use the same database name that you specify in the script.
  10. Specify the credentials of the DBMS account that you created by the script.
  11. Specify the Windows account used to start the Administration Server service.

    You can select an existing Windows user account or automatically create a new Windows account in the KL-AK-* format by using the installer. Regardless of the account choice, the installer assigns the required system rights to the Administration Server service account.

After the installation finishes, the Administration Server database is created and Administration Server is ready to use.

See also:

Using Application Control to manage executable files

Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.