Accounts for work with the DBMS
To install Administration Server and work with it, you need a Windows account under which you will run the Administration Server installer (hereinafter also referred to as the installer), a Windows account under which you will start the Administration Server service, and an internal DBMS account to access the DBMS. You can create new accounts or use existing ones. All these accounts require specific rights. A set of the required accounts and their rights depends on the following criteria:
- DBMS type:
- Microsoft SQL Server (with Windows authentication or SQL Server authentication)
- MySQL or MariaDB
- PostgreSQL or Postgres Pro
- DBMS location:
- Local DBMS. A local DBMS is a DBMS installed on the same device as Administration Server.
- Remote DBMS. A remote DBMS is a DBMS installed on a different device.
- Method of the Administration Server database creation:
- Automatic. During the Administration Server installation, you can automatically create an Administration Server database (hereinafter also referred to as a Server database) by using the installer.
- Manual. You can use a third-party application (for example, SQL Server Management Studio) or a script to create an empty database. After that, you can specify this database as the Server database during the Administration Server installation.
Follow the principle of least privilege when you grant rights and permissions to the accounts. This means that the granted rights should be only enough to perform the required actions.
The tables below contain information about the system rights and DBMS rights that you should grant to the accounts before you install and start Administration Server.
Microsoft SQL Server with Windows authentication
If you choose SQL Server as a DBMS, you can use Windows authentication to access SQL Server. Configure system rights for a Windows account used to run the installer and a Windows account used to start the Administration Server service. On SQL Server, create logins for both of these Windows accounts. Depending on the creation method of the Server database, grant the required SQL Server rights to these accounts as described in the table below. For more information on how to configure rights of the accounts, see Configuring accounts for work with SQL Server (Windows authentication).
DBMS: Microsoft SQL Server (including Express Edition) with Windows authentication
| Automatic database creation (by the installer) | Manual database creation (by the Administrator) |
---|---|---|
Account under which the installer is running |
|
|
Rights of the account under which the installer is running |
|
|
Administration Server service account |
|
|
Rights of the Administration Server service account |
|
|
Microsoft SQL Server with SQL Server authentication
If you choose SQL Server as a DBMS, you can use SQL Server authentication to access SQL Server. Configure system rights for a Windows account used to run the installer and for a Windows account used to start the Administration Server service. On SQL Server, create a login with a password to use it for authentication. Then, grant this SQL Server account the required rights listed in the table below. For more information on how to configure rights of the accounts, see Configuring accounts for work with SQL Server (SQL Server authentication).
DBMS: Microsoft SQL Server (including Express Edition) with SQL Server authentication
| Automatic database creation (by the installer) | Manual database creation (by the Administrator) |
---|---|---|
Account under which the installer is running |
|
|
Rights of the account under which the installer is running | System rights: local administrator rights. | System rights: local administrator rights. |
Administration Server service account |
|
|
Rights of the Administration Server service account | System rights: the required rights assigned by the installer. | System rights: the required rights assigned by the installer. |
Rights of the login used for SQL Server authentication | SQL Server rights required to create a database and install Administration Server:
| SQL Server rights:
|
Configuring SQL Server rights for Administration Server data recovery
To restore Administration Server data from the backup, run the klbackup utility under the Windows account used to install Administration Server. Before you start the klbackup utility, on SQL Server, grant the rights to the SQL Server login associated with this Windows account. The SQL Server rights are different depending on the Administration Server version. For the Administration Server version 14.2 or later, you can grant the sysadmin server-level role or the dbcreator server-level role.
SQL Server rights for the Administration Server database recovery
Administration Server version 14.2 or later | Other Administration Server versions |
---|---|
|
|
|
|
MySQL and MariaDB
If you choose MySQL or MariaDB as a DBMS, create a DBMS internal account and grant this account the required rights listed in the table below. The installer and the Administration Server service use this internal DBMS account to access the DBMS. Note that the database creation method does not affect the set of required rights. For more information on how to configure the account rights, see Configuring accounts for work with MySQL and MariaDB.
DBMS: MySQL and MariaDB
| Automatic or manual database creation |
Account under which the installer is running |
|
Rights of the account under which the installer is running | System rights: local administrator rights. |
Administration Server service account |
|
Rights of the Administration Server service account | System rights: The required rights assigned by the installer. |
Rights of the DBMS internal account | Schema privileges:
Global privileges for all schemes: PROCESS, SUPER. |
Configuring privileges for Administration Server data recovery
Rights that you granted to the internal DBMS account are enough to restore Administration Server data from the backup. To start the restore, run the klbackup utility under the Windows account used to install Administration Server.
PostgreSQL or Postgres Pro
If you choose PostgreSQL or Postgres Pro as a DBMS, you can use the Postgres user (the default Postgres role) or create a new Postgres role (hereinafter also referred to as a role) to access the DBMS. Depending on the creation method of the Server database, grant the required rights to the role as described in the table below. For more information on how to configure rights of the role, see Configuring accounts for work with PostgreSQL or Postgres Pro.
DBMS: PostgreSQL or Postgres Pro
| Automatic database creation | Manual database creation | |
Account under which the installer is running |
|
| |
Rights of the account under which the installer is running | System rights: local administrator rights. | System rights: local administrator rights. | |
Administration Server service account |
|
| |
Rights of the Administration Server service account | System rights: The required rights assigned by the installer. | System rights: The required rights assigned by the installer. | |
Rights of the Postgres role | The Postgres user does not require additional rights. | Privileges for a new role: | For a new role:
|
Configuring privileges for Administration Server data recovery
To restore Administration Server data from the backup, run the klbackup utility under the Windows account used to install Administration Server. Note that the Postgres role used to access to the DBMS must have the owner rights on the Administration Server database.