Purpose

This document covers the minimum account privilege requirements for using Protect's SQL database.

Description

Below are the privileges (roles) required within SQL for a user in possible scenarios:

Database Creation:
New installations of the Protect database require an account that has at least the DB_Creator role. 

If the account has nothing else but DB_Creator it will give the account the proper rights when it creates the database.  So for situations where you have a DBA involved you can have them add a windows user to SQL with DB_Creator, Protect can create the database, then after completion the DBA can remove DB_Creator from that user.

Protect User:
Any protect user must have the following roles assigned for the Protect database to use the product: 

STExec

DB_DataReader

DB_DataWriter 

This must be configured for each user who will authenticate with the Protect database.    

Upgrade Rights:
When we upgrade the product there are typically schema changes to the DB.  These changes require additional rights that are not required for day to day usage of the product.  Ensure the customer knows that for any upgrades they have to use an account with this level of rights otherwise the DB upgrade will fail.

To successfully perform an upgrade of the Protect database the following roles will be required:

db_securityadmin

db_ddladmin 

Example of how you would see this in SQL Server Management Studio:

Additional Information

More information from the Shavlik Protect product documentation:

SQL Server Pre-Installation Notes

SQL Server Post-Installation Notes

The ability to check these privileges will require a DBA or the use of SQL Server Management Studio.

Affected Product(s)

Shavlik Protect, All Versions