OpsMgr security account rights mapping – what accounts need what privileges?

Do you ever wish you had a list of the rights needed to install OpsMgr on each server role? Or what each service account needs for steady state? Or, for ongoing support, what rights your Admin group needs in SQL to support OpsMgr?


I have created a spreadsheet of the typical security accounts and the rights they need on each server role or database.

Attachment is below:

OpsMgr 2007 SP1 Security account Matrix v1.0.xls

Comments (23)

  1. Kevin Holman says:

    @ Adhokd –

    Q:  Does the SCOM action account need to be in Enterprise Admin group if AD monitoring is being done?

    A:  No – never.  Read the ADMP guide.  You only need elevated rights for an account if the action account is low priv.

    Q:  How do we overcome the security issue if Domain controllers are to be monitored using the same SCOM infrastructure which monitors member servers.

    A:  There is no issue.  Use Local System as the default agent action account.

  2. Kevin Holman says:

    Hi Tom –

    Yes – these should all be published and configured during install – and should not require ANY manual intervention.

    My document is published for three reasons:  

    1.  To clarify the user account and rights required to perform an install/upgrade/hotfix

    2.  To document the security for customers – so their SQL DBA teams can better understand our requirements go beyond "just give my service account DBO to the database"

    3.  To document the default configuration for support professionals, so they have a reference to compare against when something isn't working and they suspect permissions have been modified.

  3. Kevin Holman says:

    @Guido –

    Nothing changed in this regard to R2.

  4. Kevin Holman says:

    Yes – as far as I know – no security schema changes were made.

  5. Anonymous says:

    There has always been a bit of confusion on when to run the DBCreateWizard.exe tool, or when to just

  6. Anonymous says:

    Great stuff Kevin!

    I do have a couple of questions however:

    Q1 – Microsoft KB article 936220, entitled "How to change the credentials for the OpsMgr SDK Service and for the OpsMgr Config Service in Microsoft System Center Operations Manager 2007", makes no mention of adding either of the following accounts in the RMS & MS local Administrators group:

    – OpsMgr SDK Service account

    – OpsMgr Config Service

    The "Operations Manager 2007 R2 Quick Start Guide" clearly states the following however:

    "SDK and Config Service accounts. They can use the same account. It must have administrative privileges on the management server and system administrator privileges on the instance of SQL Server that will host the Operations Manager 2007 R2 database."

    I’m leaning towards putting them in the local Administrators group, as our current installation is generating a plethora of error logs (Event ID: 26319; Source: OpsMgr SDK Service – The user <Domain>\SVC-MOMSDK does not have sufficient permission to perform the operation.) on our RMS.

    What are your thoughts on this?

    Q2 – In my sandbox environment*:

    – the ‘public’ database role for the OperationsManager database is empty, whereas the spreadsheet indicates that the following should appear:

        – SDK and Config account
        – MS Action account
        – Report Data Writer account
        – Domain Global Group associated with the Operations Manager Administrators user role

    – the ‘db_datareader’ database role for the OperationsManager database does not include the Domain Global Group associated with the Operations Manager Administrators user role.

    – the ‘db_datareader’ database role for the OperationsManagerDW database does not include the Domain Global Group associated with the Operations Manager Administrators user role.

    – the ‘OpsMgrReader’ database role for the OperationsManagerDW database does not include the Domain Global Group associated with the Operations Manager Administrators user role.

    – the ‘public’ database role for the OperationsManager database is empty, whereas the spreadsheet indicates that the following should appear:

        – SDK and Config account
        – Report Data Reader account
        – Report Data Writer account
        – Domain Global Group associated with the Operations Manager Administrators user role

    Should I make these additions manually and, if so, why didn’t the installer take care of this?

    Thanks,

    Larry

    * sandbox is 3 VM servers:

    – 1 AD Server

    – 1 RMS Server (OpsMgr 2007 R2)

    – 1 SQL Server (2005)
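As an added example (not from Kevin's spreadsheet or from the OpsMgr installer), the T-SQL below enumerates database role membership in the OperationsManager and OperationsManagerDW databases, assuming those default names on a single instance, plus the holders of the sysadmin server role, so the output can be compared line by line against the matrix. The public role never shows explicit members in sys.database_role_members, because every database user belongs to it implicitly, which is why it looks empty in the tools; the script therefore lists the mapped users under public instead.

```sql
-- Added example: audit role membership in the OpsMgr databases (assumed default names).
DECLARE @sql nvarchar(max);
SET @sql = N'';

-- Build one batch per OpsMgr database and run them together.
SELECT @sql = @sql + N'
USE ' + QUOTENAME(d.name) + N';
SELECT DB_NAME()   AS database_name,
       r.name      AS role_name,
       m.name      AS member_name,
       m.type_desc AS member_type
FROM sys.database_role_members AS rm
JOIN sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
UNION ALL
SELECT DB_NAME(), N''public'', p.name, p.type_desc
FROM sys.database_principals AS p
WHERE p.type IN (''S'', ''U'', ''G'')
  AND p.name NOT IN (N''dbo'', N''guest'', N''INFORMATION_SCHEMA'', N''sys'')
ORDER BY role_name, member_name;
'
FROM sys.databases AS d
WHERE d.name IN (N'OperationsManager', N'OperationsManagerDW');

-- Every SQL user (S), Windows user (U) and Windows group (G) mapped into the
-- database is an implicit member of public; built-in principals are filtered out.
EXEC sys.sp_executesql @sql;

-- Server level: which logins hold sysadmin (the Quick Start Guide quoted above
-- calls for system administrator privileges for the SDK and Config account).
SELECT r.name      AS server_role,
       m.name      AS login_name,
       m.type_desc AS login_type
FROM sys.server_role_members AS srm
JOIN sys.server_principals   AS r ON r.principal_id = srm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = srm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;
```

Windows rights such as "Log on as a service" are not visible from SQL and have to be checked on each server separately.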

  7. Anonymous says:

    Excellent, thank you very much, highly appreciated!

    Is it possible to include Pavel’s recommendations in version 2.0 of your Matrix?

  8. S.Carrilho says:

    Hi Joe,

    I've posted an updated version for SCOM2012 SP1.

    Hope it helps!

    blogs.technet.com/…/scom-2012-sp1-security-accounts-matrix.aspx

  9. Anonymous says:

    This is exactly what DBA’s have been asking for.  Thanks man!

    -Jess

  10. Pavel says:

    Thanks for the effort of putting the permissions account document together, I mentioned before to C.Fox that his doc is lacking these details.

    I just wanted to add my 2 cents here:

    You should probably include in the doc account’s system permissions.

    For example:

    Data reader account on the reporting server needs:

    Logon as a Batch Job and Logon as a Service privileges.

    SDK account requires the same privileges on the RMS server.

    Data Writer Logon as a Service on the reporting.

    Don’t quote me on these. Just verify the roles exactly; I am not sure regarding whether data warehouse account privileges are needed on the reporting db server or on the server where SSRS is installed if separate. (In my environment these roles are installed on the same server, so I can’t really clarify)…

    PaVel

  11. Blake Mengotto says:

    Kevin,

    It’s about time.. Jesus.  Can you be any slower? 😉

    Hugs and kisses,

    Blakey poo

  12. pete says:

    Outstanding work on the spreadsheet – it’s a shame that it’s so difficult to implement good practices like separating databases from applications. I’ve been fighting this for a few weeks and I really appreciate why they suggest taking the shortcut and just installing it all on one box. Good on ya Kevin!

  13. Or Tsemah says:

    Great 10x,

    A good addition to the document would be to add the Permissions required for popular MPs like the ADMP and the Exchange ones…

  14. stephen says:

    What about R2? I was reading that the "SDK and config" account is now called the Data Access Service account. Can I safely replace "SDK and config" with Data Access Service account on the spreadsheet to be compliant with R2?

    Thanks,

    Stephen

  15. martit01 says:

    Thanks Kevin,

    Shouldn't all these permissions be expected to populate during the installation?  For example, all the needed permissions for the SDK account on the OpsMgrDB and the OpsMgrDW, shouldn't these auto populate during the installation?

    Thanks,

    Tom

  16. Adhokd says:

    Does the SCOM action account need to be in Enterprise Admin group if AD monitoring is being done? How do we overcome the security issue if Domain controllers are to be monitored using the same SCOM infrastructure which monitors member servers.

  17. Guido5 says:

    Is there also an R2 version of this sheet?

  18. KellyK says:

    @Kevin – What do * and ** indicate in the document?

  19. Joe says:

    Any chance we can get a 2012 version of this document? I know most of the roles are the same, but still would be nice.

  20. Ghasem Shams says:

    Can you describe what the “Context Description” column (the second column) is?

        SCOM Install Account | SQL Server hosting OperationsManagerDW database | SQL MSDB database
        SCOM Install Account | SQL Server hosting SSRS DB | SQL MSDB database

  21. Paul Sommerfield says:

    Kevin,

    Have you ever done an equivalent spreadsheet for OM2012 R2 and SQL permissions needed in SQL 2008…SQL 2012?

    Thanks!

  22. Paul Sommerfield says:

    Never mind. Saw Sergio’s post on page 2 of the blog…my bad.

  23. Natarajan says:

    Hi Kevin, could you please help me identify the list of public permissions required by SCOM 2012 in the SQL db (2008 R2)? As we are in a secured environment, we cannot enable all permissions in SQL. Hence we need to identify the list of permissions to be enabled in SQL apart from the permissions which we enable for the service account. Sample permissions which will get removed from the SQL db are as below:

    ```sql
    USE [master]
    GO

    -- Audit of successful and failed logins
    EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE', N'Software\Microsoft\MSSQLServer\MSSQLServer', N'AuditLevel', REG_DWORD, 3
    -- Error logs can be overwritten
    EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE', N'Software\Microsoft\MSSQLServer\MSSQLServer', N'NumErrorLogs', REG_DWORD, 25000
    -- Remove remote access.
    EXEC sys.sp_configure N'remote access', N'0'
    GO
    RECONFIGURE WITH OVERRIDE
    GO
    USE master
    GO
    -- 09/01/2012 - Additional REVOKES Start
    REVOKE EXECUTE ON sys.ORMask TO public
    REVOKE EXECUTE ON sys.sp_getVolumeFreeSpace TO public
    REVOKE EXECUTE ON sys.sp_getProcessorUsage TO public
    REVOKE EXECUTE ON sys.sp_change_tracking_waitforchanges TO public
    -- 09/01/2012 - Additional REVOKES End

    REVOKE EXECUTE ON sp_patrol_monitor FROM public
    REVOKE EXECUTE ON sp_patrol_user FROM public
    REVOKE EXECUTE ON sp_MSalreadyhavegeneration FROM public
    REVOKE EXECUTE ON sp_MSwritemergeperfcounter FROM public
    REVOKE EXECUTE ON sp_replsetsyncstatus FROM public
    REVOKE EXECUTE ON sp_replshowcmds FROM public
    REVOKE EXECUTE ON sp_publishdb FROM public
    REVOKE EXECUTE ON sp_addqueued_artinfo FROM public
    REVOKE EXECUTE ON sp_replcounters FROM public
    REVOKE EXECUTE ON sp_MSget_subscription_dts_info FROM public
    REVOKE EXECUTE ON sp_password FROM public
    REVOKE EXECUTE ON sp_MSstopdistribution_agent FROM public
    REVOKE EXECUTE ON sp_replmonitorrefreshjob FROM public
    REVOKE EXECUTE ON sp_MSenumpartialchangesdirect FROM public
    ```

    We will remove all this kind of system database permission to harden the server. Now we need the list of permissions which need to be revoked to enable the system database to allow the SCOM application to work properly.
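An added check, not from Natarajan's script or from Microsoft guidance: before and after running REVOKE statements like the ones above, this query lists every explicit GRANT or DENY held by the public role in the current database, so the hardening team has a concrete before/after list to review. It is written for master (where the revoked procedures live) and can be run unchanged in OperationsManager and OperationsManagerDW as well.

```sql
-- Added example: enumerate explicit permissions held by public in the current database.
USE master;
GO
SELECT p.state_desc      AS grant_state,      -- GRANT, GRANT_WITH_GRANT_OPTION or DENY
       p.permission_name,
       p.class_desc,                          -- DATABASE, OBJECT_OR_COLUMN, SCHEMA, ...
       -- Resolve the securable to schema.object; database-level rows fall back to DB_NAME()
       COALESCE(OBJECT_SCHEMA_NAME(p.major_id) + N'.' + OBJECT_NAME(p.major_id),
                DB_NAME())  AS securable,
       pr.name             AS grantee
FROM sys.database_permissions AS p
JOIN sys.database_principals  AS pr ON pr.principal_id = p.grantee_principal_id
WHERE pr.name = N'public'
  AND p.class_desc IN (N'DATABASE', N'OBJECT_OR_COLUMN')
ORDER BY p.class_desc, securable, p.permission_name;
```

Saving the result set before the hardening run and diffing it against a run afterwards shows exactly which EXECUTE grants were removed, which is the list to reconcile with the matrix.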