Active Directory Groups and SQL Server Roles

The following tables provide general guidelines on securing reporting components. Create the following Active Directory groups.

| Active Directory Group | Description |
| --- | --- |
| ADB_DB_Administrators | Contains accounts that are required to configure and maintain the reporting database. We recommend that a minimum number of AD Bridge Enterprise administrators tasked with maintaining the reporting infrastructure are included here. |
| ADB_Collectors | Contains the service accounts used to run the Collector services. |
| ADB_DB_Archive_Administrators | Contains the service accounts used for automated archiving. |
| ADB_Report_Viewers | Contains accounts that need to run reports only. |
| ADB_LDBUpdate | Contains the service accounts that need to run the LDBUpdate tool to import Active Directory information into the database. |

Create the following roles with the minimum permissions on the SQL Server database and assign them to the corresponding Active Directory groups.

| Role | Access |
| --- | --- |
| ADB_DB_Administrators | dbo |
| ADB_Collectors | Collectors: insert, select, update; CollectorsStat: insert, select, update, delete; Events: insert; CollectorsView: select |
| ADB_DB_Archive_Administrators | Archives: insert, select, update, delete; Events: select, delete |
| ADB_Report_Viewers | All Tables: select |
| ADB_LDBUpdate | dbo |

These suggestions are based on using Windows Authentication, which simplifies the implementation of database security. To use SQL Server authentication, you must embed user names and passwords in the collector servers and in the BeyondTrust Management Console. This practice is not recommended.
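
The role-to-group mapping above can be scripted in T-SQL. The following is an added example, not BeyondTrust's own script: the domain `EXAMPLE`, the database name `ADBReporting`, the `dbo` schema for all objects, and reading "dbo" access as `db_owner` membership are assumptions.

```sql
-- Added example. Assumed placeholders: domain EXAMPLE, database ADBReporting, schema dbo.
-- "dbo" access is interpreted here as membership in the db_owner fixed role.
-- ALTER ROLE ... ADD MEMBER requires SQL Server 2012 or later.
USE [ADBReporting];
GO
-- Windows-group logins and database users: no passwords are created or stored.
CREATE LOGIN [EXAMPLE\ADB_DB_Administrators] FROM WINDOWS;
CREATE LOGIN [EXAMPLE\ADB_Collectors] FROM WINDOWS;
CREATE LOGIN [EXAMPLE\ADB_DB_Archive_Administrators] FROM WINDOWS;
CREATE LOGIN [EXAMPLE\ADB_Report_Viewers] FROM WINDOWS;
CREATE LOGIN [EXAMPLE\ADB_LDBUpdate] FROM WINDOWS;
CREATE USER [EXAMPLE\ADB_DB_Administrators] FOR LOGIN [EXAMPLE\ADB_DB_Administrators];
CREATE USER [EXAMPLE\ADB_Collectors] FOR LOGIN [EXAMPLE\ADB_Collectors];
CREATE USER [EXAMPLE\ADB_DB_Archive_Administrators] FOR LOGIN [EXAMPLE\ADB_DB_Archive_Administrators];
CREATE USER [EXAMPLE\ADB_Report_Viewers] FOR LOGIN [EXAMPLE\ADB_Report_Viewers];
CREATE USER [EXAMPLE\ADB_LDBUpdate] FOR LOGIN [EXAMPLE\ADB_LDBUpdate];
GO
CREATE ROLE ADB_DB_Administrators;
CREATE ROLE ADB_Collectors;
CREATE ROLE ADB_DB_Archive_Administrators;
CREATE ROLE ADB_Report_Viewers;
CREATE ROLE ADB_LDBUpdate;
GO
-- Object-level grants exactly as listed in the Role/Access table.
GRANT INSERT, SELECT, UPDATE         ON dbo.Collectors     TO ADB_Collectors;
GRANT INSERT, SELECT, UPDATE, DELETE ON dbo.CollectorsStat TO ADB_Collectors;
GRANT INSERT                         ON dbo.Events         TO ADB_Collectors;
GRANT SELECT                         ON dbo.CollectorsView TO ADB_Collectors;
GRANT INSERT, SELECT, UPDATE, DELETE ON dbo.Archives       TO ADB_DB_Archive_Administrators;
GRANT SELECT, DELETE                 ON dbo.Events         TO ADB_DB_Archive_Administrators;
GRANT SELECT ON SCHEMA::dbo TO ADB_Report_Viewers;  -- "All Tables: select"
ALTER ROLE db_owner ADD MEMBER ADB_DB_Administrators;
ALTER ROLE db_owner ADD MEMBER ADB_LDBUpdate;
-- Bind each AD group to its role.
ALTER ROLE ADB_DB_Administrators ADD MEMBER [EXAMPLE\ADB_DB_Administrators];
ALTER ROLE ADB_Collectors ADD MEMBER [EXAMPLE\ADB_Collectors];
ALTER ROLE ADB_DB_Archive_Administrators ADD MEMBER [EXAMPLE\ADB_DB_Archive_Administrators];
ALTER ROLE ADB_Report_Viewers ADD MEMBER [EXAMPLE\ADB_Report_Viewers];
ALTER ROLE ADB_LDBUpdate ADD MEMBER [EXAMPLE\ADB_LDBUpdate];
GO
-- Audit: list what each ADB_ role holds so drift from the table is visible.
SELECT pr.name AS role_name, pe.state_desc, pe.permission_name, pe.class_desc,
       CASE pe.class WHEN 1 THEN OBJECT_NAME(pe.major_id)
                     WHEN 3 THEN SCHEMA_NAME(pe.major_id) END AS securable
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.type = 'R' AND pr.name LIKE 'ADB[_]%'
ORDER BY pr.name, securable, pe.permission_name;
```

The audit query does not show `db_owner` membership; check `sys.database_role_members` for the two roles granted dbo access.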