Active Directory Groups and SQL Server Roles
The following tables provide general guidelines on securing reporting components. Create the following Active Directory groups.
Active Directory Group | Description |
---|---|
ADB_DB_Administrators | Contains accounts that are required to configure and maintain the reporting database. We recommend that a minimum number of AD Bridge Enterprise administrators tasked with maintaining the reporting infrastructure are included here. |
ADB_Collectors | Contains the service accounts used to run the Collector services. |
ADB_DB_Archive_Administrators | Contains the service accounts used for automated archiving. |
ADB_Report_Viewers | Contains accounts that need to run reports only. |
ADB_LDBUpdate | Contains the service accounts that need to run the LDBUpdate tool to import Active Directory information into the database. |
Create the following roles with the minimum permissions on the SQL Server database and assign them to the corresponding Active Directory groups.
Role | Access |
---|---|
ADB_DB_Administrators | dbo |
ADB_Collectors | Collectors: insert, select, update; CollectorsStat: insert, select, update, delete; Events: insert; CollectorsView: select |
ADB_DB_Archive_Administrators | Archives: insert, select, update, delete; Events: select, delete |
ADB_Report_Viewers | All Tables: select |
ADB_LDBUpdate | dbo |
These suggestions are based on using Windows authentication, which simplifies the implementation of database security. To use SQL Server authentication, you must embed user names and passwords in the collector servers and in the BeyondTrust Management Console. This practice is not recommended.