Configure BeyondInsight Analytics & Reporting

Before you can use Analytics & Reporting, make sure that SQL Analysis Services, SQL Reporting and Integration Services, and SQL Report Server are installed and working.

 

Analytics & Reporting is not supported on an external SQL Server, because the replication of the credentials of the BeyondTrust Admin account presents a security threat to the host. Analytics & Reporting is supported only on the main console node.

Assign Permissions for Analytics & Reporting

In many cases, an account with local admin or domain admin privileges will suffice. However, in some more advanced deployments, you may desire to assign more specific permissions to installation and user accounts.

Installation User Permissions

When installing Analytics & Reporting, the user account requires SQL Server database access. Ideally, assign the account the sysadmin server role. Otherwise, make sure at least the following SQL Server permissions are assigned to the account.

ALTER database BULKINSERT
CREATE Role CREATE Application Role
CREATE Schema CREATE Type
CREATE Table ALTER Table
UPDATE Table CREATE UNIQUE NONCLUSTERED INDEX
CREATE NONCLUSTERED INDEX CREATE PROCEDURE
ALTER PROCEDURE EXECUTE PROCEDURE
CREATE VIEW ALTER VIEW
GRANT EXEC, SELECT, INSERT, UPDATE, DELETE  

Configuration User Permissions

The configuration user is the account entered on the Installation Credentials page of the configuration wizard. This account requires:

  • Local administrator rights to SQL Analysis Services so they can deploy the Analysis Services cube
  • Permission to create a registry key under HKEY_LOCAL_MACHINE\SOFTWARE\EEYE
  • The Log on as Batch Job security policy on the SQL Server
BeyondInsight Configuration Database Roles
Member in Role Database
sysadmin

BeyondInsight Reporting

Required to:

  • Install the SQL job and the SSIS packages
  • Create the BeyondInsight Reporting database
  • View SQL job statuses and details

Alternatively, add the configuration user to the SQLAgentRole of the MSDB database on the BeyondInsight server for lower privileges.
db_owner BeyondInsight

Required to install the stored procedures for BeyondInsight Reporting to synchronize data from the BeyondInsight management console.
System User This role is at the root of the SQL Reporting Services management website and is required to read information from SSRS.
Browser This role is on the root folder settings for the SQL Report Services management website and is required to read and run reports deployed to SSRS.
Content Manager This role is on the root folder settings for the SQL Report Services management website and is required to deploy reports to SSRS.

Web Proxy User Permissions

The web proxy user is the account entered on the Web Service Credentials page of the Configuration Wizard.

These permissions are automatically set up during installation if the installing user has sufficient rights.

Web Proxy User Roles
Member in Role Database
BeyondInsightReader BeyondInsight Reporting.
BeyondInsightUser BeyondInsight management console.
BeyondInsightReader BeyondInsight Reporting cube in SQL Analysis Services.
System User This role is at the root of the SQL Reporting Services management website and is required to read information from SSRS.
Browser This role is on the root folder settings for the SQL Report Services management website and is required to read and run reports deployed to SSRS.

SSRS Proxy User Permissions

The SSRS proxy user is the account entered on the SQL Reporting Services (SSRS) page of the Configuration Wizard.

These permissions are automatically set up during installation if the installing user has sufficient rights.

SSRS Proxy User Roles
Member in Role Database
BeyondInsightReader BeyondInsight Reporting
BeyondInsightUser BeyondInsight management console
BeyondInsightReader BeyondInsight Reporting cube in SQL Analysis Services

SQL Agent Service Permissions

This account runs the daily sync job and requires permission to process the BeyondInsight SSAS database.

SSAS Proxy User Roles
Member in Role Database
BeyondInsightSSIS BeyondInsight
BeyondInsightUser BeyondInsight management console

Verify SQL Report Server Functionality

  1. To verify that SQL Report Server works properly:
    • In Windows 2016 or later, click Start > Apps > Microsoft SQL Server 20xx > SQL Server 20xx Reporting Services Configuration Manager.

Reporting Services Configuration Manager :: Web Service URL

  1. After connecting, select Web Service URL.
  2. Under Report Server Web Service URL, click the link and verify the confirmation web page.

 

Reporting Services Configuration Manager :: Report Manager URL

  1. Select Report Manager URL.
  2. Under Remote Manager Site Identification, click the link and verify the confirmation web page.

 

Configure Analytics & Reporting

Be careful not to refresh the browser during this process, because doing so reloads the page, requiring you to log in again.

  1. Log in to the BeyondInsight management console, and then click Configuration in the left menu.
  2. In the Analytics & Reporting tile, click Configuration.
  3. Re-enter the administrative credentials used to log in to the console.
  4. Click Configure Now.

Screenshot of the Analytics and Reportin Installation Credentials screen

  1. On the Installation Credentials page, enter the local or domain administrator credentials.

 

Screenshot of the SQL Server Analysis Services screen

  1. On the SQL Server and SQL Server Analysis Services page, enter the database name.

 

Screenshot of the SQL Server Reporting Services screen

  1. On the SQL Server Reporting Services page, enter the web service URL in the format:

    http://<machine name>:80/ReportServer.

 

Screenshot of the SQL Server Agent screen

  1. On the SQL Server Agent page, set a job run time, and then enter an administrative username and password to use as a proxy.

You cannot leave this field blank, as the default SQL Server Agent service account created during SQL Server installation does not have the necessary write permissions to the BeyondInsight Reporting database.

 

Screenshot of the Web Services Credentials screen

  1. On the Web Services Credentials page, the username and password automatically populate. Click Deploy.
  2. Deployment progress is shown while the BeyondInsight Reporting database is created. When database creation is complete, click Finish.
  3. Once the deployment completes, select the option to synchronize data. This critical process reads the database created during management console configuration. It finds the scan results and synchronizes them with the newly created Reporting database.

    By default, synchronization occurs every day at 12:00 AM unless otherwise specified in the SQL Server Agent settings. You can also run the synchronization manually. Synchronization takes several minutes to complete.

 

Screenshot of the SQL Server Agent Jobs screen

  1. Verify successful synchronization by clicking the SQL Server Agent Jobs tab and then clicking Refresh.

 

For more information on the permissions needed to install and use Analytics & Reporting, please see the BeyondInsightAnalytics & Reporting Guide.