Create the Required Database User Accounts

For the registered servers that BeyondTrust Endpoint Privilege Management Reporting requires, you can either use a system administration account or the default, least-privilege user accounts that the Endpoint Privilege Management database installer configures. This section describes using those default accounts.

If you plan to use a system administration account for the BeyondTrust reporting registered servers, you do not need to complete the steps in this section.

We recommend that you use the accounts that the Endpoint Privilege Management database installer configures. These are:

  • ReportReader user: Permissions include Read and Execute on the appropriate database objects.
  • EventParser user: Permissions include Write access to certain database tables, plus membership of the local Event Log Readers group.
  • DataAdmin user: Permissions include Read and Execute on the appropriate database objects.

In addition to the users that the Endpoint Privilege Management database installer configures, you need to choose the user that you'll use to install the Endpoint Privilege Management database. This is known as the DatabaseCreator user.

This account must be able to run the installers with administrative privileges on the machine where the database is installed. Alternatively, you can use a SQL login as the DatabaseCreator user; you specify this in the installer when you run it.

The DatabaseCreator user also needs SQL sysadmin permissions.

To grant the sysadmin permission for the DatabaseCreator user:

  1. Open SQL Server Management Studio and connect to the SQL instance that you're going to use for the BeyondTrust Endpoint Privilege Management Reporting installation.
  2. Navigate to the Security > Logins folder.
  3. If the account does not yet have a login on this SQL Server instance (it has never authenticated to it), add one:
    • Right-click on the Logins folder and click New Login.
    • Click Search to the right of the Login name option. If you know the domain and user name, type it here and click Check Name. If you're not sure of the user's details, click Advanced to browse to the user. Click OK, and OK again, to finish adding the login.
  4. In the Logins folder, right-click on the user to use as the DatabaseCreator and select Properties.
  5. Click Server Roles from the left menu and check the sysadmin box.
  6. Click OK to add the sysadmin privilege to the user.

If Windows Authentication is used for the SQL connection and the DatabaseCreator account is not a sysadmin, it must at minimum hold the ALTER ANY LOGIN and CREATE ANY DATABASE server-level permissions on the SQL Server instance, so that the installer can create the Reporting Services instance user. If the installer reports SQL Server error 15247 (the user does not have permission to perform this action), verify that these permissions have been granted.
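The SSMS steps above and the narrower ALTER ANY LOGIN / CREATE ANY DATABASE alternative can be scripted. The following is an added example, not BeyondTrust's installer code or part of the original documentation: it runs T-SQL over the .NET SqlClient that ships with Windows PowerShell (no extra module needed), creates the Windows login if it is missing, then either adds it to sysadmin or grants only the two server permissions, and finally lists what the login holds so you can confirm the grant before running the Reporting installer. The instance name, login name and function name are placeholders; the example covers Windows logins only (a SQL login would need CREATE LOGIN ... WITH PASSWORD), and it must be run as a login that is already sysadmin on the instance.

```powershell
# Added example, not BeyondTrust code. Instance and login names are placeholders.
Add-Type -AssemblyName System.Data

function Grant-DatabaseCreatorRights {
    param(
        [Parameter(Mandatory)] [string] $Instance,    # e.g. 'SQLHOST\EPM' (placeholder)
        [Parameter(Mandatory)] [string] $LoginName,   # Windows account in 'DOMAIN\user' form (placeholder)
        [switch] $Sysadmin   # add to sysadmin (the SSMS steps); otherwise grant only the two narrower permissions
    )

    # The login name travels as a query parameter and is quoted server-side with
    # QUOTENAME, so it is never spliced into the batch as raw text from PowerShell.
    $tsql = @'
DECLARE @q nvarchar(258) = QUOTENAME(@LoginName);

-- Step 3 of the SSMS procedure: create the Windows login if it does not exist yet.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @LoginName)
    EXEC (N'CREATE LOGIN ' + @q + N' FROM WINDOWS;');

IF @Sysadmin = 1
    EXEC (N'ALTER SERVER ROLE sysadmin ADD MEMBER ' + @q + N';');          -- steps 5 and 6
ELSE
    EXEC (N'GRANT ALTER ANY LOGIN, CREATE ANY DATABASE TO ' + @q + N';'); -- least-privilege alternative

-- Report what the login holds now, so the grant can be confirmed (and error 15247
-- avoided) before the Reporting installer is run under this account.
SELECT N'sysadmin role' AS item,
       CASE WHEN IS_SRVROLEMEMBER(N'sysadmin', @LoginName) = 1 THEN N'yes' ELSE N'no' END AS value
UNION ALL
SELECT p.permission_name, p.state_desc
  FROM sys.server_permissions p
  JOIN sys.server_principals s ON s.principal_id = p.grantee_principal_id
 WHERE s.name = @LoginName;
'@

    # Encrypt=True: the instance must present a certificate this client trusts.
    $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList "Server=$Instance;Integrated Security=SSPI;Encrypt=True"
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $tsql
        [void]$cmd.Parameters.AddWithValue('@LoginName', $LoginName)
        [void]$cmd.Parameters.AddWithValue('@Sysadmin', [bool]$Sysadmin.IsPresent)   # maps to a BIT parameter
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) {
            # One row per held item: the sysadmin role plus every server permission (CONNECT SQL included).
            [pscustomobject]@{ Item = $reader[0]; Value = $reader[1] }
        }
    } finally {
        $conn.Dispose()
    }
}

# Least-privilege variant (ALTER ANY LOGIN and CREATE ANY DATABASE only):
Grant-DatabaseCreatorRights -Instance 'SQLHOST\EPM' -LoginName 'CORP\svc_epm_dbcreator'

# The sysadmin variant that the SSMS steps describe:
# Grant-DatabaseCreatorRights -Instance 'SQLHOST\EPM' -LoginName 'CORP\svc_epm_dbcreator' -Sysadmin
```

The output table lets you check the result directly: with the default call you should see `sysadmin role = no` alongside `ALTER ANY LOGIN` and `CREATE ANY DATABASE` in state `GRANT`; with `-Sysadmin` the first row reads `yes`. Drop the sysadmin membership again once the installation has finished if the account is not otherwise needed at that level.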

ReportReader User

The ReportReader user is a Windows or SQL account that the Endpoint Privilege Management ePO Extension uses to read report events from the Endpoint Privilege Management database. The registered server BeyondTrust Endpoint Privilege Management Reporting is configured with this account, so make a note of its name and credentials.

If this is a Windows account, you need to grant the following permission:

  • The Allow log on locally user right on the server hosting SQL Server Reporting Services (SSRS). Members of the local Administrators group hold this right automatically, but that grants far more than the right itself; prefer assigning the right to a dedicated group or directly to the account.

Some built-in and domain groups already hold this right. How you configure the account is up to you, as long as it ends up with Allow log on locally, either through group membership or as an explicit assignment, and is not also listed under Deny log on locally, which overrides the allow.

EventParser User

The EventParser user is used by the Endpoint Privilege Management ePO Extension to read data from the ePO database and write it to the Endpoint Privilege Management Reporting database. The registered server BeyondTrust Staging is configured with this account, so make a note of its name and credentials.

This account must be able to authenticate to the database server. If the ePO database and the Reporting database are on different machines, the account must be a domain account that both machines recognize (a domain they share or trust), not a local account on one of them.

DataAdmin User

The DataAdmin user is a Windows or SQL account that the Endpoint Privilege Management ePO Extension uses to write to the Endpoint Privilege Management for Windows database. The registered server BeyondTrust Purge uses this account by default.

If this is a Windows account, you need to grant the following permission:

  • The Allow log on locally user right on the server hosting SSRS. Members of the local Administrators group hold this right automatically, but that grants far more than the right itself; prefer assigning the right to a dedicated group or directly to the account.

Some built-in and domain groups already hold this right. How you configure the account is up to you, as long as it ends up with Allow log on locally, either through group membership or as an explicit assignment, and is not also listed under Deny log on locally, which overrides the allow.
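Because the right can arrive through group membership, it is easy to believe an account has Allow log on locally when it does not, or to miss a Deny entry that cancels it. The following added example (not BeyondTrust code, and not part of the original page) checks the effective assignment on the SSRS host for the ReportReader and DataAdmin accounts described above: it exports the local policy with `secedit`, resolves the SIDs listed under SeInteractiveLogonRight (Allow log on locally) and SeDenyInteractiveLogonRight (Deny log on locally), and expands local groups such as BUILTIN\Administrators with `Get-LocalGroupMember`. It assumes Windows PowerShell 5.1 or later with the LocalAccounts module, must be run elevated, and the account names are placeholders. Membership through a domain group that is nested in a local group is not expanded, because that cannot be resolved locally; the result flags it.

```powershell
# Added example, not BeyondTrust code. Run elevated; account names are placeholders.
function Get-UserRightHolders {
    param([Parameter(Mandatory)] [string] $Right)   # e.g. 'SeInteractiveLogonRight'

    # Export only the user-rights area of the effective local policy to a temporary INF.
    $inf = Join-Path $env:TEMP ("userrights-{0}.inf" -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
        $line = Get-Content -Path $inf |
                Where-Object { $_ -match ("^{0}\s*=" -f [regex]::Escape($Right)) } |
                Select-Object -First 1
        if (-not $line) { return @() }          # right is assigned to nobody
        $entries = (($line -split '=', 2)[1]).Trim() -split ','
        foreach ($entry in $entries) {
            $entry = $entry.Trim()
            if ($entry.StartsWith('*')) {
                # secedit writes principals as *SID; translate to DOMAIN\name where possible.
                $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $entry.Substring(1)
                try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $entry.Substring(1) }    # orphaned or unresolvable SID: keep it raw
            } else {
                $entry                          # already written as a name
            }
        }
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

function Test-LocalGroupHasMember {
    param([string] $Group, [string] $Account)
    # Direct membership only: a domain group nested in the local group is listed as
    # the group itself, not expanded, so membership through it is not detected here.
    try {
        $members = Get-LocalGroupMember -Group $Group -ErrorAction Stop
        return [bool]($members | Where-Object { $_.Name -eq $Account })
    } catch {
        return $false                           # group does not exist on this machine
    }
}

function Find-RightGrant {
    # Returns how $Account holds $Right (direct, or via a local group), or $null if it does not.
    param([string] $Right, [string] $Account)
    $holders = @(Get-UserRightHolders -Right $Right)
    if ($holders -contains $Account) { return 'direct assignment' }
    $localGroup = '^(BUILTIN|' + [regex]::Escape($env:COMPUTERNAME) + ')\\(.+)$'
    foreach ($holder in $holders) {
        if ($holder -match $localGroup) {
            if (Test-LocalGroupHasMember -Group $Matches[2] -Account $Account) {
                return "membership of $holder"
            }
        }
    }
    return $null
}

function Test-AllowLogOnLocally {
    param([Parameter(Mandatory)] [string] $Account)   # 'DOMAIN\user' form
    $allow = Find-RightGrant -Right 'SeInteractiveLogonRight'     -Account $Account
    $deny  = Find-RightGrant -Right 'SeDenyInteractiveLogonRight' -Account $Account
    [pscustomobject]@{
        Account    = $Account
        AllowVia   = $allow
        DenyVia    = $deny
        # An explicit deny always wins over an allow.
        Effective  = [bool]$allow -and -not $deny
        Note       = if (-not $allow) { 'not found; domain-group nesting is not expanded here' } else { '' }
    }
}

# Check the ReportReader and DataAdmin accounts on this SSRS host (placeholder names).
'CORP\svc_epm_reportreader', 'CORP\svc_epm_dataadmin' | ForEach-Object { Test-AllowLogOnLocally -Account $_ }
```

An `Effective` value of `True` with `AllowVia = direct assignment` is the configuration this section recommends; `AllowVia = membership of BUILTIN\Administrators` works but means the service account is a local administrator, which is more than the reporting path needs. The same `Test-LocalGroupHasMember` helper can confirm the EventParser account's membership of the local Event Log Readers group.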