Create the Required Database User Accounts

You can either use a system administration account for the registered servers required for BeyondTrust Privilege Management Reporting or you can use the default user accounts that are configured as part of the Privilege Management database installation. This section describes using the least privilege default user accounts that are configured by the Privilege Management database installer.

If you plan to use a system administration account for the BeyondTrust reporting registered servers, you do not need to complete the steps in this section.

We recommend that you use the accounts that the Privilege Management database installer configures. These are:

  • ReportReader user
  • EventParser user
  • DataAdmin user

In addition to the users that the Privilege Management database installer configures, you need to choose the user that you'll use to install the Privilege Management database. This is known as the DatabaseCreator user.

This account must be able to execute installers on the machine with administrative privileges. Alternatively, you can use a SQL account for the DatabaseCreator user. This can be configured in the installer when you run it.

The DatabaseCreator user also needs SQL sysadmin permissions.

To grant the sysadmin permission for the DatabaseCreator user:

  1. Open SQL Server Management Studio and connect to the SQL instance that you're going to use for the BeyondTrust Privilege Management Reporting installation.
  2. Navigate to the Security > Logins folder.
  3. You must add your user to this folder if it hasn't previously been used to authenticate with SQL Server. To do this:
    • Right-click on the Logins folder and click New Login.
  • Click Search to the right of the Login name option. If you know the domain and user name you need to add, you can type it here and then click Check Name. If you're not sure about the user's details, you can click Advanced to browse to the user you want to use. Click OK, and OK again, to finish adding the user.
  4. In the Logins folder, right-click on the user to use as the DatabaseCreator and select Properties.
  5. Click Server Roles from the left menu and check the sysadmin box.
  6. Click OK to add the sysadmin privilege to the user.

If Windows Authentication is specified for the SQL connection, and you're not using an admin account, the user must have Alter Any Login and Create Any Database permissions on the SQL server instance, in order for the Reporting Services Instance User to be created. If you receive error 15247, verify these permissions have been granted.
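The same configuration expressed in T-SQL, as an added example that is not part of the BeyondTrust documentation: it creates the Windows login, shows the sysadmin grant from the procedure above beside the narrower Alter Any Login and Create Any Database grants from the note, and lists what the login actually holds. The login name [CONTOSO\pm_dbcreator] is a constructed placeholder for your DatabaseCreator account.

```sql
-- Added example; not BeyondTrust's script. Run in SSMS on the target instance
-- while connected as a sysadmin. [CONTOSO\pm_dbcreator] is a placeholder.
USE master;
GO

-- 1. Create the Windows login if it has not authenticated to this instance before
--    (equivalent to step 3 of the procedure above).
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\pm_dbcreator')
    CREATE LOGIN [CONTOSO\pm_dbcreator] FROM WINDOWS;
GO

-- 2a. What steps 4 to 6 of the procedure do: full sysadmin membership.
ALTER SERVER ROLE sysadmin ADD MEMBER [CONTOSO\pm_dbcreator];
GO

-- 2b. Narrower alternative from the note above for a non-admin account: only the
--     two server-level permissions needed to create the Reporting Services Instance
--     User and the database. Use 2a or 2b, not both; uncomment to apply.
-- GRANT ALTER ANY LOGIN      TO [CONTOSO\pm_dbcreator];
-- GRANT CREATE ANY DATABASE  TO [CONTOSO\pm_dbcreator];
-- GO

-- 3. Verify the effective server roles and permissions before running the installer.
SELECT sp.name AS login_name, 'role: ' + r.name AS granted
FROM sys.server_role_members AS rm
JOIN sys.server_principals  AS sp ON sp.principal_id = rm.member_principal_id
JOIN sys.server_principals  AS r  ON r.principal_id  = rm.role_principal_id
WHERE sp.name = N'CONTOSO\pm_dbcreator'
UNION ALL
SELECT sp.name, 'permission: ' + p.permission_name
FROM sys.server_permissions AS p
JOIN sys.server_principals  AS sp ON sp.principal_id = p.grantee_principal_id
WHERE sp.name = N'CONTOSO\pm_dbcreator' AND p.state_desc = 'GRANT';
```

If error 15247 appears during installation with option 2b, the verification query shows whether the two permissions were actually granted to the login the installer runs as.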

ReportReader User

The ReportReader user is a Windows or SQL account that is used by the Privilege Management ePO Extension to read report events from the Privilege Management database. The registered server BeyondTrust Privilege Management Reporting uses this account, so you should make a note of it.

If this is a Windows account, you need to grant the following permission:

  • The Allow log on locally right on the server hosting SSRS. This is granted automatically if the account is in the Administrators user group.

Some domain groups have this right set. It's up to you how you configure this account, as long as it has the Allow log on locally right granted through group membership or as an exception.

EventParser User

The EventParser user is used by the Privilege Management ePO Extension to read data from the ePO database and write it to the Privilege Management Reporting database. The registered server BeyondTrust Staging uses this account, so you should make a note of it.

This account needs to be able to authenticate on the database machine. If the two databases are on different machines, then this account needs to be on a shared domain.

DataAdmin User

The DataAdmin user is a Windows or SQL account that is used by the Privilege Management ePO Extension to write to the Privilege Management for Windows database. The registered server BeyondTrust Purge uses this account by default.

If this is a Windows account, you need to grant the following permission:

  • The Allow log on locally right on the server hosting SSRS. This is granted automatically if the account is in the Administrators group.

Some domain groups have this right set. It's up to you how you configure this account, as long as it has the Allow log on locally right granted through group membership or as an exception.