Managed Database Requirements
To manage a database through Privileged Identity, you must install the appropriate database provider on the host system that will perform the management tasks. Database providers may be downloaded from the database manufacturer.
Privileged Identity requires 32-bit database providers. 64-bit providers are not supported.
The following databases require specific providers to allow you to manage their identities from the Privileged Identity host system.
Windows comes with a Microsoft SQL Server provider. However, some configurations require the SQL Server Native Client, which you must download separately. We recommend using the most current version of SQL Server Native Client. Using SQL Server Native Client 10 can result in undesirable behavior.
- IBM DB2: Install ENU\x86\DB2OLEDBV5_x86.msi from www.microsoft.com/en-us/download/details.aspx?id=52676
- Microsoft SQL Server: Install ENU\x86\sqlncli.msi from www.microsoft.com/en-us/download/details.aspx?id=50402
- MySQL: Install mysql-connector-odbc-8.0.12-win32.msi from dev.mysql.com/downloads/connector/odbc/
- Oracle: Install Oracle Provider for OLE DB from www.oracle.com/technetwork/database/windows/downloads/utilsoft-087491.html
- PostgreSQL: Install the latest x86 provider from www.postgresql.org/ftp/odbc/versions/msi/
The links above offer guidelines for installing the required providers. Please note that some vendors may require a login, a license agreement, or other prerequisites to download the provider. BeyondTrust is not responsible for third-party installations. You are responsible for all licensing and use restrictions surrounding these providers.
After you've installed the proper 32-bit OLE DB provider, it is available to Privileged Identity and is visible in the Add Target dialog when you add a new database target.
The rights required to change a target account's password vary from database to database; they also vary depending on the target account being changed. You may need other information, such as instance, service name, or port. Refer to your database provider's documentation for the most up-to-date description of rights required to change various identities. The sections below comprise a partial list of possible rights required for various databases.
IBM DB2 Requirements
For accounts associated with an IBM DB2 instance, the rights required depend on whether the database is hosted on Windows or Linux/Unix. DB2 has no local account store but instead references accounts from the host or related directories. If DB2 is hosted on Windows, follow the process for a typical Windows password change job. If DB2 is hosted on Linux/Unix, follow the process for a typical Linux/Unix password change job.
To enumerate accounts in a DB2 database instance (account store view), the login account requires:
- CONNECT TO DB
- GRANT SELECT on SYSIBM.SYSDBAUTH
Privileged Identity can enumerate the local accounts associated with a DB2 instance. This process requires you to install the Microsoft-supplied OLE DB provider for DB2.
However, changing DB2 account passwords does not require a specialized provider, because DB2 uses the database host system's local account store rather than providing its own internal account store.
Microsoft SQL Requirements
Microsoft SQL can leverage explicit SQL accounts or integrated authentication accounts. Accounts using integrated authentication are local computer accounts or accounts from a trusted domain. For either of these account types to manage account passwords within SQL, the following rights must be granted to the desired account or group:
- GRANT VIEW ANY DEFINITION
- GRANT CONTROL SERVER
The interactive login account and the deferred processing account require these rights to change passwords and enumerate accounts within the SQL database. Rights must be granted to a Windows user or group for Integrated Windows Authentication. The database instance name and port (if different from the default) are required.
If the SYSADMIN right is granted, no other rights are required on the Microsoft SQL Server.
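As an added example (not taken from the BeyondTrust documentation), the T-SQL below grants exactly the two server-level rights listed above to a Windows group, verifies the grants, and shows what the enumeration and password-change steps look like on the server. The group name CONTOSO\PI-DBManagers, the login app_svc and the passwords are constructed placeholders.

```sql
USE master;
GO
-- Integrated Windows Authentication: the rights go to a Windows group, so group
-- membership (not a shared SQL login) controls who can rotate passwords.
-- CONTOSO\PI-DBManagers is a constructed placeholder.
CREATE LOGIN [CONTOSO\PI-DBManagers] FROM WINDOWS;
GO
-- The two rights named in the section above. Both the interactive login account
-- and the deferred processing account need them.
GRANT VIEW ANY DEFINITION TO [CONTOSO\PI-DBManagers];  -- see every row of sys.server_principals
GRANT CONTROL SERVER TO [CONTOSO\PI-DBManagers];       -- includes ALTER ANY LOGIN, needed to reset passwords
GO
-- CONTROL SERVER is close to sysadmin in scope: keep the group small and audit its membership.

-- Verify that the grants took effect.
SELECT sp.name, p.permission_name, p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals AS sp ON sp.principal_id = p.grantee_principal_id
WHERE sp.name = N'CONTOSO\PI-DBManagers';
GO
-- If the group is already a sysadmin member, no other rights are required; this returns 1 in that case.
SELECT IS_SRVROLEMEMBER('sysadmin', 'CONTOSO\PI-DBManagers') AS is_sysadmin;
GO
-- Account store view: enumerate SQL logins, Windows logins and Windows groups.
-- VIEW ANY DEFINITION is what makes every row visible rather than only the caller's own.
SELECT name, type_desc, is_disabled, modify_date
FROM sys.server_principals
WHERE type IN ('S', 'U', 'G') AND name NOT LIKE '##%'
ORDER BY name;
GO
-- Password change for an explicit SQL login (target login and new password are placeholders).
ALTER LOGIN [app_svc] WITH PASSWORD = N'Placeholder-NewPassword-1';
GO
```

Run the script in SSMS or sqlcmd as a member of sysadmin; the verification query should list both permissions with state_desc = GRANT before the management host is pointed at the instance.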
MySQL Requirements
A login account is required to configure a MySQL password change job. This login account must have sufficient rights to change the target account's password. Assuming the login account can connect to the specified MySQL service and target database, the following global privilege must be granted to the login account:
To enumerate the user accounts in a MySQL instance (account store view), the following global privilege must be granted to the login account for the appropriate database:
Oracle Requirements
A login account is required to configure an Oracle password change job. This login account must have sufficient rights to change the target account's password. Assuming the login account can connect to the specified Oracle service (and instance, if applicable), the following right must be granted to the login account:
- ALTER USER
To enumerate the user accounts in an Oracle instance (account store view), the following right must be granted to the login account:
- SELECT ANY DICTIONARY
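As an added example (not part of the BeyondTrust documentation), the Oracle SQL below creates a dedicated management account with the two system privileges named in this section, verifies them from the data dictionary, and shows the queries the enumeration and password-change steps rely on. The account name pi_mgmt, the target user app_user and the passwords are constructed placeholders.

```sql
-- Dedicated management account (name and password are constructed placeholders).
CREATE USER pi_mgmt IDENTIFIED BY "Placeholder-Initial-1";

-- The section assumes the login can already connect; CREATE SESSION is what allows that.
GRANT CREATE SESSION TO pi_mgmt;

-- The two rights named in this section.
GRANT ALTER USER TO pi_mgmt;             -- change other users' passwords
GRANT SELECT ANY DICTIONARY TO pi_mgmt;  -- read DBA_USERS for the account store view

-- Verification, run as a DBA: expect ALTER USER, CREATE SESSION and SELECT ANY DICTIONARY.
SELECT privilege, admin_option
FROM dba_sys_privs
WHERE grantee = 'PI_MGMT'
ORDER BY privilege;

-- Account store view, run as PI_MGMT (works only because of SELECT ANY DICTIONARY).
SELECT username, account_status, profile
FROM dba_users
ORDER BY username;

-- Password change step, run as PI_MGMT (target user and new password are placeholders).
ALTER USER app_user IDENTIFIED BY "Placeholder-NewPassword-2";
```

SELECT ANY DICTIONARY exposes the whole data dictionary, not only DBA_USERS, so reserve pi_mgmt for the management host and keep its own password under the same rotation policy as the accounts it manages.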
PostgreSQL Requirements
A login account is required to configure a PostgreSQL password change job. This login account must have sufficient rights to change the target account's password. Assuming the login account can connect to the specified PostgreSQL service (and instance, if applicable), the following right must be granted to the login account:
- ALTER ROLE
To enumerate the user accounts in a PostgreSQL instance (account store view), the following right must be granted to the login account: