Operation or Account | Permissions or Database Roles | Notes |
---|---|---|
Run InTrust suite setup |
Setup must be launched under the account that:
|
When installing the second (and subsequent) InTrust servers into your InTrust organization, make sure the setup account is listed as an InTrust organization administrator. To view and edit the list of organization administrators, do one of the following:
|
InTrust Server account |
|
|
Install an agent | Membership in the local Administrators group on the agent computer | The Admin$ share must exist on the target computer if you are installing the agent using InTrust. |
Agent account |
One of the following:
|
|
Run InTrust services under a group managed service account (gMSA) |
Before you use a gMSA for running InTrust services, take the following steps:
After this, you can reconfigure the Quest InTrust Server and Quest InTrust Real-Time Monitoring Server services to run under your gMSA. If you decide to use a gMSA, use it on all InTrust servers. Otherwise, InTrust tasks containing jobs running on different servers will not work. |
|
Operation or Account | Permissions or Database Roles | Notes |
---|---|---|
Install reports from the Knowledge Packs you select |
|
|
Provide automatic creation of Service Connection Point (SCP) by InTrust means |
Do the following before the setup: Create a container "CN=Quest InTrust, CN=System..." and assign the following permissions on this container for the account under which you will run the setup:
-OR- Specify the following permissions on the "CN=System..." in Active Directory for the account under which you will run the setup:
These permissions must be applied with the "This object and all child objects" scope. |
Operation | Permissions | Notes |
---|---|---|
Create custom search folders and scheduled reports in Repository Viewer | The account must be listed as an InTrust organization administrator. | To view and edit the list of organization administrators, do one of the following:
|
Open a production repository in Repository Viewer |
|
|
Open an idle repository in Repository Viewer | Both on the repository folder and on the index folder, for the account used to open Repository Viewer:
|
Operation | Permissions or Database Roles | Notes |
---|---|---|
Use the InTrust Manager snap-in | Membership in the AMS Readers computer local group on the InTrust Server | To view InTrust configuration objects in InTrust Manager, a user must be a member of the AMS Readers local group on the InTrust Server, or an InTrust organization administrator (included in the list in the properties of the root node in InTrust Manager). |
Access the configuration database | ADCCfgUser role for the configuration database | This role is created by setup or by the configdb.sql script and is granted the following permissions:
If you use a gMSA for running your InTrust services, then SQL Server authentication is the only authentication option. Windows authentication will not work for a gMSA on a SQL server. |
Gather events from site computers without agents |
|
To gather events from an event log whose security is set through a GPO or registry settings, Read access permission must be given in the ACE of the appropriate log(s) to the account used to run the job. For details, refer to the Microsoft KB article "How to set event log security locally or by using Group Policy". |
Gather events from site computers with agents | Full control permission on the InTrust Server installation folder. | |
Store events in a repository | Modify share permission on the network share that the repository uses. | If a repository is accessed under an explicitly specified account (the repository, job or task account), that account requires membership in the AMS Readers computer local group on the InTrust Server and the Log on as a batch job right on the InTrust Server. |
Consolidate repositories |
| |
Import data from a repository |
| |
Clean up a repository | Modify permission to the repository | |
Store events in an audit database (gathering or import) | InTrust Gathering role for the Audit Database | This role is created by setup or by the auditdb.sql script. If you use a gMSA for running your InTrust services, then SQL Server authentication is the only authentication option. Windows authentication will not work for a gMSA on a SQL server. |
Clean up an audit database | To clean up all events: db_owner role for the audit database |
|
To clean up part of the events (for specific time periods): InTrust AuditDB Cleanup role for the audit database |
This role is created by setup or by the auditdb.sql script. If you use a gMSA for running your InTrust services, then SQL Server authentication is the only authentication option. Windows authentication will not work for a gMSA on a SQL server. | |
Run reporting job or work with reports in Knowledge Portal (without using Report Builder) |
|
Note that this account must belong to the same domain where SSRS (hosting Knowledge Portal) is installed, otherwise membership in the Authenticated Users group (for SRS' domain) is required. |
Add reports to a reporting job |
|
|
Run reporting job using Import objects from the repository option | Rights and permissions required for both import and reporting jobs, sufficient rights for connection to the audit database. | For a detailed list of the required rights and permissions and the security settings their usage depends on, refer to the Reporting Job topic. |
Create reports interactively using Report Builder | System User or System Administrator role for the web site where the Knowledge Portal application runs. | This role can be assigned using SQL Reporting Services Report Manager (site-level security settings). |
Store alerts in an alert database | InTrust Real-Time Monitoring role for the alert database | This role is created by setup or by the alertdb.sql script. If you use a gMSA for running your InTrust services, then SQL Server authentication is the only authentication option. Windows authentication will not work for a gMSA on a SQL server. |
Clean up an alert database | InTrust AlertDB Cleanup role for the Alert Database | This role is created by setup or by the alertdb.sql script. If you use a gMSA for running your InTrust services, then SQL Server authentication is the only authentication option. Windows authentication will not work for a gMSA on a SQL server. |
Manage alerts from InTrust Monitoring Console | InTrust Monitoring Console role for the alert database | This role is created by setup or by the alertdb.sql script. If you use a gMSA for running your InTrust services, then SQL Server authentication is the only authentication option. Windows authentication will not work for a gMSA on a SQL server. |
Create and edit a profile in Monitoring Console | On the computer where Monitoring Console runs:
|
To check if you have the Administrator role, open the Component Services MMC snap-in on the computer with Monitoring Console, and view the Computers > My Computer > COM+ Applications > System Application > Roles > Administrator > Users node. |
Connect to an alert database or audit database using SQL Server authentication | For a profile to use SQL Server authentication when connecting to the alert database, the Run As account should be included in the local Administrators group on the computer where the Monitoring Console is installed. | If you use a gMSA for running your InTrust services, then SQL Server authentication is the only authentication option. Windows authentication will not work for a gMSA on a SQL server. |
Perform indexing of an idle repository with the standalone IndexingTool.exe | Both on the repository folder and on the index folder, for the account that performs indexing:
|
|
Perform indexing of a production repository |
|
For information on specifying the accounts, permissions and database roles, see the Deployment Guide. For details about configuration scripts, see the Upgrade Guide.
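
The note in the "Gather events from site computers without agents" row requires a Read ACE for the job account on each log's security descriptor. The following check is an added example, not Quest code: it assumes you have already exported the log's SDDL string (for instance the `channelAccess` value printed by `wevtutil gl <log>`, or the log's `CustomSD` registry value), and the job-account SID and both descriptors are constructed placeholders.

```python
import re

ELF_LOGFILE_READ = 0x1  # "read" bit of an event log access mask
# Well-known SDDL trustee aliases commonly seen in event log descriptors.
ALIASES = {"BA": "S-1-5-32-544", "SY": "S-1-5-18", "BO": "S-1-5-32-551",
           "SO": "S-1-5-32-549", "AU": "S-1-5-11", "WD": "S-1-1-0",
           "IU": "S-1-5-4", "SU": "S-1-5-6"}

def parse_dacl(sddl):
    """Return the DACL of an SDDL string as ordered (type, rights, sid) tuples."""
    m = re.search(r"D:[^()]*((?:\([^()]*\))*)", sddl)
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(1) if m else ""):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        aces.append((fields[0], fields[2], ALIASES.get(fields[5], fields[5])))
    return aces

def read_access(sddl, account_sids):
    """Evaluate the read bit with an ordered DACL walk (first matching ACE wins).

    account_sids: the job account's SID plus the SIDs (or aliases) of its groups.
    Returns 'allow', 'deny', 'none' (no ACE covers read for these SIDs) or
    'review' when a matching ACE uses symbolic rights this example does not decode.
    """
    sids = {ALIASES.get(s, s) for s in account_sids}
    for ace_type, rights, trustee in parse_dacl(sddl):
        if trustee not in sids or ace_type not in ("A", "D"):
            continue
        if not rights.lower().startswith("0x"):
            return "review"
        if int(rights, 16) & ELF_LOGFILE_READ:
            return "allow" if ace_type == "A" else "deny"
    return "none"

# Constructed sample data: placeholder job-account SID and two descriptors.
JOB = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SDDL_READERS = "O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)"
SDDL_DENY = "O:BAG:SYD:(D;;0x1;;;" + JOB + ")(A;;0x1;;;AU)"

if __name__ == "__main__":
    # Account is a member of Event Log Readers (S-1-5-32-573).
    print(read_access(SDDL_READERS, {JOB, "S-1-5-32-573"}))
    # Account is only in Authenticated Users: no ACE grants it read.
    print(read_access(SDDL_READERS, {JOB, "AU"}))
    # An explicit deny for the account precedes the group allow.
    print(read_access(SDDL_DENY, {JOB, "AU"}))
```

A result of `none` or `deny` for the gathering job's account means agentless gathering from that log will fail until a Read ACE is added through the GPO or registry setting the note refers to.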
© 2024 Quest Software Inc. ALL RIGHTS RESERVED.