Chat now with support
Chat with Support

Enterprise Reporter 3.2.2 - Installation and Deployment Guide

Product Overview Installation Considerations for Enterprise Reporter Installing and Configuring Enterprise Reporter Managing Your Enterprise Reporter Deployment Troubleshooting Issues with Enterprise Reporter Appendix: Database Content Wizard Appendix: Encryption Key Manager Appendix: Log Viewer

Plan Credential Use

There is granular control over the credentials that are used to perform various functions in Enterprise Reporter. For more information, see Role Based Security in Enterprise Reporter and Technical Documentation.

 

Topics:  
Logged In User Details
Understanding Credentials Using Scenarios

Logged In User Details

You can use as many or as few credentials as you need. Many of the credentials used in Enterprise Reporter are stored in the Credential Manager, which makes it easy to replace or update credentials across your environment.

Credentials for the Configuration Manager are stored in a single Credential Manager, shared by all Configuration Manager users. If only certain employees know the passwords or are responsible for certain credentials, such as service credentials, one of those employees can add the credentials to the Credential Manager, and then all Enterprise Reporter administrators can use them.

Credentials in the Credential Manager are used in the following ways in the Configuration Manager:
Running the node service.
Accessing the Enterprise Reporter server and database from the node. You can use either a Windows® or a SQL account.
Accessing the targets of a discovery to collect data.
Accessing the shared data location of a cluster, if used.

Each Report Manager user has their own Credential Manager. Credentials in the Credential Manager are used in the following ways in the Report Manager:
Delivering scheduled reports to a share.
Configuring an SMTP server for email delivery.
Publishing reports to Knowledge Portal.

The logged in user is used for:
Logging into both consoles.
Connecting to the Enterprise Reporter server (Configuration Manager and Report Manager).
Connecting to the Enterprise Reporter database (Configuration Manager and Report Manager).
Browsing the targets of a discovery.

Understanding Credentials Using Scenarios

The following scenarios outline how credentials can be used in different environments:
Minimizing the Number of Credentials Used by Enterprise Reporter
Minimizing the Permissions Required for Credentials Used by Enterprise Reporter
Minimizing the Number of Credentials Used by Enterprise Reporter

If you have a simple deployment, you can permission two sets of credentials to perform all functions. In this scenario, you have a single Enterprise Reporter administrator, who manages installation, discoveries, and reporting. The following table outlines the required permissions:

Table 25. Required Permissions
Account
Use
Permissions

Administrator’s user account

Use these credentials to log in to the computer, and to schedule reports.

Launch consoles

Be a member of Reporter_Discovery_Admins and Reporter_Reporting_Admins groups

Enumerate scopes

Read access to all discovery targets

Deliver reports by email

Access to the SMTP server

Enumerate report delivery shares and deliver reports

Read and write access to the delivery share

 

 

Service credentials

Use these credentials for the Enterprise Reporter server and all nodes.

Use the shared data location, if configured for a cluster

Read and write access to the share

Writing to the database

Be a member of Reporter_Discovery_Nodes group

Collect data

Be a local administrator on all computer targets, and have read access to targeted domains, SQL servers, NTFS objects

Minimizing the Permissions Required for Credentials Used by Enterprise Reporter

A complex deployment may require some thought to determine what credentials you want to use in different situations. With effort, you can minimize the permissions you must add to accounts to use Enterprise Reporter. Keep in mind that some of the data collected is available only to privileged accounts. In most cases, accounts with inadequate privileges can collect partial data.

For this scenario:
You have several large domains, each with its own Enterprise Reporter administrator. Trusts exist between all domains.
There is one report administrator for the whole deployment.
Each domain has a dedicated cluster with a shared data location.
Each domain has a set of service credentials for use by the nodes.
Discoveries use alternate credentials specific to the targets.
SQL credentials are used to access the Enterprise Reporter database.

For each domain you need:

Table 26. Permissions Required
Account
Use
Permissions

Service credential

Use these credentials for the Enterprise Reporter server and all nodes.

Enterprise Reporter server service

 
Local administrator access to the server host. Use the credentials from the domain in which the server is hosted

Node service

Local administrator access to the node host

Shared Data Location for each cluster

Read and write access to the share

Administrator’s user account

Use these credentials to log in to the computer running the Configuration Manager.

Launch console
Be a member of Reporter_Discovery_Admins group

You also need:

Table 27. Additional Permissions Required
Account
Use
Permissions

SQL Account

When creating the database or modify using the Database Wizard

Communication between the server and database

Logging in to the Report Manager

Communication between the node and the database

Read and write access to the database

Report Administrator account

Log in to the Report Manager

Must be a member of the Reporter_Reporting_Admins group

Deliver reports by email

Access to the SMTP server

Enumerate report delivery shares and deliver reports

Read and write access to the delivery share

 

 

For browsing to your discovery targets and collecting the data you can choose the credentials that make sense for your environment. Set these credentials at the discovery level. For example:
For Active Directory® discoveries, you could use a domain admin account that has access to the targeted domain.
For computer accounts, you could either use existing accounts with local administrator access, or set up specific accounts for groups of similar computers.
* 
NOTE: The Credential Manager allows the owner of the credentials to enter the password. Other administrators can then use the credentials as appropriate.
For more information about credentials required to collect data with Enterprise Reporter discoveries, see Detailed Permissions for Enterprise Reporter Discoveries .
For more information about credentials required to collect data from Azure, Azure Active Directory, Azure Resource, Exchange Online, Microsoft Teams, and OneDrive, see Permissions for Enterprise Reporter Tenant Applications .

Effectively Deploy Remote Nodes

You can deploy nodes from the Configuration Manager or manually. When you are deploying a node to a remote computer, factors such as firewall configuration and network latency can cause problems. In this case, you can deploy a node manually on the host computer. For more information, see Node Deployment Issues .

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating