SQL Server permissions required for configuring databases in the SCP / SCU

Version 2

    Verified Product Versions

    • AppSense Environment Manager 10.0
    • AppSense Management Center 10.0
    • AppSense Environment Manager 8.6
    • AppSense Environment Manager 8.5
    • AppSense Environment Manager 8.3
    • AppSense Management Center 8.6
    • AppSense Management Center 8.5
    • AppSense Management Center 8.4
    • AppSense Management Center 8.3
    • AppSense Management Center 8.7

    Introduction

    Ivanti Support are often asked what account permissions are required when running the Server Configuration Portal/Utility (SCP/SCU) to set up Personalization Server or Management Center. The required permissions are described below.

    Detail

    Both the config and service accounts can be either SQL or Windows accounts.

     

    Config account

    The account which is setting up the database must have the following server-level permissions. This is all that is required the first time the database is created:

    • dbcreator
    • securityadmin

    During setup, the account will be given db_owner on the database. It will also be added to the ManagementServerAdministrator (for Management Server) or ProfileServerAdministrator (for Personalization Server) database role.

     

    Service account

    The account which will be used to run the service only needs the following permission:

    • public

    Note: the service account does not need to exist within SQL Server before the database is set up for the first time. During setup, the account will be added and given the ManagementServerService (for Management Server) or ProfileServerService (for Personalization Server) database role.

     

    General notes

    • If the database already exists because it has been previously set up, and is being set up again or upgraded, then db_owner privileges are also required for the Config account
    • If the database already exists because it has been previously set up, and is being set up again or upgraded, the Config account must also be a member of the ManagementServerAdministrator database role
    • The Config account does not need to be a Domain Admin account
    • The Config and Service accounts are not related to accessing the EM or Management consoles, only setting up the databases
    • Once the database has been fully set up, the Config account can be disabled or deleted if necessary. However, it will need to be re-enabled or recreated with the above permissions the next time the database needs to be set up
    • The Config account should be separate from the Service account or problems can occur
    • If the Service account is disabled, deleted or locked out, Personalization Server or Management Center will fail to work as the database will not be accessible
    • Any additional permissions beyond those listed here can cause problems when setting the database up
    • If you are having problems setting the database up and all else fails, try temporarily giving the Config account the sysadmin role
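
The Config account requirements and general notes above, as an added T-SQL example (not Ivanti's own script): it creates the login with only dbcreator and securityadmin, then audits it for any extra server-level access. The account name EXAMPLE\appsense-config is hypothetical, and the script assumes SQL Server 2012 or later for the ALTER SERVER ROLE ... ADD MEMBER syntax.

```sql
-- Added example. EXAMPLE\appsense-config is a hypothetical Windows account.
-- Assumes SQL Server 2012+ (ALTER SERVER ROLE ... ADD MEMBER).
USE master;
GO

-- 1. Create the Config login and grant only the two server roles listed above.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'EXAMPLE\appsense-config')
    CREATE LOGIN [EXAMPLE\appsense-config] FROM WINDOWS;
GO
ALTER SERVER ROLE dbcreator     ADD MEMBER [EXAMPLE\appsense-config];
ALTER SERVER ROLE securityadmin ADD MEMBER [EXAMPLE\appsense-config];
GO

-- 2. Audit: list every server role the login holds.
--    Expected rows: dbcreator and securityadmin only. Anything else
--    (sysadmin in particular) is an extra permission to review.
SELECT r.name AS server_role,
       CASE WHEN r.name IN (N'dbcreator', N'securityadmin')
            THEN 'expected' ELSE 'REVIEW' END AS status
FROM sys.server_role_members AS m
JOIN sys.server_principals  AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals  AS l ON l.principal_id = m.member_principal_id
WHERE l.name = N'EXAMPLE\appsense-config';

-- 3. Audit: server-level permissions granted directly, outside role membership.
--    CONNECT SQL is given to every new login by default and is expected.
SELECT p.permission_name, p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals  AS l ON l.principal_id = p.grantee_principal_id
WHERE l.name = N'EXAMPLE\appsense-config';
GO

-- 4. Run separately, once the database has been fully set up:
--      ALTER LOGIN [EXAMPLE\appsense-config] DISABLE;
--    and before the next setup or upgrade:
--      ALTER LOGIN [EXAMPLE\appsense-config] ENABLE;
```

Microsoft's documentation advises treating securityadmin as equivalent to sysadmin, because its members can grant server-level permissions, which is a further reason to disable the Config login between setups. If sysadmin was granted temporarily for troubleshooting, the query in step 2 shows whether it is still present.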