Purpose
This article describes the currently known requirements that need to be met in order to allow the RayVentory Server (RVS) automated installation process to work in a scenario where the SQL database engine and SQL Server Reporting Services (SSRS) will not be on the same server as RVS.
Active Directory
- A domain service account should be created
- Needs to be a member of the RVS servers local Administrators group
- Two domain groups should be created that represent the following:
- RVS Administrators
- Add the domain service account as a member
- Ad the RVS servers computer object as a member
- RVS Report Users
- RVS Administrators
SQL Server
Highest privilege approach
- Add the RVS Administrators domain group to the SQL Server's local Administrators group
- Create a SQL database login for the RVS Administrators domain group and then add it to the sysadmin server role, if the local Administrators group doesn't have this role
- Add the RVS Administrators domain group to SSRS's System Administrator system role and Content Manager item role, if the local Administrators group doesn't have these roles
Least privilege approach
Create a SQL database login for the RVS Administrators domain group and then add it to the following server roles:
- dbcreator
- public
- securityadmin
If the dbcreator server role is not allowed, then the following is required for the RVS Administrators database login after creating a new database called RayVentory:
- Database user mapping (default schema = dbo)
- Master
- MSDB
- RayVentory
- Database role membership
Role | Master | MSDB | RayVentory |
db_accessadmin | X | X | |
db_datareader | X | X | |
db_owner | X | ||
db_securityadmin | X | ||
public | X | X | X |
RSExecRole | X | X | |
SQLAgentOperatorRole | X | ||
SQLAgentReaderRole | X | ||
SQLAgentUserRole | X |
- The following commands should be run after replacing <login name> with the required login:
Command | Run from |
GRANT Create Role TO <login name> | Master |
GRANT Create Schema TO <login name> | |
GRANT EXECUTE ON xp_sqlagent_notify TO <login name> WITH GRANT Option | |
GRANT EXECUTE ON xp_sqlagent_enum_jobs TO <login name> WITH GRANT Option | |
GRANT EXECUTE ON xp_sqlagent_is_starting TO <login name> WITH GRANT Option | |
GRANT EXECUTE ON sp_grantlogin TO <login name> WITH GRANT Option | |
GRANT EXECUTE ON sp_help_category TO <login name> WITH GRANT Option | MSDB |
GRANT EXECUTE ON sp_help_job TO <login name> WITH GRANT Option | |
GRANT EXECUTE ON sp_help_jobschedule TO <login name> WITH GRANT Option | |
GRANT EXECUTE ON sp_add_category TO <login name> WITH GRANT Option | |
GRANT EXECUTE ON sp_add_job TO <login name> WITH GRANT Option | |
GRANT EXECUTE ON sp_add_jobschedule TO <login name> WITH GRANT Option | |
GRANT EXECUTE ON sp_add_jobserver TO <login name> WITH GRANT Option | |
GRANT EXECUTE ON sp_add_jobstep TO <login name> WITH GRANT Option | |
GRANT EXECUTE ON sp_delete_job TO <login name> WITH GRANT Option | |
GRANT EXECUTE ON sp_verify_job_identifiers TO <login name> WITH GRANT Option | |
GRANT SELECT ON syscategories TO <login name> WITH GRANT Option | |
GRANT SELECT ON sysjobs TO <login name> WITH GRANT Option |
- Add the RVS Administrators domain group to SSRS's System Administrator system role and Content Manager item role
Post installation
- Create a SQL database login for the RVS Report Users domain group
- The following RVS related logins should be added to the following RayVentory databse roles:
Login type | Database role |
RVS Administrators | mgs_reader |
mgs_writer | |
RVS Report Users | mgs_reader |
- Add the RVS Report Users domain group to SSRS's System User system role and Browser item role
Miscellaneous
- In certain situations, group assignment may not work, in which case the service account will need to be explicitly configured with the least privilege approach
- The database engine's collation will need to be obtained before performing the installation if the installation is allowed to create its own database
- If the SQL Server database provider is not allowed to be used to connect to the database engine, this will need to be permitted for the installation, as RVS's database connection string can be modified with an allowed provider once the installation has completed (this can be tested by attepting to create an ODBC connection using that provider)
- If RVS 11.4.9800 will be installed, then ensure that https://raynetgmbh.zendesk.com/hc/en-us/articles/360036191152 is implemented BEFORE performing the installtion
Comments