RVY200539: Off-box SQL Server requirements for RayVentory Server automated installation

Purpose

This article describes the currently known requirements that need to be met in order to allow the RayVentory Server (RVS) automated installation process to work in a scenario where the SQL database engine and SQL Server Reporting Services (SSRS) will not be on the same server as RVS. 

 

Active Directory

  • A domain service account should be created
    • Needs to be a member of the RVS servers local Administrators group
  • Two domain groups should be created that represent the following: 
    • RVS Administrators
      • Add the domain service account as a member
      • Ad the RVS servers computer object as a member
    • RVS Report Users

 

SQL Server

Highest privilege approach

  • Add the RVS Administrators domain group to the SQL Server's local Administrators group
  • Create a SQL database login for the RVS Administrators domain group and then add it to the sysadmin server role, if the local Administrators group doesn't have this role
  • Add the RVS Administrators domain group to SSRS's System Administrator system role and Content Manager item role, if the local Administrators group doesn't have these roles

 

Least privilege approach

Create a SQL database login for the RVS Administrators domain group and then add it to the following server roles: 

  • dbcreator
  • public
  • securityadmin

 

If the dbcreator server role is not allowed, then the following is required for the RVS Administrators database login after creating a new database called RayVentory: 

  • Database user mapping (default schema = dbo)
    • Master
    • MSDB
    • RayVentory

 

  • Database role membership
Role Master MSDB RayVentory
db_accessadmin X X  
db_datareader X X  
db_owner     X
db_securityadmin   X  
public X X X
RSExecRole X X  
SQLAgentOperatorRole   X  
SQLAgentReaderRole   X  
SQLAgentUserRole   X  

 

  • The following commands should be run after replacing <login name> with the required login: 
Command Run from
GRANT Create Role TO <login name> Master
GRANT Create Schema TO <login name>
GRANT EXECUTE ON xp_sqlagent_notify TO <login name> WITH GRANT Option
GRANT EXECUTE ON xp_sqlagent_enum_jobs TO <login name> WITH GRANT Option
GRANT EXECUTE ON xp_sqlagent_is_starting TO <login name> WITH GRANT Option
GRANT EXECUTE ON sp_grantlogin TO <login name> WITH GRANT Option
GRANT EXECUTE ON sp_help_category TO <login name> WITH GRANT Option MSDB
GRANT EXECUTE ON sp_help_job TO <login name> WITH GRANT Option
GRANT EXECUTE ON sp_help_jobschedule TO <login name> WITH GRANT Option
GRANT EXECUTE ON sp_add_category TO <login name> WITH GRANT Option
GRANT EXECUTE ON sp_add_job TO <login name> WITH GRANT Option
GRANT EXECUTE ON sp_add_jobschedule TO <login name> WITH GRANT Option
GRANT EXECUTE ON sp_add_jobserver TO <login name> WITH GRANT Option
GRANT EXECUTE ON sp_add_jobstep TO <login name> WITH GRANT Option
GRANT EXECUTE ON sp_delete_job TO <login name> WITH GRANT Option
GRANT EXECUTE ON sp_verify_job_identifiers TO <login name> WITH GRANT Option
GRANT SELECT ON syscategories TO <login name> WITH GRANT Option
GRANT SELECT ON sysjobs TO <login name> WITH GRANT Option

 

  • Add the RVS Administrators domain group to SSRS's System Administrator system role and Content Manager item role

 

Post installation

  • Create a SQL database login for the RVS Report Users domain group
  • The following RVS related logins should be added to the following RayVentory databse roles: 
Login type Database role
RVS Administrators mgs_reader
  mgs_writer
RVS Report Users mgs_reader
  • Add the RVS Report Users domain group to SSRS's System User system role and Browser item role

 

Miscellaneous

  • In certain situations, group assignment may not work, in which case the service account will need to be explicitly configured with the least privilege approach
  • The database engine's collation will need to be obtained before performing the installation if the installation is allowed to create its own database
  • If the SQL Server database provider is not allowed to be used to connect to the database engine, this will need to be permitted for the installation, as RVS's database connection string can be modified with an allowed provider once the installation has completed (this can be tested by attepting to create an ODBC connection using that provider)
  • If RVS 11.4.9800 will be installed, then ensure that https://raynetgmbh.zendesk.com/hc/en-us/articles/360036191152 is implemented BEFORE performing the installtion

Comments

Powered by Zendesk