Setting up your Microsoft SQL database server
You should have a database administrator complete the following steps to set up the Trust Protection Foundation database on a Microsoft SQL Server.
BEST PRACTICE  CyberArk recommends using two separate database service accounts for Trust Protection Foundation to communicate with and manage the database. The database owner account is used for installing, upgrading, and administrative maintenance. The operational database account is used for everyday operations. Having separate accounts is in line with the "Least Permissions" security principle, and is a more secure way to configure your system. The database owner account manages the necessary database grants for the operational database account.

Database owner account (also DBO account): a service account that Trust Protection Foundation uses for installations, upgrades, and administrative maintenance of the database. It can be a domain service account when used with Windows integrated authentication, or an MSSQL account when used with MSSQL authentication. This account requires "Log On as a Service" permissions on all Trust Protection Foundation servers.

Operational database account (also limited database account): a service account that Trust Protection Foundation uses for everyday operations. It can be a domain service account when used with Windows integrated authentication, or an MSSQL account when used with MSSQL authentication. This account requires "Log On as a Service" permissions, and also needs to be part of the Local Administrators group, on all Trust Protection Foundation servers. Database grants for this account are automatically managed by the system.
You can connect to your database via any of the following:
- Windows integrated authentication using standard service accounts.
- Windows integrated authentication using Group Managed Service Accounts (gMSAs).
- Microsoft SQL native authentication.
Windows integrated authentication is the preferred method for security purposes as it allows for central management of accounts and passwords in Active Directory.
Because Windows integrated authentication is not always possible in some network segments, such as DMZs, dual authentication is supported: some Trust Protection Foundation servers use Windows integrated authentication while others connecting to the same database use MSSQL native authentication. In this scenario, you need double the number of MSSQL service accounts.
To create the Trust Protection Foundation database on a Microsoft SQL Server
- Verify the database server meets the system requirements of your targeted deployment size of Trust Protection Foundation. See Locally Hosted MSSQL Requirements.
- Create the Trust Protection Foundation database. For information on creating a database, see Microsoft's documentation on database creation. The database name cannot contain any of the following characters: [ ] ( ) { } \ " ' , $ % * ?
- If you are connecting via Windows integrated authentication (including gMSAs):
  - Create the database owner service account and the operational database account in Active Directory.
  - Grant both database service accounts "Log On As a Service" permissions on all Trust Protection Foundation servers. For more information, see the Microsoft TechNet article Log on as a service.
  - Grant the operational database account "Log On As a Batch Job" permissions on all Trust Protection Foundation servers.
  - Add the operational database account to the local administrators group on all Trust Protection Foundation servers. For more information, see Windows permissions for database service accounts.
  - Create a login for both accounts on the database server. For more information, see Microsoft's documentation on creating logins.
  - Grant the database owner account the DBO role on the database. For more information, see Microsoft's documentation on granting database permissions to users and groups.
- If you are connecting to the database with MSSQL native authentication:
  - Create the database owner account and the operational database account on the MSSQL server. For more information, see Microsoft's documentation on creating a database user.
  - Grant the database owner account the DBO role on the database. For more information, see Microsoft's documentation on granting database permissions to users and groups.
- If you are not the person installing Trust Protection Foundation, provide the credential information to the person who will do the installation.
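The server-side part of the procedure above (logins for both accounts, and the DBO role for the owner account only), written as a T-SQL script. This is an added example, not from the CyberArk documentation; the database name TPF_Database and the accounts CONTOSO\svc_tpf_dbo and CONTOSO\svc_tpf_ops are placeholders, and "DBO role" is taken to mean the db_owner fixed database role.

```sql
-- Added example (not CyberArk's code). Placeholders: database TPF_Database,
-- Windows accounts CONTOSO\svc_tpf_dbo (owner) and CONTOSO\svc_tpf_ops
-- (operational), assumed to already exist in Active Directory.

-- Create the database (name must avoid [ ] ( ) { } \ " ' , $ % * ?).
IF DB_ID(N'TPF_Database') IS NULL
    CREATE DATABASE [TPF_Database];
GO

-- Windows integrated authentication: one server login per service account.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\svc_tpf_dbo')
    CREATE LOGIN [CONTOSO\svc_tpf_dbo] FROM WINDOWS;
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\svc_tpf_ops')
    CREATE LOGIN [CONTOSO\svc_tpf_ops] FROM WINDOWS;
GO

-- MSSQL native authentication variant (use instead of the two logins above;
-- CHECK_POLICY = ON applies the Windows password policy to the SQL login):
-- CREATE LOGIN [svc_tpf_dbo] WITH PASSWORD = N'<placeholder>', CHECK_POLICY = ON;
-- CREATE LOGIN [svc_tpf_ops] WITH PASSWORD = N'<placeholder>', CHECK_POLICY = ON;

-- Only the database owner account is mapped into the product database and
-- added to db_owner. The operational account gets no manual database grants:
-- the product manages those through the owner account.
USE [TPF_Database];
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CONTOSO\svc_tpf_dbo')
    CREATE USER [CONTOSO\svc_tpf_dbo] FOR LOGIN [CONTOSO\svc_tpf_dbo];
ALTER ROLE db_owner ADD MEMBER [CONTOSO\svc_tpf_dbo];
GO

-- Check: expect exactly one row, the owner account with role db_owner.
-- The operational account should not appear until the product provisions it.
SELECT dp.name AS principal_name, r.name AS role_name
FROM sys.database_principals AS dp
LEFT JOIN sys.database_role_members AS rm ON rm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals AS r  ON r.principal_id = rm.role_principal_id
WHERE dp.name IN (N'CONTOSO\svc_tpf_dbo', N'CONTOSO\svc_tpf_ops');
```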
TIP If you would like information on managing and rotating your database credentials in Trust Protection Foundation, see Automatic credential rotation options.
Permissions for enhanced performance and scalability monitoring
In large deployments where you need to closely monitor performance and scalability, you can give the operational database account additional permissions in MSSQL Server. These permissions are optional, and are only recommended if you have a dedicated SQL server for CyberArk Trust Protection Foundation - Self-Hosted, because these permissions could give CyberArk Trust Protection Foundation - Self-Hosted the ability to query some limited details about other databases on the server.
IMPORTANT CyberArk Trust Protection Foundation - Self-Hosted does not collect any information about other databases on the server. However, because it is possible, we don't recommend you make these changes on shared database servers.
Granting Database Owner (DBO) permissions in Trust Protection Foundation is safe because Trust Protection Foundation is a single-user environment. In multi-user environments, DBO permissions can be risky as they allow one user to modify others’ data. However, in Trust Protection Foundation, only Trust Protection Foundation services access the database, so DBO permissions don’t pose a risk to other users or databases on the same SQL server.
Giving the operational database account these permissions will allow CyberArk Trust Protection Foundation - Self-Hosted administrators to have readily available performance data on the CyberArk Trust Protection Foundation - Self-Hosted database, viewable in the Statistics MMC snap-in.
Giving enhanced reporting permissions in MSSQL
- Log in to the database server with the database owner account.
- In the Object Explorer, right-click on the database server container, then click Properties.
- In the Page panel, click Permissions.
- In the Logins or roles panel, click the name of the operational database account.
- In the Explicit tab, click the Grant checkbox for the following permissions:
  - View any definition
  - View server state
- Click OK.
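The same two grants as the Object Explorer steps above, expressed in T-SQL together with a query that confirms what the operational account now holds at server scope. This is an added example, not from the CyberArk documentation; the login name CONTOSO\svc_tpf_ops is a placeholder.

```sql
-- Added example (not CyberArk's code). Placeholder login: CONTOSO\svc_tpf_ops.
USE [master];
GO

-- Both permissions are server-scoped, so they apply to every database on the
-- instance. That is why the page recommends them only on a dedicated server.
GRANT VIEW ANY DEFINITION TO [CONTOSO\svc_tpf_ops];
GRANT VIEW SERVER STATE   TO [CONTOSO\svc_tpf_ops];
GO

-- Check: list the explicit server-level permissions held by the operational
-- account. Expect two GRANT rows for the permission names below.
SELECT sp.name AS login_name, perm.permission_name, perm.state_desc
FROM sys.server_permissions AS perm
JOIN sys.server_principals AS sp ON sp.principal_id = perm.grantee_principal_id
WHERE sp.name = N'CONTOSO\svc_tpf_ops'
  AND perm.permission_name IN (N'VIEW ANY DEFINITION', N'VIEW SERVER STATE');

-- Rollback if the instance later becomes a shared database server:
-- REVOKE VIEW ANY DEFINITION FROM [CONTOSO\svc_tpf_ops];
-- REVOKE VIEW SERVER STATE   FROM [CONTOSO\svc_tpf_ops];
```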