Grant Permissions in SQL

If you opt to use Windows authentication for the Keyfactor Command connection to SQL during the installation, the user who installs Keyfactor Command must have permissions to administer the SQL server and add databases and users (logins). To grant this, add the user who will install Keyfactor Command to the SQL server login list:

  1. On the SQL server, open SQL Server Management Studio, connect to the database, and open Security.
  2. Right-click on Logins and choose New Login.
  3. Enter the domain name and user name of the administrative user who will be installing Keyfactor Command.
  4. On the Login Properties page for this user, open Server Roles and check either the sysadmin role or the dbcreator, public and securityadmin roles. The full sysadmin permissions are needed if you’re upgrading from a previous version of Keyfactor Command and the user running the install is not the same user who installed the previous version of Keyfactor Command.
  5. Accept the remainder of the defaults and click OK.

If you opt to use SQL authentication, these permissions need to be granted to the SQL user.

Once Keyfactor Command has been deployed, the Windows user or SQL user used for the install can be removed from the Logins under Security in the SQL Server Management Studio. Ongoing connectivity to the database is maintained using accounts created specifically for the purpose during the installation.

Note: From Keyfactor Command version 9.0, service accounts will not be created with the db_owner role. Instead, a new keyfactor_db_role will be created and granted to the service accounts. This role has permission on each of the schemas (dbo, ssl, ssh, cms_agents, etc.) and permission on the encryption certificate.
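
The login steps, the post-install removal and the version 9.0 role note above can also be scripted and checked in T-SQL. This is an added example, not part of the Keyfactor documentation; the login name EXAMPLE\kf-installer and the database name KeyfactorDbPlaceholder are placeholders to replace with your own values.

```sql
-- Added example. EXAMPLE\kf-installer and KeyfactorDbPlaceholder are placeholders.

-- Steps 2-4: create the Windows login and grant the narrower role set.
CREATE LOGIN [EXAMPLE\kf-installer] FROM WINDOWS;
ALTER SERVER ROLE [dbcreator]     ADD MEMBER [EXAMPLE\kf-installer];
ALTER SERVER ROLE [securityadmin] ADD MEMBER [EXAMPLE\kf-installer];
-- Every login belongs to the public server role automatically; no grant is needed.

-- Only for an upgrade run by a different user than the original installer:
-- ALTER SERVER ROLE [sysadmin] ADD MEMBER [EXAMPLE\kf-installer];

-- Confirm which fixed server roles the login holds before installing
-- (public is implicit and is not listed here).
SELECT r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = m.member_principal_id
WHERE p.name = N'EXAMPLE\kf-installer';

-- After deployment: DROP LOGIN fails while the login still owns a database,
-- so list any databases it owns first and reassign them if rows come back.
SELECT name AS owned_database
FROM sys.databases
WHERE owner_sid = SUSER_SID(N'EXAMPLE\kf-installer');

DROP LOGIN [EXAMPLE\kf-installer];

-- Version 9.0 and later: inside the Keyfactor Command database, the service
-- accounts are expected under keyfactor_db_role rather than db_owner.
USE [KeyfactorDbPlaceholder];
SELECT r.name AS database_role, u.name AS member
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE r.name IN (N'db_owner', N'keyfactor_db_role')
ORDER BY r.name, u.name;
```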