KB-3390: DirectAudit SQL database setup rights and needed groups for installation.
Applies to: Centrify DirectAudit version 3.x on an SQL database setup
What specific SQL rights are needed to create a database during a DirectAudit install?
Why are BUILTIN\Users and NT AUTHORITY\SYSTEM created/needed?
To create the databases associated with the DA installation, the logged-in user (the one running the setup, the DA administrator console, or the individual SQL scripts) needs to be a member of the sysadmin server role on the database server/instance.
The sysadmin permission can be revoked once the databases have been generated. If it is not possible to assign sysadmin rights to the logged-in user, there is an option to generate the DB scripts (as .txt files), which can be handed over to a DBA to run manually.
Centrify grants the BUILTIN\Users group the connect permission so that additional auditors/audit managers can connect to the database.
If this is considered a security hole, it is recommended to remove this group-level permission; DA can manage an individual account's permissions instead. For security purposes, the login for the BUILTIN\Users account can be disabled. Permission to connect to the DB engine can then be granted per account, and such an account can be a member of the sysadmin role on the DB server/instance.
The NT AUTHORITY\SYSTEM account (not created by Centrify) is the system account of the database server and is the most important account as far as the DA product is concerned. All of the DA backend logic and stored procedures (which handle reading and writing data to and from the DA databases) run under the LOCAL SYSTEM account, so that high-privilege operations can be performed without giving individual users (auditors/audit managers) any power over the SQL server. This design is an integral part of the DA architecture and cannot be changed. Because of this design, the NT AUTHORITY\SYSTEM account must be a member of the sysadmin server role; this is also the default setting on Microsoft SQL Servers.
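As an added example (not part of this KB or of Centrify's own scripts), the following T-SQL verifies the three points above on a Microsoft SQL Server instance and shows the mitigation for the BUILTIN\Users grant; it assumes the queries are run as a login allowed to read server metadata.

```sql
-- Added example, not Centrify code: audit the DA-related server rights this KB describes.
-- Assumes SQL Server 2005 or later (sys.server_principals / sys.server_permissions).

-- 1. Does the login running the DA setup hold sysadmin (required to create the DA databases)?
SELECT SUSER_SNAME() AS current_login,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;          -- 1 = yes, 0 = no

-- 2. Is NT AUTHORITY\SYSTEM a sysadmin? DA stored procedures run as LOCAL SYSTEM and need it.
--    NULL means no such login exists on the instance; 0 means it exists but is not sysadmin.
SELECT IS_SRVROLEMEMBER('sysadmin', 'NT AUTHORITY\SYSTEM') AS system_is_sysadmin;

-- 3. Which server-level permissions does BUILTIN\Users hold, and is its login enabled?
--    After a DA install you expect CONNECT SQL in state GRANT.
SELECT p.name,
       p.is_disabled,
       sp.permission_name,
       sp.state_desc
FROM sys.server_principals p
LEFT JOIN sys.server_permissions sp
       ON sp.grantee_principal_id = p.principal_id
WHERE p.name = 'BUILTIN\Users';

-- 4. Mitigation the KB recommends if the group-wide grant is unwanted:
--    disable (or drop) the BUILTIN\Users login and manage auditors as individual accounts in DA.
-- ALTER LOGIN [BUILTIN\Users] DISABLE;   -- keeps the login but blocks all connections through it
-- DROP LOGIN [BUILTIN\Users];            -- removes the login entirely
```

Run the queries before disabling anything; if step 3 returns a row, the group grant is still active and auditors connecting only through that group will lose access once it is disabled.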