Can Centrify DA use a contained SQL database user or does it require a SQL login?
A contained database is a database that is isolated from other databases and from the instance of SQL Server that
hosts the database.
SQL Server 2012 lets users isolate a database from the instance in four ways:
1) Much of the metadata that describes a database is maintained in the database. (In addition to, or instead of, maintaining
metadata in the master database.)
2) All metadata are defined using the same collation.
3) User authentication can be performed by the database, reducing the database's dependency on the logins of the
instance of SQL Server.
4) The SQL Server environment (DMV's, XEvents, etc.) reports and can act upon containment information.
More information on contained databases can be found on the Internet. The links below were provided as a courtesy.
Containment requires that the user entity stays within the database boundary, which is not how DA works. Centrify uses an outgoing account
(SQL or Windows authentication) so that the Management database can talk to the Audit Store database(s).
DA has a distributed architecture where not only do different components talk to the database (e.g. collectors, consoles, audit management service etc.),
but the databases themselves talk to each other (e.g. the management database talks to the audit store databases to collect data). Because DA is not
aware of contained databases, every time a user is added to the DA system the DA console simply creates a server-level login for that user.
Although creating a server-level login is still supported with contained databases, it defeats the whole purpose of making the database
contained (in contained databases, users are local to the database).
Centrify's recommendation regarding contained databases is to first set up DA using regular databases, configure
everything (including collectors, auditors, administrators etc.) and then migrate the databases to use containment. Microsoft has provided a very
simple document on how to migrate a normal database to a partially contained database. The article can be found at,
Note: There will still be some limitations after the migration, e.g.
#1 - The outgoing account (which is used for communication between management database and audit store databases) must be re-configured
after the migration to use SQL login.
#2 - Every time you add a new user or collector to the system, DA will create a server-level login for that user or collector machine account. This login
must be deleted from the SQL Server instance to comply with best practices of containment.
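The T-SQL below is an added example, not part of this article or of Centrify's own tooling. It walks through the recommended order (set up DA on a regular database first, then move it to partial containment) and the post-migration cleanup that limitation #2 calls for: finding database users that still depend on an instance-level login, converting a SQL-authenticated DA user into a contained user, and dropping the server-level login the console created. The database name [DirectAuditMgmt] and the login name [da_auditor1] are assumptions; substitute your own management or audit store database and DA user names.

```sql
-- Added example (not from the Centrify KB article or from Centrify's code).
-- Assumptions: [DirectAuditMgmt] is the DA management database already
-- configured with collectors/auditors, and [da_auditor1] is a SQL-authenticated
-- DA user for which the console created a server-level login.

-- 1. Enable contained database authentication at the instance level.
EXEC sp_configure 'contained database authentication', 1;
RECONFIGURE;
GO

-- 2. Switch the already-configured DA database to partial containment.
ALTER DATABASE [DirectAuditMgmt] SET CONTAINMENT = PARTIAL;
GO

-- 3. Confirm the containment setting took effect (expect PARTIAL).
SELECT name, containment_desc
FROM sys.databases
WHERE name = N'DirectAuditMgmt';
GO

USE [DirectAuditMgmt];
GO

-- 4. List database users that still depend on an instance-level login.
--    authentication_type_desc = 'INSTANCE' means login-mapped;
--    'DATABASE' means a contained user. Anything still INSTANCE is cleanup work,
--    and every new user or collector DA adds will show up here again.
SELECT name, type_desc, authentication_type_desc
FROM sys.database_principals
WHERE type IN ('S', 'U', 'G')   -- SQL user, Windows user, Windows group
  AND name NOT IN ('dbo', 'guest', 'INFORMATION_SCHEMA', 'sys')
  AND authentication_type_desc = 'INSTANCE';
GO

-- 5. Convert the login-mapped SQL user into a contained user with password.
--    The login is disabled rather than dropped so the DA console can be
--    verified against the contained user before the login disappears.
--    Note: sp_migrate_user_to_contained handles SQL logins only; Windows
--    logins created by DA need separate handling.
EXEC sp_migrate_user_to_contained
    @username     = N'da_auditor1',
    @rename       = N'keep_name',
    @disablelogin = N'disable_login';
GO

-- 6. Once the contained user has been verified, remove the server-level login
--    the DA console created, as limitation #2 above requires.
DROP LOGIN [da_auditor1];
GO

-- 7. Re-run the query from step 4. The user should no longer be listed; a
--    query without the INSTANCE filter shows authentication_type_desc = 'DATABASE'
--    for the migrated user.
SELECT name, type_desc, authentication_type_desc
FROM sys.database_principals
WHERE name = N'da_auditor1';
GO
```

Run step 4 again after every user or collector you add through the DA console, since each addition recreates a server-level login and an INSTANCE-authenticated user. The outgoing account from limitation #1 is configured in DA itself, not in SQL, so it is not covered by this script.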