Showing results for 
Show  only  | Search instead for 
Did you mean: 

Why does the App Broker service account require Execute permissons on the SCCM database?

We are preparing to do an AppBroker installation. The client has asked for details about why the App Portal service account needs EXECUTE permission on the SCCM site database.

Would someone provide detail of what functions and store procedures are executed, what happens and why?


(1) Reply

There is one function in particular that I know is used to get the list of available applications when creating catalog items (though I don't recall the exact name of it).  However, my understanding is that there are other functions and stored procedures used as well.  The reason we require more general EXECUTE permission is that we don't have a definitive list of the functions and stored procedures that App Broker uses.  Also, Microsoft could potentially add others in the future that Flexera may want to leverage for new functionality.

What I do know is that the functions/stored procedures that are used are only "selecting" data.  We do not perform any "writes" through SQL.  All write-related activity is done through ConfigMgr's WMI SDK calls, which is the reason for the console permissions.  On that note, I'm sure I've said this in other conversation threads, but within Flexera Services, we almost never give the account Full Admin in the ConfigMgr console.  We generally use Application Administrator and Operating System Deployment Manager roles.  I've yet to hit a use case that didn't work with those two roles.

Anything expressed here is my own view and not necessarily that of my employer, Flexera. If my reply answers a question you have raised, please click "ACCEPT AS SOLUTION".