Summary
The App Portal Installation Guide states that DBO (db_owner) permissions are required by the App Portal Service Account. In more restrictive environments, db_owner permissions may not be acceptable. This article provides the minimum SQL Server requirements for the App Portal Service Account.
Discussion
The db_owner role is not strictly necessary for App Portal to function. The db_owner role can do anything within the database. App Portal does not require db_securityadmin, db_accessadmin, or db_backupoperator, all of which are part of the db_owner role. App Portal will, however, require more than the db_datareader and db_datawriter roles, because it dynamically updates the schema in the App Portal database. This includes dropping and creating tables, columns, views, types, etc. As such, the service account requires both drop and create permissions on various objects in the database. The db_ddladmin role covers these requirements.

At a minimum, the following roles are necessary in order for App Portal to function:

App Portal DB:
- db_ddladmin (needed for various create/drop operations performed by App Portal)
- db_datawriter
- db_datareader
- db_executor (for execute permissions; see below)

SCCM DB:
- db_datareader
- db_executor

NOTE: Use the following to create the db_executor role:

    -- Create a db_executor role
    CREATE ROLE db_executor
    -- Grant execute rights to the new role
    GRANT EXECUTE TO db_executor

It is not strictly necessary to create the new db_executor role, but it is a convenient way to grant EXECUTE permissions to an account.
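The role assignment described above, written out as an added T-SQL example (not taken from the App Portal documentation), with a query to confirm the resulting memberships. The database names [AppPortal] and [CM_XXX] and the login [CONTOSO\svc_appportal] are placeholders, and the script assumes the server-level login already exists and SQL Server 2012 or later (for ALTER ROLE ... ADD MEMBER).

```sql
-- Placeholders (assumptions): [AppPortal], [CM_XXX], [CONTOSO\svc_appportal].
USE [AppPortal];   -- App Portal database
GO
-- Create the db_executor role once and give it EXECUTE on the database.
IF DATABASE_PRINCIPAL_ID('db_executor') IS NULL
    CREATE ROLE db_executor;
GRANT EXECUTE TO db_executor;

-- Map the service account login to a database user if it is not mapped yet.
IF DATABASE_PRINCIPAL_ID(N'CONTOSO\svc_appportal') IS NULL
    CREATE USER [CONTOSO\svc_appportal] FOR LOGIN [CONTOSO\svc_appportal];

ALTER ROLE db_ddladmin   ADD MEMBER [CONTOSO\svc_appportal];
ALTER ROLE db_datawriter ADD MEMBER [CONTOSO\svc_appportal];
ALTER ROLE db_datareader ADD MEMBER [CONTOSO\svc_appportal];
ALTER ROLE db_executor   ADD MEMBER [CONTOSO\svc_appportal];

-- If the account was granted db_owner during installation, remove it.
IF IS_ROLEMEMBER('db_owner', N'CONTOSO\svc_appportal') = 1
    ALTER ROLE db_owner DROP MEMBER [CONTOSO\svc_appportal];
GO

USE [CM_XXX];      -- SCCM site database
GO
IF DATABASE_PRINCIPAL_ID('db_executor') IS NULL
    CREATE ROLE db_executor;
GRANT EXECUTE TO db_executor;

IF DATABASE_PRINCIPAL_ID(N'CONTOSO\svc_appportal') IS NULL
    CREATE USER [CONTOSO\svc_appportal] FOR LOGIN [CONTOSO\svc_appportal];

ALTER ROLE db_datareader ADD MEMBER [CONTOSO\svc_appportal];
ALTER ROLE db_executor   ADD MEMBER [CONTOSO\svc_appportal];
GO

-- Verification: run in each database and compare with the lists above.
SELECT DB_NAME() AS database_name, r.name AS role_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE m.name = N'CONTOSO\svc_appportal'
ORDER BY r.name;
```

The verification query should return exactly the four roles for the App Portal database and the two roles for the SCCM database; any additional row (for example db_owner) indicates leftover privilege.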
Related KB Articles
Please see the App Portal/App Broker 2016 Installation Guide for a full set of requirements.