Solved

Required permissions for Indicium in databases

  • 20 May 2019
  • 3 replies

I'm working on the automated deployment of Indicium via Octopus Deploy.

I understand that for the use of Indicium and logging in, it is necessary that the application pool user of Indicium has 'all rights' to the IAM and the ActoProject database.

Preferably I want to make as little db_owner as possible, so now my question is: what are all the permissions?

On IAM I see 16 roles in the SQL database. Can I indicate to which role the Application Pool User of Indicium should be linked?

For ActoProject we have a role 'all_rights', I assume that these are the right rights for the Application Pool User. Is that right?

Is it also possible to give a short description of the purpose of each role? (But it's probably better to publish it on your website)

Greetings,

Eric Bosman


Best answer by Anne Buit 22 May 2019, 14:49


3 replies

Userlevel 6
Badge +11
Hi @ericbosman

In our community only English is spoken because the community must be accessible to all our relations. I will adjust it for this time. Please communicate in English in the future.
Badge +7
Okay, I didn't know. Thanks
Userlevel 7
Badge +5
Hi Eric,

The Indicium pool user is used to query the database whenever the users need data or perform an action. Subsequently, the pool user requires permissions to perform any action a user or API caller can do. This counts for both IAM and the product database.

Generally, this means that the Indicium user should be assigned every role. A role with all rights also covers this.

There are some exceptions:
  • If your application uses database mailing, the pool user will need the DatabaseMailUser role in the msdb database.
  • If your application performs identity inserts somewhere, the pool user will need alter rights on these tables.
  • If your application queries another database, the pool user will need rights on this database.
There are more exceptions, so be sure to test the environment properly.

It would indeed be easiest just to give Indicium db_owner rights on the database, but I would recommend sticking to the minimum set of rights.

The default roles provided with IAM correspond with the various administrative levels. You can find more about this in our documentation. These roles are a bit different from regular roles as they are not assigned by user group membership but instead assigned by IAM when a user is configured to be an administrator.
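The role assignment described in the answer above, as a T-SQL script. This is an added example, not part of the original thread and not Thinkwise's own script; the login name `IIS APPPOOL\Indicium` and the table `dbo.example_table` are assumed placeholders, and the msdb role is written with SQL Server's name for it, `DatabaseMailUserRole`.

```sql
-- Assumption: the pool identity already exists as a server login.
USE IAM;
IF DATABASE_PRINCIPAL_ID(N'IIS APPPOOL\Indicium') IS NULL
    CREATE USER [IIS APPPOOL\Indicium] FOR LOGIN [IIS APPPOOL\Indicium];

-- "Every role": add the pool user to each user-defined database role in IAM.
-- Fixed roles (db_owner, db_datareader, ...) and public are skipped on purpose.
DECLARE @sql nvarchar(max) = N'';
SELECT @sql += N'ALTER ROLE ' + QUOTENAME(name)
             + N' ADD MEMBER [IIS APPPOOL\Indicium];' + NCHAR(10)
FROM sys.database_principals
WHERE type = 'R' AND is_fixed_role = 0 AND name <> N'public';
EXEC sys.sp_executesql @sql;

-- Product database: the single role that carries all rights.
USE ActoProject;
IF DATABASE_PRINCIPAL_ID(N'IIS APPPOOL\Indicium') IS NULL
    CREATE USER [IIS APPPOOL\Indicium] FOR LOGIN [IIS APPPOOL\Indicium];
ALTER ROLE all_rights ADD MEMBER [IIS APPPOOL\Indicium];

-- Exception: identity inserts need ALTER on each affected table.
-- dbo.example_table is a hypothetical table name.
GRANT ALTER ON OBJECT::dbo.example_table TO [IIS APPPOOL\Indicium];

-- Exception: database mail (only if the application sends mail).
USE msdb;
IF DATABASE_PRINCIPAL_ID(N'IIS APPPOOL\Indicium') IS NULL
    CREATE USER [IIS APPPOOL\Indicium] FOR LOGIN [IIS APPPOOL\Indicium];
ALTER ROLE DatabaseMailUserRole ADD MEMBER [IIS APPPOOL\Indicium];

-- Check: list the roles the pool user ended up in and confirm that
-- db_owner is not one of them. Repeat in IAM and msdb.
USE ActoProject;
SELECT r.name AS role_name
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = N'IIS APPPOOL\Indicium';
```

The third exception in the answer, querying another database, needs the same `CREATE USER` plus the specific grants in that database.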
