Overview

Some clients may not want our service account to have permanent "sysadmin" permissions in MSSQL.  This permission can be revoked using the following procedure.

Note: The service account will still need "sysadmin" permissions during any installations and upgrades.

 

Procedure

After installation/upgrade and successful BAT test, do the following:

  1. Add the service account as an owner of the ADG database by running the following SQL query, replacing ServiceAccountName with your service account login:
    USE [ADG]
    GO
    EXEC sp_addrolemember 'db_owner', [ServiceAccountName]
    GO
  2. (7.5.2 and older) Confirm that the service account is the owner of the eDiscovery and Infrastructure databases.
  3. Change the SQL permissions for the service account to only "Public", "ProcessAdmin", and "SecurityAdmin".
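
Step 3 and the checks for steps 1 and 2 can be run as a single batch by a sysadmin. The T-SQL below is an added example, not part of the vendor procedure. DOMAIN\ServiceAccountName is a placeholder login, and the ownership query lists every user database because the exact eDiscovery and Infrastructure database names are not given in this guide.

```sql
-- Added example (not vendor code). Placeholder login: replace with your own.
DECLARE @login sysname = N'DOMAIN\ServiceAccountName';
DECLARE @sql nvarchar(max);

IF SUSER_ID(@login) IS NULL
BEGIN
    RAISERROR('Login not found; check the service account name.', 16, 1);
    RETURN;
END;

-- Step 3: keep processadmin and securityadmin, then remove sysadmin.
-- ALTER SERVER ROLE takes no variables, so the name is quoted with QUOTENAME.
SET @sql = N'ALTER SERVER ROLE [processadmin] ADD MEMBER ' + QUOTENAME(@login) + N';'
         + N'ALTER SERVER ROLE [securityadmin] ADD MEMBER ' + QUOTENAME(@login) + N';';
EXEC sys.sp_executesql @sql;

IF EXISTS (SELECT 1
           FROM sys.server_role_members AS m
           JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
           WHERE r.name = N'sysadmin' AND m.member_principal_id = SUSER_ID(@login))
BEGIN
    SET @sql = N'ALTER SERVER ROLE [sysadmin] DROP MEMBER ' + QUOTENAME(@login) + N';';
    EXEC sys.sp_executesql @sql;
END;

-- Explicit server roles now held ("public" is implicit and never listed here).
SELECT r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
WHERE m.member_principal_id = SUSER_ID(@login);

-- Effective sysadmin membership; 1 here means it is still inherited,
-- for example through a Windows group that is itself a sysadmin member.
SELECT IS_SRVROLEMEMBER('sysadmin', @login) AS effective_sysadmin;

-- Step 1 check: the account's user must hold db_owner in ADG.
SELECT dp.name AS adg_user, rp.name AS adg_role
FROM [ADG].sys.database_role_members AS drm
JOIN [ADG].sys.database_principals AS rp ON rp.principal_id = drm.role_principal_id
JOIN [ADG].sys.database_principals AS dp ON dp.principal_id = drm.member_principal_id
WHERE dp.sid = SUSER_SID(@login);

-- Step 2 check: owner of each user database (system databases excluded).
SELECT name AS database_name, SUSER_SNAME(owner_sid) AS owner_login
FROM sys.databases
WHERE database_id > 4;
```

Microsoft's documentation advises treating securityadmin as equivalent to sysadmin, because its members can grant server-level permissions, so continue to audit this login after the change.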

 

Notes

  • No further changes to SQL permissions should be made apart from those defined in this guide.
  • Forensic Tools will create new SQL users as it is used, and their permissions should not be altered.  This is done for the following reasons:
    - To ensure that each database and case has the proper parameters and permissions to allow Forensic Tools to function correctly.
    - To preserve security and forensic integrity by ensuring that each case is only accessible by its own SQL user.
  • The service account must be granted the "sysadmin" role during upgrades.
  • The information above describes the roles / permissions granted to the service account. However, please note that the following SQL logins are automatically created during database initialization and are granted the corresponding permissions as listed:

 

Permission          | Granted To       | Login Type               | Purpose
--------------------|------------------|--------------------------|--------
ALTER ANY DATABASE  | ADG7X1SPLogin    | CERTIFICATE_MAPPED_LOGIN | Allow FTK to create/delete tables etc.
ALTER ANY LOGIN     | ADG7X1SPLogin    | CERTIFICATE_MAPPED_LOGIN | Allow FTK to create/delete case app logins
ALTER SETTINGS      | ADG7X1SPLogin    | CERTIFICATE_MAPPED_LOGIN | Allow FTK to manage settings for ADG and case databases
CONTROL SERVER      | ADG7X1SPLogin    | CERTIFICATE_MAPPED_LOGIN | Allow FTK to link secondary servers to primary server
CREATE ANY DATABASE | ADG7X1SPLogin    | CERTIFICATE_MAPPED_LOGIN | Allow FTK to create case databases
VIEW SERVER STATE   | ADG_user, ADG7x1 | SQL_LOGIN                | Allow FTK to: look for sessions belonging to a particular case user; change 'tempdb' size; query the amount of physical memory on the server machine for memory management