Permissions Required to Perform Administrative and Auditing Tasks

This section describes the permissions required to perform various auditing-related activities.

Setting and Synchronizing Audit-related Permissions

As a Master Auditor, you can set the permissions that control what all other administrators and auditors can do. In most cases, you set these permissions by making selections in Audit Manager. Your selections are saved in the management database for each installation, then published in Active Directory whenever you synchronize the management database with the service connection point for the installation.

The permissions you can set consist of a specific action that can be taken, a scope to which the action applies, and the specific Active Directory user or group to which you are granting the permission.

For example, a permission might specify an action, such as the ability to modify a name or detach a database, with a scope such as a specific installation or audit store database. For each action and scope, you select the Active Directory user or group to be granted that permission. After a user or group is granted a permission, it is called a trustee for that action and scope.

To view the existing permissions, right-click an installation or an audit store and select Properties, then click the Security tab.

Component by Component Permissions

The table below lists, for each step of building an installation one component at a time, the permissions or roles that allow it, with the scope of the permission in parentheses. Steps without an entry have no permission listed in this table.

To do this
    Required permissions and roles (scope)

Create an audit installation
Create an audit console
Create a SQL Server instance
Check a SQL Server service account
Add a service connection point
Add a publication location
    Audit server administrator or Manage Publication Locations (Installation)
Add a UNIX agent to an audited machine
Add a Windows agent to an audited machine
Enable the trusted audited machine list for an audit store
    Audit server administrator or Manage Collectors (Installation)
Add an audited machine to the trusted list for an audit store
    Audit server administrator or Manage Collectors (Installation)
Add a collector
    No special permissions are required to install a collector
Enable the trusted collector list for an audit store
    Audit server administrator or Manage Collectors (Installation)
Add a collector to the trusted list for an audit store
    Audit server administrator or Manage Collectors (Installation)
Add an audit store
    Audit server administrator or Manage Audit Store List (Installation)
Add an audit store database
    SQL Server: database owner (dbo) or a delegated member of the db_owner role; or Audit store administrator (Installation), Audit server administrator (Installation), or Manage Databases (Installation)
Attach an audit store database
    Audit store administrator (Installation), Audit server administrator (Installation), or Manage Databases (Installation)
Change which database is active
    Audit store administrator (Installation), Audit server administrator (Installation), or Manage Databases (Installation)
Attach a DA version 1 database
    Audit store administrator (Installation), Audit server administrator (Installation), or Manage Databases (Installation)
Add a subnet or AD site to the audit store
    Audit store administrator, Audit server administrator, or Manage Sites (Audit store)
Add an audit server
    Manage Audit Server List (Installation)
Add an audit role; change its definition, membership or permissions
    Creator of installation (Installation), Audit server administrator (Installation), or Manage Audit Roles (Installation)
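The "Add an audit store database" row is the one place in the table where a SQL Server role, not an Audit Manager permission, is enough on its own. The script below is an added example, not part of the product documentation, that checks that path before you rely on it: it reports whether the account running it is dbo or a member of db_owner on the audit store database, and lists every db_owner member, which is the set of accounts that can add the database without holding any Audit Manager permission. It assumes the SqlServer PowerShell module is installed, that Windows authentication is used, and that the instance and database names are placeholders for your environment.

```powershell
<#
Added example (not from the product documentation). Verifies the SQL Server side of the
"Add an audit store database" requirement: dbo or db_owner on the audit store database.
Assumptions: SqlServer module installed, Windows authentication, placeholder names below.
#>
param(
    [string]$ServerInstance = 'SQL01\AUDIT',          # assumed instance name
    [string]$Database       = 'DirectAudit-Store01'   # assumed audit store database name
)

Import-Module SqlServer -ErrorAction Stop

# Who is the caller inside this database, and does it hold dbo or db_owner?
$whoAmI = @"
SELECT SUSER_SNAME()                                    AS LoginName,
       USER_NAME()                                      AS DatabaseUser,
       CASE WHEN USER_NAME() = 'dbo' THEN 1 ELSE 0 END  AS IsDbo,
       IS_MEMBER('db_owner')                            AS IsDbOwnerMember;
"@

# Every database principal that is a member of the fixed db_owner role.
$dbOwnerMembers = @"
SELECT m.name AS MemberName, m.type_desc AS MemberType
FROM sys.database_role_members AS rm
JOIN sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'db_owner'
ORDER BY m.name;
"@

$me      = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $whoAmI
$members = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $dbOwnerMembers

if ($me.IsDbo -eq 1 -or $me.IsDbOwnerMember -eq 1) {
    Write-Host "$($me.LoginName) maps to '$($me.DatabaseUser)' and can add '$Database' on the SQL Server path (dbo or db_owner)."
} else {
    Write-Warning "$($me.LoginName) maps to '$($me.DatabaseUser)' and is neither dbo nor in db_owner on '$Database'; adding the database then needs the Audit store administrator, Audit server administrator or Manage Databases permission instead."
}

Write-Host "Members of db_owner on '$Database':"
$members | Format-Table MemberName, MemberType -AutoSize
```

Run it as the account you intend to delegate to, then once more as a privileged account: SQL Server only shows a caller the database principals it has permission to see, so the db_owner member list is complete only when the caller holds ALTER ANY USER (or is itself a member of db_owner or sysadmin).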

Installation Permissions

Installation permissions allow users or groups to modify different aspects of an installation’s properties. By default, the Master Auditor and the management database administrator have Full Control over the installation and can assign the following permissions to other users and groups. Each permission is listed with what it enables its trustees to do.

Full Control
    Perform all administrative tasks on the selected installation and assign permissions to other users and groups.
Change Permissions
    Add, modify, or remove Active Directory users and groups that have specific permissions. A user or group granted this permission can display the properties for the installation, then click the Security tab to select permissions for other users and groups.
Modify Name
    Modify the name of the selected installation. A user or group granted this permission can display the properties for the installation, then click the General tab to change the installation name.
Manage Management Database List
    Add or remove a management database for the selected installation. A user or group granted this permission can right-click the installation name in Audit Manager and select Management Databases to add or remove a management database. Deleting the management database from Microsoft SQL Server requires additional SQL Server permissions.
Manage Audit Store List
    Add, modify, or remove audit stores and audit store databases for the selected installation. A user or group granted this permission can use the Add Audit Store wizard or right-click the installation name in Audit Manager, select Management Databases, then click Properties to add or remove sites or subnets associated with the installation.
Manage Collectors
    Add, modify, or remove collectors for the selected installation.
Manage Audited Systems
    Add, modify, or remove audited computers for the selected installation.
Manage Audit Roles
    Add, modify, or remove audit roles for the selected installation.
Manage Queries
    Add, modify, or remove queries for the selected installation.
Manage Publications
    Add, modify, or remove publication locations in Active Directory for the service connection point associated with the selected installation. A user or group granted this permission can display the properties for the installation, then click the Publication tab to change the publication location in Active Directory for the installation. A user or group granted this permission can also update the information stored in Active Directory to keep it synchronized with the information stored in the management database. However, this permission is only the Audit Manager side of the grant: the user or group must also have sufficient Windows rights to update the objects in Active Directory, or publication fails.
Manage License
    Add or remove license keys for an installation. A user or group granted this permission can display the properties for the installation, click the General tab, then click Details to manage licenses for the installation.
Modify Notification
    Enable or disable the audit notification message for the selected installation. A user or group granted this permission can display the properties for the installation, then click the Notification tab to manage the notification message and image for the installation.
Modify Audit Options
    Enable or disable video capture auditing for the selected installation. Control whether users are allowed to update the review status of their own sessions. Control whether users are allowed to delete their own sessions. A user or group granted this permission can display the properties for the installation, then click the Audit Options tab to manage installation-wide auditing options.
View
    Enable read-only access to the selected installation. A user with only View permission can see all the auditing components in the Audit Manager console, but has no access to audited sessions and cannot change any installation details.
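Because Manage Publications is only half of the grant (the trustee must also be able to write the service connection point in Active Directory), the script below is an added example, not part of the product documentation, for checking the other half before you hand out the permission. It reads the DACL of the installation's service connection point and of its parent container and reports the ACEs that allow or deny the trustee, directly or through one of its direct groups, the rights needed to update the existing object or create a new one. It assumes the ActiveDirectory PowerShell module is installed, that the distinguished name and trustee name are placeholders for your environment, and that only direct group membership is resolved (nested groups are not expanded).

```powershell
<#
Added example (not from the product documentation). Reports the Active Directory ACEs
that govern whether a trustee can update or create the installation's service connection
point (SCP). Assumptions: ActiveDirectory module installed; $ScpDn and $Trustee are
placeholders; only direct group membership of the trustee is resolved.
#>
param(
    [string]$ScpDn   = 'CN=Installation01,CN=Audit Publications,DC=example,DC=com',  # assumed
    [string]$Trustee = 'AuditPublishers'                                             # assumed sAMAccountName
)

Import-Module ActiveDirectory -ErrorAction Stop   # also provides the AD: PSDrive

# Identity strings as they appear in an ACE's IdentityReference: DOMAIN\name for the
# trustee and its direct groups, plus the well-known identities every caller carries.
$netbios    = (Get-ADDomain).NetBIOSName
$identities = @("$netbios\$Trustee", 'Everyone', 'NT AUTHORITY\Authenticated Users')
$identities += Get-ADPrincipalGroupMembership -Identity $Trustee |
    ForEach-Object { "$netbios\$($_.SamAccountName)" }

# Rights that let a principal change the SCP's attributes (or take over its DACL).
$writeRights  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll -bor
                [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
                [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
                [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl
# Rights that let a principal create a new SCP under the publication container.
$createRights = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll -bor
                [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

function Get-MatchingAce {
    param(
        [string]$Dn,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights
    )
    # ACEs on the object whose identity matches the trustee and whose rights overlap $Rights.
    (Get-Acl -Path "AD:\$Dn").Access |
        Where-Object {
            $identities -contains $_.IdentityReference.Value -and
            ([int]($_.ActiveDirectoryRights -band $Rights)) -ne 0
        } |
        Select-Object @{ n = 'Object'; e = { $Dn } }, IdentityReference, AccessControlType,
                      ActiveDirectoryRights, ObjectType, IsInherited
}

# Parent container: strip the first RDN. This simple split does not handle escaped commas.
$parentDn = $ScpDn -replace '^[^,]+,', ''

$aces   = @(Get-MatchingAce -Dn $ScpDn -Rights $writeRights) +
          @(Get-MatchingAce -Dn $parentDn -Rights $createRights)
$denies = $aces | Where-Object AccessControlType -eq 'Deny'
$allows = $aces | Where-Object AccessControlType -eq 'Allow'

if ($denies) {
    Write-Warning "Deny ACEs apply to $Trustee and override any Allow below:"
    $denies | Format-Table -AutoSize
}
if ($allows) {
    Write-Host "ACEs granting $Trustee write or create rights on the publication location:"
    $allows | Format-Table -AutoSize
} else {
    Write-Warning "$Trustee has no write ACE on $ScpDn and no create ACE on $parentDn; granting Manage Publications in Audit Manager alone will not let it publish."
}
```

Read the ObjectType column before trusting an Allow: a WriteProperty ACE with a non-empty ObjectType GUID covers only that one attribute or property set, which may not include the attributes the publication step updates, whereas an empty GUID means the ACE applies to the whole object.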

Setting Installation Permissions

You can set installation permissions for a specific installation by selecting the installation name in Audit Manager.

To set permissions on an installation:

  1. Open Audit Manager and select the installation name.

  2. Right-click, then click Properties.

  3. Click the Security tab.

  4. Click Add to open Select Users or Groups.

  5. Type the name of the user or group that should be granted installation permissions, then click OK.

    You can add multiple users or groups from the Select Users or Groups dialog box. You can also type part of the name, then click Check Names to look up user and group names.

  6. Select the specific permissions you want to grant to the selected user or group.

Management Database Permissions

Management database permissions allow users or groups to modify different aspects of an installation’s management database. By default, the Master Auditor and the management database administrator have Full Control over the management database and can assign the following permissions to other users and groups:

Each permission is listed with what it enables its trustees to do.

Full Control
    Perform all administrative tasks on the selected management database and assign permissions to other users and groups.
Change Permissions
    Add, modify, or remove Active Directory users and groups that have specific permissions. A user or group granted this permission can display the properties for the management database, then click the Security tab to select permissions for other users and groups.
Modify Name
    Modify the name displayed for the selected management database. A user or group granted this permission can display the properties for the management database, then click the General tab to change the management database name.
Manage Scopes
    Add, modify, or remove sites or subnets for a management database. A user or group granted this permission can display the properties for the management database, then click the Scope tab to add or remove sites and subnets.
Remove Database
    Remove a management database from an installation. Deleting the management database from Microsoft SQL Server requires additional SQL Server permissions.
Manage SQL Logins
    Add or remove the allowed incoming users for the selected management database. A user or group granted this permission can display properties for the management database, then click the Advanced tab to add or remove allowed accounts, or to change the outgoing account or authentication type.
Manage Database Trace
    Enable, disable, or export database traces for the selected management database.

Setting Management Database Permissions

You can set management database permissions for a specific installation by selecting the installation name in Audit Manager.

To set permissions on a management database:

  1. Open Audit Manager and select the installation name.
  2. Right-click, then click Management Databases.
  3. Select the management database, click Properties, then click the Security tab.
  4. Click Add, type the name of the user or group that should be granted permissions, then click OK.
  5. Select the specific permissions you want to grant to the selected user or group.

Audit Store and Audit Store Database Permissions

Audit store permissions allow users or groups to modify different aspects of an audit store or audit store database. By default, the Master Auditor and the audit store database administrator have Full Control over the audit store and its database and can assign the following permissions to other users and groups:

Each permission is listed with what it enables its trustees to do.

Full Control
    Perform all administrative tasks on the selected audit store and its database and assign permissions to other users and groups.
Change Permissions
    Add, modify, or remove Active Directory users and groups that have specific permissions. A user or group granted this permission can display the properties for the audit store, then click the Security tab to select permissions for other users and groups.
Modify Name
    Modify the name displayed for the selected audit store. A user or group granted this permission can display the properties for the audit store, then click the General tab to change the audit store name.
Manage Scopes
    Add, modify, or remove sites or subnets for the audit store. A user or group granted this permission can display the properties for the audit store, then click the Scope tab to add or remove sites and subnets.
Manage SQL Logins
    Add or remove the allowed incoming collectors and management database logins for the selected audit store database. A user or group granted this permission can display properties for the audit store database, then click the Advanced tab to add or remove accounts for collectors and management databases.
Manage Collectors
    Add, modify, or remove trusted collectors for the audit store. A user or group granted this permission can display properties for the audit store, then click the Advanced tab to add or remove trusted collectors.
Manage Audited Systems
    Add, modify, or remove trusted audited computers for the audit store. A user or group granted this permission can display properties for the audit store, then click the Advanced tab to add or remove trusted audited computers.
Manage Databases
    Add, attach, detach, or delete audit store databases for the selected audit store.
Manage Database Trace
    Enable, disable, or export database traces for the selected audit store.

Audit Role Permissions

Audit role permissions allow users or groups to modify different aspects of an audit role. By default, the Master Auditor has Full Control over the audit roles and can assign the following permissions to other users and groups:

Each permission is listed with what it enables its trustees to do.

Full Control
    Perform all administrative tasks on the selected audit role and assign permissions to other users and groups.
Change Permissions
    Add, modify, or remove Active Directory users and groups that have specific permissions. A user or group granted this permission can display the properties for the audit role, then click the Security tab to select permissions for other users and groups.
Change Role Membership
    Add, modify, or remove Active Directory users and groups that are assigned to the selected role. A user or group granted this permission can use the Add Audit Role wizard to assign users and groups to an audit role, or select an audit role name, right-click, then select Assign Users and Groups to modify the role membership.
Change Role Definition
    Modify the name, description, access, or privileges for the selected audit role. A user or group granted this permission can display the properties for the audit role, then:
        Click the General tab to modify the role name or description.
        Click the Access tab to modify the type of session and other criteria.
        Click the Privileges tab to modify what users and groups assigned to the role can do.

Auditor Permissions

Auditor permissions allow users or groups to view, create, share, and delete queries. For an installation, the Master Auditor controls access to Audit Analyzer and to queries through the Manage Queries permission and the assignment of audit roles. The privileges associated with an audit role also control whether an auditor can update the review status of sessions or replay them. By default, the Master Auditor has Full Control over the auditor permissions and audit roles and can assign the following permissions to other users and groups:

Each permission is listed with what it enables its trustees to do.

Full Control
    Perform all administrative tasks on the selected query and assign permissions to other users and groups.
Change Permissions
    Add, modify, or remove Active Directory users and groups that have specific permissions. A user or group granted this permission can display the properties for the query, then click the Security tab to select permissions for other users and groups.
Read
    Read the selected query definition, session results, and indexed commands.
Delete
    Delete the selected query definition, session results, and indexed commands.
Modify
    Modify the selected query definition, session results, and indexed commands.