Using a non-Local Administrator account for the SQL diagnostic manager Web Console services
The Idera Dashboard consists of two services:
- SQLdm Rest Service
- SQLdmWebUI Service
The service accounts for these services require certain privileges in order for the services to run. The easiest thing to do is pick service accounts that are part of the local Administrators group on the machine on which these services are running.
For some users, their company’s security policy restricts the use of local Administrators. This document outlines the steps necessary if you wish to use a service account that is not a member of the local Administrators group.
This work consists of two steps:
- Grant the service account for each of the two services the rights to write to the service install folders. This is used to write configuration and diagnostic logs.
- Grant the SQLdm Rest Service the right to provide a web service listening on an HTTP namespace.
Grant the right to write to the SQL DM install folder
Each of the two services used to provide the SQL DM Web Console writes information to the install folder. This could be changes to configuration files or diagnostic logging. By default, Windows restricts write access to folders under the Program Files folder. You will need to grant explicit access to the service accounts so that they can write to the install folder. This can be done at the root folder for the SQL DM web console services (Default: C:\Program Files\Idera\Idera SQL diagnostic manager).
Steps to grant access to the service account:
- In Explorer navigate to the folder C:\Program Files\Idera
- Right-click on the Idera SQL diagnostic manager folder
- Select Properties
- Select the Security Tab
- Click the “Edit…” button
- This will launch the permissions dialog to allow you to edit the permissions on the Idera SQL diagnostic manager folder
- Click the “Add…” button to add the service account
- Add the service account
- Grant them Modify permissions over the folder.
Note: If you use different service accounts for the two services, you will need to repeat these steps for the second service account.
Grant the rights to create the SQLdm Rest Service
The SQLdm Rest Service hosts a web service that provides data to the SQL DM web console user interface via a REST interface. Hosting a web service requires permissions over the HTTP namespace used to host the REST services. Members of the local Administrators group automatically are granted this ability. To grant access to accounts that are not members of the local Administrators group, you will need to execute the following steps:
- Open a command prompt
- Use the netsh command line tool to grant rights to the service account
netsh http add urlacl url= user=serviceaccount
- Service Account = the account under which you are running the SQLdm Rest Service. Specify the service account in the form domainName\accountName.
- This command assumes that you are using the default port for the SQLdm Rest Service of 9278. If you need to change this port, you will need to re-execute this command specifying the new port.
If you need to change the service account to a different user, you will first need to remove the existing user’s permission and then re-run the above command with the new user.
To remove the existing user:
netsh http delete urlacl url=
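The two grants above can also be scripted and then verified. The following PowerShell is an added example, not Idera's own script. The parameter and variable names are assumptions, and `$ReservationUrl` must be supplied by you because the URL value is not shown on this page. Run it from an elevated prompt.

```powershell
# Added example: scripted form of the folder grant and the HTTP namespace grant.
param(
    [Parameter(Mandatory)] [string] $ServiceAccount,  # domainName\accountName
    [Parameter(Mandatory)] [string] $ReservationUrl,  # URL the Rest Service listens on (assumption: you supply it)
    [string] $InstallDir = 'C:\Program Files\Idera\Idera SQL diagnostic manager'
)
$ErrorActionPreference = 'Stop'

# Resolve the account to a SID first, so a mistyped name fails before any ACL changes.
$account = New-Object System.Security.Principal.NTAccount($ServiceAccount)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier])

# Step 1: grant Modify (not Full Control) on the install folder,
# inherited by subfolders and files so logs and config files are covered.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $sid,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl = Get-Acl -LiteralPath $InstallDir
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $InstallDir -AclObject $acl

# Step 2: reserve the HTTP namespace for the SQLdm Rest Service account.
& netsh http add urlacl "url=$ReservationUrl" "user=$ServiceAccount"
if ($LASTEXITCODE -ne 0) { throw "netsh http add urlacl failed with exit code $LASTEXITCODE" }

# Verify the folder grant: list every explicit (non-inherited) entry for this SID.
$sidType = [System.Security.Principal.SecurityIdentifier]
$granted = (Get-Acl -LiteralPath $InstallDir).GetAccessRules($true, $false, $sidType) |
    Where-Object { $_.IdentityReference.Value -eq $sid.Value }
if (-not $granted) { throw "No explicit ACL entry found for $ServiceAccount on $InstallDir" }
$granted | Format-Table FileSystemRights, AccessControlType, InheritanceFlags -AutoSize

# Verify the reservation: the output should list the service account with Listen: Yes.
& netsh http show urlacl "url=$ReservationUrl"
```

If the two services run under different accounts, run the folder grant once per account; only the SQLdm Rest Service account needs the URL reservation.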