000034600 - How to configure permissions when SQL and NWE are on the same server in RSA NetWitness Endpoint

Document created by RSA Customer Support Employee on Feb 20, 2017
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000034600
Applies ToRSA Product Set: Netwitness Endpoint (ECAT)
RSA Version/Condition: 4.1.x.x, 4.2.x.x
Platform: Windows
Platform (Other): SQL 2014 Standard/Enterprise, SQL 2012 Standard/Enterprise, SQL 2008 Standard/Enterprise
IssueIt is recommended that Netwitness Endpoint and Microsoft SQL Server be installed on the same server.
The following details the permissions requirements for Windows/Active Directory and Microsoft SQL Server when both are installed on the same server.
TasksThere are 4 service accounts that must have appropriate permissions, 3 folders that require configuration and SQL privileges that must be correct if Netwitness Endpoint is to function correctly.  Additionally, the Files folder must be shared if you have users running the UI remotely.
SERVICE ACCOUNTS
  • RSA ECAT API Server
  • RSA ECAT Console Server
  • SQL Server
  • SQL Server Agent
DATABASE PERMISSIONS
  • API Server and ConsoleServer service accounts require sysadmin
  • SQL Server and SQL Agent service accounts require sysadmin
  • User accounts do NOT require sysadmin
FOLDER PERMISSIONS
  • QueuedData folder: ConsoleServer service account needs Full control, SQL Server & SQL Agent service accounts require read access.  
  • Files folder:  ConsoleServer service account must have Full Control, user accounts need read access
  • Root folder (C:\ProgramFiles\RSA\ECAT\Server by default in 4.2, C:\ECAT\Server in 4.1): API Server and ConsoleServer service accounts need full control
 SHARING QueuedData folder
  • QueuedData folder does not need to be shared
  • SQL Agent and SQL server service accounts need read access
  • ConsoleServer service account needs full control
SHARING Files folder                
  • Files folder must be shared (can be on a network share if desired)
  • Console Server service account must have FULL control
  • User accounts must have READ access
In most cases, the SQL and SQL Agent services are run under the same service account.  It is also common for the Console Server and API Server services to be run under the same account (not the same account as SQL and SQL Agent services).  This is not a requirement but does simplify initial configuration.  
ResolutionExample of limiting ‘sysadmin’ privileges:
For the purpose of installing, the user will need to be sysadmin. Let’s call him Adam. Adam will then be able to login to Netwitness Endpoint UI because he is sysadmin on the DB.  Adam should create another user within “Users and Roles” in the Netwitness Endpoint UI - let’s call him Bob, and add the role of ECAT Admin to him. Then we can drop the sysadmin rights from Adam. Bob can create a new user from within the ECAT UI for Adam and give him the role of ECAT Admin.  These two users will then be able to add users and change roles at will.  Not a single human will have sysadmin.

Attachments

    Outcomes