
SCOM 2016 Security Account Matrix

Below you will find a security account matrix for SCOM 2016, which includes all the common security accounts in SCOM and their default or recommended permissions. This covers the management servers, the database servers, SQL role permissions, and database mappings. You can use it to correct deployments where permissions were modified incorrectly, or to verify that a least-privilege model is being used.

Download:  https://kevinholman.com/files/SCOM2016_Security_Matrix.xls


This download is for SCOM 2016.  For SCOM 2019 please see:  https://kevinholman.com/2020/07/23/scom-2019-security-account-matrix/

16 Comments

  1. Karthikeyan

    Hi, can you clarify why SCOM accounts need DBO & SQL Agent roles on MSDB? Does the product create jobs and manage them? Is this access mandatory, since those are managed by DBAs and access is not granted to application accounts? Please help.

    • Kevin Holman

      DBO is no longer required. See the latest at: https://kevinholman.com/2020/04/04/ur9-for-scom-2016-step-by-step/

      Yes – SCOM does create jobs, then delete them, as we use the SQL agent to adjust schedules for maintenance mode. This access is likely not mandatory, since it will only break scheduled maintenance mode. For the scheduled maintenance mode feature to work, it is mandatory. Note – in SCOM 2019, this access is configured during setup by default.

  3. andyinsdca

    Can you use Local System as the action account on a gateway server? We don’t use the action account for agent deployment, so we don’t need it for that.

    • Kevin Holman

      Absolutely. I ONLY use Local System for gateways, unless the customer has a VERY good reason to use a service account. We need to get away from service accounts.
