Below you will find a security account matrix for SCOM 2022 that includes all the common service and security accounts in SCOM and their default or recommended permissions. This covers the management servers, the database servers, SQL role permissions, and database mappings. You can use it to correct deployments where permissions were modified incorrectly, or to verify that a least-privilege model is being used.
Download: https://kevinholman.com/files/SCOM2022_Security_Matrix.xls
Example:
This matrix is for SCOM 2022.
For SCOM 2019, please see: https://kevinholman.com/2020/07/23/scom-2019-security-account-matrix/
For SCOM 2016, please see: https://kevinholman.com/2019/03/08/scom-2016-security-account-matrix/
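One way to verify a deployment against the matrix is to pull the actual SQL database role memberships for each SCOM account and diff them against what the matrix says they should be. The script below is an added example and is not part of the post or the downloaded matrix; the instance name, account names and the `$Expected` table are constructed placeholders that you replace with the rows from the matrix for your environment. It assumes the SqlServer PowerShell module (`Invoke-Sqlcmd`) and a login that can read `sys.database_principals` in both SCOM databases.

```powershell
# Added example: audit SCOM account role memberships in the SCOM databases against
# the expected values from the security matrix. Not code from the original post.
# Requires the SqlServer module (Invoke-Sqlcmd) and read access to sys.database_principals.

$SqlInstance = 'SQL01\SCOM'                                   # placeholder instance name
$Databases   = @('OperationsManager', 'OperationsManagerDW')  # default SCOM database names

# Expected role memberships per account and database. These entries are constructed
# sample data: fill them in from the matrix rows for the Data Reader / DW Write / SDK accounts.
$Expected = @{
    'CONTOSO\scom_dw_reader' = @{
        'OperationsManager'   = @('db_datareader')
        'OperationsManagerDW' = @('db_datareader', 'OpsMgrReader')
    }
    'CONTOSO\scom_dw_writer' = @{
        'OperationsManager'   = @('db_datareader')
        'OperationsManagerDW' = @('OpsMgrWriter')
    }
}

# Direct role memberships of Windows users/groups and SQL logins in the current database.
# Note: this lists only direct memberships; membership inherited through a Windows group
# or a nested database role is not expanded here.
$query = @'
SELECT  dp.name AS AccountName,
        r.name  AS RoleName
FROM    sys.database_role_members drm
JOIN    sys.database_principals r  ON r.principal_id  = drm.role_principal_id
JOIN    sys.database_principals dp ON dp.principal_id = drm.member_principal_id
WHERE   dp.type IN ('U', 'G', 'S')   -- Windows user, Windows group, SQL user
'@

$findings = foreach ($db in $Databases) {
    $rows = Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $db -Query $query -ErrorAction Stop

    foreach ($account in $Expected.Keys) {
        # Assumes the database user name equals the Windows account name, which is the
        # default when SCOM setup creates the users.
        $actual   = @($rows | Where-Object AccountName -eq $account | Select-Object -ExpandProperty RoleName)
        $expected = @($Expected[$account][$db])

        foreach ($role in $expected) {
            if ($role -notin $actual) {
                [pscustomobject]@{ Database = $db; Account = $account; Role = $role; Issue = 'MISSING' }
            }
        }
        foreach ($role in $actual) {
            if ($role -notin $expected) {
                # Extra roles (for example db_owner added during troubleshooting) are the
                # usual way a least-privilege deployment drifts.
                [pscustomobject]@{ Database = $db; Account = $account; Role = $role; Issue = 'UNEXPECTED' }
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object Database, Account | Format-Table -AutoSize
} else {
    'All audited accounts match the expected role memberships.'
}
```

Run it from a management server or an admin workstation with the SqlServer module installed. A `MISSING` row means the account lost a role the matrix requires (typical after someone "cleans up" SQL permissions); an `UNEXPECTED` row means the account holds a role the matrix does not list, which is what you look for when confirming least privilege. Because the query only reports direct memberships, an account that is a member of a Windows group mapped into the database will show as `MISSING` even though it effectively has the role; check group-based grants separately.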
Hi Kevin, shouldn’t there also be SCOM_Service account ?
For what purpose?
Service account under which all rules run by default on the agent. Or would that be the SCOM Action account in your Matrix?
For the agent – that should be Local System (as the Default Agent Action Account)
For the Management Server – that is the Management Server Action Account as documented.
Understood. Thank you, Sir!
Hey Kevin,
Did you notice or get an error that if the data reader account is not part of local admin then the http:\server\\reportserver site errors out at http 500 code?
We realized this from the ssrs logfiles location SSRS\LogFiles that it was getting access denied to the SSRS\ReportServer\RSTempFiles.
We had to grant permission to data reader account to the ReportServer\RSTempFiles folders to resolve the issue.
Not sure if we missed a step somewhere else.
Hi Kevin, So management is insisting that they use the SCOM_Admin account for the data reader and data writer account. I told them this is a security risk but they said that is what they want and will not discuss it further. When installing SCOM Reporting it continues to fail with a corrupt SSRS encryption key. I verified the key was good and able to be backed up prior to SCOM Reporting installation. Is this due to using the SCOM admin account possibly?
It is fine to use a single account for all SCOM roles. It isn’t really a security risk. It was considered a “best practice” for least priv per role, but there is so much crossover in SCOM roles, that this practice really just overcomplicated things. I have many customers who use a single domain account for everything.
If you are using SCOM 2022 and SQL 2022 – make sure you re-download the SSRS media – there was a bug in a recent version that was fixed in the latest version.
Hi Kelvin – Is it mandatory to have Domain Admin privilege for the SCOM Management server Action account? Please confirm.
No, not at all, and nowhere in our documentation does it say that!
That would be a worst practice. No SCOM service accounts should have any high privilege level.
Thanks Kelvin.