
SCOM 2022 Security Account Matrix

Below you will find a security account matrix for SCOM 2022 that includes all the common service and security accounts in SCOM and their default or recommended permissions. This covers the management servers, the database servers, SQL Role permissions, and database mappings. You can use it to correct deployments where permissions were modified incorrectly, or to verify that a least-privileged model is being used.
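To compare a live deployment against the matrix, it helps to dump what the SQL instance actually has: which login maps to which database user in each SCOM database, which database roles that user holds, and which server-level roles the same logins hold. The T-SQL below is an added example for that audit, not part of the original post or the downloadable matrix. It assumes the default database names OperationsManager and OperationsManagerDW (adjust the list if yours were renamed) and should be run by a login that can read the system catalog views on the SCOM SQL instance.

```sql
-- Added example: enumerate login -> database user -> database role mappings for the
-- SCOM databases so the output can be compared row-by-row with the security matrix.
-- Assumption: default database names; edit the @dbs list if your databases were renamed.
SET NOCOUNT ON;

DECLARE @dbs TABLE (name sysname);
INSERT INTO @dbs (name) VALUES ('OperationsManager'), ('OperationsManagerDW');

DECLARE @results TABLE (
    database_name sysname,
    login_name    sysname NULL,   -- NULL means an orphaned database user with no login
    database_user sysname,
    database_role sysname
);

DECLARE @db sysname, @sql nvarchar(max);

-- Only visit databases that actually exist on this instance.
DECLARE db_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT d.name
    FROM @dbs d
    JOIN sys.databases s ON s.name = d.name;

OPEN db_cursor;
FETCH NEXT FROM db_cursor INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Dynamic SQL because catalog views must be read in the context of each database.
    SET @sql = N'
        SELECT ' + QUOTENAME(@db, '''') + N' AS database_name,
               sp.name AS login_name,
               dp.name AS database_user,
               r.name  AS database_role
        FROM ' + QUOTENAME(@db) + N'.sys.database_principals dp
        JOIN ' + QUOTENAME(@db) + N'.sys.database_role_members rm
             ON rm.member_principal_id = dp.principal_id
        JOIN ' + QUOTENAME(@db) + N'.sys.database_principals r
             ON r.principal_id = rm.role_principal_id
        LEFT JOIN sys.server_principals sp
             ON sp.sid = dp.sid
        WHERE dp.type IN (''S'', ''U'', ''G'')   -- SQL user, Windows user, Windows group
          AND dp.name NOT IN (''dbo'', ''guest'', ''INFORMATION_SCHEMA'', ''sys'');';

    INSERT INTO @results (database_name, login_name, database_user, database_role)
    EXEC sp_executesql @sql;

    FETCH NEXT FROM db_cursor INTO @db;
END
CLOSE db_cursor;
DEALLOCATE db_cursor;

-- Database-level view: one row per (database, login, role). Compare with the
-- "SQL Role permissions" and "database mappings" columns of the matrix.
SELECT database_name, login_name, database_user, database_role
FROM @results
ORDER BY database_name, login_name, database_role;

-- Server-level view: fixed server roles (sysadmin, etc.) held by the same logins.
-- Anything listed here should be checked against the matrix row for that account.
SELECT sp.name AS login_name, r.name AS server_role
FROM sys.server_role_members srm
JOIN sys.server_principals r  ON r.principal_id  = srm.role_principal_id
JOIN sys.server_principals sp ON sp.principal_id = srm.member_principal_id
WHERE sp.name IN (SELECT login_name FROM @results WHERE login_name IS NOT NULL)
ORDER BY sp.name, r.name;
```

Rows whose login_name is NULL are orphaned database users (a SID with no matching server login), which typically show up after a database has been restored to another instance; they are worth reconciling before comparing the rest against the matrix.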

Download:  https://kevinholman.com/files/SCOM2022_Security_Matrix.xls

Example: (screenshot of the matrix spreadsheet)

This matrix is for SCOM 2022. 

For SCOM 2019, please see:  https://kevinholman.com/2020/07/23/scom-2019-security-account-matrix/

For SCOM 2016, please see:  https://kevinholman.com/2019/03/08/scom-2016-security-account-matrix/

11 Comments

    • Kevin Holman

      For the agent – that should be Local System (as the Default Agent Action Account)
      For the Management Server – that is the Management Server Action Account as documented.

  1. Wayne

    Hey Kevin,

    Did you notice or get an error that if the data reader account is not part of local admin, then the http:\server\\reportserver site errors out with an HTTP 500 code?

    We realized this from the SSRS log files (SSRS\LogFiles): it was getting access denied to SSRS\ReportServer\RSTempFiles.

    We had to grant the data reader account permission to the ReportServer\RSTempFiles folder to resolve the issue.

    Not sure if we missed a step somewhere else.

  2. Chris Keown

    Hi Kevin, so management is insisting that they use the SCOM_Admin account for the data reader and data writer account. I told them this is a security risk but they said that is what they want and will not discuss it further. When installing SCOM Reporting it continues to fail with a corrupt SSRS encryption key. I verified the key was good and able to be backed up prior to SCOM Reporting installation. Is this due to using the SCOM admin account possibly?

    • Kevin Holman

      It is fine to use a single account for all SCOM roles. It isn’t really a security risk. It was considered a “best practice” for least priv per role, but there is so much crossover in SCOM roles, that this practice really just overcomplicated things. I have many customers who use a single domain account for everything.

      If you are using SCOM 2022 and SQL 2022 – make sure you re-download the SSRS media – there was a bug in a recent version that was fixed in the latest version.

    • Kevin Holman

      No, not at all, and nowhere in our documentation does it say that!

      That would be a worst practice. No SCOM service accounts should have any high privilege level.
