Account and Permissions Checklist
When setting up the product and data collection, Cygna Entitlement and Security will prompt you to enter account credentials for specific services and applications the product requires access to. For your reference, below is a complete list of accounts with required rights and permissions.
| ACCOUNT | WHAT IS IT USED FOR? | REQUIRED PERMISSIONS |
|---|---|---|
| Domain account | Active Directory credentials used to connect to a domain and collect entitlement data. Note that collection is a read-only operation and doesn't make any changes in your Active Directory environment. | Using a Domain administrator account is recommended. Alternatively, ensure the account running entitlement collection has "read all properties" and "read DACL" enabled for every object in the monitored domains, including child domains and trusted domains. Contact Cygna Support if you cannot use the Domain administrator account and need help setting up an account with fewer privileges. |
| IIS identity account | The account running IIS can be either LocalSystem or a custom domain account. | A custom domain user account must be a member of the local Administrators group and granted the "Log on as a batch job" and "Log on as a service" permissions. |
| Database account | Account with Windows or SQL Server authentication used to connect to the SQL Server instance. During the collection setup, Cygna Entitlement and Security will create a database on a SQL Server instance you specify. This database will be used to store entitlement data. | SQL Authentication: The SQL Server account must have the dbowner role on the created Entitlement database in order to create the schema. Windows Authentication: The account that runs the Entitlement service (by default, LOCAL SYSTEM of the server it is running on) must have the dbreader and dbwriter roles assigned. The account selected to create the database and schema must have rights to create the schema. |
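
For the Domain account alternative to a Domain administrator, the sketch below audits whether a dedicated collection account holds "read all properties" and "read DACL" at the domain root and on objects that do not inherit from it. It is an added example, not Cygna's procedure or code. It assumes the RSAT ActiveDirectory module, and the account name `EXAMPLE\svc-entitlement` is a placeholder.

```powershell
# Added example (not vendor code): audit the read-only alternative to Domain Admin.
# Assumptions: RSAT ActiveDirectory module; EXAMPLE\svc-entitlement is a placeholder.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$Account = 'EXAMPLE\svc-entitlement'
# "read all properties" = ReadProperty, "read DACL" = ReadControl
$Needed  = [int][System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, ReadControl'

function Test-ReadAce {
    param(
        [System.DirectoryServices.ActiveDirectorySecurity]$Sd,
        [string]$Identity
    )
    $granted = 0
    $rules = $Sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($ace in $rules) {
        if ($ace.IdentityReference.Value -ne $Identity) { continue }
        if ($ace.AccessControlType -ne 'Allow')          { continue }
        # Skip ACEs scoped to a single property or property set
        if ($ace.ObjectType -ne [guid]::Empty)           { continue }
        $granted = $granted -bor [int]$ace.ActiveDirectoryRights
    }
    # True only when both rights are granted across the matching Allow ACEs
    return (($granted -band $Needed) -eq $Needed)
}

$domainDN = (Get-ADDomain).DistinguishedName

# Report the domain root plus every object with inheritance disabled:
# those objects never receive an ACE delegated at the root.
Get-ADObject -Filter * -SearchBase $domainDN -Properties nTSecurityDescriptor |
    Where-Object {
        $_.DistinguishedName -eq $domainDN -or
        $_.nTSecurityDescriptor.AreAccessRulesProtected
    } |
    ForEach-Object {
        [pscustomobject]@{
            DistinguishedName    = $_.DistinguishedName
            InheritanceDisabled  = $_.nTSecurityDescriptor.AreAccessRulesProtected
            AccountHasReadRights = Test-ReadAce $_.nTSecurityDescriptor $Account
        }
    }
```

The check looks only at Allow ACEs naming the account itself, so rights granted through group membership, Deny ACEs, and ACEs limited to one object class are not evaluated. Run it once per monitored domain, including child and trusted domains.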