Security requirements

The following components are required as part of implementing Performance Store.

Servers

  • A SQL Server to host the Performance Store database.
  • A Windows server to host Grafana and the Performance Store helper services.
  • (Optional) A Windows server to host the Performance Store service.

Use a separate Windows server solely for the Performance Store service. This keeps the network that clients connect to (Grafana and the helper services) separate from the network in which the Performance Store service communicates with the production and non-production SQL Servers it monitors.

Architecture overview

Security groups

  • An AD group to contain users (usually the DBA group) that will have full access to the Performance Store database.

Service account users

  • A Performance Store service account. The Performance Store service will run under this context, and this will be the service account used to communicate with the various SQL Servers to be monitored.

Requirements for existing infrastructure

  • It must be possible to execute WMI calls from the Performance Store service against the monitored servers (not required for SQL Server on Linux).
  • Performance Store Graphs are available through a web browser on port 80 (or any other port chosen when installing Performance Store).
  • Administrators should open port 9400 in the firewall for access to the Performance Store helper web service. Each team communicates with the Performance Store web application on its own port (9401, 9402, and so on), so a separate port must be opened in the firewall for each team.

The Performance Store service account must be a member of the local Administrators group on each monitored SQL Server because Performance Store uses WMI calls to collect information about the local disks and processors. Performance Store will still function if the service account is not a local administrator; in that case it behaves as if it were monitoring SQL Server on Linux, with the same limitations. Weigh the value of the disk and processor metrics against granting local administrator rights on every monitored production host.

The Performance Store service account is automatically granted the following permissions on each monitored SQL Server:

  • Connect SQL
  • Connect any database
  • View server state
  • View any definition
  • Alter any database (used only if auto-offline databases is enabled in the Settings menu)
  • On SQL Server 2008, 2008 R2 and 2012, the Performance Store service account will be granted CONTROL SERVER permission. CONTROL SERVER is effectively sysadmin-level access, so on those versions protect the service account accordingly.
  • On SQL Server 2022, the Performance Store service account will be granted VIEW SERVER PERFORMANCE STATE permission.
  • In the msdb database the user will have GRANT SELECT on: syscategories, sysjobhistory, sysjobs
  • In the msdb database the user will have GRANT EXECUTE on sp_get_sqlagent_properties
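As an added example (not Performance Store's own provisioning script, which applies these grants automatically), the following T-SQL shows what the permission list above amounts to on a monitored instance and how a DBA can audit what the service account actually holds afterwards. The login name CONTOSO\svc_perfstore is an assumed placeholder, and the version thresholds (CONNECT ANY DATABASE from SQL Server 2014, VIEW SERVER PERFORMANCE STATE from SQL Server 2022) and the CONTROL SERVER flagging are additions of this example rather than documented product behaviour.

```sql
-- Added example, not Performance Store's own script.
-- Assumed placeholder service account: CONTOSO\svc_perfstore (replace with yours).
-- Run as sysadmin on each monitored instance.
USE master;
GO
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\svc_perfstore')
    CREATE LOGIN [CONTOSO\svc_perfstore] FROM WINDOWS;
GO

-- Server-level grants from the list above. Permissions that do not exist on older
-- versions are issued through dynamic SQL so this batch still compiles there.
DECLARE @major int =
    CAST(PARSENAME(CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(128)), 4) AS int);

GRANT CONNECT SQL         TO [CONTOSO\svc_perfstore];
GRANT VIEW SERVER STATE   TO [CONTOSO\svc_perfstore];
GRANT VIEW ANY DEFINITION TO [CONTOSO\svc_perfstore];

IF @major >= 12   -- SQL Server 2014 and later (assumed threshold: CONNECT ANY DATABASE was added in 2014)
    EXEC sp_executesql N'GRANT CONNECT ANY DATABASE TO [CONTOSO\svc_perfstore];';
ELSE              -- 2008, 2008 R2, 2012: the page states CONTROL SERVER is granted here
    GRANT CONTROL SERVER TO [CONTOSO\svc_perfstore];

IF @major >= 16   -- SQL Server 2022
    EXEC sp_executesql N'GRANT VIEW SERVER PERFORMANCE STATE TO [CONTOSO\svc_perfstore];';

-- Only needed when "auto-offline databases" is enabled in Settings; leave it out otherwise.
-- GRANT ALTER ANY DATABASE TO [CONTOSO\svc_perfstore];
GO

-- msdb grants from the list above.
USE msdb;
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CONTOSO\svc_perfstore')
    CREATE USER [CONTOSO\svc_perfstore] FOR LOGIN [CONTOSO\svc_perfstore];
GRANT SELECT  ON dbo.syscategories TO [CONTOSO\svc_perfstore];
GRANT SELECT  ON dbo.sysjobhistory TO [CONTOSO\svc_perfstore];
GRANT SELECT  ON dbo.sysjobs       TO [CONTOSO\svc_perfstore];
GRANT EXECUTE ON dbo.sp_get_sqlagent_properties TO [CONTOSO\svc_perfstore];
GO

-- Audit: explicit server-level grants held by the account, flagging anything
-- outside the documented set. CONTROL SERVER is sysadmin-equivalent and is only
-- expected on 2008 / 2008 R2 / 2012.
USE master;
GO
SELECT pe.permission_name, pe.state_desc,
       CASE
           WHEN pe.permission_name = 'CONTROL SERVER'
                THEN 'REVIEW: sysadmin-equivalent (expected only on 2008/2008 R2/2012)'
           WHEN pe.permission_name IN ('CONNECT SQL', 'CONNECT ANY DATABASE',
                                       'VIEW SERVER STATE', 'VIEW ANY DEFINITION',
                                       'ALTER ANY DATABASE', 'VIEW SERVER PERFORMANCE STATE')
                THEN 'expected'
           ELSE 'REVIEW: beyond documented set'
       END AS assessment
FROM sys.server_permissions AS pe
JOIN sys.server_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'CONTOSO\svc_perfstore';

-- Effective server permissions as the account itself sees them. This also surfaces
-- anything inherited through server role membership, which the query above omits.
EXECUTE AS LOGIN = N'CONTOSO\svc_perfstore';
SELECT permission_name FROM sys.fn_my_permissions(NULL, 'SERVER') ORDER BY permission_name;
REVERT;
GO
```

Run the audit part on its own after installation to confirm the grants match this page; a CONTROL SERVER row on a 2014-or-later instance, or any server role membership appearing only in the second result set, is worth investigating before the account is trusted against production servers.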