What are the minimum SQL permissions to perform Add Repository User on the GPO_REPOSITORY database? (NETIQKB40580)

  • 7740580
  • 02-Feb-2007
  • 19-May-2009

Environment

NetIQ Group Policy Administrator 5.0
NetIQ Group Policy Administrator 4.x

Microsoft SQL Server

Situation

What are the minimum permissions in SQL to perform Add Repository User on the GPO_REPOSITORY database?

How do I grant the necessary SQL permissions to add a repository user?

How do I add a repository user?

How do I add a user account in SQL Enterprise Manager under the Security node?

How do I assign the db_owner SQL permission?

The Add button in the Add Repository User wizard is grayed out even though the user has full control access in the Repository.

Resolution

At minimum, a user must have the SQL role db_owner in the GPO_REPOSITORY database in order to perform the Add Repository User function.

To manually add the user account in SQL Enterprise Manager under the Security node, perform the following steps:

  1. Launch the SQL Enterprise Manager MMC snap-in locally on the repository server (usually found by choosing Start Menu > Programs > Microsoft SQL Server > Enterprise Manager).
  2. Navigate to the following node: Console Root > Microsoft SQL Servers > SQL Server Group > (local) (Windows NT) > Security > Logins.
  3. Double-click the account you want to modify, and then click Database Access.
  4. Select the GPO_REPOSITORY database in the top pane.
  5. In the bottom pane, place a check mark in the column next to the db_owner role to grant access. The Add button in the Add Repository User dialog box is now available.


Cause

The user account must have the db_owner role in the GPO_REPOSITORY database to add repository users.

Performing an "Add Repository User" action in GPA creates an SQL login in SQL and grants the account access to the GPO_Repository database. Even when a user has been delegated GPR security to give another user the ability to perform an "Add Repository User" action, GPA still checks that the account is able to create an SQL login.

GPA first checks whether the account has the Security Admin Role in SQL. This role is required for the account to create an SQL login. GPA then checks that the account has the db_owner role on the GPO_Repository database, which enables it to grant the account rights to the Repository database.
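
The db_owner grant from the Enterprise Manager steps, and a check of the two roles GPA looks for, can also be scripted in T-SQL. This is an added example, not part of the original article; CONTOSO\gpa_admin is a placeholder for an existing login, and the script assumes the system procedures available since SQL Server 2000.

```sql
-- Added example. CONTOSO\gpa_admin is a placeholder; replace it with the
-- login that will run the Add Repository User wizard.
USE GPO_REPOSITORY;
GO

-- Equivalent of steps 3-5 in Enterprise Manager:
-- map the login into the database if it has no user there yet ...
IF NOT EXISTS (SELECT 1 FROM sysusers
               WHERE sid = SUSER_SID(N'CONTOSO\gpa_admin'))
    EXEC sp_grantdbaccess N'CONTOSO\gpa_admin';

-- ... then add that user to the db_owner fixed database role.
EXEC sp_addrolemember N'db_owner', N'CONTOSO\gpa_admin';
GO

-- Check 1: server-level role needed to create SQL logins.
-- Returns 1 = member, 0 = not a member, NULL = login or role not valid.
SELECT IS_SRVROLEMEMBER('securityadmin', N'CONTOSO\gpa_admin')
       AS has_securityadmin;

-- Check 2: confirm the account now appears under db_owner.
-- The full list is also worth reviewing periodically, since db_owner
-- grants complete control of the repository database.
EXEC sp_helprolemember N'db_owner';

-- Optional audit: every login currently holding securityadmin.
EXEC sp_helpsrvrolemember N'securityadmin';
GO
```

If has_securityadmin returns 0, the account does not hold the server role that the Cause section says GPA checks before creating an SQL login.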

Additional Information

Formerly known as NETIQKB40580

Use the following procedure to grant the user account full control access in the GPR security tab:

  1. Select the Repository Server node under GP Repository.
  2. Click View > Manage GPR Security.
  3. Right-click the Repository Server node and click Properties.
  4. Click the GPR Security tab at the top.
  5. Click the Add button and type the name of the user.
  6. Ensure a check mark is present in the column next to Full Control.