Info: Why does Trust Protection Platform Require DBO Access to the TPP Database?

Applies To:

Trust Protection Platform 20.1 and higher


Beginning with Trust Protection Platform 20.1 the SQL Service account was separated into 2 different roles. An operational role for the day-to-day operations of Trust Protection platform and DBO account for actions that require elevated privileges on the database. 

Additional Details:

  • What is the DBO role on Microsoft SQL?
    • In Microsoft SQL Server, the DBO or Database Owner is a server-level principal that has full access to the owned database. The account created for use by TPP with DBO permissions will only require access the to single database used by TPP and no other database that may be co-located on the SQL server.
  • What does Venafi Trust Protection Platform use the DBO role for currently?
    • When using Venafi Configuration Console (VCC), tables, stored procedures, and other database structures are created on the fly.
    • During install and upgrade operations, structural changes in the database may be required which will necessitate DBO permission.
    • On service initialization a permissions check is performed on the operational account to ensure it always has the permissions it needs to do every day operations. If there are problems with the permissions they are corrected automatically by the DBO account.
    • Also on service initialization, a check is made to ensure that the SQL Service Broker is running. If the broker is not running, the DBO account automatically starts it.
  • Why is there a required DBO account and a recommended separate operational account?
    • Venafi recommends using two separate database service accounts for Trust Protection Platform to communicate with and manage the database. Having separate accounts is in line with the "Least Permissions" security principle, and is a more secure way to configure your system.
  • Can I run Trust Protection Platform with no DBO account? How about only during upgrades?
    • No, the DBO permission is a persistent requirement for Trust Protection Platform. If it is not granted to the appropriate account, services will fail to start.


Was this article helpful?
0 out of 0 found this helpful