Database User and Permission Options


This article applies to:

  • Trustwave MailMarshal (SEG) 6.8 and above
  • Trustwave ECM/MailMarshal Exchange 7.X

Question:

  • What are the options and required permissions to create or use a SQL database with SEG or ECM?

Information:

This article describes the available functionality for database creation, permissions, and security in current versions of the named products, and provides recommendations for use. These options are present in the installation wizard and the Server Tool.

Security Features:

  • Windows Authentication: All product components can use either Windows or SQL authentication to connect to the database. "Mixed Mode" is not required.
  • System Service Account option: By default the Array Manager service runs under the Local System account. If the database is located on the Array Manager server, MailMarshal can access the database using this account. For the MailMarshal (SEG) 10.X Configuration Service database, the IIS Application Pool account is used in a similar way.
  • Operational User option: In earlier versions, the SQL SA account was the only credential that could realistically be used to access the database.

    In the current versions, SEG or ECM can assign limited rights to a Windows or SQL account, and use this account for daily operations such as configuration and logging storage.
    • To upgrade, or to create a completely new database, you must use another account with sysadmin rights.
    • If you are logged in to a server as an administrator, the installer may be able to use your Windows credential when upgrading.
    • The installer and server tool will prompt for an elevated account credential when required. The product does not store this credential.
  • Existing database option: The installer or tool can create or re-create all required tables and other items within an existing database. With this option, the product requires database owner rights but not database creation rights. In this scenario:
    1. The SQL Server administrator creates an empty database for SEG or ECM to use. The administrator can control other options such as the disk location of the database.
    2. The SQL Server administrator creates a login with Database Owner rights on the new database, to be used for all other purposes. 
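
The two administrator steps above, written out as T-SQL with a check that the resulting login holds no server-level administrative role. This is an added example, not a script from Trustwave. The login name seg_operational, the password placeholder and the file paths are assumptions; TrustwaveSEG is the default database name mentioned in this article. ALTER ROLE ... ADD MEMBER assumes SQL Server 2012 or later, and GO is the batch separator used by sqlcmd and Management Studio.

```sql
-- Added example: run as a SQL Server administrator (sqlcmd or Management Studio).
-- seg_operational, the password and the file paths are placeholders.

-- Step 1: create the empty database. The administrator chooses the disk location.
CREATE DATABASE [TrustwaveSEG]
ON PRIMARY (NAME = N'TrustwaveSEG_data', FILENAME = N'D:\SQLData\TrustwaveSEG.mdf')
LOG ON     (NAME = N'TrustwaveSEG_log',  FILENAME = N'E:\SQLLogs\TrustwaveSEG.ldf');
GO

-- Step 2: create the login the product will use.
-- SQL authentication is shown; for a Windows account use instead:
--   CREATE LOGIN [DOMAIN\svc_seg] FROM WINDOWS;
CREATE LOGIN [seg_operational]
WITH PASSWORD = N'<replace-with-strong-password>',
     CHECK_POLICY = ON,
     DEFAULT_DATABASE = [TrustwaveSEG];
GO

-- Map the login into the new database only, and grant Database Owner rights there.
USE [TrustwaveSEG];
GO
CREATE USER [seg_operational] FOR LOGIN [seg_operational];
ALTER ROLE [db_owner] ADD MEMBER [seg_operational];
GO

-- Verification. is_sysadmin = 1 would mean the login holds sysadmin,
-- which the existing database option does not require.
SELECT IS_SRVROLEMEMBER(N'sysadmin', N'seg_operational') AS is_sysadmin,
       IS_ROLEMEMBER(N'db_owner', N'seg_operational')    AS is_db_owner;

-- List every server-level role the login belongs to, to catch unintended grants.
SELECT p.name AS login_name, r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = m.member_principal_id
WHERE p.name = N'seg_operational';
GO
```

Enter this login under User Name in the Custom Install or the Server Tool, and select the option to use the existing database.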

Upgrading:

The installer upgrades the existing databases. These could also include the Syslog database and the MailMarshal (SEG) 10.X Configuration Service database.

  • When upgrading from SEG 8.2 to MailMarshal (SEG) 10.X you must specify the location and credentials for the new Configuration Service database. Use a credential with permission to create the database. If the SQL server is on the Array Manager computer, you can choose to use the Application Pool identity account.

The installer could report that the "operational user" has administrative rights. This message is for information only. You can safely click OK to continue.

  • If you want to continue using the same credential, you do not need to take any further action.
  • To set up an operational user with lower rights, after upgrading you can run the Server Tool.

The installer will attempt to use the configured credentials, or the credentials of the logged in user. If necessary, the installer will prompt you for an account with sufficient rights to upgrade. The permission required for this purpose is sysadmin.

New installations:

The product installer offers you the choice of Basic or Custom install.

Basic Install

The Basic Install assumes that a SQL Server or SQL Express instance is available on the same server, either as the default (unnamed) instance, or as localhost\SQLEXPRESS.

  • The Installer attempts to connect to this instance using the system service account. The installer attempts to use the database TrustwaveSEG or MailMarshalExchange.
    • The default database is MailMarshal in versions of SEG/MailMarshal SMTP prior to 7.5.
  • If this database does not exist the installer creates it. If the database exists, you can choose to use it or re-create it.
  • For MailMarshal (SEG) 10.X the installer also creates the Configuration Service database using the IIS application pool account.
  • If the Basic Install process encounters problems with database access or permissions, the installation reverts to a Custom Install.

Custom Install

The Custom Install allows the full range of database and security options, including remote server name and instance. For MailMarshal (SEG) 10.X, you can enter separate locations and credentials for the Configuration Service database and the main product database.

SQL Server name
Specify the SQL Server as servername[\instance][,port]
Specify either the instance or the port, but not both. For named instances, use the instance parameter. Named instances require SQL Server Browser to be running on the server.
Database Name
Specify the name of the database on the SQL server. If you enter the name of an existing database, the installer will check permissions and database contents and ask for confirmation.
  • To use an empty database that has been created by the SQL administrator, select the option "Use this database but delete all the data in it".
System Service Account
Specifies that the product will use the Local System account. This option is only available if the main product database is local to the (standalone or Array Manager) server. For this option to work correctly, the Array Manager service MUST run under the Local System account.
Application Pool Account
Specifies that the product will use the IIS Application Pool account of the Configuration Service website. This option is only available if the Configuration Service database is local to the (standalone or Array Manager) server.
User Name
Specifies that the product will use a named Windows or SQL account (enter a Windows account as domain\user). Before entering an account, ensure that the account exists.
  • You can create a SQL account, if necessary, using SQL Server management tools.
  • To use a Windows account, ensure that the account has permission to connect to the SQL Server computer.
The installer will assign the required database permissions to the account if necessary.
  • If the account has full administrative access, it will recommend that you use an Operational User account instead.
  • If the account does not have permission to connect and configure the database, the installer will ask you to provide a credential with higher permissions. This credential will only be used to configure the operational account, and will not be saved. The credential must have sysadmin rights.

Server Tool:

The Database window of the Server Tool (on the Array Manager computer) provides the same options as the Custom Install. For more information about this tool, see Help.


Last Modified 5/26/2020.
https://support.trustwave.com/kb/KnowledgebaseArticle12939.aspx