Least Privileges Requirement for Archer Database Objects
The principle of least privileges grants the minimum permissions required for day-to-day operations of Archer. To operate on a day-to-day basis using least privileges, the database user account connecting to both the Instance and Configuration databases requires the following privileges:
- Data Reader Rights (member of the db_datareader role).
- Data Writer Rights (member of the db_datawriter role).
- Run permissions on all stored procedures and scalar functions.
- Select permissions on all views, table-valued functions, and in-line functions.
- Run permissions on the system stored procedure sp_procedure_params_100_managed of the parent database.
- Run permissions on the user-defined table type content_date_Table_Type of the Platform Instance database.
- Reference permissions on the user-defined table type content_date_Table_Type of the Platform Instance database.
- Run permissions on the _BulkType user-defined table types of the Platform Instance database, if provisioned for Offline Access.
- Reference permissions on the _BulkType user-defined table types of the Platform Instance database, if provisioned for Offline Access.
- Run GRANT EXECUTE to give the account permission to run stored procedures.
Within the Instance and Configuration databases, the user must have access to objects belonging to both the dbo and mswf4 schemas.
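The T-SQL below is an added example, not vendor-supplied code. It generates the grants in the list above for review before anything is applied. The user name archer_app, the reading of "_BulkType" as a name suffix, and the database context for the system stored procedure grant are assumptions.

```sql
-- Added example, not vendor-supplied. Run once in the Instance database and once
-- in the Configuration database as a principal that is allowed to grant permissions.
-- ASSUMPTIONS: archer_app is a placeholder for the existing database user mapped
-- to the Archer runtime account; STRING_AGG needs SQL Server 2017 or later.
DECLARE @u nvarchar(258) = QUOTENAME(N'archer_app');
DECLARE @nl nchar(1) = NCHAR(10);
DECLARE @sql nvarchar(max);

-- Data Reader and Data Writer rights.
SET @sql = N'ALTER ROLE db_datareader ADD MEMBER ' + @u + N';' + @nl
         + N'ALTER ROLE db_datawriter ADD MEMBER ' + @u + N';' + @nl;

-- EXECUTE on stored procedures and scalar functions; SELECT on views,
-- table-valued functions and inline functions; dbo and mswf4 schemas only.
SELECT @sql += ISNULL(STRING_AGG(CAST(
           N'GRANT ' + CASE WHEN o.type IN ('P', 'FN') THEN N'EXECUTE' ELSE N'SELECT' END
         + N' ON OBJECT::' + QUOTENAME(s.name) + N'.' + QUOTENAME(o.name)
         + N' TO ' + @u + N';' AS nvarchar(max)), @nl) + @nl, N'')
FROM sys.objects AS o
JOIN sys.schemas AS s ON s.schema_id = o.schema_id
WHERE s.name IN (N'dbo', N'mswf4')
  AND o.type IN ('P', 'FN', 'V', 'TF', 'IF');

-- EXECUTE and REFERENCES on content_date_Table_Type and, where Offline Access is
-- provisioned, on the _BulkType table types (ASSUMPTION: names ending in _BulkType).
-- In a database without these types this step adds nothing.
SELECT @sql += ISNULL(STRING_AGG(CAST(
           N'GRANT EXECUTE, REFERENCES ON TYPE::' + QUOTENAME(s.name) + N'.'
         + QUOTENAME(t.name) + N' TO ' + @u + N';' AS nvarchar(max)), @nl) + @nl, N'')
FROM sys.table_types AS t
JOIN sys.schemas AS s ON s.schema_id = t.schema_id
WHERE t.name = N'content_date_Table_Type' OR t.name LIKE N'%[_]BulkType';

-- System stored procedure named on the page. ASSUMPTION: the grant is issued in
-- the current database; the page says "parent database" without naming it.
SET @sql += N'GRANT EXECUTE ON OBJECT::sys.sp_procedure_params_100_managed TO ' + @u + N';';

-- Review the generated statements first, then uncomment the EXEC to apply them.
SELECT @sql AS grant_script;
-- EXEC sys.sp_executesql @sql;
```

Because the grants are generated per object, rerun the script after an upgrade adds procedures, functions, or views.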
When installing or upgrading Archer, use an account with membership in the db_ddladmin, db_datareader, and db_datawriter roles.
Archer does not recommend that you do this for the installer; for simplicity’s sake, stick with dbo.
Note: In the event of a failed install, the install needs to be resumed from a backup.