Granting SQL Access through Server Roles

EmpowerID utilizes multiple Windows Services to host job functions as well as WCF web services. The EmpowerID services each require a user identity with the necessary privileges to perform their designated tasks. We recommend the creation of a custom database role named "EmpowerIDService" that you can use to give the service account user the minimum database rights needed for each service. To access the EmpowerID database, the following rights are required by all Windows Services and can be granted directly to the service account user or by a custom SQL Role having these rights:

Required Windows Service Rights
Connect
Authenticate
Execute
Delete
Insert
Select
Update

Alter — Needed on the following tables only to allow for truncation:

  • PersonOrgRoleOrgZoneReEvalTempAccountData
  • PersonOrgRoleOrgZoneReEvalTempPersonData
  • PersonManadatoryAttributesTemp
  • PersonMandatoryAttributesTempPreview
  • PersonMandatoryAttributesOverwritePreview
  • AccountObjectAttributeOutboxPreview

To grant rights to the EmpowerID Service Role

  1. Open SQL Server Management Studio.
  2. In Object Explorer, expand the Security node, right-click Logins and select New Login from the context menu.

  3. In the Login-New window that appears, select the General page and then enter the service account into the Login name field.

  4. In the Server Roles page, select public as the server role.

  5. In the User Mapping page, select the EmpowerID database and grant membership to the public and EmpowerIDService roles.
    6. EmpowerID recommends selecting the db_owner role in addition to the two above-mentioned roles.

  6. Click OK.