BBC and NAV

Provisioning Business Central Account

Provisioning Business Central Account
Provisioning Business Central Account
0
Shares
0
0

You can easily set up the Business Central service account using a script. This is called provisioning the Business Central service account.

Business Central clients use the Business Central service account to connect to an instance of the Business Central Server. The server then uses this account to access the Business Central database. During the installation of Business Central Server, an Active Directory account is specified to establish the server credentials. By default, the Business Central Server runs under the Network Service account. This is a predefined local account with minimal rights on the local machine. It acts as the identity of the computer within the network.

It is recommended instead to create a dedicated domain user account to run the Business Central Server. The Network Service account is considered less secure because it can be shared with other network services. Users with rights on this account automatically have access to all services running under it. By setting up a specific domain user account, the same account can also be used for SQL Server, regardless of whether SQL Server is running on the same machine. In this blog post, we assume the domain user account for provisioning the Business Central service account.

If you choose to continue using the Network Service account, no specific configuration is required. However, it is important to verify that this account has the proper database permissions in SQL Server, as described in the documentation about required database permissions for the service account.

Enabling the account to log on as a service

Depending on various factors, the account may already have the ability to log on as a service. For example, if you have previously installed SQL Server and configured it to run under the same account, SQL Server may have already modified the account to log on as a service. When this permission is missing, Business Central Server instances may not be able to start.

You can enable log on as a service using the Local Security Policy console on the computer running SQL Server.

To open the Local Security Policy console, do one of the following:

  • Type secpol.msc in the search box on the Start screen and press Enter.
  • From Server Manager or Control Panel, open Administrative Tools.
  • Expand Local Policy and select User Rights Assignment.

Right-click on Log on as a service and select Properties.

Select Add User or Group, find the user account that you are using as the Business Central service account, and add it.

For more information, see Configure security policy settings.

TSQL script for provisioning the Business Central service account

-- Declare variables
DECLARE @DomainAccount NVARCHAR(100) = 'domain\accountname'
DECLARE @DatabaseName NVARCHAR(128) = 'Business Central Database'

-- Server-level (master database)
DECLARE @SQL NVARCHAR(MAX)

SET @SQL = '
USE [master];

IF NOT EXISTS (SELECT * FROM sys.server_principals WHERE name = ''' + @DomainAccount + ''')
    CREATE LOGIN [' + @DomainAccount + '] FROM WINDOWS;

IF NOT EXISTS (SELECT * FROM sys.database_principals WHERE name = ''' + @DomainAccount + ''')
    CREATE USER [' + @DomainAccount + '] FOR LOGIN [' + @DomainAccount + '];

GRANT SELECT ON [master].[dbo].[$ndo$srvproperty] TO [' + @DomainAccount + '];

IF NOT EXISTS (
    SELECT * 
    FROM sys.server_role_members rm
    JOIN sys.server_principals r ON rm.role_principal_id = r.principal_id
    JOIN sys.server_principals m ON rm.member_principal_id = m.principal_id
    WHERE r.name = ''dbcreator'' AND m.name = ''' + @DomainAccount + '''
)
    ALTER SERVER ROLE [dbcreator] ADD MEMBER [' + @DomainAccount + '];
'
EXEC sp_executesql @SQL

-- Database-level (Business Central database)
SET @SQL = '
USE [' + @DatabaseName + '];

IF NOT EXISTS (SELECT * FROM sys.database_principals WHERE name = ''bc_server_runtime'')
    CREATE ROLE bc_server_runtime;

IF NOT EXISTS (
    SELECT dp.name, rm.member_principal_id
    FROM sys.database_principals dp
    LEFT JOIN sys.database_role_members rm ON dp.principal_id = rm.role_principal_id
    WHERE dp.name = ''db_datareader'' AND rm.member_principal_id IS NULL
)
    ALTER ROLE db_datareader ADD MEMBER bc_server_runtime;

IF NOT EXISTS (
    SELECT dp.name, rm.member_principal_id
    FROM sys.database_principals dp
    LEFT JOIN sys.database_role_members rm ON dp.principal_id = rm.role_principal_id
    WHERE dp.name = ''db_datawriter'' AND rm.member_principal_id IS NULL
)
    ALTER ROLE db_datawriter ADD MEMBER bc_server_runtime;

IF NOT EXISTS (
    SELECT dp.name, rm.member_principal_id
    FROM sys.database_principals dp
    LEFT JOIN sys.database_role_members rm ON dp.principal_id = rm.role_principal_id
    WHERE dp.name = ''db_ddladmin'' AND rm.member_principal_id IS NULL
)
    ALTER ROLE db_ddladmin ADD MEMBER bc_server_runtime;

GRANT VIEW CHANGE TRACKING ON SCHEMA::[dbo] TO bc_server_runtime;
GRANT VIEW DATABASE STATE TO bc_server_runtime;
GRANT ALTER ON DATABASE::[' + @DatabaseName + '] TO bc_server_runtime;

IF NOT EXISTS (SELECT * FROM sys.database_principals WHERE name = ''' + @DomainAccount + ''')
    CREATE USER [' + @DomainAccount + '] FOR LOGIN [' + @DomainAccount + '];

ALTER ROLE bc_server_runtime ADD MEMBER [' + @DomainAccount + '];
'
EXEC sp_executesql @SQL

You can find the original article here.

You can contact me via this contact form.

0
0
Share 0
Share 0
0 Shares:
Share 0
Share 0

— Previous article

Privacy policy Digitale Mels

Next article —

PowerShell and credentials

You May Also Like