Database Requirements

Before installing the console, log in as a domain or local administrator and install the SQL Server database.

Supported Versions

On Premises
- SQL Server 2016
- SQL Server 2017
- SQL Server 2019
- SQL Server 2022

Microsoft SQL Server Express is not supported and will cause installation errors if attempted.

Cloud
- Microsoft Azure SQL Database (a minimum of 200 DTUs is recommended.)
Increases in size of Azure SQL database might be required in the future as usage grows.
- Amazon RDS for SQL Server

While cloud database services listed above can be used for the console SQL Server database, if the Analytics & Reporting features of the product is desired, those still need to be hosted on premises.

Components to Install

Database Engine Services

While Full Text Search is enabled by default, additional steps are required to create a full-text index and catalog in order to run a keyword search for Password Safe Session Recordings. For more information, please see Get Started with Full-Text Search .

Analysis Services
Reporting and Integration Services
SQL Server Management Studio

Service Accounts

Accept the default service accounts. An individual account is automatically created for each service.
Set the SQL Server Agent start mode as Automatic (the default is Manual).
Select Windows authentication mode.

You can select Mixed mode authentication, if desired, and provide the sa account password. However, this is not necessary when SQL Server resides on the same machine as the console.

Select Add Current User when setting the SQL Server Administrator and Analysis Services Administrator.

Database Permissions Matrix

Permission	SQL Server
SQL Authentication (SQL Local or SQL Remote)	Assign the SQL Server account the role of sysadmin.
Windows Authentication (SQL Local)	Assign NT AUTHORITY\SYSTEM the role of sysadmin, if not previously assigned. Add NT AUTHORITY\NETWORK SERVICE as a Login account in SQL Server, if not previously added. On the BeyondInsight database, assign NT AUTHORITY\NETWORK SERVICE the roles of db_owner and REM3Admins. REM3Admins is a custom role created by the installer.
Windows Authentication (SQL Remote, where SQL Server and BeyondInsight are on the same domain or in trusted domains of a forest)	In SQL Server, create a local Windows group and add the group to the SQL Server instance. On the BeyondInsight database, assign the account the roles of db_owner and REM3Admins. Add each BeyondInsight machine to this local group, including any Event Collector machines or Password Safe worker node machines, in the format: 'Domain\MachineName1$', 'Domain\MachineName2$' Windows Authentication is not supported on remote standalone systems. U-Series Appliances and software must be on the domain or a trusted domain in a forest.

Permission

SQL Server

SQL Authentication (SQL Local or SQL Remote)

Assign the SQL Server account the role of sysadmin.

Windows Authentication (SQL Local)

Assign NT AUTHORITY\SYSTEM the role of sysadmin, if not previously assigned.

Add NT AUTHORITY\NETWORK SERVICE as a Login account in SQL Server, if not previously added.

On the BeyondInsight database, assign NT AUTHORITY\NETWORK SERVICE the roles of db_owner and REM3Admins.

REM3Admins is a custom role created by the installer.

Windows Authentication (SQL Remote, where SQL Server and BeyondInsight are on the same domain or in trusted domains of a forest)

In SQL Server, create a local Windows group and add the group to the SQL Server instance.

On the BeyondInsight database, assign the account the roles of db_owner and REM3Admins.

Add each BeyondInsight machine to this local group, including any Event Collector machines or Password Safe worker node machines, in the format:

'Domain\MachineName1$',

'Domain\MachineName2$'

Windows Authentication is not supported on remote standalone systems. U-Series Appliances and software must be on the domain or a trusted domain in a forest.

Set the Server Role on NT AUTHORITY\SYSTEM

In SQL Server Management Studio, go to Security > Logins.
Right-click NT AUTHORITY\SYSTEM and select Properties.
Select Server Roles > sysadmin, and then click OK.

ADOMD.net Requirement

The BeyondInsight web server uses SQL ADOMD.NET components to communicate with the SQL Analysis Services cube. In cases where the web server does not have SQL installed, you must manually install the ADOMD.NET components. The SQL_AS_ADOMD.msi file is included with BeyondInsight and can be found in the Support folder. After installing the ADOMD.NET components, you might need to restart IIS.

Least Privilege Database User Account Setup

The installation of BeyondInsight requires the creation of a Least Privilege Database User account within the Configuration Wizard. The SQL Authentication Credentials entered previously in the Configuration Wizard are populated by default, but can be changed and are used to create the least privilege user account and database.

The Least Privilege Database User Account is granted the following permissions by default:

General
- Enforce password policy
- Enforce password expiration
Server Roles
- Public
User Mapping
- Mapped to the RetinaCSDatabase created in previous screens
Securables
- Connect SQL: Grant
- View any database: Deny
Status
- Settings
  - Permissions to connect to database engine: Grant
  - Login: Enabled