Documentation for Server Configuration Monitor

Permissions required to monitor in SCM

To monitor configurations and compliance using Server Configuration Monitor (SCM), your credentials must have the correct permissions for any object or metric you wish to monitor. In general, SCM will be able to monitor objects and metrics that match the permission level of your credential.

See the tables below for minimum permissions required for SCM's built-in profiles, built-in policies, and Asset Inventory environments.

SCM built-in profiles

Name Description Permissions to monitor

IIS

Profile to monitor IIS server configuration.

All directly monitored files are accessible when agent service runs with a LocalSystem account (its token includes the NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs; these accounts have access to most system objects).

Config files of websites parsed from applicationHost.config may require some special permissions.

SW inventory

Profile detects software inventory changes on a node. It requires Asset Inventory to be switched on.

See Asset inventory section for details.

HW inventory

Profile detects hardware inventory changes on a node. It requires Asset Inventory to be switched on.

See Asset inventory section for details.

Linux Essentials

Monitors the essentials of your Linux system, including file system configuration, hardware, network settings, OS and application software, and startup configuration.

If all necessary commands are available, the default swiagent user can poll all profile elements. For more details, see Permissions required to monitor built-in Linux profiles in SCM.

Linux Security and Permissions

Monitors security, groups, and user permissions.

If all necessary commands are available, the default swiagent user can poll all profile elements. For more details, see Permissions required to monitor built-in Linux profiles in SCM.

MS SQL Server Essentials

Monitors the essentials of your MS SQL server database.

Most of the elements in the MS SQL Server Essentials built-in profile can be monitored using the default public login. Some SQL elements require additional permissions. For more details, see Permissions required to monitor MS SQL Server Essentials in SCM.

PostgreSQL Essentials

Monitors the essentials of your PostgreSQL database.

Most of the elements in the PostgreSQL Server Essentials built-in profile can be monitored using the default public login. Some SQL elements require additional permissions. For more details, see Permissions required to monitor PostgreSQL Server Essentials.

MySQL Essentials

Monitors the essentials of your MySQL database.

Some elements use SHOW VARIABLES. This statement does not require any permissions. Most information is gathered using SELECT from information_schema views. Each MySQL user has the right to access them, but can see only the rows in the tables that correspond to objects for which the user has the proper access permissions. Two tables have different permissions requirements:

  • information_schema.schemata — User sees only databases for which they have some kind of permissions, unless they have the global SHOW DATABASES permission. Because a global permission is considered a permission for all databases, any global permission enables a user to see all database names by examining the INFORMATION_SCHEMA SCHEMATA table.

  • information_schema.routines — To see information about a routine, the user must be named in the routine DEFINER clause or have SELECT access to the mysql.proc table. If the user doesn't have permissions for the routine itself, the value displayed for the ROUTINE_DEFINITION column is NULL.

Oracle Essentials

Monitors the essentials of your Oracle database.

The user must have SELECT permissions on the following system views:

  • v$osstat

  • v$system_parameter

  • v$spparameter

  • v$system_fix_control

  • v$instance

  • v$option

  • v$datafile

  • v$tempfile

  • v$version

  • v$timezone_names

  • v$active_services

  • v$backup_files

  • v$database

  • database_properties

  • dba_users

  • dba_profiles

  • dba_role_privs

  • dba_users_with_defpwd

  • dba_encrypted_columns

  • dba_views

  • dba_procedures

  • dba_triggers

  • dba_indexes

  • dba_tables

Users with explicit object permissions or those who connect with administrative permissions (SYSDBA) can access objects in the SYS schema.

Another means of allowing access to objects in the SYS schema is to grant users either of the following roles:

  • SELECT_CATALOG_ROLE — This role can be granted to users to allow SELECT permissions on data dictionary views.

  • SELECT_ANY_DICTIONARY — This system permission allows query access to any object in the SYS schema, including tables created in that schema. It must be granted individually to each user who requires the permission. It is not included in GRANT_ALL_PRIVILEGES, but it can be granted through a role.
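
A narrower alternative to the two broad grants above, as an added example that is not part of the SolarWinds documentation: the PL/SQL block below grants SELECT on only the views listed for Oracle Essentials, then checks that no dictionary-wide access was given. The account name SCM_MONITOR is a hypothetical placeholder, and the script assumes it is run from SQL*Plus or SQLcl by SYS or another account allowed to grant on SYS objects.

```sql
-- Added example, not SolarWinds code. SCM_MONITOR is a hypothetical account name.
-- SQL*Plus / SQLcl client setting so the per-view results are printed.
SET SERVEROUTPUT ON

DECLARE
  TYPE name_list IS TABLE OF VARCHAR2(128);
  c_grantee CONSTANT VARCHAR2(128) := 'SCM_MONITOR';  -- assumption: your polling user
  -- Views taken from the Oracle Essentials list on this page.
  l_views  name_list := name_list(
    'V$OSSTAT', 'V$SYSTEM_PARAMETER', 'V$SPPARAMETER', 'V$SYSTEM_FIX_CONTROL',
    'V$INSTANCE', 'V$OPTION', 'V$DATAFILE', 'V$TEMPFILE', 'V$VERSION',
    'V$TIMEZONE_NAMES', 'V$ACTIVE_SERVICES', 'V$BACKUP_FILES', 'V$DATABASE',
    'DATABASE_PROPERTIES', 'DBA_USERS', 'DBA_PROFILES', 'DBA_ROLE_PRIVS',
    'DBA_USERS_WITH_DEFPWD', 'DBA_ENCRYPTED_COLUMNS', 'DBA_VIEWS',
    'DBA_PROCEDURES', 'DBA_TRIGGERS', 'DBA_INDEXES', 'DBA_TABLES');
  l_target VARCHAR2(128);
BEGIN
  FOR i IN 1 .. l_views.COUNT LOOP
    -- V$X is a public synonym for SYS.V_$X; a grant on the synonym fails,
    -- so grant on the underlying view instead.
    l_target := CASE WHEN l_views(i) LIKE 'V$%'
                     THEN 'V_$' || SUBSTR(l_views(i), 3)
                     ELSE l_views(i) END;
    BEGIN
      EXECUTE IMMEDIATE 'GRANT SELECT ON SYS.'
        || DBMS_ASSERT.SIMPLE_SQL_NAME(l_target)
        || ' TO ' || DBMS_ASSERT.ENQUOTE_NAME(c_grantee);
      DBMS_OUTPUT.PUT_LINE('granted ' || l_views(i));
    EXCEPTION
      WHEN OTHERS THEN  -- report and continue so one failure does not stop the rest
        DBMS_OUTPUT.PUT_LINE('FAILED  ' || l_views(i) || ': ' || SQLERRM);
    END;
  END LOOP;
END;
/

-- Verify: the object grants are present and no broad dictionary access exists.
SELECT owner, table_name FROM dba_tab_privs
 WHERE grantee = 'SCM_MONITOR' AND privilege = 'SELECT' ORDER BY table_name;
SELECT privilege FROM dba_sys_privs
 WHERE grantee = 'SCM_MONITOR' AND privilege = 'SELECT ANY DICTIONARY';
SELECT granted_role FROM dba_role_privs
 WHERE grantee = 'SCM_MONITOR' AND granted_role = 'SELECT_CATALOG_ROLE';
```

The first verification query should list the granted views; the last two should return no rows if the account holds only the per-view grants.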

SCM built-in policies

Name Description Permissions to monitor

IIS 8.5 Server STIG (version 1, rel. 10)

This policy compares the configuration for an IIS 8.5 Server to the criteria defined in the IIS 8.5 Server STIG and advises you of the results for each rule, this server, and for the policy.

LOCAL_SYSTEM (default account for agent service) is the only requirement.

SQL Server 2016 Instance STIG (version 1, rel. 9)

This policy compares the configuration for a SQL Server 2016 to the criteria defined in the SQL Server 2016 Instance STIG and advises you of the results for each rule, this server, and for the policy.

Most of the datasources in the 'SQL Server 2016 Instance STIG' built-in policy can be monitored using the default public login. Some SQL datasources require the [sysadmin] role. For more details, see Permissions required to monitor the SQL Server 2016 Instance STIG policy.

Windows Server 2016 STIG (version 1, rel. 10)

This policy compares the configuration for a Windows 2016 Server to the criteria defined in the Windows Server 2016 STIG and advises you of the results for each rule, this server, and for the policy.

LOCAL_SYSTEM is the only requirement. If the user assigns specific credentials other than domain controller administrator, some of the rules (that use secedit or auditpol) remain in Unknown status. For more details, see Permissions required to monitor the Windows Server 2016 STIG policy (version 1, rel. 10).

Asset inventory

Node type Permissions to monitor

Microsoft Windows node WMI

Access to DCOM and WMI components is required. The local/domain administrator grants access to the WMI and DCOM components. For more information, see WMI requirements for SolarWinds accounts

Microsoft node SNMP
Linux node SNMP

SW inventory — access to a subtree of OID .1.3.6.1.2.1.25.6.3.1.2
HW inventory — access to a subtree of OID .1.3.6.1.

Microsoft Windows node Orion-agent (WMI)

LOCAL_SYSTEM (default account for agent service)

Linux node Orion-agent (SNMP)

If SNMP v3 is installed on the target, SNMP credentials with access to the OID subtrees listed for classic SNMP nodes are required. The SNMP v2 agent uses autoconfiguration of the SNMP daemon config. See Configure SNMP for Orion agents on Linux/Unix and IX systems in SAM for details.

ESX host directly polled (CIM)

The administrator role is required.

VMware has a limitation that is explained in detail in ESXi server polling with SolarWinds Orion NPM.

CIM data is available only to the administrator role or vCenter.

ESX host polled via vCenter (VIM extension)

The built-in read-only role is all that is required.

The custom role with Host CIM interaction permissions is sufficient to poll all Asset Inventory data.

Host privileges