"LinkServer: User does not have permission to perform this action." error when configuring Symantec Endpoint Protection

Article:TECH39982  |  Created: 2008-05-14  |  Updated: 2011-11-08  |  Article URL http://www.symantec.com/docs/TECH39982
Article Type
Technical Solution


Issue



When trying to configure the Symantec Endpoint Protection Integration Component (SEP/IC), an error is presented that says: "Unable to Apply Configuration! See the Altiris Log for Details. Exception in LinkServerFactory.LinkServer: User does not have permission to perform this action."

 


Error



 The following is often presented in the logs as well:

severity='1' hostName='GenericHostName' source='BasicImportConfigure.ControlButtonsApply_Click' module='AltirisNativeHelper.dll' process='w3wp.exe' pid='404' thread='7536' tickCount='690446671' >
  <![CDATA[Unable to Apply Configuration! See the Altiris Log for Details. Exception in LinkServerFactory.LinkServer: User does not have permission to perform this action.


Environment



Symantec Endpoint Protection Integration Component 6.0


Cause



When setting up an integration, the Symantec Endpoint Protection Integration Component is using a SQL object called "Link Server" and "Linked Server login" in order to perform the integration. To set up the object, the User that is used for Notification Server (NS) to log into SQL must have the System Admin Role. Without it, this error will occur.


Solution



Notification Server's Application Identity (or configured SQL account if used) needs to be granted SQL's System Admin Role on the SQL server that Notification Server connects to. This permission is needed so that Notification Server can create the linked server in its own SQL server to connect to the SQL server that the Symantec Endpoint Protection Manager (SEPM) uses. This will allow the SEP integration component to create a linked server to the SEPM server. Once the integration component has successfully configured a link to the SEPM database and is running successfully, then the System Admin Role can be removed from the Notification Server's  Application Identity (or configured SQL account if used).  

Note: Although the System Admin Role is no longer needed after successful configuration, full dbo role access to the Altiris database is still required with a default schema of DBO (In SQL 2000 ownership of the Altiris database is required because in SQL 2000 a default schema could not be set).



Legacy ID



41716


Article URL http://www.symantec.com/docs/TECH39982


Terms of use for this information are found in Legal Notices