"LinkServer: User does not have permission to perform this action." error when configuring Symantec Endpoint Protection

Article:TECH39982

Created: 2008-05-14

Updated: 2011-11-08

Article URL http://www.symantec.com/docs/TECH39982

Article Type
Technical Solution

Product(s)

Show all

Languages

Show all

Problem

When trying to configure the Symantec Endpoint Protection Integration Component (SEP/IC), an error is presented that says: "Unable to Apply Configuration! See the Altiris Log for Details. Exception in LinkServerFactory.LinkServer: User does not have permission to perform this action."

Error

The following is often presented in the logs as well:

severity='1' hostName='GenericHostName' source='BasicImportConfigure.ControlButtonsApply_Click' module='AltirisNativeHelper.dll' process='w3wp.exe' pid='404' thread='7536' tickCount='690446671' >
<![CDATA[Unable to Apply Configuration! See the Altiris Log for Details. Exception in LinkServerFactory.LinkServer: User does not have permission to perform this action.

Environment

Symantec Endpoint Protection Integration Component 6.0

Cause

When setting up an integration, the Symantec Endpoint Protection Integration Component is using a SQL object called "Link Server" and "Linked Server login" in order to perform the integration. To set up the object, the User that is used for Notification Server (NS) to log into SQL must have the System Admin Role. Without it, this error will occur.

Solution

Notification Server's Application Identity (or configured SQL account if used) needs to be granted SQL's System Admin Role on the SQL server that Notification Server connects to. This permission is needed so that Notification Server can create the linked server in its own SQL server to connect to the SQL server that the Symantec Endpoint Protection Manager (SEPM) uses. This will allow the SEP integration component to create a linked server to the SEPM server. Once the integration component has successfully configured a link to the SEPM database and is running successfully, then the System Admin Role can be removed from the Notification Server's Application Identity (or configured SQL account if used).

Note: Although the System Admin Role is no longer needed after successful configuration, full dbo role access to the Altiris database is still required with a default schema of DBO (In SQL 2000 ownership of the Altiris database is required because in SQL 2000 a default schema could not be set).

Legacy ID

41716