Submit a ticketCall us

ebook60.pngHow to be a Cisco® ASA ace

Our eBook, Thou Shalt Not Pass…I Think?! can help you overcome the challenges of monitoring and managing Cisco ASA firewalls. This eBook is a great read if you’ve been frustrated with monitoring firewalls, managing ACL configs, and troubleshooting VPN connections.

Get your free eBook.

Home > Success Center > Patch Manager > Patch Manager SQL account permissions

Patch Manager SQL account permissions


This article lists the requirements for the Microsoft® SQL Server® accounts and account permissions used in Patch Manager.


All Patch Manager versions


When you install the Patch Manager, database you can install the database on a local server running SQL Server or a remote server. In both configurations, Patch Manager requires service and reporting accounts.

Service account

The Service account creates the Patch Manager database on the SQL database server and maintains communications between the Patch Manager server and the database. If you install the Patch Manager database on an SQL database server, you can select a specific service account or accept the default local service account. These accounts are created during the Patch Manager installation procedure.

Reporting account

The Reporting account is created when Patch Manager creates the database. During this process, Patch Manager also creates the ewreportuser account on the Patch Manager server. Patch Manager uses this account to run reports. You cannot change this account or define an alternative account. 

Service account requirements

If you decide to install the Patch Manager database on a remote SQL database server, the service account must be a domain account with access to a remote SQL database server.

Account membership

The service account must be a member of the SysAdmin group in SQL Server during the installation and upgrade procedures. This requirement allows the service account to create and modify the Patch Manager database. 


The service account does not require ongoing SysAdmin permissions in SQL Server. After the service account creates the Patch Manager database, the account becomes the database owner (DBO), which waives any requirements for elevated SQL permissions. This allows the service account to maintain a connection to the remote SQL server.

The service account may require SysAdmin permissions for upgrade activities. For example, the service account requires SysAdmin permissions if the upgrade requires changes to the database instance that stores the Patch Manager database. These requirements are documented for each version in the Patch Manager release notes.

(Optional) Mixed-mode Authentication

Patch Manager does not require mixed mode authentication on the remote SQL database server. The reporting account is a least-privilege account that only requires permission to connect and execute SELECT statements. Since it does not require SysAdmin permissions, mixed mode authentication is not required. 

Last modified