Configuring SQL Server Permissions for an Instance of Notification Services
The Notification Services engine must be able to connect to the instance of the SQL Server Database Engine that contains the instance's databases; in order to do so, it must have the necessary permissions on those databases.
Authentication Modes
The Notification Services engine can use either Microsoft Windows Authentication or SQL Server Authentication to connect to its databases.
- If you use Windows Authentication, the engine uses its Windows account to connect to the database server. Before starting the instance, you must make sure the Windows account has permission to log in to the database server and has the appropriate permissions on each database used by the instance of Notification Services.
- If you cannot use Windows Authentication, you can use SQL Server Authentication by specifying a SQL Server login and password when you register the instance of Notification Services. Before starting the instance, you must make sure that the SQL Server login exists on the database server and has the appropriate permissions on each database used by the instance of Notification Services.
Important: When possible, use Windows Authentication.
Database Permissions
The account used by the engine to connect to the databases must have the proper permissions on those databases. You grant permissions through database roles that Notification Services creates when you create the instance.
If an instance of Notification Services runs on one computer, add the database account used by the engine to the NSRunService role in each of the instance's databases.
If hosted event providers, the generator, and distributors are scaled out across multiple computers, each computer has its own engine. You can minimize the permissions granted to each engine by using more restrictive database roles:
- Database accounts for event providers must belong to the NSEventProvider database role.
- Database accounts for generators must belong to the NSGenerator database role.
- Database accounts for distributors must belong to the NSDistributor database role.
The NSRunService database role is a superset of the above roles.
You must grant database permissions on each of the instance's databases. An instance can use one database for all instance and application data, or can use multiple databases. Custom database names are specified in the instance configuration and the application definitions. If database names are not specified, the default instance database name is instanceNameNSMain and the default application database name is instanceName + applicationName.
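The scaled-out case described above, as an added Transact-SQL example (not part of the original documentation): each engine's Windows account is mapped only to its restrictive role in both of the instance's databases, and a final query checks the resulting role membership. The instance name StockInstance, the application name Stock, and the CONTOSO accounts are hypothetical; the database names follow the default naming rule, and the example assumes the roles are present in both databases.

```sql
-- Hypothetical names: instance "StockInstance", application "Stock",
-- Windows accounts CONTOSO\NSEvents, CONTOSO\NSGen, CONTOSO\NSDist.
-- No custom database names are configured, so the defaults apply.

-- 1. Server logins for the engines' Windows accounts (Windows Authentication).
CREATE LOGIN [CONTOSO\NSEvents] FROM WINDOWS;
CREATE LOGIN [CONTOSO\NSGen]    FROM WINDOWS;
CREATE LOGIN [CONTOSO\NSDist]   FROM WINDOWS;
GO

-- 2. Instance database (instanceName + NSMain): one user per login,
--    each added only to the role that matches its component.
USE StockInstanceNSMain;
CREATE USER [CONTOSO\NSEvents] FOR LOGIN [CONTOSO\NSEvents];
CREATE USER [CONTOSO\NSGen]    FOR LOGIN [CONTOSO\NSGen];
CREATE USER [CONTOSO\NSDist]   FOR LOGIN [CONTOSO\NSDist];
EXEC sp_addrolemember N'NSEventProvider', N'CONTOSO\NSEvents';
EXEC sp_addrolemember N'NSGenerator',     N'CONTOSO\NSGen';
EXEC sp_addrolemember N'NSDistributor',   N'CONTOSO\NSDist';
GO

-- 3. Application database (instanceName + applicationName): same mapping.
USE StockInstanceStock;
CREATE USER [CONTOSO\NSEvents] FOR LOGIN [CONTOSO\NSEvents];
CREATE USER [CONTOSO\NSGen]    FOR LOGIN [CONTOSO\NSGen];
CREATE USER [CONTOSO\NSDist]   FOR LOGIN [CONTOSO\NSDist];
EXEC sp_addrolemember N'NSEventProvider', N'CONTOSO\NSEvents';
EXEC sp_addrolemember N'NSGenerator',     N'CONTOSO\NSGen';
EXEC sp_addrolemember N'NSDistributor',   N'CONTOSO\NSDist';
GO

-- 4. Check (run in each database): list the members of the Notification
--    Services roles. In a scaled-out deployment, a component account that
--    shows up under NSRunService holds the superset of all three roles
--    and defeats the split.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE r.name IN (N'NSRunService', N'NSEventProvider',
                 N'NSGenerator', N'NSDistributor')
ORDER BY r.name, m.name;
```

For a single-computer instance, the same pattern applies with one account added to NSRunService in each database instead of the three restrictive roles.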
How to Manage SQL Server and Database Security
For more information about creating SQL Server login accounts, creating user accounts in databases, and adding users to database roles, see:
- How to: Grant Database Permissions to an Instance of Notification Services
- CREATE LOGIN (Transact-SQL)
- CREATE USER (Transact-SQL)
- sp_addrolemember (Transact-SQL)
See Also
Concepts
Hosting the Notification Services Engine
Configuring Windows Accounts for an Instance of Notification Services
Notification Services Database Roles