Callisto as a Service Database Permissions
To use Callisto, we need to be able to access the SCCM database. This article is for Callisto as a Service. If you are using Callisto on Premise, please see this article.
The user account running the Callisto Controller will either be the local user (if using the user controller) or the Callisto server (if running the central controller).
If you are installing the Callisto Central Controller on your SCCM server, you almost certainly don't need to do anything else (this is our recommendation). You can read more about choosing a controller here.
If you are using the Callisto user controller and your users do not yet have read access to the SQL database, the easiest fix is to run a quick SQL script that grants rights to an AD group. Note that this does not set the rights the user will have in Callisto or in ConfigMgr; Callisto obeys ConfigMgr's RBAC model. The script simply allows users to view data via the Callisto portal. What they see, and the rights they have over those objects, is set in ConfigMgr itself and in the Callisto portal.
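-- Create a server login for the AD group
USE master;
CREATE LOGIN [domain\groupname] FROM WINDOWS;
-- Map the login to a user in the ConfigMgr database
USE CM_DB1;
CREATE USER [domain\groupname];
-- Custom role that carries EXECUTE rights
CREATE ROLE db_executor;
GRANT EXECUTE TO db_executor;
-- Add the group to the execute and read roles
ALTER ROLE db_executor ADD MEMBER [domain\groupname];
ALTER ROLE db_datareader ADD MEMBER [domain\groupname];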
For example:
USE master;
CREATE LOGIN [PERIJOVE\sg-CallistoAcces] FROM WINDOWS;
USE CM_DB1;
CREATE USER [PERIJOVE\sg-CallistoAcces];
CREATE ROLE db_executor;
GRANT EXECUTE TO db_executor;
ALTER ROLE db_executor ADD MEMBER [PERIJOVE\sg-CallistoAcces];
ALTER ROLE db_datareader ADD MEMBER [PERIJOVE\sg-CallistoAcces];
You can also use the SQL Server Management Studio GUI to add the relevant group by navigating to Databases - CM_XXX - Security - Users. Here you can right-click, select New and then browse for your group. On the Membership tab you can select db_datareader and db_executor (the custom role created by the script above).
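To confirm that the group ended up with read and execute rights and nothing broader, the following check can be run after either method. It is an added example, not part of the vendor's script, and it assumes the database and group names from the example above (CM_DB1 and PERIJOVE\sg-CallistoAcces).

```sql
-- Added verification example (not the vendor's script).
-- Assumes the database and group names used in the example above.
USE CM_DB1;

DECLARE @grp sysname = N'PERIJOVE\sg-CallistoAcces';

-- 1. The Windows group exists as a server login and is not disabled.
SELECT name, type_desc, is_disabled
FROM sys.server_principals
WHERE name = @grp;

-- 2. Database roles the group belongs to.
--    Expected: db_datareader and db_executor only. Anything else
--    (db_owner, db_datawriter, ...) is more than the script grants.
SELECT r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r
  ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m
  ON m.principal_id = rm.member_principal_id
WHERE m.name = @grp
ORDER BY r.name;

-- 3. Explicit permissions held by db_executor or by the group itself.
--    Expected: EXECUTE at DATABASE scope for db_executor, and CONNECT
--    for the group (granted automatically by CREATE USER).
SELECT p.name AS grantee,
       dp.class_desc,
       dp.permission_name,
       dp.state_desc,
       CASE WHEN dp.class = 1 THEN OBJECT_NAME(dp.major_id) END AS object_name
FROM sys.database_permissions AS dp
JOIN sys.database_principals AS p
  ON p.principal_id = dp.grantee_principal_id
WHERE p.name IN (N'db_executor', @grp)
ORDER BY p.name, dp.class_desc, dp.permission_name;
```

Because the login is an AD group, anyone added to that group later inherits these rights, so group membership is worth reviewing alongside the query results.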