Orchestration Database Security


Updated: May 13, 2016

Applies To: System Center 2012 SP1 - Orchestrator, System Center 2012 - Orchestrator, System Center 2012 R2 Orchestrator

The following sections provide information about securing the orchestration database in Orchestrator:

  • Database roles

  • Securing SQL server connections

  • Encryption keys

Database roles

Security to the orchestration database is implemented through database roles in the supported versions of Microsoft SQL Server. The table below lists the roles that are created in the orchestration database and the permissions granted to each. These roles are configured and populated with the required members during the installation process, so there is typically no requirement to work directly with them. The information provided here is to help the administrator better understand the security behind the configuration and prepare for possible custom scenarios.

Account Database role
Management Service Account Microsoft.SystemCenter.Orchestrator.Admins
Member of Orchestrator Admins Group Microsoft.SystemCenter.Orchestrator.Admins
Orchestrator Runbook Service Account Microsoft.SystemCenter. Orchestrator.Runtime
Orchestrator Runbook Server Monitor Service Account Microsoft.SystemCenter. Orchestrator.Runtime
Orchestrator Web Service User Account Microsoft.SystemCenter. Orchestrator.Operators
Role Permission Object
Microsoft.SystemCenter. Orchestrator.Operators SELECT [Microsoft.SystemCenter.Orchestrator.Runtime].[Jobs],







Microsoft.SystemCenter. Orchestrator.Operators EXECUTE [Microsoft.SystemCenter.Orchestrator].[GetSecurityToken],





Microsoft.SystemCenter. Orchestrator.Runtime SELECT All tables,


Microsoft.SystemCenter. Orchestrator.Runtime INSERT dbo.[OBJECT_AUDIT]
Microsoft.SystemCenter. Orchestrator.Runtime INSERT, UPDATE dbo.[OBJECTS],




Microsoft.SystemCenter. Orchestrator.Runtime INSERT, DELETE dbo.[COUNTERINSTANCES],

Microsoft.SystemCenter. Orchestrator.Runtime UPDATE dbo.[POLICY_PUBLISH_QUEUE]
Microsoft.SystemCenter. Orchestrator.Runtime CONTROL [ORCHESTRATOR_ASYM_KEY],

Microsoft.SystemCenter. Orchestrator.Runtime EXECUTE dbo.sp_insertevent,










Microsoft.SystemCenter. Orchestrator.Admins SELECT, INSERT, UPDATE, DELETE, ALTER, CREATE TABLE SCHEMA::dbo
Microsoft.SystemCenter. Orchestrator.Admins REFERENCES dbo.[OBJECTS]
Microsoft.SystemCenter. Orchestrator.Admins SELECT dbo.[POLICIES_VIEW], GRANT SELECT ON dbo.[POLICY_REQUEST_HISTORY]
Microsoft.SystemCenter. Orchestrator.Admins CONTROL [ORCHESTRATOR_ASYM_KEY],

Microsoft.SystemCenter. Orchestrator.Admins EXECUTE [Microsoft.SystemCenter.Orchestrator.Cryptography].[CreateOrchestratorKeys],




















The Database Configuration Utility (DBSetup.exe) requires permissions as a user on the computer where the management server is installed and is a member of either the Administrators or Orchestrator Users Group to access the settings.dat file. Custom tools that connect to the database directly through DBDataStore.dll require the same permissions.


When installing Orchestrator, ensure that the account used to connect to SQL server has minimum privileges on the SQL server to avoid a potential elevation of privileges.

Securing SQL server connections

The SQL server connections in a default deployment of Orchestrator are not secure. The exception to this is when Orchestrator stores or retrieves sensitive data. In this case, Orchestrator creates a secure connection to SQL server with a self-signed certificate. This certificate does not provide strong security and is susceptible to man-in-the-middle attacks.

For information about encrypting connections to SQL Server, go to Encrypting Connections to SQL Server (configuring SSL). For information on how to enable connections to the database engine, go to How to: Enable Encrypted Connections to the Database Engine (SQL Server Configuration Manager).

Encryption keys

As part of your security planning, you should plan for rotating your encryption keys at a regular interval. The National Institute of Standards and Technology(NSIT) recommends that keys be rotated at least once every two years. For more information about NSIT security standards, go to NSIT Computer Security Division Computer Security Resource Center.

To rotate encryption keys

  1. From the Runbook Designer, export all of your runbooks, global settings, variables, schedules, and so on.

    You should provide a password for the export.

    During export, all encrypted data is decrypted and re-encrypted with a new key created by the password.

  2. If you want, change the SQL Server Master Database key.

    Orchestrator encrypts data using both the SQL Server Master Database key and the master database key for the orchestration database.

    For information on how to change the SQL Server Master Database key, go to SQL Server and Database Encryption Keys (Database Engine).

  3. Re-install the management server and create a new database.

    For information on how to install the management server, see the topic How to Install a Management Server.

    Do not connect to the existing database. A new cryptographic key is generated when a new database is created.

  4. From the Runbook Designer, re-import the runbooks and any other data you exported.

    Provide the password used for the export. The data in the export file is decrypted using the password, and encrypted as it is imported to the database using the new Orchestrator master database key.