Change databases

This article provides information on how to create users, assign roles, and membership to group Managed Service Accounts (gMSAs).


This article applies to Operations Manager 2019 Update Rollup 1 (UR1) and later.

These roles are similar to the roles created for non-gMSA accounts.


For all gMSA accounts used, you'll also need to create the accounts under the Security > Logins of the SQL instance directly, and not only under each individual DB. Without this, the other permissions won't take effect as the initial sign in is at the instance level.

Action account

System databases: msdb

  1. In the SQL Server Management Studio, go to Databases > System Databases > msdb > Security > Users.

  2. Create a new user.

  3. Select Windows user in the User type box.

  4. Select Entire Directory in the From the location box. Select Service Accounts in the Object types box.

    Screenshot of Server management object types.

  5. Check names for momActGMSA, which is an example gMSA for the Action account, in the directory. Because momActGMSA is an example, use the name of the gMSA that you intend to use as the Action account.

    Screenshot of server management select user.

  6. Assign the following roles for the Action account:

    • SQLAgentOperatorRole
    • SQLAgentReaderRole
    • SQLAgentUserRole

    Screenshot of Database user membership.

Follow steps 1 to 5 from the previous procedure. Assign the roles by using the information in this table.

Account Type Database Roles
Action account
Operations Manager DB db_datareader, db_datawriter, db_ddladmin, dbmodule_users
Data Access Service account
Systems Database: msdb for Operations Manager DB SQLAgentOperatorRole, SQLAgentReaderRole, SQLAgentUserRole, db_owner
Operations Manager DB ConfigService, db_accessadmin, db_datareader, db_datawriter, db_ddladmin, db_securityadmin, sdk_users, sql_dependency_subscriber
Operations Manager DW apm_datareader, db_datareader, OpsMgrReader
Data Writer account
Operations Manager DB apm_datareader, apm_datawriter, db_datareader, dwsynch_users
Operations Manager DW apm_datareader, apm_datawriter, db_owner, OpsMgrWriter
Data Reader account
System Databases: master DB RSExecRole
System Databases: msdb for Operations Manager DW RSExecRole, SQLAgentOperatorRole, SQLAgentReaderRole, SQLAgentUserRole
Operations Manager DW apm_datareader, db_datareader, OpsMgrReader
Report Server Database db_owner, RSExecRole
Report Server Temp Database db_owner, RSExecRole

Next steps

Service-level changes