I want to set up a query user for monitoring my Teamspeak server with an automated monitoring tool (cacti in my case), and I'm wondering how to create a query account that has exactly the required permissions, but no more permissions.
Is the solution below "best practice" and the intended way to achieve the result?

For monitoring, I need permission for these query commands:

- serverlist (this is for cacti to enumerate and display all existing virtual servers at discovery)
- use (this is for changing to the virtual server)
- serverinfo (this is for regular monitoring of one virtual server)

So the monitoring user needs these permissions:

- b_serverinstance_virtualserver_list (for serverlist)
- b_virtualserver_select (for use)
- b_virtualserver_info_view (for serverinfo)

All web-viewer applications need something like this, but no one says how to create a tailored user for this. Instead, they either say you use your serveradmin or you give the guest query additional permissions. But both are not acceptable from a security point of view.

So we need a user with a new query group with the above permissions. It must be a query group independent from a virtual server, because there is no virtual server known at the time of virtual server discovery.

So I create a new global query group by copying the serverquery guest group:

servergroupcopy ssgid=1 tsgid=0 name=monitor type=2

Then I give the new group the required permissions: (here it was created as id 9)

servergroupaddperm sgid=9 permsid=b_serverinstance_virtualserver_list permvalue=1 permnegated=0 permskip=0
servergroupaddperm sgid=9 permsid=b_virtualserver_info_view permvalue=1 permnegated=0 permskip=0

Then I create a new query user by doing this:
- create a new identity in my Teamspeak Client
- connect to the server with the Teamspeak client with this identity
- add "Server Admin" group to the new user
- create server query login in the client GUI for the new user
- remove "Server Admin" group from the user (it was only to be able to create the query login)

- finally, add the new user to the new group: (my user has id=5 and the group has id=9)
servergroupaddclient sgid=9 cldbid=5

Now I can login with the new query login and perform exactly the required commands and nothing more.

Is this the correct way? It seems straightforward, but I never saw anyone doing this. Instead I often read that someone destroyed the database of their server by doing something with query accounts or query groups, especially with the serveradmin group.
Unfortunately, it was never clear what exactly was wrong - nobody ever describes exactly what he did - just the database was reported as broken at some point.

The only thing that bothers me is that it is perhaps not so straightforward to create the query group by copying the guest query group and assigning the user to it. Is this the way to go? I assume yes, because I used the tools the server gave me.
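
One way to check the result of the procedure above, as an added example that is not part of the original post: it parses the reply to `servergrouppermlist sgid=9 -permsid` and reports which of the three listed permissions are missing and which granted permissions go beyond them. The sample reply is constructed, and its pipe-separated `key=value` layout with a trailing `error id=0 msg=ok` line is an assumption about the ServerQuery output; the function names are hypothetical.

```python
# Added example: audit a ServerQuery group against a least-privilege allowlist.
REQUIRED = {
    "b_serverinstance_virtualserver_list",  # serverlist
    "b_virtualserver_select",               # use
    "b_virtualserver_info_view",            # serverinfo
}

def parse_response(response):
    """Split a reply into one dict per '|'-separated entry.
    Raises if the trailing 'error id=...' status line reports a failure."""
    entries = []
    for line in response.splitlines():
        line = line.strip()
        if not line:
            continue
        items = [dict(tok.partition("=")[::2] for tok in item.split())
                 for item in line.split("|")]
        if line.startswith("error "):
            status = items[0]
            if status.get("id") != "0":
                raise RuntimeError(status.get("msg", "").replace("\\s", " "))
            continue
        entries.extend(items)
    return entries

def audit(response, required=REQUIRED):
    """Return permissions the group lacks and permissions beyond the allowlist."""
    granted = set()
    for entry in parse_response(response):
        # Count only effective grants: non-zero value and not negated.
        if entry.get("permvalue", "0") != "0" and entry.get("permnegated", "0") == "0":
            granted.add(entry.get("permsid", entry.get("permid", "?")))
    return {"missing": sorted(required - granted),
            "extra": sorted(granted - required)}

# Constructed sample reply (not real server output) for group id 9.
SAMPLE = (
    "permsid=b_serverinstance_help_view permvalue=1 permnegated=0 permskip=0|"
    "permsid=b_serverinstance_version_view permvalue=1 permnegated=0 permskip=0|"
    "permsid=b_serverinstance_virtualserver_list permvalue=1 permnegated=0 permskip=0|"
    "permsid=b_virtualserver_select permvalue=1 permnegated=0 permskip=0|"
    "permsid=b_virtualserver_info_view permvalue=1 permnegated=0 permskip=0"
    "\nerror id=0 msg=ok"
)

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Because the group is created with `servergroupcopy`, anything the source group already granted shows up under `extra` and can be reviewed before the account is handed to the monitoring tool.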