AgilePoint Service Account

The AgilePoint Service Account is the set of authentication credentials AgilePoint Server uses to connect to other systems, such as the database server.

The AgilePoint Service Account is a "headless" account, which means that a person is not associated with the credentials. Instead the AgilePoint Server software or AgilePoint NX system is represented with these credentials. In other words, the AgilePoint System Administrator manages the credentials for the AgilePoint Service Account, but the (human) adminsitrator does not use these credentials to authenticate to any system.

When AgilePoint Server is installed, the credentials for the AgilePoint System Account are the same as the AgilePoint Service Account. The purpose of this is to simplify the AgilePoint Server installation. However, for security purposes, AgilePoint recommends you separate these credentials after AgilePoint Server is installed.

Note: The names and purposes of the AgilePoint System Account and AgilePoint Service Account are similar, and they are often confused, even by AgilePoint employees. If there is a discrepancy about the purposes of these accounts, this document provides the official explanation from AgilePoint.
Note: In the AgilePoint UI, the Service Account is referred to as Impersonation.
Figure: AgilePoint Server Manager screen

AgilePoint Server Manager screen

Applies to Deployment Types

Permissions and Configuration

System Permissions Notes

AgilePoint Server Machines

  • Local administrator
  • ServiceLogon
  • Member of the following groups:
    • Administrator
    • Performance Monitor Users
    • IIS_IUSRS
    • adHocAdmin
  • Service Principle Name (SPN)
  • This user account will also be used to initially sign in to AgilePoint NX.
  • If you are installing AgilePoint Server on a Domain Controller, this cannot be a local administrator account.
  • The adHocAdmin group is required for Report Center. You may need to create this group in your environment.

    In most cases, Report Center is installed on the AgilePoint Server machine.

    Note: The current version of Report Center (sometimes referred to as AgileReports) can only be used by customers who purchased this component before April 1, 2020. This version is no longer available for purchase, including by current and previous purchasers of AgilePoint NX or the Report Center component. AgilePoint plans to release the new version of Report Center in Q3 2020.
  • SetSPN is required for Kerberos only. For more information, refer to Set Service Principle Name (SetSPN).

Database

  • db_owner privileges

During installation, AgilePoint requires db_owner privileges in SQL Server to create the tables required on the database. For security purposes, after finishing the AgilePoint Server configuration, you can remove the AgilePoint Server service account from the db_owner role in order to disallow the Create table privilege. Instead you can add this user to the db_datareader and db_datawriter role memberships. Please note that when updating the database schema in the future (e.g. for an upgrade), you will need to add this account back to the db_owner role in order for the database schema to be updated

It is recommended to configure permissions for the SQL database account for AgilePoint, which grants INSERT,UPDATE, DELETE and SELECT, … by schema (namespace), ONLY on AgilePoint tables at the database level, instead of using the generic dbo schema to restrict access.

SharePoint

  • Member of the following groups:
    • SharePoint Farm Administrators (applies to SharePoint Farm only)
    • Site Collection Administrators
  • When AgilePoint Server is installed, by default these privileges are associated with the AgilePoint Service Account. However, for security purposes, AgilePoint recommends separating this account from the AgilePoint Service Account to create a unique SharePoint account for the AgilePoint system. This account is sometimes referred to as the SharePoint impersonator.
  • AgilePoint recognizes that adding this user to the SharePoint Site Collection Administrators group does not follow the least-privileged account best practice. If you want to make sure you are following this best practice, make sure this account has at least has Contribute rights on each SharePoint site where Lists, Document Libraries or Form Libraries are associated to an AgilePoint process.

    Usually, it's enough to add that this account to the [Site Collection Name] Members SharePoint Group. However, you must:

    • Make sure that group has Contribute rights on SharePoint.
    • Make sure inheritance is not broken on sub-sites as that might prevent that Impersonator account to access those sub-sites – it would have to be added to the Members role of each of those sub-sites that break inheritance with their parent site.

Data Services Machine

  • Local administrator
  • ServiceLogon
  • This machine may be the same as the AgilePoint Server machine.

How To Create or Change This Account

Good to Know

  • These administrator types have similar names, and they are easy to confuse:
    • The AgilePoint NX System Administrator is a person who is responsible for several administrator accounts and roles. In most cases, there is one primary AgilePoint NX System Administrator, but this is not a technical limitation.
    • A Tenant Administrator is a person who is resonsible for one AgilePoint Server tenant. In multi-tenant environments, each tenant can have its own administrator, but this is not a technical limitation.
    • The AgilePoint System Account is a set of credentials for managing AgilePoint Server. There can be only one AgilePoint System Account. In most cases, one human user is assigned these credentials.
    • The AgilePoint Service Account is a set of credentials AgilePoint Server uses to connect with other systems. There can be only one AgilePoint Service Account. Only the AgilePoint Server software uses these credentials, and they are not assigned to a human user. However, the AgilePoint NX System Administrator is usually responsible for maintaining these credentials.
    • The NX Portal Administrator is a master administrator role for the NX Portal. There can be only one NX Portal Administrator. In the NX Portal, this role is simply referred to as Administrator.

      The NX Portal Administrator is assigned on the Tenant Settings, so this can be easily confused with the Tenant Administrator. However, it is not a technical requirement that the Tenant Administrator and the NX Portal Administrator are the same person.

    • System administrator is a security role on the NX Portal. Any number of users can be assigned the system administrator role.

Related Topics

Examples

About This Page

This page is a navigational feature that can help you find the most important information about this topic from one location. It centralizes access to information about the concept that may be found in different parts of the documentation, provides any videos that may be available for this topic, and facilitates search using synonyms or related terms. Use the links on this page to find the information that is the most relevant to your needs.

Keywords

system administrator, administrators, administrator, service account, system account, server administrator, service administrator, global administrator, master administrator, master account, super user