AgilePoint Service Account

The AgilePoint Service Account is the master administrator account for the AgilePoint NX system, including related systems, such as the AgilePoint Server machine, databases, and SharePoint farms and site collections, if applicable.

When AgilePoint Server is installed, the AgilePoint Service Account is given the same credentials as the AgilePoint System Administrator account. (The AgilePoint System Administrator is sometimes called the AgilePoint System Account). This is for ease of system management, and AgilePoint recommends keeping these accounts linked (the credentials the same) unless your organization has a strong reason to separate them.

This table shows the default permissions for the AgilePoint Service Account including the System Administrator account privileges. The System Administrator account privileges are specified in case you want to separate these accounts.

For each system, the required permissions are listed first, followed by notes.

AgilePoint Server Machines

  Permissions:
  • Local administrator
  • ServiceLogon
  • Member of the following groups:
    • Administrator
    • Performance Monitor Users
    • IIS_IUSRS
    • adHocAdmin
  • Service Principal Name (SPN)

  Notes:
  • This user account is also used for the initial sign-in to AgilePoint NX.
  • If you are installing AgilePoint Server on a Domain Controller, this cannot be a local administrator account.
  • The adHocAdmin group is required for Report Center. You may need to create this group in your environment. In most cases, Report Center is installed on the AgilePoint Server machine.
  • SetSPN is required for Kerberos only. For more information, refer to Set Service Principal Name (SetSPN).

AgilePoint Server service instances

  Permissions:
  • Create an instance
  • Delete an instance
  • Configure AgilePoint Server
  • Start or stop an instance

  Notes:
  • These privileges are for the AgilePoint System Administrator account.
  • Do not confuse the system administrator role with the System Administrator account. The system administrator role only has administrator access rights within the AgilePoint NX Portal. The System Administrator account is a server-side administrator that is usually connected to the AgilePoint Service Account.

AgilePoint NX Portal tenants

  Notes:
  • These privileges are for the AgilePoint System Administrator account.
  • Do not confuse the system administrator role with the System Administrator account. The system administrator role only has administrator access rights within the AgilePoint NX Portal. The System Administrator account is a server-side administrator that is usually connected to the AgilePoint Service Account.

Database

  Permissions:
  • db_owner privileges

  Notes:
  • During installation, AgilePoint requires db_owner privileges in SQL Server to create the tables required on the database. For security purposes, after finishing the AgilePoint Server configuration, you can remove the AgilePoint Server service account from the db_owner role so that it no longer has the CREATE TABLE privilege, and instead add it to the db_datareader and db_datawriter roles. Note that when the database schema is updated in the future (for example, during an upgrade), you must add this account back to the db_owner role so that the schema can be updated.
  • It is recommended to configure the permissions of the SQL database account used by AgilePoint so that INSERT, UPDATE, DELETE, SELECT, … are granted by schema (namespace), ONLY on the AgilePoint tables at the database level, rather than through the generic dbo schema, in order to restrict access.
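The post-installation tightening described above, written out as T-SQL. This is an added example, not from the AgilePoint documentation; the database name AgilePointDB, the login DOMAIN\apsvc and the schema name AgilePoint are placeholders for your own values.

```sql
-- Added example (not AgilePoint's own script). Placeholders: database
-- AgilePointDB, service-account login DOMAIN\apsvc, schema AgilePoint.
USE AgilePointDB;
GO

-- Step 1: once AgilePoint Server configuration is complete, remove the
-- service account from db_owner so it can no longer create or alter tables.
-- Caveat: if this login *owns* the database it maps to dbo, and role
-- membership cannot restrict it; reassign ownership first in that case.
ALTER ROLE db_owner DROP MEMBER [DOMAIN\apsvc];
GO

-- Step 2, option A (database-wide read/write, as the page describes):
ALTER ROLE db_datareader ADD MEMBER [DOMAIN\apsvc];
ALTER ROLE db_datawriter ADD MEMBER [DOMAIN\apsvc];
GO

-- Step 2, option B (recommended by the page): DML rights scoped to the
-- AgilePoint schema only, instead of relying on the generic dbo schema.
-- Use B in place of A; the grant does not include CREATE TABLE.
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::AgilePoint TO [DOMAIN\apsvc];
GO

-- Verification: role memberships held by the service account
-- (db_owner must no longer appear).
SELECT r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'DOMAIN\apsvc';

-- Verification: explicit schema-level permissions held by the account.
SELECT p.permission_name, p.state_desc, SCHEMA_NAME(p.major_id) AS schema_name
FROM sys.database_permissions AS p
JOIN sys.database_principals AS pr ON pr.principal_id = p.grantee_principal_id
WHERE pr.name = N'DOMAIN\apsvc' AND p.class_desc = 'SCHEMA';
GO

-- Before a schema upgrade, restore db_owner temporarily, then drop it again:
-- ALTER ROLE db_owner ADD MEMBER [DOMAIN\apsvc];
```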

SharePoint

  Permissions:
  • Member of the following groups:
    • SharePoint Farm Administrators (applies to SharePoint Farm only)
    • Site Collection Administrators

  Notes:
  • AgilePoint recognizes that adding this user to the SharePoint Site Collection Administrators group does not follow the least-privileged account best practice. If you want to follow this best practice, make sure this account has at least Contribute rights on each SharePoint site where Lists, Document Libraries, or Form Libraries are associated with an AgilePoint process.
  • Usually, it is enough to add this account to the [Site Collection Name] Members SharePoint group. However, you must:
    • Make sure that group has Contribute rights in SharePoint.
    • Make sure permission inheritance is not broken on sub-sites, because that can prevent the impersonator account from accessing those sub-sites. The account would have to be added to the Members role of each sub-site that breaks inheritance from its parent site.

Data Services Machine

  Permissions:
  • Local administrator
  • ServiceLogon

  Notes:
  • This machine may be the same as the AgilePoint Server machine.
