Administrator Types and Security Roles

AgilePoint System Account

The AgilePoint System Account is the priamary administrator account for AgilePoint Server, especially the AgilePoint Server Configuration Utility and the Windows services associated with the AgilePoint server-side components.

By default, the AgilePoint System Account is assumed to use the same credentials as other administrator tasks on the AgilePoint Server machine, such as the Windows administrator account. However, for security purposes, AgilePoint recommends you separate these credentials after AgilePoint Server is installed.

When AgilePoint Server is installed, the credentials for the AgilePoint System Account are the same as the AgilePoint Service Account. The purpose of this is to simplify the AgilePoint Server installation. However, for security purposes, AgilePoint recommends you separate these credentials after AgilePoint Server is installed.

Note: The names and purposes of the AgilePoint System Account and AgilePoint Service Account are similar, and they are often confused, even by AgilePoint employees. If there is a discrepancy about the purposes of these accounts, this document provides the official explanation from AgilePoint.

AgilePoint Server Configuration System tab — Figure: AgilePoint Server Configuration > System tab

Applies to Deployment Types

Permissions and Configuration

System	Permissions	Notes
AgilePoint Server Machines	Local administrator ServiceLogon Member of the following groups: Administrator Performance Monitor Users IIS_IUSRS adHocAdmin Service Principle Name (SPN)	This user account will also be used to initially sign in to AgilePoint NX. If you are installing AgilePoint Server on a Domain Controller, this cannot be a local administrator account. The adHocAdmin group is required for Report Center. You may need to create this group in your environment. In most cases, Report Center is installed on the AgilePoint Server machine. Note: The current version of Report Center (sometimes referred to as AgileReports) can only be used by customers who purchased this component before April 1, 2020. This version is no longer available for purchase, including by current and previous purchasers of AgilePoint NX or the Report Center component. AgilePoint plans to release the new version of Report Center in Q3 2020. SetSPN is required for Kerberos only. For more information, refer to Set Service Principle Name (SetSPN).
AgilePoint Server service instances	Create an instance Delete an instance Configure AgilePoint Server Start or stop an instance	These privileges are for the AgilePoint System Administrator account. Do not confuse the system administrator role with the AgilePoint System Account. The system administrator role only has administrator access rights within the NX Portal. The AgilePoint System Account is a server-side administrator.
AgilePoint NX Portal tenants	provision a tenant Set the NX Portal Administrator for a tenant.	These privileges are for the AgilePoint System Administrator account. Do not confuse the system administrator role with the AgilePoint System Account. The system administrator role only has administrator access rights within the NX Portal. The AgilePoint System Account is a server-side administrator.

How To Create or Change This Account

The AgilePoint System Account is created when you install AgilePoint NX.
To change the AgilePoint System Account, refer to How Do I Change the Credentials for AgilePoint Administrator Accounts?.

AgilePoint Service Account

The AgilePoint Service Account is the set of authentication credentials AgilePoint Server uses to connect to other systems, such as the database server.

The AgilePoint Service Account is a "headless" account, which means that a person is not associated with the credentials. Instead the AgilePoint Server software or AgilePoint NX system is represented with these credentials. In other words, the AgilePoint System Administrator manages the credentials for the AgilePoint Service Account, but the (human) adminsitrator does not use these credentials to authenticate to any system.

When AgilePoint Server is installed, the credentials for the AgilePoint System Account are the same as the AgilePoint Service Account. The purpose of this is to simplify the AgilePoint Server installation. However, for security purposes, AgilePoint recommends you separate these credentials after AgilePoint Server is installed.

Note: The names and purposes of the AgilePoint System Account and AgilePoint Service Account are similar, and they are often confused, even by AgilePoint employees. If there is a discrepancy about the purposes of these accounts, this document provides the official explanation from AgilePoint.

Note: In the AgilePoint UI, the Service Account is referred to as Impersonation.

Figure: AgilePoint Server Manager screen

Applies to Deployment Types

Permissions and Configuration

System	Permissions	Notes
AgilePoint Server Machines	Local administrator ServiceLogon Member of the following groups: Administrator Performance Monitor Users IIS_IUSRS adHocAdmin Service Principle Name (SPN)	This user account will also be used to initially sign in to AgilePoint NX. If you are installing AgilePoint Server on a Domain Controller, this cannot be a local administrator account. The adHocAdmin group is required for Report Center. You may need to create this group in your environment. In most cases, Report Center is installed on the AgilePoint Server machine. Note: The current version of Report Center (sometimes referred to as AgileReports) can only be used by customers who purchased this component before April 1, 2020. This version is no longer available for purchase, including by current and previous purchasers of AgilePoint NX or the Report Center component. AgilePoint plans to release the new version of Report Center in Q3 2020. SetSPN is required for Kerberos only. For more information, refer to Set Service Principle Name (SetSPN).
Database	db_owner privileges	During installation, AgilePoint requires db_owner privileges in SQL Server to create the tables required on the database. For security purposes, after finishing the AgilePoint Server configuration, you can remove the AgilePoint Server service account from the db_owner role in order to disallow the Create table privilege. Instead you can add this user to the db_datareader and db_datawriter role memberships. Please note that when updating the database schema in the future (e.g. for an upgrade), you will need to add this account back to the db_owner role in order for the database schema to be updated It is recommended to configure permissions for the SQL database account for AgilePoint, which grants INSERT,UPDATE, DELETE and SELECT, … by schema (namespace), ONLY on AgilePoint tables at the database level, instead of using the generic dbo schema to restrict access.
SharePoint	Member of the following groups: SharePoint Farm Administrators (applies to SharePoint Farm only) Site Collection Administrators	When AgilePoint Server is installed, by default these privileges are associated with the AgilePoint Service Account. However, for security purposes, AgilePoint recommends separating this account from the AgilePoint Service Account to create a unique SharePoint account for the AgilePoint system. This account is sometimes referred to as the SharePoint impersonator. AgilePoint recognizes that adding this user to the SharePoint Site Collection Administrators group does not follow the least-privileged account best practice. If you want to make sure you are following this best practice, make sure this account has at least has Contribute rights on each SharePoint site where Lists, Document Libraries or Form Libraries are associated to an AgilePoint process. Usually, it's enough to add that this account to the [Site Collection Name] Members SharePoint Group. However, you must: Make sure that group has Contribute rights on SharePoint. Make sure inheritance is not broken on sub-sites as that might prevent that Impersonator account to access those sub-sites – it would have to be added to the Members role of each of those sub-sites that break inheritance with their parent site.
Data Services Machine	Local administrator ServiceLogon	This machine may be the same as the AgilePoint Server machine.

How To Create or Change This Account

The AgilePoint Service Account is created when you install AgilePoint NX.
To change the AgilePoint Service Account, refer to How Do I Change the Credentials for AgilePoint Administrator Accounts?.

NX Portal Administrator

The NX Portal Administrator is a special role that can only be assigned to one AgilePoint ID in an instance of NX Portal. In the NX Portal, this user is referred to as the System Administrator.

By default, in AgilePoint NX OnDemand (public cloud) the NX Portal Administrator is the user who submits the initial request for the tenant. In AgilePoint NX OnPremises or AgilePoint NX PrivateCloud, the AgilePoint NX System Administrator (AgilePoint System Account) assigns the tenant administrator when he or she provisions the tenant.

This table shows the permissions for the NX Portal Administrator.

Applies to Deployment Types

Permissions

System	Permissions	Notes
AgilePoint NX Portal tenant	Receives e-mail notifications if an update or an exception occurs on the tenant. Has all access rights for the system administrator role. Can change the access rights for the system administrator role.	An AgilePoint NX Portal instance can have only one Administrator of this type. Only the current NX Portal Administrator can change the NX Portal Administrator. For more information, refer to How Do I Change the NX Portal Administrator?

How To Create or Change the NX Portal Administrator

By default, in OnPremises or PrivateCloud environments, the NX Portal Administrator is assigned to the AgilePoint System Account when you install AgilePoint NX.
By default, in OnDemand (public cloud) environments, the NX Portal Administrator is assigned to the first user added to an environment when you sign up for AgilePoint NX environment.
To change the NX Portal Administrator, refer to How Do I Change the Credentials for AgilePoint Administrator Accounts?.

System Administrator Role

System administrator is the common administrator role for the AgilePoint NX Portal. Any registered AgilePoint NX user can be assigned the system administrator role. There is no limit to the number of users who can be assigned the system administrator role. The system administrator role is subordinate to the NX Portal Administrator.

Note: The system administrator role is different from the AgilePoint NX System Administrator. The AgilePoint NX System Administrator is one person, independent of any accounts or permissions. System administrator is a security role that can be assigned to any NX Portal user.

This table shows the permissions for the system administrator role.

Applies to Deployment Types

Permissions

System	Permissions	Notes
AgilePoint NX Portal tenant	Manage settings on the AgilePoint NX Portal. Add, modify, and delete users, groups, and roles. Manage applications, processes, eForms, shared variables, shared lists and other shared resources.	You can have more than one AgilePoint NX account with the system administrator role. You can add administrator role types with different access rights. The default system administrator role is not the only type of administrator role that you can create in the NX Portal. For more information, refer to Add System Administrators

How To Add the System Administrator Role to a User or Group

By default, in OnPremises or PrivateCloud environments, the NX Portal Administrator is assigned the System Administrator role when you install AgilePoint NX.
By default, in OnDemand environments, the system administrator role is assigned to the first user added to an environment when you sign up for AgilePoint NX environment.
To add the system administrator role to other users or groups, refer to Add System Administrators.

Security Group Administrators

A security group is a set of permissions for functional areas within AgilePoint NX, such as apps or Data Entities. By default, the NX Portal Administrator has the highest level of permissions for all of these secuirty groups. Effectively, the NX Portal Administrator is also the default administrator for all security groups.

This table shows the permissions for the administrators of each secuirty group in AgilePoint NX.

Applies to Deployment Types

Security Group Types

Security Group	Definition	More Information
Enable Application Permission Control	The user who creates a form-based app or process-based app becomes an application owner by default. Other users can not see the application in the App Builder. The application owner must add application owners or designers on the Permission Settings screen. Lets you set access rights specific to an application as an alternative to applying access controls to all applications in your AgilePoint NX environment. When you enable this feature, it only applies to new applications, not the applications that already exist. To apply application level permissions to your existing applications, you can change the settings for those applications as necessary..	Tenant Settings.
Entity Global Permission Managers	A global entity permissions manager is a user or group who has full permissions read, edit, create, and delete records for all entities in AgilePoint NX Data Entities, and can also manage permissions for other users and groups on all entities. The entity owner role gives similar permissions for an individual entity in Data Entities.	Entity Global Permission Managers > Permission Settings screen.
Manage Global Permission	Manage global permission is a type of user or group who has full permissions for all pages in AgilePoint NX Page Builder. The members of manage global permission security group can add page, edit, check out and check in the page on behalf of other users, save, preview, publish, rollback, and delete page, and can also manage permissions for other users and groups on all pages. They can also create and edit menus and CSS snippets. The page owner role gives similar permissions for an individual page in Page Builder.	Manage Global Permission > Page Builder Permission Settings screen.

Security Group

Definition

More Information

Enable Application Permission Control

The user who creates a form-based app or process-based app becomes an application owner by default. Other users can not see the application in the App Builder. The application owner must add application owners or designers on the Permission Settings screen.

Lets you set access rights specific to an application as an alternative to applying access controls to all applications in your AgilePoint NX environment.

When you enable this feature, it only applies to new applications, not the applications that already exist. To apply application level permissions to your existing applications, you can change the settings for those applications as necessary..

Tenant Settings.

Entity Global Permission Managers

A global entity permissions manager is a user or group who has full permissions read, edit, create, and delete records for all entities in AgilePoint NX Data Entities, and can also manage permissions for other users and groups on all entities.

The entity owner role gives similar permissions for an individual entity in Data Entities.

Entity Global Permission Managers > Permission Settings screen.

Manage Global Permission

Manage global permission is a type of user or group who has full permissions for all pages in AgilePoint NX Page Builder. The members of manage global permission security group can add page, edit, check out and check in the page on behalf of other users, save, preview, publish, rollback, and delete page, and can also manage permissions for other users and groups on all pages. They can also create and edit menus and CSS snippets.

The page owner role gives similar permissions for an individual page in Page Builder.

Manage Global Permission > Page Builder Permission Settings screen.