AgilePoint NX System Administrator

The AgilePoint NX system administrator is the primary custodian of AgilePoint Server installation and maintenance tasks. This user is required during installation, upgrades, managing the server on a daily basis, assigning others permission to use the system, monitoring alerts, and so on.

This function is usually fulfilled by a person from the customer's IT team who manages other servers in your environment. Once the installation is complete, a system administrator is required only part time. AgilePoint Server typically does not need a full-time administrator.

Good to Know

  • These administrator types have similar names, and they are easy to confuse:
    • The AgilePoint NX System Administrator is a person who is responsible for several administrator accounts and roles. In most cases, there is one primary AgilePoint NX System Administrator, but this is not a technical limitation.
    • A tenant administrator is a person who is responsible for one AgilePoint Server tenant. In multi-tenant environments, each tenant can have its own administrator, but this is not a technical limitation.
    • The AgilePoint System Account is a set of credentials for managing AgilePoint Server. There can be only one AgilePoint System Account. In most cases, one human user is assigned these credentials.
    • The AgilePoint Service Account is a set of credentials AgilePoint Server uses to connect with other systems. There can be only one AgilePoint Service Account. Only the AgilePoint Server software uses these credentials, and they are not assigned to a human user. However, the AgilePoint NX System Administrator is usually responsible for maintaining these credentials.
    • The Tenant Administrator is a master administrator setting for the NX Portal. There can be only one Tenant Administrator.

      The Tenant Administrator is assigned on the Tenant Settings.

    • The Administrator is a security role on the NX Portal. Any number of users can be assigned the Administrator role.

AgilePoint System Account

The AgilePoint System Account is the primary administrator account for AgilePoint Server, especially the AgilePoint Server Configuration Utility and the Windows services associated with the AgilePoint server-side components.

By default, the AgilePoint System Account is assumed to use the same credentials as other administrator tasks on the AgilePoint Server machine, such as the Windows administrator account. However, for security purposes, AgilePoint recommends you separate these credentials after AgilePoint Server is installed.

When AgilePoint Server is installed, the credentials for the AgilePoint System Account are the same as the AgilePoint Service Account. The purpose of this is to simplify the AgilePoint Server installation. However, for security purposes, AgilePoint recommends you separate these credentials after AgilePoint Server is installed.

Note: The names and purposes of the AgilePoint System Account and AgilePoint Service Account are similar, and they are often confused, even by AgilePoint employees. If there is a discrepancy about the purposes of these accounts, this document provides the official explanation from AgilePoint.
Figure: AgilePoint Server Configuration > System tab

Applies to Deployment Types

Permissions and Configuration

System: AgilePoint Server Machines

Permissions:

  • Local administrator
  • ServiceLogon
  • Member of the following groups:
    • Administrator
    • Performance Monitor Users
    • IIS_IUSRS
    • adHocAdmin
  • Service Principal Name (SPN)

Notes:

  • This user account will also be used to initially sign in to AgilePoint NX.
  • If you are installing AgilePoint Server on a Domain Controller, this cannot be a local administrator account.
  • The adHocAdmin group is required for Report Center. You may need to create this group in your environment.

    In most cases, Report Center is installed on the AgilePoint Server machine.

    Note: The Report Center component (sometimes referred to as AgileReports) can only be used by customers who purchased this component before April 1, 2020. This version is no longer available for purchase, including by current and previous purchasers of AgilePoint NX or the Report Center component. In AgilePoint NX v8.0 and higher, Report Center has been replaced with the Analytics Center component.
  • SetSPN is required for Kerberos only. For more information, refer to Set Service Principal Name (SetSPN).

System: AgilePoint Server service instances

Permissions:

  • Create an instance
  • Delete an instance
  • Configure AgilePoint Server
  • Start or stop an instance

System: AgilePoint NX Portal tenants

How To Create or Change This Account

AgilePoint Service Account

The AgilePoint Service Account is the set of authentication credentials AgilePoint Server uses to connect to other systems, such as the database server.

The AgilePoint Service Account is a "headless" account, which means that a person is not associated with the credentials. Instead, the AgilePoint Server software or AgilePoint NX system is represented by these credentials. In other words, the AgilePoint NX System Administrator manages the credentials for the AgilePoint Service Account, but the (human) administrator does not use these credentials to authenticate to any system.

When AgilePoint Server is installed, the credentials for the AgilePoint System Account are the same as the AgilePoint Service Account. The purpose of this is to simplify the AgilePoint Server installation. However, for security purposes, AgilePoint recommends you separate these credentials after AgilePoint Server is installed.

Note: The names and purposes of the AgilePoint System Account and AgilePoint Service Account are similar, and they are often confused, even by AgilePoint employees. If there is a discrepancy about the purposes of these accounts, this document provides the official explanation from AgilePoint.
Note: In the AgilePoint UI, the Service Account is referred to as Impersonation.
Figure: AgilePoint Server Manager screen

Applies to Deployment Types

Permissions and Configuration

System: AgilePoint Server Machines

Permissions:

  • Local administrator
  • ServiceLogon
  • Member of the following groups:
    • Administrator
    • Performance Monitor Users
    • IIS_IUSRS
    • adHocAdmin
  • Service Principal Name (SPN)

Notes:

  • This user account will also be used to initially sign in to AgilePoint NX.
  • If you are installing AgilePoint Server on a Domain Controller, this cannot be a local administrator account.
  • The adHocAdmin group is required for Report Center. You may need to create this group in your environment.

    In most cases, Report Center is installed on the AgilePoint Server machine.

    Note: The Report Center component (sometimes referred to as AgileReports) can only be used by customers who purchased this component before April 1, 2020. This version is no longer available for purchase, including by current and previous purchasers of AgilePoint NX or the Report Center component. In AgilePoint NX v8.0 and higher, Report Center has been replaced with the Analytics Center component.
  • SetSPN is required for Kerberos only. For more information, refer to Set Service Principal Name (SetSPN).

System: Database

Permissions:

  • db_owner privileges

Notes:

During installation, AgilePoint requires db_owner privileges in SQL Server to create the tables required on the database. For security purposes, after you finish the AgilePoint Server configuration, you can remove the AgilePoint Server service account from the db_owner role to take away the CREATE TABLE privilege, and instead add this user to the db_datareader and db_datawriter roles. Note that when the database schema is updated in the future (for example, for an upgrade), you must add this account back to the db_owner role so that the database schema can be updated.

AgilePoint recommends that you configure the permissions for the AgilePoint SQL database account so that INSERT, UPDATE, DELETE, SELECT, … are granted by schema (namespace), only on the AgilePoint tables at the database level, instead of on the generic dbo schema, in order to restrict access.

System: SharePoint

Permissions:

  • Member of the following groups:
    • SharePoint Farm Administrators (applies to SharePoint Farm only)
    • Site Collection Administrators

Notes:

  • When AgilePoint Server is installed, by default these privileges are associated with the AgilePoint Service Account. However, for security purposes, AgilePoint recommends separating this account from the AgilePoint Service Account to create a unique SharePoint account for the AgilePoint system. This account is sometimes referred to as the SharePoint impersonator.
  • AgilePoint recognizes that adding this user to the SharePoint Site Collection Administrators group does not follow the least-privileged account best practice. If you want to make sure you are following this best practice, make sure this account has at least Contribute rights on each SharePoint site where Lists, Document Libraries, or Form Libraries are associated with an AgilePoint process.

    Usually, it is enough to add this account to the [Site Collection Name] Members SharePoint group. However, you must:

    • Make sure that group has Contribute rights on SharePoint.
    • Make sure inheritance is not broken on sub-sites, because that might prevent the Impersonator account from accessing those sub-sites. The account would have to be added to the Members role of each sub-site that breaks inheritance from its parent site.

System: Data Services Machine

Permissions:

  • Local administrator
  • ServiceLogon

Notes:

  • This machine may be the same as the AgilePoint Server machine.
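As an added example that is not part of the AgilePoint documentation, the T-SQL below carries out the database hardening described in the Database notes above: it drops the service account from db_owner once configuration is finished, grants the narrower access in both of the forms the text describes, and checks from the account's own point of view that no schema-changing permission remains. The database name [AgilePointDB], the login [CONTOSO\svc-agilepoint], and the schema [AgilePoint] are placeholders for your environment.

```sql
-- Added example, not AgilePoint's own script. Placeholder names:
--   [AgilePointDB]            the AgilePoint database
--   [CONTOSO\svc-agilepoint]  the AgilePoint Service Account (Windows login)
--   [AgilePoint]              the schema that holds the AgilePoint tables
USE [AgilePointDB];
GO

-- Step 1 (after installation and configuration are finished):
-- remove the broad db_owner membership that installation required.
ALTER ROLE db_owner DROP MEMBER [CONTOSO\svc-agilepoint];
GO

-- Step 2, option A (the simpler form in the text): read/write on every
-- table through the fixed database roles. This still covers dbo tables.
ALTER ROLE db_datareader ADD MEMBER [CONTOSO\svc-agilepoint];
ALTER ROLE db_datawriter ADD MEMBER [CONTOSO\svc-agilepoint];
GO

-- Step 2, option B (the tighter recommendation): DML by schema, only on
-- the AgilePoint tables. Use this INSTEAD of option A when the AgilePoint
-- tables live in their own schema rather than in dbo: skip the two
-- ALTER ROLE ... ADD MEMBER statements above and run this grant.
-- GRANT SELECT, INSERT, UPDATE, DELETE
--     ON SCHEMA::[AgilePoint] TO [CONTOSO\svc-agilepoint];
-- GO

-- Step 3: verify, impersonating the service account, that no
-- schema-changing permission remains at database scope. Any row
-- returned here means the account can still alter the schema.
-- (The check is only meaningful if the login is not also a member of
-- the server-level sysadmin role, which bypasses database permissions.)
EXECUTE AS USER = 'CONTOSO\svc-agilepoint';
SELECT permission_name
FROM   fn_my_permissions(NULL, 'DATABASE')
WHERE  permission_name IN ('CREATE TABLE', 'ALTER', 'CONTROL');
REVERT;
GO

-- Step 4: before a future schema update (for example an upgrade),
-- temporarily restore db_owner, then repeat Step 1 afterwards.
-- ALTER ROLE db_owner ADD MEMBER [CONTOSO\svc-agilepoint];
```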

How To Create or Change This Account

Tenant Administrator (Setting) Permissions

The Tenant Administrator is a special setting that can only be assigned to one AgilePoint ID in an instance of AgilePoint NX Portal. In the NX Portal, this user is referred to as the Tenant Administrator.

By default, in AgilePoint NX OnDemand (public cloud) the Tenant Administrator is the user who submits the initial request for the tenant. In AgilePoint NX OnPremises or AgilePoint NX Private Cloud, the AgilePoint NX System Administrator (AgilePoint System Account) assigns the Tenant Administrator when they provision the tenant.

Figure: Tenant Information tab (Settings)

Applies to Deployment Types

Permissions

System: AgilePoint NX Portal tenant

Permissions:

  • Receives e-mail notifications if an update or an exception occurs on the tenant.
  • Has all access rights for the Administrator role.
  • Can change the access rights for the Administrator role.

Notes:

  • An AgilePoint NX Portal instance can have only one Administrator of this type.
  • Only the current Tenant Administrator can change the Tenant Administrator setting.

    For more information, refer to How Do I Change the Tenant Administrator?

How To Create or Change the Tenant Administrator

Administrators (role)

Administrators is the common system administrator role for the AgilePoint NX Portal. Any registered AgilePoint NX user can be assigned the Administrators role. There is no limit to the number of users who can be assigned the Administrators role. The Administrators role is subordinate to the Tenant Administrator.

Note: The Administrators role is different from the AgilePoint NX System Administrator. The AgilePoint NX System Administrator is one person, independent of any accounts or permissions. Administrators is a security role that can be assigned to any NX Portal user.
Figure: New User Access Rights screen (Manage Center)

Applies to Deployment Types

Permissions

System: AgilePoint NX Portal tenant

Notes:

  • You can have more than one AgilePoint NX account with the Administrator role.
  • You can add Administrator role types with different access rights. The default Administrator role is not the only type of Administrator role that you can create in the NX Portal.
  • For more information, refer to Add System Administrators.

How To Add the Administrators Role to a User or Group

  • By default, in OnPremises or Private Cloud environments, the Tenant Administrator is assigned the Administrators role when you install AgilePoint NX.
  • By default, in OnDemand environments, the Administrators role is assigned to the first user added to an environment when you sign up for AgilePoint NX environment.
  • To add the Administrators role to other users or groups, refer to Add System Administrators.

Global Permissions Managers

A Global Permissions Manager is a type of permission group or role that has access rights to manage the permission groups for App Builder, Data Entities, Page Builder or other components that use permission groups in Manage Center.

Applies to Deployment Types

Global Permission Manager Permissions

Administrator (role)

Administrators is the common system administrator role for the AgilePoint NX Portal. Any registered AgilePoint NX user can be assigned the Administrators role. There is no limit to the number of users who can be assigned the Administrators role. The Administrators role is subordinate to the Tenant Administrator.

App Builder permissions are different from Page Builder and Data Entities because in App Builder, Administrators and App Designers are based on roles. In Page Builder and Data Entities, these access rights are based on permission groups.

Note: The Administrators role is different from the AgilePoint NX System Administrator. The AgilePoint NX System Administrator is one person, independent of any accounts or permissions. Administrators is a security role that can be assigned to any NX Portal user.
Permissions:

This role has these permissions for all apps:

  • Manage permissions for App Builder.
  • Assign the App Designers role to users or groups in Manage Center.
  • Full access rights for all apps in App Builder.
  • Turn on App-Level Permissions in the Portal Settings.

Global Data Entities Permission Managers

Global Data Entities Permission Managers is a permission group for users or groups who have full access rights for the Data Entities component. Global Data Entities Permission Managers can manage other permission groups for the Data Entities component and for all specific entities.

Limitations:
  • At least one user must belong to the Global Data Entities Permission Managers permission group to access the Data Entities component.

    Global Data Entities Permission Managers can add users to the Entity Designers permission group in Manage Center to access the Data Entities component, or to any entity-level permission group to access a specific entity.

Permissions:

This permission group has these permissions:

  • Manage permission groups for the Data Entities component and all specific entities
  • These permissions from Entity Designers, configured in Manage Center:
    • Create custom entities
    • Add picklists, picklist items, fields, and relationships in standard (out of the box) entities
    • Change custom entities
    • Delete custom entities
    • Save entity
    • Publish entity
    • Export entity
    • Import entity
    • Change entity properties
    • Create fields
    • Change fields
    • Delete fields
    • Create relationships
    • Change relationships
    • Delete relationships
    • Change picklists
    • Delete picklists
    • Create picklist items
    • Change picklist items
    • Delete picklist items
    • Export picklists
    • Import picklists
  • These permissions from Delete Records:
    • Delete records
  • These permissions from Create Records:
    • Create (add) records
  • These permissions from Edit Records:
    • Edit (change) records
  • These permissions from Read Records:
    • Read (view) records

Global Page Builder Permission Managers

Global Page Builder Permission Managers is a permission group for users or groups who have full access rights for the Page Builder component. Global Page Builder Permission Managers can manage other permission groups for the Page Builder component and for all specific custom pages.

Limitations:
  • At least one user must belong to the Global Page Builder Permission Managers permission group to access the Page Builder component.

    Global Page Builder Permission Managers can add users to the Page Designers permission group in Manage Center to access the Page Builder component, or to any page-level permission group to access a specific page.

Permissions:

This permission group has these permissions:

  • Manage permission groups for the Page Builder component and all specific pages
  • These permissions from Page Designers, configured in Manage Center:
    • Create custom pages
    • Check out and check in pages on behalf of other users
    • Delete page
    • Preview page
    • Edit page
    • Create or change menus
    • Add or change custom CSS
    • Save page
    • Publish page
    • Check in and check out page
    • Roll back page version
    • Import page
    • Export page
  • These permissions from Page Viewers:
    • View page