AgilePoint Service Account (headless account)

The AgilePoint Service Account is the set of authentication credentials AgilePoint Server uses to connect to other systems, such as the database server.

The AgilePoint Service Account is a "headless" account, which means that a person is not associated with the credentials. Instead the AgilePoint Server software or AgilePoint NX system is represented with these credentials. In other words, the AgilePoint NX System Administrator manages the credentials for the AgilePoint Service Account, but the (human) adminsitrator does not use these credentials to authenticate to any system.

When AgilePoint Server is installed, the credentials for the AgilePoint System Account are the same as the AgilePoint Service Account. The purpose of this is to simplify the AgilePoint Server installation. However, for security purposes, AgilePoint recommends you separate these credentials after AgilePoint Server is installed.

Note: The names and purposes of the AgilePoint System Account and AgilePoint Service Account are similar, and they are often confused, even by AgilePoint employees. If there is a discrepancy about the purposes of these accounts, this document provides the official explanation from AgilePoint.
Note: In the AgilePoint UI, the Service Account is referred to as Impersonation.
Figure: AgilePoint Server Manager screen

AgilePoint Server Manager screen

Applies to Deployment Types

Permissions and Configuration

SystemPermissionsNotes

AgilePoint Server Machines

  • Local administrator
  • ServiceLogon
  • Member of the following groups:
    • Administrator
    • Performance Monitor Users
    • IIS_IUSRS
  • This user account will also be used to initially sign in to AgilePoint NX.
  • If you are installing AgilePoint Server on a Domain Controller, this cannot be a local administrator account.

Database

  • db_owner privileges

During installation, AgilePoint requires db_owner privileges in SQL Server to create the tables required on the database. For security purposes, after finishing the AgilePoint Server configuration, you can remove the AgilePoint Server service account from the db_owner role in order to disallow the Create table privilege. Instead you can add this user to the db_datareader and db_datawriter role memberships. Please note that when updating the database schema in the future (e.g. for an upgrade), you will need to add this account back to the db_owner role in order for the database schema to be updated

It is recommended to configure permissions for the SQL database account for AgilePoint, which grants INSERT, UPDATE, DELETE and SELECT, … by schema (namespace), ONLY on AgilePoint tables at the database level, instead of using the generic dbo schema to restrict access.

SharePoint

  • Member of the following groups:
    • SharePoint Farm Administrators (applies to SharePoint Farm only)
    • Site Collection Administrators
  • When AgilePoint Server is installed, by default these privileges are associated with the AgilePoint Service Account. However, for security purposes, AgilePoint recommends separating this account from the AgilePoint Service Account to create a unique SharePoint account for the AgilePoint system. This account is sometimes referred to as the SharePoint impersonator.
  • AgilePoint recognizes that adding this user to the SharePoint Site Collection Administrators group does not follow the least-privileged account best practice. If you want to make sure you are following this best practice, make sure this account has at least has Contribute rights on each SharePoint site where Lists, Document Libraries or Form Libraries are associated to an AgilePoint process.

    Usually, it's enough to add that this account to the [Site Collection Name] Members SharePoint Group. However, you must:

    • Make sure that group has Contribute rights on SharePoint.
    • Make sure inheritance is not broken on sub-sites as that might prevent that Impersonator account to access those sub-sites – it would have to be added to the Members role of each of those sub-sites that break inheritance with their parent site.

Data Services Machine

  • Local administrator
  • ServiceLogon
  • This machine may be the same as the AgilePoint Server machine.

How To Create or Change This Account

Good to Know

  • Other system administrator types covered in this section — Tenant Administrator (person), Database Administrator, and Network Administrator — are all human roles in an organization. That is, these are functions that human users serve, rather than administrator accounts, roles, or access controls within AgilePoint NX. All of the credentials for these administrator types are covered on this page. The subsequent pages — Tenant Adminstrator, Database Administrator, and Network Administrator — represent ways that these credentials can be divided among the responsiblities of human administrator users. Thus, there is some duplication of content for these pages. However, subsequent pages also cover some privileges for AgilePoint NX on external systems that these people manage, such as the database and SharePoint.
  • These administrator types have similar names, and they are easy to confuse:
    • The AgilePoint NX System Administrator is a person who is responsible for several administrator accounts and roles. In most cases, there is one primary AgilePoint NX System Administrator, but this is not a technical limitation.
    • Tenant Administrator (capitalized) is a master administrator setting for the NX Portal. There can be only one Tenant Administrator.

      The Tenant Administrator is assigned on the Tenant screen.

    • A tenant administrator (small letters) is a person who is resonsible for one AgilePoint Server tenant. In multi-tenant environments, each tenant can have its own tenant administrator, but this is not a technical limitation.

      The tenant administrator (person) usually has the Tenant Administrator setting, as well as other security roles. However, the privileges are the decision of an organization and not a technical limitation.

    • The AgilePoint System Account is a set of credentials for managing AgilePoint Server. There can be only one AgilePoint System Account. In most cases, one human user is assigned these credentials. The names for the System Account and Service Account, especially, are often confused.
    • The AgilePoint Service Account is a set of credentials AgilePoint Server uses to connect with other systems. There can be only one AgilePoint Service Account. Only the AgilePoint Server software uses these credentials, and they are not assigned to a human user. However, the AgilePoint NX System Administrator is usually responsible for maintaining these credentials. The names for the System Account and Service Account, especially, are often confused.
    • Administrator is a security role on the NX Portal. Any number of users can be assigned the Administrator role.

Related Topics

Examples

About This Page

This page is a navigational feature that can help you find the most important information about this topic from one location. It centralizes access to information about the concept that may be found in different parts of the documentation, provides any videos that may be available for this topic, and facilitates search using synonyms or related terms. Use the links on this page to find the information that is the most relevant to your needs.

Keywords

system administrator, administrators, administrator, service account, system account, server administrator, service administrator, global administrator, master administrator, master account, super user