Set Up the AgilePoint Service Account

An AgilePoint solution is comprised of a number of software components that all must communicate with one another. This topic shows the systems and permissions that are required for various AgilePoint administrator accounts.

Good to Know

AgilePoint Service Account Permissions

SystemPermissionsNotes

AgilePoint Server Machines

  • Local administrator
  • ServiceLogon
  • Member of the following groups:
    • Administrator
    • Performance Monitor Users
    • IIS_IUSRS
  • This user account will also be used to initially sign in to AgilePoint NX.
  • If you are installing AgilePoint Server on a Domain Controller, this cannot be a local administrator account.

Database

  • db_owner privileges

During installation, AgilePoint requires db_owner privileges in SQL Server to create the tables required on the database. For security purposes, after finishing the AgilePoint Server configuration, you can remove the AgilePoint Server service account from the db_owner role in order to disallow the Create table privilege. Instead you can add this user to the db_datareader and db_datawriter role memberships. Please note that when updating the database schema in the future (e.g. for an upgrade), you will need to add this account back to the db_owner role in order for the database schema to be updated

It is recommended to configure permissions for the SQL database account for AgilePoint, which grants INSERT, UPDATE, DELETE and SELECT, … by schema (namespace), ONLY on AgilePoint tables at the database level, instead of using the generic dbo schema to restrict access.

SharePoint

  • Member of the following groups:
    • SharePoint Farm Administrators (applies to SharePoint Farm only)
    • Site Collection Administrators
  • When AgilePoint Server is installed, by default these privileges are associated with the AgilePoint Service Account. However, for security purposes, AgilePoint recommends separating this account from the AgilePoint Service Account to create a unique SharePoint account for the AgilePoint system. This account is sometimes referred to as the SharePoint impersonator.
  • AgilePoint recognizes that adding this user to the SharePoint Site Collection Administrators group does not follow the least-privileged account best practice. If you want to make sure you are following this best practice, make sure this account has at least has Contribute rights on each SharePoint site where Lists, Document Libraries or Form Libraries are associated to an AgilePoint process.

    Usually, it's enough to add that this account to the [Site Collection Name] Members SharePoint Group. However, you must:

    • Make sure that group has Contribute rights on SharePoint.
    • Make sure inheritance is not broken on sub-sites as that might prevent that Impersonator account to access those sub-sites – it would have to be added to the Members role of each of those sub-sites that break inheritance with their parent site.

Data Services Machine

  • Local administrator
  • ServiceLogon
  • This machine may be the same as the AgilePoint Server machine.