Setting Up the AgilePoint Service Account

An AgilePoint solution is comprised of a number of software components that all must communicate with one another. The AgilePoint Service Account is the master administrator account for the AgilePoint system.

The following table provides the systems and permissions that are required for the AgilePoint Service Account.


AgilePoint Service Account Permissions

The table below has been laid out as one entry per system, each listing the required permissions followed by notes.

AgilePoint Server Machines

Permissions:

  • Local administrator
  • ServiceLogon
  • Member of the following groups:
    • Administrator
    • Performance Monitor Users
    • IIS_IUSRS (Windows Server 2008 or 2012)
    • IIS_WPG (Windows Server 2003)
    • adHocAdmin
  • Service Principal Name (SPN)

Notes:

  • This user account is also used for the initial login to AgilePoint Enterprise Manager.
  • If you are installing AgilePoint Server on a Domain Controller, this cannot be a local administrator account.
  • The adHocAdmin group is required for AgileReports. You may need to create this group in your environment. In most cases, AgileReports is installed on the AgilePoint Server machine.
  • SetSPN is required for Kerberos only. For more information, see Setting Service Principal Name (SetSPN).

Database

Permissions:

  • db_owner privileges
  • For Oracle, this user must be able to create and modify database tables and data.

Notes:

During installation, AgilePoint requires db_owner privileges in SQL Server (or equivalent privileges in Oracle) to create the tables it needs in the database. For security purposes, after you finish the AgilePoint Server configuration, you can remove the AgilePoint Server service account from the db_owner role so that it no longer holds the CREATE TABLE privilege, and add it to the db_datareader and db_datawriter roles instead. Note that whenever the database schema is updated in the future (for example, during an upgrade), you must add this account back to the db_owner role so that the schema can be updated.
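The least-privilege sequence described above, written out as T-SQL for SQL Server. This is an added example, not an AgilePoint script; the database name AgilePointDB and the login DOMAIN\svc_agilepoint are placeholders for your own values.

```sql
-- Added example (not from AgilePoint). Placeholders: AgilePointDB, DOMAIN\svc_agilepoint.
USE AgilePointDB;
GO

-- 1. During installation: the service account needs db_owner so the
--    installer can create the AgilePoint tables.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'DOMAIN\svc_agilepoint')
    CREATE USER [DOMAIN\svc_agilepoint] FOR LOGIN [DOMAIN\svc_agilepoint];
ALTER ROLE db_owner ADD MEMBER [DOMAIN\svc_agilepoint];
GO

-- 2. After AgilePoint Server configuration is finished: drop db_owner
--    (which removes CREATE TABLE along with every other schema and
--    ownership right) and keep only read/write access to existing tables.
ALTER ROLE db_owner      DROP MEMBER [DOMAIN\svc_agilepoint];
ALTER ROLE db_datareader ADD  MEMBER [DOMAIN\svc_agilepoint];
ALTER ROLE db_datawriter ADD  MEMBER [DOMAIN\svc_agilepoint];
GO

-- 3. Verify: the account should now appear only in db_datareader and
--    db_datawriter. Before an upgrade, re-run step 1 for the duration of
--    the schema update, then repeat step 2.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE m.name = N'DOMAIN\svc_agilepoint'
ORDER BY r.name;
GO
```

ALTER ROLE ... ADD MEMBER / DROP MEMBER requires SQL Server 2012 or later; on SQL Server 2008 use sp_addrolemember and sp_droprolemember with the same role and user names.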

SharePoint

Permissions:

  • Member of the following groups:
    • SharePoint Farm Administrators (applies to SharePoint Farm only)
    • Site Collection Administrators

Notes:

AgilePoint recognizes that adding this user to the SharePoint Site Collection Administrators group does not follow the least-privileged account best practice. If you want to follow this best practice, ensure this account has at least Contribute rights on each SharePoint site where Lists, Document Libraries or Form Libraries are associated with an AgilePoint Process.

Usually it is enough to add this account to the [Site Collection Name] Members SharePoint Group. However, you must:

  • Ensure that group has Contribute rights on SharePoint.
  • Ensure inheritance is not broken on sub-sites, as that might prevent the Impersonator account from accessing those sub-sites. The account would have to be added to the Members role of each sub-site that breaks inheritance with its parent site.

Data Services Machine

Permissions:

  • Local administrator
  • ServiceLogon

Notes:

  • This machine may be the same as the AgilePoint Server machine.

Deployment Service Machine

Permissions:

  • Local administrator
  • ServiceLogon

Notes:

  • This machine may be the same as the AgilePoint Server machine.

AgileForms Server Machine

Permissions:

  • Local administrator
  • Application Pool Identity for the main AgileForms web application and the proxy site (AFProxy).

For more information, see Setting Up IIS.