Accounts and Permissions for Installation and Deployment

Below is a summary of the account permissions that you need to install and deploy Server Suite.

Authentication and Privilege Elevation Services permissions

Access Manager Account Permissions

Account name (suggested) Type of account Required permissions Notes
n/a Domain administrator (when running Access Manager for the first time) domain admin (in most cases) Because the Setup Wizard creates container objects, you might need to use a domain administrator account. This requirement depends on the specific permissions your organization has configured for different classes of users. For example, if your organization only permits Domain Admins to create parent and child objects in Active Directory, you need to use an account with those permissions to run the Setup Wizard.

For more information, see:

Zone Provisioning Agent Account Permissions

Account name (suggested) Type of account Required permissions Notes
Cfy_SVC_ZPA Active Directory account Log on as a service The Zone Provisioning Agent requires permission to create UNIX profiles-- that is, the service connection points in each zone where it needs to perform provisioning operations. The service account that runs the Zone Provisioning Agent requires the Log on as a service right set as a local computer security policy, or in the default domain policy.

For more information, see:

Report Services Account Permissions

User type Required Active Directory permissions Required security policy permissions(group policy, or local policy) Required SSRS permissions Required SQL Server or PostgreSQL permissions
report service account to run the Reporting Service For domain-based reporting: Replicating directory changes at the domain level (ADUC) and replicate directory changes in ADSI For zone-based reporting: Read permission Log on as a service
SQL Server service account to run SQL Server n/a Log on as a service member of the securityadmin role
PostgreSQL service account the account must have permission to connect to PostgreSQL and create a database
report admin to run the Report Configuration wizard or the Upgrade & Deployment wizard and deploy reports to an existing SQL Server instance needs to be a member of the domain n/a Folder Settings > Content Manager role member of the securityadmin role (At the very least, the user needs permission to connect to SQL Server and create a database.)
report admin to modify the Reports Control Panel Read permission to the domain root object of the selected domain. Read permission to all computer objects in the selected domain. n/a
Report viewer to view reports from SSRS/Internet Explorer Site settings > System user role Folder settings > browser (assign SSRS roles to Active Directory group or users)
Report writer read, write, edit access for reports, in addition to the permissions needed to view reports Site settings > System user role Folder settings > Content Manager role (assign SSRS roles to Active Directory group or users)

SQL Server Permissions Set by the Report Services Configuration Wizard

User type Required SQL Server permissions
report services account to run the SQL Server Reporting Service Snapshot Service (predefined role)
SQL Server service account to run SQL Server If you deploy to an existing SQL Server instance, the configuration wizard makes no changes to the SQL Server service account.

If you deploy to a new SQL Server instance: --If the operating system is Windows 2008 and you’re using a SQL Server version later than 2012, virtual accounts are used for various SQL Server components, as follows:

SQL Server engine:
NT SERVICE\MSSQL$<InstanceName>

SQL Server Agent:
NT SERVICE\SQLAgent$<InstanceName>

Full text search:
NT SERVICE\MSSQLFDLauncher$<InstanceName>

SSRS:
NT SERVICE\ReportServer$<InstanceName>

--Otherwise, the SQL Server service accounts are configured as follows:

SQL Server engine: NT Authority\Network Service
SQL Server Agent: NT Authority\Network Service
Full text search: NT Authority\Local Service
SSRS: NT Authority\Local Service
report admin to run the Report Configuration Wizard and deploy reports to an existing SQL Server instance Connect SQL (cannot be revoked after setup) Create Database, Create any database, or Alter any database member of securityadmin role, or Alter any login permission
report admin to modify the Reports Control Panel SnapshotAdmin (predefined role)
Report viewer to view reports from SSRS/Internet Explorer Login permission SnapshotViewer (predefined role)
Report writer read, write, edit access for reports, in addition to the permissions needed to view reports Login permission SnapshotViewer (predefined role)

Microsoft SQL Server Reporting System (SSRS) affords only role-based security in their reports. Be sure to grant appropriate access to reports. For example, if a user has access to only some data in the specified domain but all reports, they will be able to view all reports on all data from Active Directory.

For more information, see:

  • "Required User Permissions for Report Services" and "SQL Server Permissions that are Set by the Configuration Wizard" in the Report Administrator’s Guide

Audit & Monitoring Permissions

Auditing permissions for SQL Server

SQL Server account Type of account Required permissions Notes
NT Authority\System machine account SQL Server Roles: sysadmin role

Auditing security groups

Active Directory security groups Type of account Required SQL Server permissions Notes
Admins for the user accounts that perform administrative tasks using Audit Manager. Active Directory no explicit SQL Server permissions needed — Audit Manager handles the SQL Server permissions Creating Active Directory security groups with SQL Server logins enables you to manage access to the databases required for auditing through Active Directory group membership without the help of the database administrator.
Auditors for the user accounts that use Audit Analyzer.
Collectors for the computer accounts that host the collector service.

For more information, see Checking SQL Server Logins for Auditing.