Accounts and permissions for installation and deployment

Below is a summary of the account permissions that you need to install and deploy Server Suite.

The following topics are included:

Centrify Authentication and Privilege Elevation Services permissions

Access Manager account permissions
Account name (suggested)	Type of account	Required permissions	Notes
n/a	Domain administrator (when running Access Manager for the first time)	domain admin (in most cases)	Because the Setup Wizard creates container objects, you might need to use a domain administrator account. This requirement depends on the specific permissions your organization has configured for different classes of users. For example, if your organization only permits Domain Admins to create parent and child objects in Active Directory, you need to use an account with those permissions to run the Setup Wizard.

For more information, see:

Zone Provisioning Agent permissions

Zone Provisioning Agent account permissions
Account name (suggested)	Type of account	Required permissions	Notes
Cfy_SVC_ZPA	Active Directory account	Log on as a service	The Zone Provisioning Agent requires permission to create UNIX profiles-- that is, the service connection points in each zone where it needs to perform provisioning operations. The service account that runs the Zone Provisioning Agent requires the Log on as a service right set as a local computer security policy, or in the default domain policy.

For more information, see:

About Zone Provisioning Agent and its requirements-

Report Services permissions

Report services account permissions
User type	Required Active Directory permissions	Required security policy permissions(group policy, or local policy)	Required SSRS permissions	Required SQL Server or PostgreSQL permissions
report service account to run the Reporting Service	For domain-based reporting: Replicating directory changes at the domain level (ADUC) and replicate directory changes in ADSI For zone-based reporting: Read permission	Log on as a service
SQL Server service account to run SQL Server	n/a	Log on as a service		member of the securityadmin role
PostgreSQL service account				the account must have permission to connect to PostgreSQL and create a database
report admin to run the Report Configuration wizard or the Upgrade & Deployment wizard and deploy reports to an existing SQL Server instance	needs to be a member of the domain	n/a	Folder Settings > Content Manager role	member of the securityadmin role (At the very least, the user needs permission to connect to SQL Server and create a database.)
report admin to modify the Reports Control Panel	Read permission to the domain root object of the selected domain. Read permission to all computer objects in the selected domain.	n/a
Report viewer to view reports from SSRS/Internet Explorer			Site settings > System user role Folder settings > browser (assign SSRS roles to Active Directory group or users)
Report writer read, write, edit access for reports, in addition to the permissions needed to view reports			Site settings > System user role Folder settings > Content Manager role (assign SSRS roles to Active Directory group or users)

SQL Server permissions set by the Report Services Configuration wizard
User type	Required SQL Server permissions
report services account to run the SQL Server Reporting Service	Snapshot Service (predefined role)
SQL Server service account to run SQL Server	If you deploy to an existing SQL Server instance, the configuration wizard makes no changes to the SQL Server service account. If you deploy to a new SQL Server instance: --If the operating system is Windows 2008 and you’re using a SQL Server version later than 2012, virtual accounts are used for various SQL Server components, as follows: SQL Server engine: NT SERVICE\MSSQL$<InstanceName> SQL Server Agent: NT SERVICE\SQLAgent$<InstanceName> Full text search: NT SERVICE\MSSQLFDLauncher$<InstanceName> SSRS: NT SERVICE\ReportServer$<InstanceName> --Otherwise, the SQL Server service accounts are configured as follows: SQL Server engine: NT Authority\Network Service SQL Server Agent: NT Authority\Network Service Full text search: NT Authority\Local Service SSRS: NT Authority\Local Service
report admin to run the Report Configuration Wizard and deploy reports to an existing SQL Server instance	Connect SQL (cannot be revoked after setup) Create Database, Create any database, or Alter any database member of securityadmin role, or Alter any login permission
report admin to modify the Reports Control Panel	SnapshotAdmin (predefined role)
Report viewer to view reports from SSRS/Internet Explorer	Login permission SnapshotViewer (predefined role)
Report writer read, write, edit access for reports, in addition to the permissions needed to view reports	Login permission SnapshotViewer (predefined role)

Note: Microsoft SQL Server Reporting System (SSRS) affords only role-based security in their reports. Be sure to grant appropriate access to reports. For example, if a user has access to only some data in the specified domain but all reports, they will be able to view all reports on all data from Active Directory.

For more information, see:

Audit & Monitoring permissions

Auditing permissions for SQL Server
SQL Server account	Type of account	Required permissions	Notes
NT Authority\System	machine account	SQL Server Roles: sysadmin role

Auditing security groups
Active Directory security groups	Type of account	Required SQL Server permissions	Notes
Centrify-Admins for the user accounts that perform administrative tasks using Audit Manager.	Active Directory	no explicit SQL Server permissions needed — Audit Manager handles the SQL Server permissions	Creating Active Directory security groups with SQL Server logins enables you to manage access to the databases required for auditing through Active Directory group membership without the help of the database administrator.
Centrify-Auditors for the user accounts that use Audit Analyzer.
Centrify-Collectors for the computer accounts that host the collector service.

For more information, see: