• Article

Planning Server Application Pool Identity and Service Identity Account Considerations

Updated: 2009-04-09

The Windows user account used for the Planning Server application pool and service identity (SI) account should be a domain account. The account cannot be a group account or the local administrator account on the SQL Server computer; it must be its own distinct account with both local and domain access.

The Planning Server application pool identity and SI account must have the following:

  • Network access to local computers

  • Access to log in to network and local computers as a batch process

  • Access to log in to network and local computers as a service

If network access to local computers has been explicitly denied on the host computer or the domain, by means of a group policy, then PerformancePoint Planning Server setup using the Planning Server Configuration Manager will be halted at the Account setup page.

If network login access as a batch process or service is denied, the Planning Server Configuration Manager will proceed to completion but errors will occur with the IIS application pool and Windows service used by Planning Server. The Windows service will not run and the application pools will not start when the Web site or Web service is accessed by Planning Server .

Note

We do not recommend choosing an account that is a computer or SQL Server administrator account.

Planning SI account permissions

The Planning Server Configuration Manager will set all permissions that the Planning SI account needs automatically.

The following are set by Planning Server Configuration Manager for the Planning SI account:

  • Planning account is added to the IIS_WPG Windows Group.

  • Planning account is added to a local security policy on the host computer.

  • Planning account is added to the SQL Server Security Logins.

    For a stand-alone Planning Server installation: The dbcreator permissions in SQL Server are set and Alter Trace permissions are granted on the SQL Server computer's application pool identity and SI account. Additionally, the Planning application pool identity and SI account is added to the Analysis Services server's security role.

    For a distributed Planning Server installation on a SQL Server computer that only contains application databases: The following are not set or added by the Planning Server Configuration Manager and must be set manually:

    • The dbcreator permission

    • The Planning application pool identity and SI accounts addition to the Analysis Services server's security role.

    Refer to Prepare SQL Server to host an application database for complete details.

  • The Planning application pool identity account is used to run two IIS application pools for the PerformancePoint Planning Administration console and Planning Web Service.

  • The Planning SI account is used to run the PerformancePoint Planning Process Service.

For a stand-alone installation, the Planning Server Configuration Manager will complete all tasks required to completely configure Planning Server accounts and permissions. For a distributed computer installation, the above noted exceptions apply. In addition, you must run the Planning Server Configuration Manager.

Download this book

This topic is included in the following downloadable book for easier reading and printing:

See the full list of available books at Downloadable content for PerformancePoint Monitoring Server.