Share via


Plan for administrative and service accounts (Project Server 2010)

 

Applies to: Project Server 2010

Topic Last Modified: 2011-11-18

Use this article to plan for the account requirements and recommendations for accounts that are required to install, configure, and use Microsoft Project Server 2010.

You must provide credentials for these accounts during Setup and configuration. This article does not discuss accounts that you do not have to configure or provide credentials for.

Administrative and service accounts

This section lists and describes the accounts that are required by Project Server 2010. The accounts are grouped according to scope. If an account has a limited scope, you might have to plan multiple accounts for this category.

Note

All Project Server 2010 and Microsoft SharePoint Server 2010 service accounts must be granted interactive logon permissions for the computer where the service is running. By default, such permissions are normally granted when a new account is set up. However, you may have to make manual adjustments if your organization normally denies interactive logon permissions for service accounts.

The following table describes the standard account requirements for Project Server 2010.

Account Purpose Required permissions

Farm Administrator

This account is also known as:

  • Server farm account

  • Database access account

This account servers as the following:

  • The application pool account for the SharePoint Central Administration Web site

  • The process account for the SharePoint 2010 Timer (SPTimerV4) service

Log in with this account when you install SharePoint Server 2010 and Project Server 2010.

Important

This account may already exist if you are deploying Project Server 2010 to an existing SharePoint Server 2010 farm. Project Server 2010 has additional requirements for this account. If you have already created a Farm Administrator account, make sure it has the required permission listed in this table.

This account must be a member of the local Administrators group on each application server in the farm.

Additional permissions are automatically granted for this account when Project Server 2010 is installed and when additional application servers are added to the farm.

A logon is automatically created for this account in SQL Server, and that logon is automatically added to the following SQL Server Server Roles:

  • dbcreator

  • public

  • securityadmin

  • sysadmin

Application Pool

Runs the application pools associated with each SharePoint Server 2010 service application. (This account may already exist if you are deploying Project Server 2010 to an existing SharePoint Server 2010 farm.)

The following SQL Server roles and permissions are automatically assigned to this account:

  • Database owner role for content databases associated with the Web application

  • Read/write access to the associated Service Application database

  • Read from the configuration database

Additional permissions for this account on front-end Web servers and application servers are automatically granted by Project Server 2010.

Workflow Proxy

Runs Project Server workflow activities. This account makes the Project Server Interface (PSI) calls associated with each workflow.

This domain account must also be configured as a Project Server user account that has the following permissions:

Global permissions:

  1. Log On

  2. Manage Users and Groups

  3. Manage Workflow and Project Detail Pages

Category permissions:

  • Open Project

  • Save Project to Project Server

Accounts and groups for business intelligence

In addition to the accounts listed earlier in this article, the following accounts and Active Directory directory service groups are required when you configure reporting for Project Server 2010.

Account Purpose Required permissions

Report Authors Group

Active Directory security group to which you add users who will create reports.

This group requires db_datareader permissions on the Project Server 2010 Reporting database.

Report Viewers Group

Active Directory security group to which you add users who will view reports.

None. (This group is used as part of Secure Store configuration.)

External Report Viewers Group

(Optional.) Active Directory security group for users who do not have a PWA user account but require access to the Project Server 2010 Business Intelligence Center to view reports.

This group requires read permissions to the Business Intelligence Center site.

Secure Store Target Application account

This account provides the credentials necessary for report viewers to view reports generated from data in the Project Server 2010 reporting database. This account is used as part of Secure Store configuration.

This account must have db_datareader permissions on the Project Server 2010 reporting database. We recommend that you add this account to the Report Authors Active Directory group described earlier in this section to give it the necessary permissions.