Plan for administrative and service accounts in Project Server 2013

Summary: Learn about the accounts that you must plan for and the deployment scenarios that affect account requirements in Project Server 2013.
Applies to: Project Server 2013

Use this article to plan for the requirements and recommendations that apply to the accounts that are required to install, configure, and use Project Server 2013.

You must provide credentials for these accounts during Setup and configuration. This article does not discuss accounts that you do not have to configure or provide credentials for.

Administrative and service accounts that are required by Project Server 2013

This section lists and describes the accounts that are required by Project Server 2013.

Note

All Project Server 2013 and SharePoint Server 2013 service accounts must be granted interactive logon permissions for the computer where the service is running. By default, such permissions are normally granted when a new account is set up. However, you may have to make manual adjustments if your organization normally denies interactive logon permissions for service accounts.

The following table describes the standard account requirements for Project Server 2013.

Standard account requirements for Project Server 2013

Account: Setup user account

Purpose:
The user account that is used to run:
- Setup on each server computer
- SharePoint Products Configuration Wizard
- The Psconfig command-line tool
Log in with this account when you install SharePoint Server 2013 and Project Server 2013. This must be a domain account.
IMPORTANT - This account may already exist if you are deploying Project Server 2013 to an existing SharePoint Server 2013 farm.

Required permissions:
This account must be:
- A member of the local Administrators group on each application server in the farm.
- A member of the sysadmin Server Role in SQL Server.
If you run Windows PowerShell cmdlets that affect a database, this account must be a member of the db_owner fixed database role for the database.

Account: Server farm account

Purpose:
This account is also known as:
- Farm administrator account
- Database access account
This account serves as the following:
- The application pool account for the SharePoint Central Administration Web site
- The process account for the SharePoint 2013 Timer (SPTimerV4) service
IMPORTANT - This account may already exist if you are deploying Project Server 2013 to an existing SharePoint Server 2013 farm.

Required permissions:
Additional permissions are automatically granted for this account when Project Server 2013 is installed and when additional application servers are added to the farm.
A logon is automatically created for this account in SQL Server, and that logon is automatically added to the following SQL Server roles:
- dbcreator fixed server role
- securityadmin fixed server role
- db_owner fixed database role for all databases in the server farm

Account: Application Pool

Purpose:
Runs the application pool associated with the Project Server service application.
NOTE - This account may already exist if you are deploying Project Server 2013 to an existing SharePoint Server 2013 farm. However, we recommend that you create a separate account for the Project Server service application.

Required permissions:
The following SQL Server roles and permissions are automatically assigned to this account:
- Database owner role for content databases associated with the Web application
- Read/write access to the associated Service Application database
- Read from the configuration database
Additional permissions for this account on front-end Web servers and application servers are automatically granted by Project Server 2013.

Account: Workflow Proxy

Purpose:
Runs Project Server workflow activities. This account makes the Project Server Interface (PSI) calls associated with each workflow.
NOTE - This account is only used for workflows that use the SharePoint Server 2010 workflow platform.

Required permissions:
This domain account must also be configured as a Project Server user account that has the following permissions:
Global permissions:
- Log On
- Manage Users and Groups
- Manage Workflow and Project Detail Pages
Category permissions:
- Open Project
- Save Project to Project Server
NOTE - If you are using SharePoint Permission mode, add this account to the Administrators for Project Web App security group.

Accounts and groups for business intelligence

In addition to the accounts listed earlier in this article, the following accounts and Active Directory directory service groups are required when you configure reporting for Project Server 2013.

Accounts and groups required for reporting in Project Server 2013

Account: Report Authors Group

Purpose:
Active Directory security group to which you add users who will create reports.

Required permissions:
This group requires db_datareader permissions on the Project Web App database.

Account: Report Viewers Group

Purpose:
Active Directory security group to which you add users who will view reports.

Required permissions:
None. (This group is used as part of Secure Store configuration.)

Account: External Report Viewers Group

Purpose:
(Optional.) Active Directory security group for users who do not have a Project Web App user account but require access to the Project Server 2013 Business Intelligence Center to view reports.

Required permissions:
This group requires read permissions to the Business Intelligence Center site.

Account: Secure Store Target Application account

Purpose:
This account provides the credentials necessary for report viewers to view reports generated from data in the Project Web App database. This account is used as part of Secure Store configuration.

Required permissions:
This account must have db_datareader permissions on the Project Web App database. We recommend that you add this account to the Report Authors Active Directory group described earlier in this section to give it the necessary permissions.
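
The SQL Server role assignments listed in the standard account table and the reporting table can be audited after deployment by comparing them with what the instance actually holds. The following T-SQL is an added example, not part of the original article or Microsoft's code. The domain CONTOSO, the account and group names, and the database name ProjectWebApp are placeholders to replace with your own.

```sql
-- Added example. Placeholder names (assumptions): CONTOSO\pjsetup, CONTOSO\spfarm,
-- CONTOSO\ReportAuthors, and the Project Web App database [ProjectWebApp].
USE [ProjectWebApp];

-- Role memberships this article says the accounts should hold.
DECLARE @expected TABLE (
    principal_name sysname COLLATE DATABASE_DEFAULT,
    scope          varchar(8),
    role_name      sysname COLLATE DATABASE_DEFAULT);
INSERT INTO @expected (principal_name, scope, role_name) VALUES
    (N'CONTOSO\pjsetup',       'server',   N'sysadmin'),       -- Setup user account
    (N'CONTOSO\spfarm',        'server',   N'dbcreator'),      -- Server farm account
    (N'CONTOSO\spfarm',        'server',   N'securityadmin'),
    (N'CONTOSO\spfarm',        'database', N'db_owner'),
    (N'CONTOSO\ReportAuthors', 'database', N'db_datareader');  -- Report Authors Group

-- Rights held implicitly are not listed as role members: the database owner (dbo),
-- or an account such as the Secure Store Target Application account that receives
-- db_datareader only through membership of the Report Authors group.
WITH actual AS (
    SELECT m.name COLLATE DATABASE_DEFAULT AS principal_name,
           'server' AS scope,
           r.name COLLATE DATABASE_DEFAULT AS role_name
    FROM sys.server_role_members AS srm
    JOIN sys.server_principals AS r ON r.principal_id = srm.role_principal_id
    JOIN sys.server_principals AS m ON m.principal_id = srm.member_principal_id
    UNION ALL
    SELECT m.name COLLATE DATABASE_DEFAULT, 'database', r.name COLLATE DATABASE_DEFAULT
    FROM sys.database_role_members AS drm
    JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
    JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
)
-- MISSING: expected by the tables above but not granted.
-- UNEXPECTED: holds a high-privilege role that the tables do not call for; review it.
SELECT COALESCE(e.principal_name, a.principal_name) AS principal_name,
       COALESCE(e.scope, a.scope)                   AS scope,
       COALESCE(e.role_name, a.role_name)           AS role_name,
       CASE WHEN a.principal_name IS NULL THEN 'MISSING'
            WHEN e.principal_name IS NULL THEN 'UNEXPECTED'
            ELSE 'OK' END                           AS finding
FROM @expected AS e
FULL OUTER JOIN actual AS a
    ON  a.principal_name = e.principal_name
    AND a.scope = e.scope
    AND a.role_name = e.role_name
WHERE COALESCE(e.role_name, a.role_name) IN
      (N'sysadmin', N'securityadmin', N'dbcreator', N'db_owner', N'db_datareader')
ORDER BY finding, principal_name;
```

Built-in logins that SQL Server places in sysadmin by default also appear as UNEXPECTED. Treat those rows as items to review against your own baseline.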