Operating System and SQL Permissions for the Microsoft Office Project Server 2007 Service Accounts

As part of some internal training I captured the details of which groups the various accounts that can be used for Project Server 2007 end up belonging to. I thought this might be useful to share. The key thing here is that you do not normally need to do any of this manually – and even if you change some accounts, as long as you use the UI or stsadm the group memberships should be set correctly.

So for my scenario I have 4 users: FarmAdmin, SSPAdmin, DefAppPool and SSPAppPool. These are going to be used as the farm administrator of Windows SharePoint Services (FarmAdmin), the admin account for the Shared Services Provider (SSPAdmin) and the identities for the two application pools for the initial Port 80 site (DefAppPool) and the random port for the SSP (SSPAppPool). In a farm environment these would all need to be domain accounts. In my tests they were all local in a Virtual Server image. These could all be the same account – but some customers prefer each to be different – thus allowing each to have minimum permissions. I carried out the install as myself – an administrator on the server.

Once I had finished my installation, the following groups had the following members added:-

IIS_WPG – FarmAdmin, SSPAdmin, DefAppPool, SSPAppPool
WSS_ADMIN_WPG – FarmAdmin
WSS_RESTRICTED_WPG – FarmAdmin
WSS_WPG – FarmAdmin, SSPAdmin, DefAppPool, SSPAppPool

And in SQL Server the following logins had been added with roles set as noted below:-

FarmAdmin
Server roles – dbcreator and securityadmin
User mappings to the PWA, SSP and WSS content databases with dbo
User mappings to the SharePoint_Config and SharePoint_AdminContent with dbo and WSS_Content_Application_Pools role

SSPAdmin
No server roles
User mapping to PWA Archive draft and published with datareader, datawriter and ProjectServerRole
User mapping to PWA reporting as above plus ddladmin
User mapping to SharedServices and WSS Content databases with dbo role
User mappings to the SharePoint_Config and SharePoint_AdminContent with WSS_Content_Application_Pools role


DefAppPool and SSPAppPool
No server roles
User mapping to SharedServices database and their respective WSS_Content databases as dbo
User mappings to the SharePoint_Config and SharePoint_AdminContent with WSS_Content_Application_Pools role
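
To check a server against the SQL Server lists above, the following T-SQL (an added example, not part of the original post) reports the server roles and per-database role memberships of the four accounts. It assumes the accounts are Windows logins named `<machine-or-domain>\<account>` and that it is run by a sysadmin on the SQL Server 2005 instance.

```sql
-- Added example. Assumption: the four service accounts are Windows logins
-- whose names end in \FarmAdmin, \SSPAdmin, \DefAppPool and \SSPAppPool.
SELECT principal_id, sid, name
INTO   #svc
FROM   sys.server_principals
WHERE  type = 'U'
  AND (name LIKE '%\FarmAdmin'  OR name LIKE '%\SSPAdmin'
    OR name LIKE '%\DefAppPool' OR name LIKE '%\SSPAppPool');

-- 1. Server roles. Per the post: FarmAdmin holds dbcreator and securityadmin;
--    the other three hold none (server_role comes back NULL).
SELECT s.name AS login_name, r.name AS server_role
FROM   #svc AS s
LEFT JOIN sys.server_role_members AS m ON m.member_principal_id = s.principal_id
LEFT JOIN sys.server_principals   AS r ON r.principal_id = m.role_principal_id
ORDER BY s.name, r.name;

-- 2. Database users and roles, collected from every online user database.
CREATE TABLE #db_roles (database_name sysname, login_name sysname,
                        db_user sysname, db_role sysname NULL);
DECLARE @db sysname, @sql nvarchar(max);
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases
    WHERE  state_desc = 'ONLINE' AND database_id > 4;  -- skip system databases
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Match database users to the logins by SID, then list their roles.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        INSERT INTO #db_roles
        SELECT DB_NAME(), s.name, u.name, r.name
        FROM   sys.database_principals AS u
        JOIN   #svc AS s ON s.sid = u.sid
        LEFT JOIN sys.database_role_members AS m ON m.member_principal_id = u.principal_id
        LEFT JOIN sys.database_principals   AS r ON r.principal_id = m.role_principal_id;';
    EXEC sys.sp_executesql @sql;
    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs; DEALLOCATE dbs;

-- db_user = 'dbo' means the login owns the database; db_role = 'db_owner'
-- means it is a member of that role. Compare the rows with the lists above.
SELECT * FROM #db_roles ORDER BY login_name, database_name, db_role;
DROP TABLE #db_roles; DROP TABLE #svc;
```

Any row that does not appear in the lists above, such as a server role on one of the application pool accounts, is a permission that was granted outside the UI or stsadm and is worth reviewing.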

In my next posting I will take this to the next level and document other settings and permissions required to get Project Server 2007 working with SQL Server 2005 Analysis Services.
