K2 for SharePoint Required Permissions

When installing and working with the K2 for SharePoint components you must provide credentials for several different accounts. The following tables describe the accounts that are used to install, configure, and run the various K2 for SharePoint components.

K2 for SharePoint - Core

K2 for SharePoint components have a set of core features and security requirements that are required regardless of which features are actually activated in the target SharePoint farm.

A check is done to verify if the Setup user is part of the Farm Admin group, in which case the K2 SharePoint Integration features will be added to the system using this account. If the Setup user is not part of the Farm Admin group, then the Web App Pool identity is impersonated and used to add the K2 SharePoint Integration features.

Account	Purpose	Requirements
Setup user	The Setup user account is used to perform the following tasks: Install the K2 for SharePoint files on SharePoint Web Front-Ends Deploy K2 Solutions to SharePoint Farm	Domain user account (Note: This should not be the SharePoint System Administrator Account) Member of the SharePoint Farm Administrators group Installing and deploying the K2 solutions on the farm Configuring global K2 settings in Central Admin Database permissions - dbo_owner permission on all the following SharePoint databases: SharePoint Configuration Database[SharePoint_Config]
K2 Central Admin	The K2 Central Admin account is used to perform the following tasks: Use links on the K2 for SharePoint admin page (does not include K2 Designer for SharePoint links)	Full Control permissions on the Central Admin Site Collection is required to open the page. Admin rights on K2 server Retrieving Host Server configuration settings Setting Export rights for Deployment Application Pool account for K2 Designer for SharePoint
K2 Site Settings	The K2 Site Settings account is used to perform the following tasks: Use links on the K2 Site Settings page	Full Control permission on the Site Collection with the K2 Site Settings link
K2 Service account	The K2 Service account is used to perform the following tasks: Create/Modify/Delete Webs Create/Modify/Delete Lists and Libraries Create/Modify/Delete List Items and Documents Create/Modify/Delete	Full Control permission on all Site Collections that are part of any K2 process that will Create/Modify/Delete a Web or Create/Modify/Delete user permissions Designer permission on all Site Collections/Webs that are part of any K2 process that will Create/Modify/Delete a List or Library Contributor permission on all Site Collections/Webs that are part of any K2 process that will Create/Modify/Delete a List Item or Document The K2 runtime assumes the appropriate rights are granted to the K2 Service account based on the K2 process needs. If rights are not sufficient at runtime the process will enter an error state and the process will be halted. The process error state can be recovered via a retry operation after the rights have been corrected.

User Permissions

Account	Purpose	Requirements
K2 Runtime Services Application Pool	The K2 Runtime Services Application Pool account is used to perform the following tasks: Interact with K2 processes at runtime via Web services	Impersonate rights on K2 server
K2 Thick-client Designers (K2 Studio, K2 for Visual Studio)	The account of the person using the thick-client designer is used to perform the following tasks: Deploy SharePoint Workflow Integration designed processes	The thick-client designer account requires the following security configuration. Export rights on K2 server Additionally, either the thick client designer account or the SharePoint Application Pool account of the target SharePoint URL (Site Collection) requires the following security configuration. SharePoint Farm Administrators group membership Full Control permission on the Site Collection Modify rights on the Features folder on the SharePoint web front ends