Accounts used in a K2 Installation

This topic describes the various accounts that are necessary when installing, configuring and running K2. For more information on the permissions required for the accounts described in this table, please refer to the topic Required Permissions.

When planning the accounts to be used, consider accounts that may be unique to different environments within your organization, for example DEV, TEST, PROD type environments, and whether accounts will be used across environments. This may also depend on the patterns already established in an organizational plan. K2 recommends that you create separate accounts for the runtime services in each environment (i.e. separate Service Accounts, Administrative Account, Application Pool Accounts for each environment), so that you are better able to granularly control the security for each environment. This will, for example, enable you to restrict the DEV K2 Service Account from modifying data in the PROD environment by applying permissions in each environment.
The best-practice recommendation is therefore to dedicate separate accounts to each environment and to avoid "global" service accounts. (STRIDE is a threat classification rather than a security model; the threats that matter here are Spoofing and Elevation of Privilege, both of which a shared cross-environment account widens, because credentials captured in DEV or TEST would be valid in PROD.)
Some organizations use multiple domains to separate service accounts from user accounts. Refer to the topic Multiple Active Directory Domains if this applies to your environment.
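The per-environment account layout recommended above, as an added PowerShell example. This is not part of the K2 documentation and not K2's own tooling; it assumes the ActiveDirectory module is installed, a domain named corp.example.com, the two OU paths shown, and the naming convention k2-<role>-<env> and "K2 <ENV> Administrators". Adjust all of these to your organizational plan.

```powershell
# Added example, not from the K2 documentation: provision one set of K2
# runtime accounts plus one administrators group per environment, so that
# credentials used in DEV carry no rights in PROD. Run as an account allowed
# to create objects in the OUs below. Domain, OUs and names are assumptions.
Import-Module ActiveDirectory

$Domain    = 'corp.example.com'                                   # assumed
$ServiceOU = 'OU=K2 Service Accounts,DC=corp,DC=example,DC=com'   # assumed
$GroupOU   = 'OU=K2 Groups,DC=corp,DC=example,DC=com'             # assumed

# One account per runtime role that the page recommends keeping separate.
$Roles = @{
    svc      = 'K2 Service Account (K2 blackpearl Server service)'
    web      = 'K2 Web Service Account (Workspace / Web Services app pools)'
    designer = 'K2 Designer / smartforms Runtime app pool identity'
}

function New-RandomPassword {
    # 24 bytes from the OS CSPRNG, Base64-encoded: a 32-character password.
    param([int]$Bytes = 24)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] $Bytes
    $rng.GetBytes($buf)
    [Convert]::ToBase64String($buf)
}

function New-K2EnvironmentAccounts {
    param(
        [Parameter(Mandatory)][ValidateSet('DEV', 'TEST', 'PROD')][string]$Environment,
        [switch]$PasswordNeverExpires   # trade-off discussed under the K2 Service Account
    )
    $suffix = $Environment.ToLower()
    foreach ($role in $Roles.Keys) {
        $sam = "k2-$role-$suffix"        # e.g. k2-svc-prod
        if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
            Write-Verbose "$sam already exists, skipping"
            continue
        }
        $secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
        New-ADUser -Name $sam -SamAccountName $sam `
            -UserPrincipalName "$sam@$Domain" -Path $ServiceOU `
            -Description "$($Roles[$role]) - $Environment" `
            -AccountPassword $secure -Enabled $true -CannotChangePassword $true `
            -PasswordNeverExpires $PasswordNeverExpires.IsPresent
        # Return the credential so the caller can store it in a vault; the
        # plaintext is never written to the console or a log by this script.
        [pscredential]::new("$sam@$Domain", $secure)
    }

    # A separate administrators group per environment, e.g. "K2 PROD Administrators".
    $groupName = "K2 $Environment Administrators"
    if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
        New-ADGroup -Name $groupName -SamAccountName "K2-$Environment-Admins" `
            -GroupScope Global -GroupCategory Security -Path $GroupOU `
            -Description "Administrators of the K2 $Environment environment"
    }
}

# Usage: create all three environments and collect the credentials for the vault.
# $creds = 'DEV', 'TEST', 'PROD' | ForEach-Object { New-K2EnvironmentAccounts -Environment $_ }
```

Permissions are then granted per environment to these accounts and groups (see Required Permissions), which is what makes it possible to deny the DEV K2 Service Account any access to PROD data.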
Each account is described below by its purpose, the recommended practice, and other considerations.

Account: K2 Service Account
Purpose: The account under which the K2 application service (the "K2 blackpearl Server" service) runs.
Practice recommendation: Dedicate a new account for each environment, e.g. DEV, TEST, PROD.
Other considerations:
  • Unless configured differently, server events and other server-side code inside workflows will execute in the security context of this account.
  • When Service Account is selected as the Authentication Mode for a Service Instance, interaction with the target system will happen in the security context of this account. Because this one identity then acts on every such target system, grant it only the permissions each Service Instance actually needs.
  • If this service account's password expires, the K2 Service will not operate as expected. Either establish a policy under which this account's password does not expire (and compensate with a long random password and monitoring of the account), or establish a process that rotates the password, and updates the service logon credentials, before it expires.
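An added check for the expiry caveat above (example code, not from the K2 documentation): it reads the logon account of the K2 blackpearl Server service on the local host and reports when that domain account's password expires, so a rotation can be scheduled before the service stops working. It assumes the ActiveDirectory module, that the service display name is "K2 blackpearl Server" as stated on this page, and a 14-day warning window.

```powershell
# Added example, not from the K2 documentation: find the account that the
# "K2 blackpearl Server" service logs on as and report its password status.
Import-Module ActiveDirectory

function Get-K2ServiceLogonAccount {
    # Assumes the service display name used in the K2 documentation.
    param([string]$DisplayName = 'K2 blackpearl Server')
    $svc = Get-CimInstance Win32_Service -Filter "DisplayName='$DisplayName'"
    if (-not $svc) { throw "Service '$DisplayName' not found on $env:COMPUTERNAME" }
    $svc.StartName      # e.g. CORP\k2-svc-prod
}

function Get-PasswordExpiryStatus {
    param(
        [Parameter(Mandatory)][string]$Account,   # 'DOMAIN\sam' or just 'sam'
        [int]$WarnDays = 14
    )
    $sam = ($Account -split '\\')[-1]
    $u = Get-ADUser -Identity $sam -Properties PasswordLastSet, PasswordNeverExpires, `
        PasswordExpired, LockedOut, 'msDS-UserPasswordExpiryTimeComputed'

    # msDS-UserPasswordExpiryTimeComputed is a FILETIME; Int64.MaxValue means "never".
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    $expires = if ($u.PasswordNeverExpires -or -not $raw -or $raw -ge [Int64]::MaxValue) { $null }
               else { [DateTime]::FromFileTime($raw) }
    $daysLeft = if ($expires) { [int][math]::Floor(($expires - (Get-Date)).TotalDays) } else { $null }

    $state = if (-not $u.Enabled)             { 'DISABLED' }
             elseif ($u.LockedOut)            { 'LOCKED-OUT' }
             elseif ($u.PasswordExpired)      { 'EXPIRED' }
             elseif ($null -eq $expires)      { 'NEVER-EXPIRES' }
             elseif ($daysLeft -le $WarnDays) { 'EXPIRING-SOON' }
             else                             { 'OK' }

    [pscustomobject]@{
        Account         = $u.SamAccountName
        PasswordLastSet = $u.PasswordLastSet
        Expires         = $expires
        DaysLeft        = $daysLeft
        State           = $state
    }
}

# Usage on a K2 server, e.g. from a scheduled task that raises an alert:
# $status = Get-PasswordExpiryStatus -Account (Get-K2ServiceLogonAccount)
# if ($status.State -notin 'OK', 'NEVER-EXPIRES') {
#     Write-Warning "K2 service account $($status.Account): $($status.State)"
# }
```

Treat NEVER-EXPIRES as a deliberate policy decision rather than a clean result: it is exactly the case where the compensating controls mentioned above (a long random password and monitoring) are required.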
Account: Installation Account
Purpose: The account used by operators to install and configure K2 on the various servers in a topology.
Practice recommendation: A dedicated K2 setup account is not required, but using an account that is an administrator on each target system is encouraged. Alternatively, you may install K2 while logged in as the K2 Service Account, provided that account has the Required Permissions to both install and run K2.
Other considerations:
  • This account must be a domain user account.
  • This account should be in the same domain as the service accounts, and, if possible, the user accounts as well, because the domain hosting the Installation Account is set as the domain associated with the default "K2" security label for the AD User Manager.
  • If multiple domains are used, refer to the topic Multiple Active Directory Domains.
  • Depending on your organization's policy, K2 client components may be installed by their intended users.
  • Use the same account to install all K2 server components, and use that same account for subsequent K2 reconfiguration or updates.

Account: K2 Administrator Account
Purpose: This account or group is used for basic administration of the K2 Server, such as setting security for the environment, accessing the K2 Management Site, and managing a K2 environment.
Practice recommendation: Using a separate administration account or group keeps service accounts apart from user accounts. Establish an AD group for the administrative activities that its members will perform on K2 components. One principal authority group may be adequate for all areas of the K2 product suite, but this does not preclude further separation of duties. Consider a different group for each environment, e.g. "K2 DEV Administrators" and "K2 PROD Administrators".
Other considerations:
  • This account could be the same as the K2 Service Account, but it is recommended that the Service Account and the Administrator account are separate, so that an administrator's interactive credentials are not also the identity under which all workflow server-side code runs.

Account: K2 Web Service Account
Purpose: The identity for the application pools that run the K2 blackpearl web server components, such as the legacy K2 Workspace and K2 Web Services.
Practice recommendation: Establish a dedicated account for all K2 web server components and application pools. A single account such as "K2 Web Service" could serve all environments (e.g. DEV, TEST, PROD), depending on organizational planning. Note that this departs from the per-environment separation recommended above: a compromise of the DEV web tier would then yield credentials that are also valid in PROD.
Other considerations:
  • If you are installing the K2 reports on an SSRS server, this account requires permissions on the SSRS server to execute the K2 reports.

Account: K2 Designer Site Application Pool Identity
Purpose: The Application Pool Identity for the K2 Designer web site, which is installed when you install K2 smartforms.
Practice recommendation: Name the application pool to represent its role with K2 smartforms, e.g. "K2 Designer App Pool". A single account such as "K2 Designer App Pool" could serve all environments, depending on organizational planning, with the same caveat as for the K2 Web Service Account.
Other considerations:
  • A custom application pool is required, with its Managed Pipeline mode set to Integrated.
  • K2 smartforms application pools must run on .NET Framework v4.0.30319.
  • Application pool accounts require elevated permissions to run the application pools; see Required Permissions.

Account: K2 smartforms Runtime Site Application Pool Identity
Purpose: The Application Pool Identity for the K2 smartforms Runtime web site, which is the web site end users access to use smartforms.
Practice recommendation: The application pool and its identity may be shared between the K2 Designer and K2 smartforms Runtime web sites when the sites are all on the same host. If your organization plans a topology with additional smartforms Runtime sites, consider additional accounts and application pools to separate security, especially if you intend to create a dedicated smartforms Runtime site that is exposed to the internet and configured for Anonymous Access. That pool's identity should hold no more rights than the anonymous site needs.
Other considerations:
  • A custom application pool is required, with its Managed Pipeline mode set to Integrated.
  • K2 smartforms application pools must run on .NET Framework v4.0.30319.
  • Application pool accounts require elevated permissions to run the application pools; see Required Permissions.
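The application pool requirements listed for both the K2 Designer and the K2 smartforms Runtime sites (custom pool, Integrated pipeline, .NET Framework v4.0.30319, dedicated identity) as an added PowerShell example. It is not from the K2 documentation or the K2 installer; it uses the IIS WebAdministration module, must run elevated on the web server, and the pool name, account name and site name in the usage lines are assumptions.

```powershell
# Added example, not from the K2 documentation: create (or correct) a K2
# application pool with the settings the page requires: CLR v4.0 (the
# v4.0.30319 runtime), Integrated pipeline, and a dedicated domain account.
Import-Module WebAdministration   # provides the IIS: drive; run elevated

function Set-K2AppPool {
    param(
        [Parameter(Mandatory)][string]$Name,         # e.g. 'K2 Designer App Pool'
        [Parameter(Mandatory)][string]$UserName,     # e.g. 'CORP\k2-designer-prod' (assumed)
        [Parameter(Mandatory)][securestring]$Password
    )
    $path = "IIS:\AppPools\$Name"
    if (-not (Test-Path $path)) { New-WebAppPool -Name $Name | Out-Null }

    Set-ItemProperty $path -Name managedRuntimeVersion -Value 'v4.0'
    Set-ItemProperty $path -Name managedPipelineMode   -Value 'Integrated'

    # identityType 3 = SpecificUser. IIS stores the password encrypted in
    # applicationHost.config; the plaintext is dropped as soon as it is set.
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    Set-ItemProperty $path -Name processModel -Value @{
        identityType = 3
        userName     = $UserName
        password     = $plain
    }
    $plain = $null
}

function Test-K2AppPool {
    # Returns $true only when every setting the page requires is in place,
    # and writes a warning for each one that is not.
    param([Parameter(Mandatory)][string]$Name)
    $p = Get-Item "IIS:\AppPools\$Name"
    $checks = [ordered]@{
        RuntimeIsV4        = $p.managedRuntimeVersion -eq 'v4.0'
        PipelineIntegrated = "$($p.managedPipelineMode)" -eq 'Integrated'
        DedicatedIdentity  = "$($p.processModel.identityType)" -eq 'SpecificUser'
    }
    $checks.GetEnumerator() | Where-Object { -not $_.Value } |
        ForEach-Object { Write-Warning "${Name}: check $($_.Key) failed" }
    -not ($checks.Values -contains $false)
}

# Usage (assumed names). One pool may serve both the Designer and Runtime
# sites on the same host; give an internet-facing Runtime site its own pool
# and account so that its identity holds only the rights that site needs.
# $cred = Get-Credential 'CORP\k2-designer-prod'
# Set-K2AppPool -Name 'K2 Designer App Pool' -UserName $cred.UserName -Password $cred.Password
# Test-K2AppPool -Name 'K2 Designer App Pool'
# Set-ItemProperty 'IIS:\Sites\K2 Designer' -Name applicationPool -Value 'K2 Designer App Pool'
```

Run Test-K2AppPool again after any IIS reconfiguration or K2 update, since a reset of the pool to the defaults (ApplicationPoolIdentity, Classic pipeline) is a common cause of the web sites failing after maintenance.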
Account: SharePoint 2010 Service Account
Purpose: This account is used by the application pool that runs SharePoint 2010.
Practice recommendation: It is recommended that the SharePoint Farm Account is not also used as the K2 Service Account. The K2 Service Account needs additional rights and access into SharePoint 2010 that are not normally assigned to the SharePoint service account in a standard SharePoint installation.
Other considerations:
  • The SharePoint 2010 Service Account probably already exists in your environment and is already associated with your SharePoint 2010 installation.
  • Validate the relevant Required Permissions to ensure that the K2 integration with SharePoint 2010 functions properly.

Account: SharePoint Service Accounts
Purpose: These accounts are used in a SharePoint 2013 or SharePoint 2016 environment.
Practice recommendation: It is recommended that SharePoint accounts are not also used as the K2 Service Account. The K2 Service Account needs additional rights and access into SharePoint that are not normally assigned to service accounts in a standard SharePoint installation.
Other considerations:
  • The SharePoint 2013/2016 service accounts probably already exist in your environment and are already associated with your SharePoint installation.
  • Use different accounts to install K2 for SharePoint and to design K2 applications with it. Using the same account for both will cause issues because the security tokens become invalid.
  • The Installation Account is used to execute the installation and configuration of K2 for SharePoint 2013.

Account: K2 for SharePoint App Upload User Account
Purpose: This account is used to upload the K2 for SharePoint App to the App Catalog.
Other considerations:
  • Use different accounts to install K2 for SharePoint and to design K2 applications with it. Using the same account for both will cause issues because the security tokens become invalid.
  • The Installation Account can be used to add the K2 for SharePoint App to the App Catalog.

Account: K2 for SharePoint Registration User Account
Purpose: This account is used when adding the K2 for SharePoint App to a Site Collection in SharePoint.

Account: Reporting Services Service Account
Purpose: This account is used by SQL Server Reporting Services to run the application pool for the SSRS web services and the Report Manager home web site.
Practice recommendation: It is recommended that the Reporting Services Service Account is not used as the K2 Service Account.
Other considerations:
  • Integration between K2 and SSRS is optional. If you do not intend to install the K2 reports or the K2 data source in SSRS, this account does not apply to your K2 environment.
  • The Reporting Services Service Account probably already exists in your environment and is already associated with your SSRS installation.
  • K2 requires SSRS in native mode, so it is important to understand how native mode works.

Account: Domain Users
Purpose: The user accounts of the people who will interact with K2.

Account: Exchange Impersonation Account
Purpose: This account is required for Microsoft Exchange 2010 integration, to impersonate users when sending meeting requests and creating tasks.
Other considerations:
  • Impersonation lets this account act as any mailbox within its scope, so scope the Exchange impersonation role assignment to the mailboxes K2 must act on rather than the whole organization.