Required Permissions

The table below lists required permissions by K2 component, account and target system, including permissions for integration with third-party systems such as Exchange, SharePoint and others. For the purposes of this table, "Service Account" refers to a runtime account that is used to run a service, such as the K2 blackpearl host server Windows service or the identity associated with an Application Pool in IIS. "Installation Account" means the account that is installing or configuring K2. You should make a note of which accounts will be used for which aspects of your installation.

For more information and background on the accounts described in this table, please refer to the topic Accounts used in a K2 Installation, or click the hyperlinked account name to jump to the description for that account.

K2 Component | Account | System | Permissions/Rights | Explanation and additional notes
K2 blackpearl | Installation Account | K2 application server
  • Local Administrator
  • The installation account must be a local administrator on all the servers that will have K2 components installed, since the account needs to perform several system-level operations such as editing the registry, installing files and setting local permissions.
  • Assuming the installation account is not used as a service account as well, this permission can be revoked after installation is complete. However, if a K2 update or reconfiguration is required, it will be necessary to grant these permissions to the installation account again before running the update installer or reconfiguring the environment.
SQL Server
  • dbcreator on the SQL Server.
  • securityadmin on the SQL Server.
  • For the K2 database to be created and modified correctly, the Installation Account requires dbcreator and securityadmin on the SQL Server where the K2 database will be installed.
Exchange 2007
  • View-Only Administrator rights
  • Required to browse Exchange servers and mailbox databases.
Exchange 2010 / Exchange 2013 / Exchange 2016
  • View-Only Organization Management role
  • Required to browse Exchange servers and mailbox databases.
SharePoint 2010
  • Full control permissions are required on the Central Administration Site Collection
  • securityadmin (required on K2 database and SharePoint database)
  • dbcreator (required on K2 database and SharePoint database)
  • db_owner (required on K2 database and SharePoint database)
  • Authenticated Users need modify permissions on the temp folder (%SYSTEMROOT%\System32\config\systemprofile\AppData\Local\Temp)
  • Required to:
    • Activate all K2 Site Settings
    • Create and configure hidden K2 list
Active Directory
  • Domain Users group.
  • Membership in Domain Users group is required.
  • This account should be in the same domain as the service accounts, and, if possible, the user accounts as well.
K2 Service Account | K2 application server
  • Log on as a service
  • Log on as a batch job
  • Member of Domain Users Group
  • File System Permissions:
    • Full Control on the following directories:
      • %SYSTEMROOT%\temp
      • %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA
    • Modify on the following directories:
      • %PROGRAMFILES%\K2 blackpearl\Host Server\Bin
  • Registry Permissions:
    • Full Control on the following Keys:
      • HKEY_LOCAL_MACHINE\SOFTWARE\Sourcecode\Logging
  • In order to run the K2 blackpearl Service, the Service Account will need these permissions.
  • The K2 Service Account needs to be part of the Domain Users group.
  • Some file system permissions can only be configured post-installation.
  • The Registry permission is configured post-installation.
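A read-only audit of the rights listed for this row, as an added example that is not part of the K2 documentation: it exports the local user-rights policy with secedit and inspects the file-system and registry ACLs from an elevated PowerShell session on the K2 application server. The account name is a placeholder, and only Allow ACEs granted directly to that account are considered; rights obtained through group membership are not evaluated.

```powershell
# Added example, not from the K2 documentation: read-only audit of the rights listed for
# the K2 Service Account on the K2 application server. Run in an elevated PowerShell on
# that server (secedit needs it). $ServiceAccount is a placeholder. Only Allow ACEs granted
# directly to the account count; rights obtained through group membership are not evaluated.
param([string]$ServiceAccount = 'CONTOSO\svc-k2-service')
$ErrorActionPreference = 'Stop'
$sid = ([System.Security.Principal.NTAccount]$ServiceAccount).Translate([System.Security.Principal.SecurityIdentifier]).Value

# User rights assignments have no cmdlet; export the local policy and parse the SID list.
$inf = Join-Path $env:TEMP 'k2-userrights.inf'
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
$policy = Get-Content -Path $inf
Remove-Item -Path $inf
function Test-UserRight([string]$Privilege) {
    # Exported lines look like: SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-...-1105
    $line = $policy | Where-Object { $_ -like "$Privilege *" } | Select-Object -First 1
    return [bool]($line -and $line -match ([regex]::Escape("*$sid") + '(,|$)'))
}

function Test-AclRight([string]$Path, [int]$Needed) {
    # Handles file-system and registry paths; $Needed is a FileSystemRights or RegistryRights
    # mask, and one Allow ACE for the account must contain every bit of it. Generic rights
    # bits (GENERIC_ALL etc.) are not mapped to specific rights here.
    if (-not (Test-Path -Path $Path)) { return $false }
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if ($aceSid -ne $sid) { continue }
        $mask = if ($ace -is [System.Security.AccessControl.RegistryAccessRule]) { [int]$ace.RegistryRights } else { [int]$ace.FileSystemRights }
        if (($mask -band $Needed) -eq $Needed) { return $true }
    }
    return $false
}

$fsFull  = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$fsMod   = [int][System.Security.AccessControl.FileSystemRights]::Modify
$regFull = [int][System.Security.AccessControl.RegistryRights]::FullControl
$rsa     = "$env:ALLUSERSPROFILE\Application Data\Microsoft\Crypto\RSA"   # a junction on current Windows
$bin     = "$env:ProgramFiles\K2 blackpearl\Host Server\Bin"

# Paths and keys are the ones the table lists for the K2 Service Account.
@(
    [pscustomobject]@{ Check = 'Log on as a service';                        Ok = (Test-UserRight 'SeServiceLogonRight') }
    [pscustomobject]@{ Check = 'Log on as a batch job';                      Ok = (Test-UserRight 'SeBatchLogonRight') }
    [pscustomobject]@{ Check = "Full Control: $env:SystemRoot\temp";         Ok = (Test-AclRight "$env:SystemRoot\temp" $fsFull) }
    [pscustomobject]@{ Check = "Full Control: $rsa";                         Ok = (Test-AclRight $rsa $fsFull) }
    [pscustomobject]@{ Check = "Modify: $bin";                               Ok = (Test-AclRight $bin $fsMod) }
    [pscustomobject]@{ Check = 'Full Control: HKLM\SOFTWARE\SourceCode\Logging'; Ok = (Test-AclRight 'HKLM:\SOFTWARE\SourceCode\Logging' $regFull) }
) | Format-Table -AutoSize
```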
SQL Server
  • db_owner on K2 database
  • The K2 Service Account needs these permissions at runtime to:
    • Create tables for SmartBox SmartObjects
    • Execute stored procedures
    • Open symmetric keys for encryption / decryption
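As an added example (not from the K2 documentation) covering the SQL Server rows for the Installation Account and the K2 Service Account, this PowerShell script asks the instance which of the required roles each account currently holds. It assumes the SqlServer module's Invoke-Sqlcmd and a login that can read server and database principals; the instance, database and account names are placeholders.

```powershell
# Added example, not from the K2 documentation: read-only check of the SQL Server roles
# this table requires for the installation account (dbcreator, securityadmin) and the
# K2 Service Account (db_owner on the K2 database). Assumes the SqlServer module's
# Invoke-Sqlcmd; instance, database and account names are placeholders.
param(
    [string]$SqlInstance    = 'SQL01\K2INST',            # placeholder instance
    [string]$K2Database     = 'K2',                      # placeholder K2 database name
    [string]$InstallAccount = 'CONTOSO\svc-k2-install',  # placeholder installation account
    [string]$ServiceAccount = 'CONTOSO\svc-k2-service'   # placeholder K2 service account
)
Import-Module SqlServer -ErrorAction Stop

function Test-ServerRole([string]$Login, [string]$Role) {
    # IS_SRVROLEMEMBER returns 1 = member, 0 = not a member, NULL = login unknown.
    # sqlcmd variables ($(...)) keep the names out of the T-SQL text itself.
    $q = @'
SELECT IS_SRVROLEMEMBER(N'$(Role)', N'$(Login)') AS IsMember;
'@
    $r = Invoke-Sqlcmd -ServerInstance $SqlInstance -Database master -Query $q `
                       -Variable @("Role=$Role", "Login=$Login")
    return ($r.IsMember -eq 1)
}

function Test-DatabaseRole([string]$Login, [string]$Role, [string]$Database) {
    # Database roles belong to the database user mapped to the login (same SID),
    # so resolve that user first and then ask IS_ROLEMEMBER about it.
    $q = @'
SELECT IS_ROLEMEMBER(N'$(Role)', dp.name) AS IsMember
FROM sys.database_principals AS dp
JOIN sys.server_principals AS sp ON sp.sid = dp.sid
WHERE sp.name = N'$(Login)';
'@
    $r = Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $Database -Query $q `
                       -Variable @("Role=$Role", "Login=$Login")
    return ($null -ne $r -and $r.IsMember -eq 1)
}

$results = @(
    [pscustomobject]@{ Account = $InstallAccount; Scope = 'server';    Role = 'dbcreator';     Ok = (Test-ServerRole $InstallAccount 'dbcreator') }
    [pscustomobject]@{ Account = $InstallAccount; Scope = 'server';    Role = 'securityadmin'; Ok = (Test-ServerRole $InstallAccount 'securityadmin') }
    [pscustomobject]@{ Account = $ServiceAccount; Scope = $K2Database; Role = 'db_owner';      Ok = (Test-DatabaseRole $ServiceAccount 'db_owner' $K2Database) }
)
$results | Format-Table -AutoSize
# securityadmin members can grant server-level permissions and manage logins, which makes the
# role close to sysadmin in practice; hold it on the installation account only while
# installing or reconfiguring, as the table already advises for Local Administrator.
```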
SharePoint 2010
  • SharePoint Permissions
    • Site Collection Administrator
  • SharePoint WFE Server Permissions
    • Local Administrator
    • File System Permissions:
      • Full Control:
        • %SYSTEMROOT%\temp
        • %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA
      • Write:
        • %COMMONPROGRAMFILES%\Microsoft Shared\web server extensions\14
    • Registry Permissions:
      • Full Control on the following Keys:
        • HKEY_LOCAL_MACHINE\SOFTWARE\SourceCode\Logging
    • When using Windows 2008 server, Authenticated Users require Modify permission on C:\Users and all folders below on all SharePoint Web Front End Servers.
  • The K2 service account needs to be a Site Collection Administrator on all sites where K2 Features are used, to create sites, assign permissions, work with the SharePoint Workflow Integration features, and for the Identity Service to be able to resolve and cache SharePoint groups
  • The Registry permission is configured post-installation
Exchange 2007
  • View-Only Administrator rights
  • Exchange Organization Administrator rights*
  • Exchange Impersonation**

  • The K2 Service Account requires, at a minimum, View-Only Administrator rights.
  • An account that is given Exchange Service Impersonation rights must NOT be a member of the Exchange Organization Administrator group.
  • *The K2 Service Account must be given Exchange Organization Administrator rights if you want to allow the account to Create/Disable mailboxes in a workflow.
    • Alternatively, you can create a separate account with Exchange Organization Administrator rights, but when the Create/Disable mailbox action is used in a workflow, the event must be configured to Run As the Exchange Administrator account.
  • **An Exchange Service Impersonation account can be created and given Exchange Impersonation rights. See Assigning Exchange Impersonation Rights for instructions
    • When a Meeting Request or a Send Task action is selected in the Exchange Event Wizard, the event should be configured to Run As the Exchange Service Impersonation account.
Exchange 2010
  • Recipient Management
  • Execute rights on Microsoft PowerShell
  • Recipient Management rights required to create and disable mailboxes and browse Exchange servers and mailbox databases.
  • See Set Exchange Permissions for instructions.
Exchange 2013 / Exchange 2016
  • ApplicationImpersonation role
  • Organizational Management or Recipient Management role or Global Administrator (to enable or disable a mailbox)
  • Execute rights on Microsoft.PowerShell
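An added example, not from the K2 documentation, that checks the Exchange 2010/2013/2016 requirements above for the K2 Service Account from the Exchange Management Shell: the ApplicationImpersonation role (including assignment through a role group), membership in the Recipient Management or Organization Management role group, and access to the Microsoft.PowerShell session configuration on the Exchange server. The account and server names are placeholders.

```powershell
# Added example, not from the K2 documentation: verify the Exchange 2010/2013/2016 rights
# listed above for the K2 Service Account. Run from the Exchange Management Shell with an
# account that can read RBAC assignments. $ServiceAccount and $ExchangeServer are placeholders.
param([string]$ServiceAccount = 'svc-k2-service', [string]$ExchangeServer = 'EXCH01')
$ErrorActionPreference = 'Stop'
$user = Get-User -Identity $ServiceAccount

function Test-EffectiveRole([string]$Role) {
    # -GetEffectiveUsers expands role groups, so an assignment that reaches the account
    # through membership in a role group is reported as well as a direct assignment.
    $hits = Get-ManagementRoleAssignment -Role $Role -GetEffectiveUsers |
            Where-Object { $_.EffectiveUserName -eq $user.Name }
    return [bool]$hits
}

function Test-RoleGroupMember([string]$RoleGroup) {
    # Recipient Management and Organization Management are role groups; compare by DN
    # so that display-name collisions cannot produce a false positive.
    $members = Get-RoleGroupMember -Identity $RoleGroup
    return [bool]($members | Where-Object { $_.DistinguishedName -eq $user.DistinguishedName })
}

function Test-PSSessionAccess {
    # "Execute rights on Microsoft.PowerShell": the account must be allowed on the default
    # session configuration of the Exchange server. Permission is a string of
    # "<principal> AccessAllowed" entries; only a direct entry for the account is detected,
    # not access obtained via a group such as Remote Management Users.
    $perm = Invoke-Command -ComputerName $ExchangeServer -ScriptBlock {
        (Get-PSSessionConfiguration -Name Microsoft.PowerShell).Permission
    }
    return ($perm -match ('\\' + [regex]::Escape($user.SamAccountName) + ' AccessAllowed'))
}

@(
    [pscustomobject]@{ Requirement = 'ApplicationImpersonation role';                 Ok = (Test-EffectiveRole 'ApplicationImpersonation') }
    [pscustomobject]@{ Requirement = 'Recipient Management or Organization Management'; Ok = ((Test-RoleGroupMember 'Recipient Management') -or (Test-RoleGroupMember 'Organization Management')) }
    [pscustomobject]@{ Requirement = 'Execute rights on Microsoft.PowerShell';          Ok = (Test-PSSessionAccess) }
) | Format-Table -AutoSize
```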
Azure Active Directory
  • Write permissions in Azure Active Directory
  • Required for the Azure Active Directory wizards to function correctly at runtime
Active Directory
  • Domain Users group.
  • Account Operators group.
  • List contents and Read all properties permissions.
  • Administrators group.
  • Membership in Domain Users group is required.
  • Membership in Account Operators group is recommended to allow the Active Directory SmartObjects and wizards to work.
  • The K2 service account must be a member of the Administrators group to update user details using the Active Directory wizards.

Exchange Impersonation Account | Exchange 2010
  • ApplicationImpersonation role
  • A second service account (Exchange Impersonation Account) is required for Microsoft Exchange 2010 integration. This account should be assigned the ApplicationImpersonation role to be able to impersonate users for sending meeting requests and creating tasks.
  • See Exchange Impersonation Account for instructions
K2 Web Service Account | IIS Server/K2 Application Server
  • Member of the IIS_WPG Local Group
  • Member of the Local IIS_IUSRS group (if Windows 2008 is used)
  • Modify rights on
    • %SYSTEM%\temp
Reporting Services Server
  • Content Manager
  • Browse rights
  • Note that these permissions are only required when using the legacy K2 Workspace and when the K2 reports are installed in SSRS.
Domain Users | Reporting Services Server
  • Domain Users members of the System role in Server Properties
  • Domain Users members of the Browser role in Home Folder
  • Note that these permissions are only required when using the legacy K2 Workspace and when the K2 reports are installed in SSRS.
  • Users require these permissions to execute K2 reports from the SSRS server.
SharePoint 2010 Service Account | SharePoint Server
  • Local Administrator
  • Modify on the following directories
    • %SYSTEMROOT%\temp
  • Write permissions on the following directories
    • %COMMONPROGRAMFILES%\Microsoft Shared\web server extensions\14\Layouts\Features
    • %COMMONPROGRAMFILES%\Microsoft Shared\web server extensions\14\ISAPI
  • When using Windows 2008 server, Authenticated Users require Modify permission on C:\Users and all folders below on all SharePoint Web Front End Servers
  • To log K2 blackpearl Server messages to the Event log, the SharePoint Service Account must be a local administrator on the SharePoint server. The SharePoint Service Account can be added to the BUILTIN\Administrators group.
K2 Environment
  • Impersonate permissions on the K2 environment
  • Only applies to K2 for SharePoint 2010
  • The SharePoint Service Account requires Impersonation rights on the K2 Server in order to execute K2 components at runtime.
SQL Server
  • db_DataReader on the K2 database
  • db_DataWriter on the K2 database
  • Execute on the Stored Procedures in the K2 database
  • Only applies to K2 for SharePoint 2010
  • For the K2 Designer for SharePoint 2010 to function properly, the SharePoint Service Account needs read permission on the database. This is automatically set up by the Setup Manager during install and the database rights for webdesigner will be applied on the webdesigner schema.
  • For the K2 Designer for SharePoint 2010 to function properly, the SharePoint Service Account needs write permission on the database. This is automatically set up by the Setup Manager during install.
Reporting Services Service Account | SSRS Server
  • Application Pool Rights
  • Note that these permissions are only required when using the legacy K2 Workspace and when the K2 reports are installed in SSRS.
SQL Reporting Services Database
  • ASP.NET Service Account in Reporting Services Configuration
  • Note that these permissions are only required when using the legacy K2 Workspace and when the K2 reports are installed in SSRS.
K2 smartforms | Installation Account | K2 application server
  • Local Administrator
  • The Installation User account must be a local administrator on all the servers that will have K2 smartforms installed.
  • Assuming the installation account is not used as a service account as well, this permission can be revoked after installation is complete. However, if a K2 update or reconfiguration is required, it will be necessary to grant these permissions to the installation account again before running the update installer or reconfiguring the environment.
SQL Server
  • dbcreator on the SQL Server
  • securityadmin on the SQL Server
  • For K2 smartforms to be installed properly, the Installation Account needs dbcreator and securityadmin permissions on the SQL Server.
K2 smartforms Runtime Site Application Pool Identity | IIS Server/K2 Application Server
  • Member of the IIS_WPG Local Group
  • Member of the Local IIS_IUSRS group (if Windows 2008 is used)
  • Modify rights on
    • %SYSTEM%\temp
  • Permissions required on the server where the K2 smartforms runtime website will be installed.
  • A SmartForms runtime Website is included with a K2 blackpearl installation.
  • See Setting Application Pool Rights for instructions.
K2 Designer Site Application Pool Identity | IIS Server/K2 Application Server
  • Member of the IIS_WPG Local Group
  • Member of the local IIS_IUSRS group (if Windows 2008 is used)
  • Modify rights on
    • %SYSTEM%\temp
SQL Server
  • db_owner for the K2 database
  • To allow the account to change the database as needed
K2 for SharePoint | Installation Account (K2 for SharePoint App Upload User Account) | SharePoint (On-Premises)
  • SharePoint Permissions and Rights
    • Local Administrator on the SharePoint Server
    • Site Collection Administrator on the App Catalog Site Collection
    • db_owner rights on the SharePoint_Config Database
    • db_datareader role on the SharePoint_Config Database
    • SharePoint Shell Access role
    • SPShelladmin DB role
  • K2 Permissions
    • Administer permissions in the K2 environment
  • For detailed information see Permissions for installing K2 in an on-premises SharePoint Environment
  • Minimum set of permissions that are required of the user that will upload the K2 for SharePoint app into the SharePoint app catalog in a SharePoint on-premises environment.
  • Also reflects the permissions required for installation of K2 for SharePoint in the App Catalog through the appdeployment.exe utility.
  • Appdeployment.exe is automatically called by the installer and hence is usually executed in the context of the Installation account.
  • The user executing Appdeployment.exe needs access to the high trust certificate in the K2 database to set up the high trust for the apps
  • To execute any SharePoint PowerShell command against a resource (where the resource is a Service Application or site/web application etc.) you need to be a member of the SPShelladmin DB role on that resource's database
  • See Add-SPShellAdmin article on the Microsoft TechNet website for more information on SharePoint Shell Access role
  • See the topic Using a cmdlet to add a user to the SharePoint_Shell_Access role for instructions on granting the Shell Access Role
SharePoint (Online)
  • Tenant Admin of the SharePoint Environment
  • Required to upload the K2 for SharePoint App to the SharePoint App Catalog in a SharePoint Online environment
  • When the K2 for SharePoint App is installed for the first time, the user installing the app requires Tenant Admin permissions
K2 for SharePoint Registration User Account | SharePoint (On-Premises and Online)
  • Design permission on the SharePoint site.
  • Full Control permission on the SharePoint site
  • Design permission is sufficient to run the Registration wizard on a site once the wizard has already been run for the first time elsewhere.
  • Full Control required to Remove or configure the application. The default Owners group typically has Full Control permission

Domain Users | SharePoint (On-Premises and Online)
  • Read permissions on the app catalog site (or Read permissions on the Application file directly)
  • Contributor rights on the SharePoint site
  • Everyone needs Read rights on the App Catalog site to see K2 App components
  • Users who will be building apps in SharePoint require at least Contributor permissions on the sites where they will be building applications
  • For more on permissions required to interact with SharePoint, please see the K2 application permissions in SharePoint topic in the K2 for SharePoint User Guide
K2 Web Service Account | SharePoint (On-Premises)
  • K2 server Admin
  • The K2 Web Service needs K2 Admin rights for application deployment.