Required permissions

Microsoft Azure Active Directory is now Microsoft Entra ID

The table below lists required permissions by the product component, Account and target System, including permissions for integration with third-party systems like Exchange, SharePoint and others. For the purposes of this table, "Service Account" refer to a runtime account that is used to run a service, such as the host server windows service or the identity associated with an Application Pool in IIS. "Installation Account " means the account that is installing or configuring the product. You should make note of which accounts will be used for which aspects of your installation.

For more information and background on the accounts described in this table, please refer to the topic Accounts used in an Installation, or click the hyperlinked account name to jump to the description for that account.

Nintex Automation

Account System Permissions/Rights Explanation and additional notes
Installation Account Application server
  • Local Administrator
  • The installation account must be a local administrator on all the servers that will have the components installed, since the account needs to perform several system-level operations such as editing the registry, installing files and setting local permissions.
  • Assuming the installation account is not used as a service account as well, this permission can be revoked after installation is complete. However, if an update or reconfiguration is required, it will be necessary to grant these permissions to the installation account again before running the update installer or reconfiguring the environment.
SQL Server
  • dbcreator on the SQL Server.
  • securityadmin on the SQL Server.
  • For the database to be created and modified correctly, the Installation account requires dbcreator and securityadmin on the SQL server where the database will be installed.
Exchange
  • View-Only Organization Management role
  • Required to browse Exchange servers and mailbox databases.
Active Directory
  • Domain Users group.
  • Membership in Domain Users group is required.
  • This account should be in the same domain as the service accounts, and, if possible, the user accounts as well.
Service Account Application server
  • Log on as a service
  • Log on as a batch job
  • Member of Domain Users Group
  • File System Permissions:
    • Full Control on the following directories:
      • %SYSTEMROOT%\temp
      • %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA
    • Modify on the following directories:
      • %PROGRAMFILES%\K2\Host Server\Bin
  • Registry Permissions:
    • Full Control on the following Keys:
      • HKEY_LOCAL_MACHINE\SOFTWARE\Sourcecode\Logging
      • LocalMachine\System\CurrentControlSet\Services\EventLog
      • LocalMachine\System\CurrentControlSet\Services\Winsock2
      • LocalMachine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing – FullControl
      • LocalMachine\\SYSTEM\\CurrentControlSet\\Services\\Eventlog\\Application - ReadKey;SetValue;CreateSubKey;
  • In order to run the server Service, the Service Account will need these permissions.
  • The Service Account needs to be part of the Domain Users group.
  • Some file system permissions can only be configured post-installation.
  • The Registry permissions are configured by the Setup Manager during installation or maintenance. No user intervention is required.
SQL Server
  • db_owner on K2 database
  • The Service account needs these permissions this at runtime to:
    • Create of tables for SmartBox SmartObjects
    • Execute Stored Procedures
    • Open of symmetric keys for encryption/decryption
Exchange
  • ApplicationImpersonation role
  • Organizational Management or Recipient Management role or Global Administrator (to enable or disable a mailbox)
  • Executerights on Microsoft.PowerShell
Azure Active Directory
  • Write permissions in Azure Active Directory
  • Required for the Azure Active Directory wizards to function correctly at runtime
Active Directory
  • Domain Users group.
  • Account Operators group.
  • List contents and Read all properties permissions .
  • Administrators group.
  • Membership in Domain Users group is required.
  • Membership in Account Operators group is recommended to allow the Active Directory SmartObjects and wizards to work.
  • The service account must be a member of the Administrators group to update user details using the Active Directory wizards.
Web Service Account IIS Server/Application Server
  • Member of the IIS_WPG Local Group
  • Member of the Local IIS_IUSRS group
  • Modify rights on
    • %SYSTEMROOT%\temp
Smartforms Runtime Site Application Pool Identity IIS Server/ Application Server
  • Member of the IIS_WPG Local Group
  • Modify rights on
    • %SYSTEMROOT%\temp
  • Permissions required on the server where the runtime website will be installed.
  • A runtime Website is included with the product installation.
  • See Setting Application Pool Rights for instructions.
Designer Site Application Pool Identity IIS Server/ Application Server
  • Member of the IIS_WPG Local Group
  • Modify rights on
    • %SYSTEMROOT%\temp
SQL Server
  • db_owner for the database
  • To allow the account to change the database as needed

Nintex K2 for SharePoint

Installation Account
Nintex K2 for SharePoint App Upload User Account
SharePoint
(On-Premises)
  • SharePoint Permissions and Rights
    • Local Administrator on the SharePoint Server
    • Site Collection Administrator on the App Catalog Site Collection
    • db_owner rights on the SharePoint_Config Database
    • db_datareader role on the SharePoint_Config Database
    • SharePoint Shell Access role
    • SPShelladmin DB role
  • Permissions
    • Administer permissions in the environment
  • For detailed information see Permissions for installing Nintex Automation in an on-premises SharePoint Environment
  • Minimum set of permissions that are required of the user that will upload the Nintex K2 for SharePoint app into the SharePoint app catalog in a SharePoint on-premises environment.
  • Also reflects the permissions required for installation of Nintex K2 for SharePoint in the App Catalog through the appdeployment.exe utility.
  • Appdeployment.exe is automatically called by the installer and hence is usually executed in the context of the Installation account.
  • The user executing the Appdeployment.exe needs to access the high trust certificate from the database to setup the high trust for the apps
  • To execute any SharePoint PowerShell command against a resource (where the resource is a Service Application or site/web application etc.) you need to be a member of the SPShelladmin DB role on that resource's database
  • See Add-SPShellAdmin article on the Microsoft TechNet website for more information on SharePoint Shell Access role
  • See the topic Using a cmdlet to add a user to the SharePoint_Shell_Access role for instructions on granting the Shell Access Role
SharePoint
(Online)
  • Tenant Admin of the SharePoint Environment
  • Required to upload the Nintex K2 for SharePoint App to the SharePoint App Catalog in a SharePoint Online environment
  • When the Nintex K2 for SharePoint App is installed for the first time, the user installing the app requires Tenant Admin permissions
Nintex K2 for SharePoint Registration User Account SharePoint
(On-Premises and Online)
  • Design permission on the SharePoint site.
  • Full Control permission on the SharePoint site
  • Design permissions required to run the Registration wizard after the first time the registration wizard is run elsewhere.
  • Full Control required to Remove or configure the application. The default Owners group typically has Full Control permission
Domain Users SharePoint
(On-Premises and Online)
  • Read permissions on the app catalog site (or Read permissions on the Application file directly
  • Contributor rights on the SharePoint site
  • Everyone needs read rights on the App Catalog site to see App components
  • Users who will be building apps in SharePoint require at least Contributor permissions on the sites where they will be building application
  • For more on permissions required to interact with SharePoint, please see the application permissions in SharePoint topic in the Nintex K2 for SharePoint User Guide
Web Service Account SharePoint
(On-Premises)
  • Server Admin
  • The Web Service needs Admin rights for application deployment.