Below are the minimum privileges needed by the service account:
- The service account should have DBO access to the instance and configuration databases (if you are using integrated security).
- Full access to the following locations:
  - company_files (by default c:\inetpub\wwwroot\rsaarcher\company_files; can be different depending on your environment)
  - Search index (location specified in the RSA Archer Control Panel)
  - Log locations (location specified in the RSA Archer Control Panel)
  - File repositories (location specified in the RSA Archer Control Panel)
  - Datafeed home directory, if you have one (location specified in the RSA Archer Control Panel)

  NOTE: All of the above locations other than company_files should be specified in the installation and instance settings in the RSA Archer Control Panel.
- In addition, it needs full access to the following locations:
  - Website root directory (by default c:\inetpub\wwwroot\rsaarcher; can be different depending on your environment)
  - Temporary ASP.NET Files (by default C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files)
  - Archer installation directory (by default C:\Program Files\RSA Archer; can be different depending on your environment)
- Add the account to the IIS_IUSRS group.
- Perform the port registration with the app pool identity, if it has not already been done, as described in the following article: Archer Port Registration
- If the service account is specified as a local user in a single-host install, the installer places a .\ on each of the RSA services, standing in for the absent domain. When a local user is specified, this .\ must also be appended to the Application Pool identity.
We have also seen performance improvements if the service/IIS account is added to the local Administrators group on the servers. This step is not necessary but can be considered.
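
One way to audit the checklist above, as an added PowerShell example (not from the original article or from RSA): it reports whether the account has an explicit Allow/FullControl entry on each folder and which of the two local groups it belongs to. The account name and the four `PLACEHOLDER` paths are assumptions; take the real locations from the RSA Archer Control Panel.

```powershell
# Added example: read-only audit of the privilege checklist for one account.
# Domain accounts appear in ACLs as DOMAIN\user, local accounts as
# COMPUTERNAME\user (not .\user), so pass the name in that form.
param(
    [string]$Account = 'EXAMPLE\svc_archer'   # hypothetical account name
)

$paths = @(
    'C:\inetpub\wwwroot\rsaarcher\company_files'   # default from the article
    'C:\inetpub\wwwroot\rsaarcher'                 # default website root
    'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files'
    'C:\Program Files\RSA Archer'                  # default installation directory
    'D:\PLACEHOLDER\SearchIndex'                   # assumed; see Control Panel
    'D:\PLACEHOLDER\Logs'                          # assumed; see Control Panel
    'D:\PLACEHOLDER\FileRepository'                # assumed; see Control Panel
    'D:\PLACEHOLDER\DataFeedHome'                  # assumed; see Control Panel
)

$full = [System.Security.AccessControl.FileSystemRights]::FullControl

$results = foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) {
        [pscustomobject]@{ Check = $p; Result = 'PATH NOT FOUND' }
        continue
    }
    # Only ACEs that name the account directly are matched; rights granted
    # through a group are reported as missing and need a manual look.
    $aces = (Get-Acl -LiteralPath $p).Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights.HasFlag($full)
    }
    [pscustomobject]@{
        Check  = $p
        Result = $(if ($aces) { 'FullControl' } else { 'NO FULL CONTROL ACE' })
    }
}

# IIS_IUSRS membership is required by the checklist; Administrators is the
# optional step, listed so a reviewer can see whether it was taken.
$results += foreach ($g in 'IIS_IUSRS', 'Administrators') {
    $member = Get-LocalGroupMember -Group $g | Where-Object { $_.Name -eq $Account }
    [pscustomobject]@{
        Check  = "Member of $g"
        Result = $(if ($member) { 'yes' } else { 'no' })
    }
}

$results | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt on each web and services server; it changes nothing and needs `Get-LocalGroupMember`, which ships with Windows PowerShell 5.1.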