In general, requirements relating to permissions can be split into two categories:
- Accounts / Permissions needed for running the Core
- Accounts / Permissions needed for running the modules
Each of these can use independent permissions. If required, each module can use permissions independent of every other module, and a module's account can be different from the one running the Core.
Installing the Core typically requires a plain domain service account with Local Admin permissions on the machine and the dbcreator role on SQL. Installing Modules requires a plain domain service account with Local Admin permissions (for the install only) and then different permissions, depending on the role of the module.
- Core: Local Admin
- Module: Local Admin
- Staging: Full rights for Module users
- Enterprise Vault: EV Service Account
- Exchange / O365: Domain service account with Local Admin rights (to run the module)
- Exchange: Multiple accounts with Application Impersonation will be added to our Credentials Editor
- O365: 5 Office 365 service accounts will be added to our Credentials Editor. All 5 accounts need Application Impersonation rights and 1 needs a custom admin role.