Template:LeastPrivilegeAppPoolAccounts
When installing the Grooper web client, you will need to assign an application pool identity — a Windows account under which Grooper runs. This account must be granted specific permissions to launch and operate the Grooper website.
From a security standpoint, this account should be granted the minimum permissions required to function. It is unadvisable to grant full local administrator privileges to the Grooper app pool identity.
Note: The user performing the installation must also have the ability to query the domain in order to enter credentials for the app pool identity during setup.
| Permission | Type | Where to Configure | Reason |
|---|---|---|---|
|
Always Required | |||
| Read Member Of | Active Directory | Active Directory Users and Computers (or via Group Policy) | Required to check the authenticated user's group membership at login |
| Local Users Group | Local | Computer Management → Local Users and Groups → Groups → Users | Grants rights to run installed applications, including Grooper |
| File Store Access | NTFS / Share | Windows Explorer → Folder Properties → Security (NTFS) and/or Share Permissions | Read and write access to the Grooper file store location |
| Database Access | SQL Server | SQL Server Management Studio → Security → Logins → [account] → User Mapping → [GrooperDB] | Read and write access to the Grooper database. Grant db_datareader and db_datawriter on the Grooper database. |
|
Conditionally Required | |||
| C:\Release | Local / NTFS | Windows Explorer → Folder Properties → Security | Required when implementing Object Libraries or custom scripts — grants rights to run MSBuild for compilation |
| Logon As Service | Local Security Policy | Local Security Policy → Local Policies → User Rights Assignment → Log on as a service | Required only if the app pool identity is also being used as a Grooper service account |
Note: The permissions above cover normal application operation. Elevated database rights — such as the ability to create or alter tables — are only required during initial installation or upgrades if alterations to the Grooper database tables are required or new tables are added. Furthermore, only the user running Grooper Command Console (GCC) will need these rights.