Template:LeastPrivilegeServiceAccounts
Grooper services — such as the Activity Processing service — run under dedicated Windows service accounts to automate task processing for Batches. These accounts must be granted a minimum set of permissions to execute tasks.
From a security standpoint, service accounts should be granted only the permissions required for their function. It is inadvisable to grant full local administrator privileges or elevated database roles to any Grooper service account.
| Permission | Type | Where to Configure | Reason |
|---|---|---|---|
| Local Users Group | Local | Computer Management → Local Users and Groups → Groups → Users | Grants rights to run installed applications, including Grooper |
| File Store Access | NTFS / Share | Windows Explorer → Folder Properties → Security (NTFS) and/or Share Permissions | Read and write access to the Grooper file store location |
| Database Access | SQL Server | SQL Server Management Studio → Security → Logins → [account] → User Mapping → [GrooperDB] | Read and write access to the Grooper database. Grant db_datareader and db_datawriter on the Grooper database. |
| Logon As Service | Local Security Policy | Local Security Policy → Local Policies → User Rights Assignment → Log on as a service | Required to run services installed via Grooper Command Console |
Note: These permissions are sufficient for Activity Processing services and serve as a baseline for all Grooper services. Other Grooper services may require additional permissions depending on their function. For example, an Import Watcher service account may need read access to directories used as import sources. Always scope additional permissions to the minimum required for that service's specific function.
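
One way to audit a service account against the baseline in the table above, as an added example (not Grooper's own tooling). The account name, file store path, SQL Server instance and database name are hypothetical placeholders, and the SQL check assumes the SqlServer PowerShell module is installed.

```powershell
# Added example: the four values below are hypothetical placeholders.
$Account   = 'CONTOSO\svc-grooper'            # service account (assumed name)
$FileStore = '\\fileserver\GrooperFileStore'  # file store location (assumed)
$SqlServer = 'SQL01'                          # SQL Server instance (assumed)
$Database  = 'Grooper'                        # Grooper database name (assumed)
$report    = [ordered]@{}

# Local groups. Only direct membership is tested; membership that arrives
# through a nested domain group (e.g. Domain Users) is not resolved here.
$report['In local Users group'] = [bool](Get-LocalGroupMember -Group 'Users' -Member $Account -ErrorAction SilentlyContinue)
$report['Not a local administrator'] = -not (Get-LocalGroupMember -Group 'Administrators' -Member $Account -ErrorAction SilentlyContinue)

# "Log on as a service" (SeServiceLogonRight). secedit needs an elevated
# session and lists direct assignments only, as *SID entries.
$sid  = ([Security.Principal.NTAccount]$Account).Translate([Security.Principal.SecurityIdentifier]).Value
$inf  = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /areas USER_RIGHTS /cfg $inf | Out-Null
$line = Select-String -Path $inf -Pattern '^SeServiceLogonRight\s*=' | Select-Object -First 1
$report['Log on as a service'] = [bool]($line.Line -match ([regex]::Escape("*$sid") + '(,|\s*$)'))
Remove-Item $inf -ErrorAction SilentlyContinue

# NTFS ACL on the file store: Allow entries that name the account must cover
# Read and Write. Rights granted through a group are not counted.
$need = [int][Security.AccessControl.FileSystemRights]'Read, Write'
$have = 0
(Get-Acl -Path $FileStore).Access |
    Where-Object { $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow' } |
    ForEach-Object { $have = $have -bor [int]$_.FileSystemRights }
$report['File store read/write (NTFS)'] = ($have -band $need) -eq $need

# Database roles, matched on the login's SID so a renamed database user is still found.
$query = @"
SELECT r.name FROM sys.database_role_members m
JOIN sys.database_principals r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals u ON u.principal_id = m.member_principal_id
WHERE u.sid = SUSER_SID(N'$Account')
"@
$roles = @(Invoke-Sqlcmd -ServerInstance $SqlServer -Database $Database -Query $query).name
$report['db_datareader + db_datawriter'] = ($roles -contains 'db_datareader') -and ($roles -contains 'db_datawriter')
$report['No db_owner role'] = $roles -notcontains 'db_owner'

# Print one line per check; REVIEW means the baseline was not confirmed.
$report.GetEnumerator() | ForEach-Object {
    '{0,-32} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'REVIEW' })
}
```

Share permissions on the file store are not covered by this script and still need to be checked on the server that hosts the share.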