Adding users and Service Identity Account
(Norm - 12/27/07) Before I discuss the Identity account for PerformancePoint Server, I want to add that Nick Barclay covers troubleshooting permissions and the use of the Identity account very well in his blog post here.
As I read PerformancePoint deployment posts, I see a few scenarios that can prevent an administrator from adding users in the PerformancePoint Admin Console. For example, when PerformancePoint Server is installed by someone that is NOT a domain user. Now the person that installed cannot add users.
Reason: this is because the Windows user account used for the Planning Server application pool and service identity (SI) account must be a domain account. The account cannot be a group account or the local administrator account on the SQL Server computer; it must be its own distinct account with both local and domain access.
There is more information in the technical documentation about the Service Identity Accounts.
If PerformancePoint is installed by someone that is NOT a domain user, the following is a workaround provided by a Microsoft test engineer.
- Run the Configuration Manager and un-configure the system, (Remove Services Options… then on the next page check them all).
- Do not go into SQL and drop the DB’s… you can “attach” to the existing ones.
- Re-Run the Config Manager
- Choose the Distributed Configuration, (un-select Planning Server Databases… this will allow you to ATTACH to the existing DB’s)
- Since you’re re-attaching to an existing set of PPS DB’s… you won’t be asked for a GA… that’s fine.
- Specify your NEW SI Account… which is going to be a Domain Account.
- Continue with the rest of the Configuration as you normally would.
When done, you will have your SI Account switched to the new account… you should then be able to add Domain Users to your PPS System.
*A couple NOTEs:
1.) When you choose a DISTRIBUTED configuration the PPS Config Manager explicitly DENIES ‘Create Database’ permissions to the SI Account, (because a distributed system is considered a production system… so it has tighter security). So… if you want this option, (example: You want the GA to be able to automatically create apps with no IT intervention needed), your DBA will need to go into SQL and re-grant this Permission.
2.) When you change SI Accounts, the Config Manager only ‘touches’ the PPS System and Service DB’s. you will need to go into each of your actual Application DB’s and run a stored proc called ‘bsp_AssignSIPermissionsAppDB’ in order to grant the new SI Account the proper permissions to your existing App DB’s. You may also need to go in and map the NEW SI Account to the Staging DB so that the new SI Account is DBO on the Staging DB.
