By default the CA Data Protection Infrastructure Service runs as the Windows "NT Authority\System" account (also known as the LocalSystem account). Depending upon your security policy there may be requirements to run CA Data Protection Services as a named account with fewer privileges and these are detailed below.
If I want to use a named domain account to run Data Protection what are the minimum privilege requirements?
When installing a CA Data Protection server or client machine, you are prompted to specify a logon account for the infrastructure service. This account defaults to LocalSystem, but if necessary you can specify a named user account. You can use a named user account with specific considerations in the following scenarios:
CMS or Gateway:
If you specify a remote Data folder, the local infrastructure must log in as a Domain User with administrative rights to read and write to the remote folder.
Remote Data Manager (RDM):
The infrastructure must log in as a named Domain User account. This user account must have the 'Log on as a service' security right and permissions to retrieve data from archives. See Archive Integration for more details.
To run the CA Data Protection Infrastructure service (wgninfra.exe) under a named user account (Domain User), that account should have read/write privileges to the following file locations:
The 32-bit Data Protection Installation path depicted by the system variable %WGNINSTALLDIR%
The 64-bit Data Protection Installation path depicted by the system variable %WGNINSTALLDIR64%
and read/write/modify privileges to the CA Data Protection data path depicted by the system variable %WGNDATADIR%.
This account should have read privileges to registry hives
and read/write privileges to
You can run the service under a named user account (Domain User account) on the CMS and/or a Gateway machine while installing the Data Protection product.
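The following PowerShell script is an added example, not CA's own code: it audits whether a named domain account holds the file-system rights listed above on the three Data Protection paths, whether it has the "Log on as a service" right, and which account the infrastructure service currently logs on as. The account name `CORP\svc-dataprot` is a constructed placeholder, and the script assumes it is run elevated on the CMS or Gateway where the %WGN* system variables are defined.

```powershell
# Added example (not from the CA Data Protection product): least-privilege
# audit for a named service account. Run elevated; secedit needs admin rights.
# $Account is a constructed placeholder; substitute the real domain account.
param([string]$Account = 'CORP\svc-dataprot')

# Required rights per path, as stated in the article: install paths need
# Read/Write, the data path needs Read/Write/Modify.
$checks = @(
    @{ Path = $env:WGNINSTALLDIR;   Need = 'Read,Write' },
    @{ Path = $env:WGNINSTALLDIR64; Need = 'Read,Write' },
    @{ Path = $env:WGNDATADIR;      Need = 'Modify' }
)

foreach ($c in $checks) {
    if (-not $c.Path -or -not (Test-Path -LiteralPath $c.Path)) {
        Write-Warning "Path variable unset or folder missing (needs $($c.Need))"
        continue
    }
    $needed = [int][System.Security.AccessControl.FileSystemRights]$c.Need
    # Only Allow ACEs granted directly to the account are counted. Group
    # membership is not expanded, so a False may still be satisfied through a
    # group, but a True is a direct grant you can trace in the ACL.
    $aces = (Get-Acl -LiteralPath $c.Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $Account }
    $effective = 0
    foreach ($ace in $aces) { $effective = $effective -bor [int]$ace.FileSystemRights }
    [pscustomobject]@{
        Path      = $c.Path
        Required  = $c.Need
        HasRights = (($effective -band $needed) -eq $needed)
    }
}

# "Log on as a service" (SeServiceLogonRight) is exported by secedit as a
# comma-separated list of SIDs prefixed with '*', so resolve the account's SID.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$sid  = ([System.Security.Principal.NTAccount]$Account).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
$line = (Select-String -Path $cfg -Pattern '^SeServiceLogonRight' |
            Select-Object -First 1).Line
[pscustomobject]@{ Right = 'SeServiceLogonRight'; Granted = [bool]($line -and $line.Contains("*$sid")) }
Remove-Item $cfg -ErrorAction SilentlyContinue

# Which account does the infrastructure service (wgninfra.exe) run as today?
# StartName shows 'LocalSystem' until a named account has been configured.
Get-CimInstance Win32_Service -Filter "PathName LIKE '%wgninfra.exe%'" |
    Select-Object Name, StartName, State
```

A HasRights of False on %WGNDATADIR% for an account that the service is already using is the typical cause of archive and data-folder write failures, so re-check the ACL there first.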
More information on privileges can be found in the CA Data Protection 15.2 Product documentation.