This KB article outlines the requirements for the user accounts used to logon to BSI services

CA Business Service Insight 8.x and 9.x

When you install BSI, you are prompted to provide a domain account as part of the installation.

This account is used to start some of the BSI services, for the required COM+ component and to grant rights to the MSMQs.

It is recommended that this account also be the account you log into the server to perform the install. While not required, if you are not also logged in with the account for the install then it is recommended you follow through the document about changing the user account and verify you have the account properly set.

What rights does the account require?

1.  Domain rights

• In a multi-tiered BSI installation with the APP and the Web server on separate boxes, then the account will need to be a member of the domain
• In addition, the machines should be a member of the same domain and the MSMQ on the APP server should be installed in AD integration (or domain) mode
• The account does NOT need to be a domain administrator. It can be a regular domain user, but you will need additional rights to install MSMQ in domain mode.
• If this is a single tiered BSI install, then it does not need to be a domain account if MSMQ is installed in workstation mode.

2. Local Administrator rights

Whether the account is a domain account as discussed above or a local account only, the account MUST be a member of the local Administrators group. It is assumed the Administrators group contains all the default rights that Microsoft gives this group when it is  created. We do not support trying to reduce the rights on the Administrators group (or it would no longer be a local Administrator).

Some of the default rights it should have would include:

• Log on as a batch job
• Log on locally
• Log on as a service