Windows Server Action

What are the minimum privileges required for a service account to execute the ‘Windows Server’ workflow action, specifically for connecting to a Windows Server or IQService server to execute a PowerShell script?

It works fine when the service account is added as a local admin on the Windows Server or IQService server. Does anyone know if there’s a way to achieve this with fewer privileges?

Hi @rpriya,

Good point — the documentation doesn’t seem to provide detailed information about required permissions.

You might try something along these lines:

  • Add the service account to the Remote Management Users group so it can establish a remote PowerShell session.
  • Use Just Enough Administration (JEA) to delegate only the specific cmdlets or tasks that the workflow needs to perform.
  • Delegate permissions only on the relevant OUs, attributes, or files/services instead of granting full admin rights.

Additionally, you could open a support ticket to ask SailPoint for best practices around least privilege configuration.

Hope this helps, and good luck!

@rpriya Service account permission requirements would remain the same as mentioned in this URL: Required Permissions

If you are executing the AD commands from the script, then the service account would need the permission to execute them.


The Windows Server workflow action doesn’t require local admin rights. Instead, consider these least-privilege approaches:

  1. Add the account to the Remote Management Users group to establish PowerShell remoting sessions

  2. Use Just Enough Administration (JEA) to delegate only specific cmdlets/tasks needed

  3. Grant targeted permissions on relevant OUs, attributes, or services instead of full admin rights

For Active Directory operations specifically, follow the required permissions for AD connectors.

Opening a support ticket for SailPoint’s recommended least-privilege configuration is also suggested, as detailed documentation on workflow action permissions is limited.
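Both replies above point at the same combination: Remote Management Users membership for the remoting session, plus a JEA endpoint that exposes only the cmdlets the workflow script actually calls. The following PowerShell is an added example written for this thread; it is not SailPoint’s code or documentation. The account name CONTOSO\svc-iiq-workflow, the endpoint name IdentityWorkflow, the module name IdentityWorkflowJea, the transcript folder and the single service (Spooler) the role is allowed to restart are all assumptions chosen for illustration. Replace them with whatever your workflow script really needs; the point is that the visible cmdlet list is derived from the script, not from an admin group.

```powershell
# Added example (not from the thread or SailPoint): build a least-privilege
# JEA endpoint on the target Windows Server. Run elevated on that server.
# All names below are assumptions for illustration.

$ServiceAccount = 'CONTOSO\svc-iiq-workflow'   # assumed service account
$EndpointName   = 'IdentityWorkflow'           # assumed JEA endpoint name
$ModuleName     = 'IdentityWorkflowJea'        # assumed module holding the role
$TranscriptDir  = 'C:\JeaTranscripts'          # assumed audit location

# 1. Let the account open a remoting session at all, without local admin.
#    (Only needed for the default endpoint; a JEA endpoint's ACL is generated
#    from its RoleDefinitions.)
Add-LocalGroupMember -Group 'Remote Management Users' -Member $ServiceAccount

# 2. Role capability: the only cmdlets (and parameter values) the script may use.
$ModulePath = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$ModuleName"
$RoleDir    = Join-Path $ModulePath 'RoleCapabilities'
New-Item -ItemType Directory -Path $RoleDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $ModulePath "$ModuleName.psd1")

$roleParams = @{
    Path            = Join-Path $RoleDir 'WorkflowOperator.psrc'
    Description     = 'Identity workflow: query services, restart one named service.'
    VisibleCmdlets  = @(
        'Get-Service',
        # Restrict Restart-Service to a single allowed -Name value (assumed: Spooler).
        @{ Name = 'Restart-Service'
           Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }
    )
}
New-PSRoleCapabilityFile @roleParams

# 3. Session configuration: constrained endpoint, virtual account instead of
#    the service account's own token, every session transcribed.
New-Item -ItemType Directory -Path $TranscriptDir -Force | Out-Null
$SessionConfigPath = Join-Path $env:TEMP "$EndpointName.pssc"
$sessionParams = @{
    Path                = $SessionConfigPath
    SessionType         = 'RestrictedRemoteServer'
    RunAsVirtualAccount = $true
    TranscriptDirectory = $TranscriptDir
    RoleDefinitions     = @{ $ServiceAccount = @{ RoleCapabilities = 'WorkflowOperator' } }
}
New-PSSessionConfigurationFile @sessionParams

# Fail early if the .pssc is malformed.
if (-not (Test-PSSessionConfigurationFile -Path $SessionConfigPath)) {
    throw "Session configuration file $SessionConfigPath is invalid."
}

# 4. Register the endpoint (this restarts WinRM).
Register-PSSessionConfiguration -Name $EndpointName -Path $SessionConfigPath -Force

# 5. Check from the client side, as the service account: only the whitelisted
#    commands should be visible, and Restart-Service -Name 'W32Time' should be
#    rejected by the parameter validation.
#    $cred = Get-Credential $ServiceAccount
#    Invoke-Command -ComputerName <server> -ConfigurationName $EndpointName `
#        -Credential $cred -ScriptBlock { Get-Command }
```

The workflow action would then target the JEA endpoint by configuration name instead of the default Microsoft.PowerShell endpoint. Because the session runs as a virtual account, the script still has local admin rights inside the endpoint, but the caller can only reach them through the cmdlets and parameter values listed in the role capability; everything else is absent from the session rather than merely denied. If the script performs Active Directory operations, those still need the AD delegations the second reply refers to, granted on the specific OUs and attributes rather than via Domain Admins.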