Best Practice for EFP Security Setup

The Best Practice recommendation is to run Planner and EFP on a dedicated server with SQL Server (MSSQL), Analysis Server (MSAS) and Internet Information Server (IIS) installed. In this recommended scenario the source database(s) will exist on another server and will be linked to the EFP dedicated server.

Other setups are possible as well. For example it is possible to run IIS on a separate server. MSAS is also possible to run on a separate server. In a low budget scenario it is also possible to run everything on one server including the ERP systems.

Anyhow, on this page we only describe the recommended setup.

All what is described on this page has to be done before the installation of Planner and EFP.


For version 1.4 or later, you need to have 2 User IDs with Administrator privileges.
So in this best practice example, you need to have two IDs, but one without granting access to SQL Analysis Services.

Create a new domain account (EFP Service Account), which has local administrator rights on the server where EFP will be installed.

In this example:

  • the domain is named DSPCanvas
  • the EFP Service account is named EFP_Service
  • that gives the name DSPCanvas\EFP_Service


The EFP_Service account needs read access to the source database on the source database server.

  1. login the source database server with local administrator right
  2. start SQL Server Database Engine
  3. expand Security
  4. expand Logins
  5. right click on the EFP_Service account
  6. Properties
  7. User Mapping:
    • tick the source database
    • grant the db_datareader access

      In this example, the source database name is EAS


Setup the security in SQL Server Database Engine
(This is to add the EFP_Service account, so it can access things in SQL)

  • Connect to SQL Server Database Engine.
  • Security → right click on LoginsNew Login…
  • In General, Use Search… to find the EFP_Service account.
  • In Server Roles, assign sysadmin → OK.
  • You can find EFP_Service account is added in Logins now.


In version r1.4 or later, one of the account should not be granted access to SQL Server Analysis Services.

Setup the security in SQL Server Analysis Services
(This is to add the EFP_Service account to SSAS so it can deploy and view cubes)

  • Connect to SQL Server Analysis Services
  • Right click on SQL Server Analysis ServicesPropertiesSecurityAdd…
  • Add EFP_Service account in Security


The EFP Service account needs to run 3 Services
Use the account that has both access to SQL Database Engine and SQL Server Analysis Service.

  • SQL Server
  • SQL Server Analysis Services
  • SQL Server Agent

Right click on each service → PropertiesLog On tab


Check IIS: the default website & port number (OPTIONAL)
If you want to install Planner against a different site & a different port number, you need to create a new site with a different port number

  • Add Website…
  • Give a Site name
  • Locate a Physical path
  • Put a Port number that is available → OK


Later when you run EFP → Customer Metadata step, make sure to put EFP_Service account in the AdminUser field

  • efp/tech/installguide/security.txt
  • Last modified: 2018/02/21 14:03
  • by pcevli