Security Accounts Required by Notification Services
An instance of Notification Services requires accounts for the Notification Services engine that runs hosted event providers, generator, and distributors; for any external applications used to manage subscriptions or submit events; and for deploying and administering the instance. These accounts require permissions in Windows as well as in SQL Server.
The following accounts are required:
Engine account. An engine runs the generator, distributors, and hosted event providers of an instance of Notification Services. Typically, this engine is the NS$instanceName Microsoft Windows service, which is created when you register the instance of Notification Services, but the engine can also be hosted by a custom application or process. In either case, the engine must run under a local, domain, or built-in Windows account. The engine uses this account to access local and network resources, and to access databases. For more information, see Configuring Windows Accounts for an Instance of Notification Services.
The engine uses either a Windows account or a SQL Server login to connect to the databases that contain instance and application data. If you are using the Windows account for database access, you must grant the Windows account permission to log in to the database server and permissions in the instance's databases. If you are using a SQL Server login, you must create the SQL Server login account and then grant database permissions to the account. For more information, see Configuring SQL Server Permissions for an Instance of Notification Services.
Subscription management accounts. Subscription management interfaces must be able to connect to the database server and execute subscription management stored procedures. For more information, see Permissions Required by Client Applications.
Non-hosted event provider accounts. If you are using a non-hosted event provider, the account used by the event provider must be able to read instance and application data and to submit event data. For more information, see Permissions Required by Client Applications.
Deployment and administration accounts. When you deploy an instance of Notification Services, you must be able to create and register the instance and configure security. When you administer an instance of Notification Services, you may be required to update or upgrade instances, manage security, and monitor performance. These tasks require different permissions, so if this work is divided between staff members, you need to grant the proper permissions to each staff member's SQL Server account. For more information, see Permissions Required to Deploy and Administer Notification Services.
Each of these applications or activities has its own security requirements. Even though you can use the same account for deploying, administering, and running an instance of Notification Services, it is best to limit the permissions on each process or activity to the minimum required. Use separate accounts for each application or component when possible, and grant minimal permissions to database user accounts through predefined database roles.