There are 4 services accounts that must have appropriate permissions, 3 folders that require configuration and SQL privileges that must be correct if NetWitness Endpoint is to function correctly. You must also share both the QueuedData and Files directories to allow ConsoleServer, SQL Server and SQL Agent to access them remotely. The API Server service does not need access to these shares.  In cases where Console Server and API Server services are running under the same account the additional permissions do not impact performance. Remote users of the UI will need access to the Files directory as well.

SERVICE ACCOUNTS

• RSA ECAT API Server
• RSA ECAT Console Server
• SQL Server
• SQL Server Agent

DATABASE PERMISSIONS

• API Server and ConsoleServer service accounts require sysadmin
• SQL Server and SQL Agent service accounts require sysadmin
• User accounts do not require sysadmin

FOLDER PERMISSIONS

• QueuedData folder: ConsoleServer service account needs Full control, SQL Server & SQL Agent service accounts require read access. Additionally, the SQL Server service account may need to have delegation enabled to access the QueuedData share on the NetWitness Endpoint server; otherwise an "Access Denied" error occurs when SQL Server tries to bulk load the kerneldata.csv file.  Delegation and Kerberos double-hop authentication are detailed in the following KB:  Access denied error is logged in RSA NetWitness Endpoint when SQL attempts to insert KernelData.csv file 
• Files folder:  ConsoleServer service account must have Full Control, user accounts need read access
• Root folder (C:\ProgramFiles\RSA\ECAT\Server by default in 4.2, C:\ECAT\Server in 4.1): API server and ConsoleServer service accounts needs full control

 SHARING QueuedData folder

• QueuedData folder must be shared
• ConsoleServer.exe.config must be updated with the UNC path.  for example: <add key="QueuedDataPath" value="\\NWEServer\QueuedData"/>
• ConsoleServer service account needs full control
• SQL Agent and SQL server service accounts need read access

SHARING Files folder                

• Files folder must be shared (can be on a network share if desired)
• Console Server service account must have FULL control
• User accounts must have READ access

In most cases, the SQL and SQL Agent services are run under the same service account.  It is also common for the Console Server and API Server services to be run under the same account (not the same account as SQL and SQL Agent services).  This is not a requirement but does simplify initial configuration.