Symptoms

Last week we set up K2 QA System for one QA SP 2013 farm. This week we wanted to activate the features also on this second QA farm.
We ran into a problem on the productive system. On the second farm the activation for the features did work right away after setting up permissions within the Sharepoint and K2 Application - NO additional PERMISSIONs set up Sharepoint SQL Server!
On our third farm the same procedure does not work. The Sharepoint farms are setup with the same scripts and have identical setup with different service accounts.
Please find the errors attached.
= During ticket _71565 we ended up adding every account to every possible area and at some point it worked.
= On the second farm it worked with application permissions (Farm Admin, Export Admin Permission on K2)
= Now we are on the third farm and still have 3 more to install. Therefore we will not go again with the try and error procedure and require a solid documentation about the required permissions for all accounts:
- Install Account on SP Server (logged on user)
- Application Pool Account of Central Administration
- Deployment Pool Account requested in Feature activation
- K2 Service Account
- K2 Application Pool Account
 

Diagnoses

See documentation in Resolution
 

Resolution

Please have a look at this article:
http://help.k2.com/onlinehelp/k2blackpearl/icg/current/webframe.html_k2_for_sharepoint_-_required_permissions-sp_core.html

It seems to me it describes all the accounts that you have requested information for, but I'm not sure if this is for SP2010 or for SP2013. My guess is that it applies to both.

I've also come across this document:
K2 for SharePoint RC Installation.pdf - you can find it here: http://help.k2.com/files/7147

This document describes how to install the K2 for SharePoint 2013 App, on page 11 it says the following:

Site Admin / Owner rights are needed to install the K2 for SharePoint App and Contributor rights are needed to use the app.

I hope this document helps you with your investigations, although it doesn't really describe what other permissions are needed for the specific user accounts.

You can have a look at this site:

http://help.k2.com/onlinehelp/k2blackpearl/icg/current/webframe.html_claims_authentication_configuration.html

It explains the use of claims in the K2 DB and under the Issuers heading, it also notes that K2 supports a one-to-many mapping between K2 and the certificates that the SharePoint STS uses to sign (SharePoint Security Token Service) and encrypt (SharePoint Security Token Service Encryption) the security tokens it issues.

Keep in mind however, that when you register the K2 for SharePoint 2013 app (which you will have to add to the app store), it will automatically insert all the necessary Claim Mappings and Group Providers and SharePoint Thumbprints etc in the K2 DB.

I realize you use SP2013 in SP2010 compatibility mode, however it might just be easier to register the app on a different site collection, which will build all the necessary info above, then continue from there.