[January 2017 – updated title to reference current SharePoint and to include PowerShell command that sets user permissions in SharePoint]
Applications, like migration tools, designed to use the SharePoint APIs exposed on servers in the SharePoint Farm need to be run with elevated security permissions.
Run the following script in the SharePoint Management Shell as a farm administrator to give your migration user the necessary rights:
- Get-SPDatabase | Add-SPShellAdmin Domain\Username
This will grant the user access to the configuration database as well as the content database.
You can revoke this with:
- Get-SPDatabase | Remove-SPShellAdmin Domain\Username
If you want to apply the permissions more directly …
What I find works is:
- dbo access (read and write at least) to the SharePoint Config and Content databases. The reason for this is that the API is just a set of DLLs and they access the SharePoint databases using the credentials of the user running the application. You might find mentioning this is useful when explaining to your client / boss why the application needs such rights.
[Note: do not access the databases directly as this will invalidate the SharePoint warranty. Do everything through the APIs.]
- enough access to the SharePoint Sites to do the required actions. Some people say Farm administrator rights are also required. I’m not sure this is also needed, but unless there are good reasons not to, it is quicker and easier to do it
- enough access to run code on the server (local admin is a safe bet)
- be a member of the WSS_ADMIN_WPG group.
And remember also the application needs to be compiled for 64 bit and must be run on a server in the farm.