Security settings to run an application that uses the SharePoint 2013/2016 APIs

[January 2017 – updated title to reference current SharePoint and to include PowerShell command that sets user permissions in SharePoint]

Applications, like migration tools, designed to use the SharePoint APIs exposed on servers in the SharePoint Farm need to be run with elevated security permissions.

With PowerShell

Run the following script in the SharePoint Management Shell as a farm administrator to give your migration user the necessary rights:

  • Get-SPDatabase | Add-SPShellAdmin Domain\Username

This will grant the user access to the configuration database as well as the content database.

You can revoke this with:

  • Get-SPDatabase | Remove-SPShellAdmin Domain\Username
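An added example (not from the original post) that wraps the grant and revoke commands above around a single migration run, so the account holds shell admin rights only while the tool is running and any grant that predates the run is left alone. The `$UserName` value and the `$MigrationStep` script block are placeholders supplied by the caller, and the script assumes it is run by a farm administrator on a server in the farm.

```powershell
# Added example: time-boxed shell admin grant for a migration account.
param(
    [Parameter(Mandatory = $true)] [string]      $UserName,      # e.g. 'DOMAIN\svc-migration' (constructed)
    [Parameter(Mandatory = $true)] [scriptblock] $MigrationStep  # hypothetical: whatever launches the tool
)

# Load the SharePoint cmdlets when not started from the Management Shell.
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Databases in which $UserName is currently listed as a shell admin.
function Get-ShellAdminDatabase {
    foreach ($db in Get-SPDatabase) {
        $hit = Get-SPShellAdmin -database $db |
            Where-Object { $_.UserName -ieq $UserName }
        if ($hit) { $db }
    }
}

# Record the starting state, then only touch databases where the account
# had no grant, so revocation does not strip rights that predate this run.
$beforeIds = @(Get-ShellAdminDatabase | ForEach-Object { $_.Id })
$targets   = @(Get-SPDatabase | Where-Object { $beforeIds -notcontains $_.Id })

try {
    foreach ($db in $targets) {
        Add-SPShellAdmin -UserName $UserName -database $db
    }
    & $MigrationStep
}
finally {
    # Revoke even if the migration step throws.
    foreach ($db in $targets) {
        Remove-SPShellAdmin -UserName $UserName -database $db -Confirm:$false
    }

    # Verify: anything granted during this run that is still present is a leftover.
    $leftover = @(Get-ShellAdminDatabase | Where-Object { $beforeIds -notcontains $_.Id })
    if ($leftover.Count -gt 0) {
        $names = ($leftover | ForEach-Object { $_.Name }) -join ', '
        Write-Warning "$UserName is still a shell admin on: $names"
    }
}
```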

If you want to apply the permissions more directly …

What I find works is:

  • dbo access (read and write at least) to the SharePoint Config and Content databases. The reason for this is that the API is just a set of DLLs and they access the SharePoint databases using the credentials of the user running the application. You might find mentioning this is useful when explaining to your client / boss why the application needs such rights.
    [Note: do not access the databases directly as this will invalidate the SharePoint warranty. Do everything through the APIs.]
  • enough access to the SharePoint Sites to do the required actions. Some people say Farm administrator rights are also required. I’m not sure this is also needed, but unless there are good reasons not to, it is quicker and easier to do it.
  • enough access to run code on the server (local admin is a safe bet)
  • be a member of the WSS_ADMIN_WPG group.

Also remember that the application needs to be compiled for 64-bit and must be run on a server in the farm.
