Friday, December 3, 2010

Minimal permissions required to execute code in SharePoint

I have repeatedly run into access permission issues when consuming the SharePoint object model from an exe, a web service or a Windows service running under a user with limited access. Each time I figured out the permissions required and then forgot to blog them, so every time I had to dig again to find them. So let us see what we should do for each type of application.

User Permission

SharePoint Site      Minimum Read permission
SharePoint Server    Add to WSS_ADMIN_WPG group
Database             SharePoint Content DB (site collection database) - db_owner permission
                     SharePoint Config DB (config DB of the SharePoint installation) - db_owner permission

Web Service / WCF Service
Most SharePoint developers will at some point have created a web service or WCF service that uses the SharePoint object model to perform some operation on a SharePoint site.

Error
The Web application at http://localhost/mysite/content could not be found. Verify that you have typed the URL correctly. If the URL should be serving existing content, the system administrator may need to add a new request URL mapping to the intended application.

We are usually bound to solve the issue within a time limit, so we are forced to use the same application pool identity as the SharePoint site and leave the real issue behind. But if you want to know what permissions the user actually requires, look at the list below. Make sure your application pool identity user has the following privileges.

SharePoint Site
Add the IIS application pool identity user to the SharePoint Read group in the SharePoint site (minimal permission). If you need to do write operations or content type changes, give the user the higher permission (Content Owner). This is to make sure that

SharePoint Server
Add the IIS application pool identity user to the WSS_ADMIN_WPG user group on the physical server where SharePoint is installed.

Database Server
The IIS application pool identity user should have db_owner access on the SharePoint configuration database (the configuration DB created during installation of the SharePoint farm) and on the SharePoint content database (the site collection database of the site you are trying to access).

Windows Service
In the Windows service case, the user account under which the Windows service runs should have the same access as the application pool identity user described above.

SharePoint Site
Add the Windows service user account to the SharePoint Read group in the SharePoint site (minimal permission). If you need to do write operations or content type changes, give the user the higher permission (Content Owner). This is to make sure that

SharePoint Server
Add the Windows service user account to the WSS_ADMIN_WPG user group on the physical server where SharePoint is installed.

Database Server
The Windows service user account should have db_owner access on the SharePoint configuration database (the configuration DB created during installation of the SharePoint farm) and on the SharePoint content database (the site collection database of the site you are trying to access).
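As an added example (not part of the original post), here is a PowerShell script for the SharePoint 2010 server that audits whether a service account holds the three memberships listed above for the application pool and Windows service cases, and additionally flags membership of the local Administrators group as excess, since nothing in the lists above requires it. The account, site URL, SQL instance and database names in param() are constructed placeholders; the script must run on a SharePoint server with sqlcmd available and the SharePoint snap-in installed.

```powershell
# Added example, not from the original post: audit a service account against the
# permissions listed above. Every value in param() is a constructed placeholder.
param(
    [string]$Account     = 'CONTOSO\svc-spclient',     # placeholder service account
    [string]$SiteUrl     = 'http://localhost/mysite',  # placeholder site URL
    [string]$SqlInstance = 'SQLSRV01\SHAREPOINT',      # placeholder SQL instance
    [string]$ConfigDb    = 'SharePoint_Config',        # placeholder config DB name
    [string]$ContentDb   = 'WSS_Content_MySite'        # placeholder content DB name
)
# Local server check: 'net localgroup <group>' lists direct members one per line.
# Nested group membership is not expanded, so indirect members show as missing.
function Test-LocalGroupMember([string]$Group, [string]$Member) {
    $lines = net localgroup $Group 2>$null
    return [bool]($lines | Where-Object { $_.Trim() -ieq $Member })
}

# Database check: db_owner membership read from the catalog views, which exist on
# SQL Server 2005/2008 (IS_ROLEMEMBER with a principal argument needs 2012+).
function Test-DbOwner([string]$Database, [string]$Member) {
    $query = "SET NOCOUNT ON; SELECT COUNT(*) FROM sys.database_role_members rm " +
             "JOIN sys.database_principals r ON rm.role_principal_id = r.principal_id " +
             "JOIN sys.database_principals m ON rm.member_principal_id = m.principal_id " +
             "WHERE r.name = 'db_owner' AND m.name = N'$Member'"
    # -E trusted connection, -h -1 no header row, -W trim trailing spaces
    $out = sqlcmd -S $SqlInstance -d $Database -E -h -1 -W -Q $query 2>$null
    return ([int]($out | Select-Object -First 1)) -gt 0
}

# Site check: the Read level includes ViewListItems; DoesUserHavePermissions
# evaluates the login's effective rights on the web without impersonating it.
function Test-SiteRead([string]$Url, [string]$Login) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    $web = Get-SPWeb $Url
    try { return $web.DoesUserHavePermissions($Login, [Microsoft.SharePoint.SPBasePermissions]::ViewListItems) }
    finally { $web.Dispose() }
}

# Required = $true: listed above. Required = $false: not needed by the lists above,
# so holding it is reported as EXCESS privilege rather than as a pass.
$checks = @(
    @{ Check = 'Read on SharePoint site';        Required = $true;  Actual = Test-SiteRead $SiteUrl $Account },
    @{ Check = 'Member of WSS_ADMIN_WPG';        Required = $true;  Actual = Test-LocalGroupMember 'WSS_ADMIN_WPG' $Account },
    @{ Check = "db_owner on $ConfigDb";          Required = $true;  Actual = Test-DbOwner $ConfigDb $Account },
    @{ Check = "db_owner on $ContentDb";         Required = $true;  Actual = Test-DbOwner $ContentDb $Account },
    @{ Check = 'Member of local Administrators'; Required = $false; Actual = Test-LocalGroupMember 'Administrators' $Account }
)
foreach ($c in $checks) {
    $state = if ($c.Actual -eq $c.Required) { 'OK' } elseif ($c.Required) { 'MISSING' } else { 'EXCESS' }
    '{0,-34} {1}' -f $c.Check, $state
}
```

Run it under an account that already has shell access to the farm (for Get-SPWeb) and a login on the SQL instance; a MISSING line points at the exact membership to grant, and an EXCESS line at one to remove.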

4 comments:

Sharpguru said...

This post has helped me solve more than one permissions problem, thank you!

Hephs said...

Hi,

I developed a 32 bit web application (.NET 3.5) that accesses SharePoint 2007. The application was built to run on Any CPU on my development m/c. Now I have moved the application to 64 bit production that has SharePoint 2010 on it. The application fails when I try to upload a document to SharePoint. I tried all your steps, yet it throws a file not found exception.

Please help!

Michael Herman (Toronto) said...

If you're running on an x64 architecture (required for SharePoint 2010), run the Configuration Manager in VS2010 and select x64.

Filip Hurta said...

Good to know, I was looking exactly for this specification of privileges.
BTW, because of a lack of time during installation in my test environment, I used the SharePoint 2010 PowerShell command Add-SPShellAdmin, specifying the account and content database.
It also adds the user to the AdminContent database, but that can eventually be removed.