Sophos for Microsoft SharePoint: permissions required by services account

  • Article ID: 58866
  • Updated: 25 Mar 2011

You must ensure that the credentials you provide as the service account while installing Sophos for Microsoft SharePoint have the correct permissions. The permissions should be as described either for Account type 1 OR for Account type 2.

NOTE: On SharePoint 2010, the service user account will also require Shell Admin permission.

Account type 1

If you have a server farm scenario, you can use the 'Server Farm Account' (also referred to in the SharePoint documentation as the 'database access account'). This is the account that you provided when setting up the farm in the SharePoint Configuration Wizard.

This account is also the application pool identity for the SharePoint Central Administration web site.

Account type 2

If you use an alternative account, ensure it has the following 3 sets of permissions:

  1. The user is listed under SharePoint Central Administration web site | Operations | Update farm administrator's group
  2. The user has full permissions for the Central Administration site collection:
    • verify they are a site collection administrator in SharePoint Central Administration web site | Site Actions | Site Settings | Site collection administrators
      OR
    • verify they are a site collection administrator in SharePoint Central Administration web site | Application Management | Site collection administrator. Click 'change site collection' and then change web application to be Central Administration.
  3. The user has full permissions for all the other site collections (in addition to the Central Administration site collection, described in 2 above):
    • verify they have 'Full control' under SharePoint Central Administration web site | Application Management | Policy for Web Application. This is the recommended option.
      OR
    • verify that they are a site collection administrator for all the other site collections (however, this option is not recommended).

Note: The user might have permissions set up indirectly. For example, the permissions might be set for a group (e.g. BUILTIN\Administrators) and the user might be a member of that group.
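
One way to verify the permissions above from the SharePoint 2010 Management Shell, as an added example (not Sophos code and not part of the original article). The account name is a placeholder and the 'Farm Administrators' group name assumes an English-language installation; only direct listings are matched, so permissions granted through a group, as the note above describes, show as not listed.

```powershell
# Added example: read-only check of the permission sets listed above (SharePoint 2010).
# Run from an elevated PowerShell session on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$account = 'EXAMPLE\svc-sophos'   # placeholder: the service account to check

function Test-Listed($names) {
    # Direct match only; claims-encoded logins end in "|DOMAIN\user".
    [bool]($names | Where-Object { $_ -ieq $account -or $_ -like "*|$account" })
}
function New-Result($check, $scope, $names) {
    New-Object PSObject -Property @{ Check = $check; Scope = $scope; Listed = (Test-Listed $names) }
}

# Central Administration web application and its root site collection
$caApp  = Get-SPWebApplication -IncludeCentralAdministration |
          Where-Object { $_.IsAdministrationWebApplication }
$caSite = Get-SPSite $caApp.Url
$caWeb  = $caSite.RootWeb

$results = @()

# SharePoint 2010 note: Shell Admin
$results += New-Result 'Shell Admin' 'Farm' (Get-SPShellAdmin | ForEach-Object { $_.UserName })

# 1. Farm administrators group (assumption: default English group name)
$farmAdmins = $caWeb.SiteGroups['Farm Administrators'].Users | ForEach-Object { $_.LoginName }
$results += New-Result 'Farm administrator' 'Farm' $farmAdmins

# 2. Site collection administrator on Central Administration
$caAdmins = $caWeb.SiteAdministrators | ForEach-Object { $_.LoginName }
$results += New-Result 'Site collection administrator' $caApp.Url $caAdmins

# 3. 'Full control' in Policy for Web Application, for every content web application
foreach ($wa in Get-SPWebApplication) {
    $full = $wa.Policies |
        Where-Object { $_.PolicyRoleBindings | Where-Object { $_.Type -eq 'FullControl' } } |
        ForEach-Object { $_.UserName }
    $results += New-Result 'Web application policy: Full control' $wa.Url $full
}

$caSite.Dispose()
$results | Select-Object Check, Scope, Listed | Format-Table -AutoSize
```

A row with Listed = False for a content web application means the account lacks the recommended 'Full control' policy there and would need to be a site collection administrator on each of that application's site collections instead.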

 
If you need more information or guidance, then please contact technical support.
