This article outlines the required permissions of the services account and the user performing the installation.
Applies to the following Sophos product(s) and version(s)
Sophos for Microsoft SharePoint
When installing Sophos for Microsoft SharePoint, you need to be logged on with local administrator rights. If you are in a domain, you must also be a domain user.
Note: By default, the installer will create or attempt to use a local SOPHOS SQL instance for the Sophos for Microsoft SharePoint databases. If you want to use a different SQL instance, you need to be a member of the SQL sysadmin role on that database server.
During the install you need to specify a services account for the Sophos for Microsoft SharePoint services. Using the Farm account is not advised because, according to Microsoft guidance, accounts used by application pools should not be in the Local Administrators group. The services account has the requirements below, based on its scanning/cleaning functionality:
On-access (VSAPI) scanning for upload and download
The services account needs to be a member of the following groups:
- Local Administrators
- Farm Administrators
This account also needs to be added to the SharePoint_Shell_Access role by running the command below in the SharePoint Management Shell:
PS C:\> Add-SPShellAdmin DOMAIN\Account
Note: If SharePoint connects to your SharePoint databases using Windows authentication, this account must also be a member of the SQL sysadmin role on the database server.
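One way to confirm the three on-access requirements above after setup, as an added example that is not Sophos code. DOMAIN\Account is the same placeholder used in the command above; the script assumes English group names and checks direct membership only, so an account that holds a right through a nested group will show as False.

```powershell
# Added example, not Sophos code. Run in an elevated SharePoint Management Shell.
$Account = 'DOMAIN\Account'   # placeholder: your services account

if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Strip a claims prefix such as 'i:0#.w|' and compare case-insensitively.
function Test-LoginMatch([string]$Login, [string]$Wanted) {
    ($Login -replace '^.*\|', '') -ieq $Wanted
}

# 1. Local Administrators: direct members only, nested groups are not expanded.
#    Assumes the English group name 'Administrators'.
$group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$localAdmins = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    # 'WinNT://DOMAIN/Account' -> 'DOMAIN\Account'
    $parts = ($path -replace '^WinNT://', '') -split '/'
    $parts[-2..-1] -join '\'
}

# 2. Farm Administrators group on the Central Administration site
$ca = Get-SPWebApplication -IncludeCentralAdministration |
    Where-Object { $_.IsAdministrationWebApplication }
$caWeb = Get-SPWeb -Identity $ca.Url
$farmAdmins = @($caWeb.SiteGroups['Farm Administrators'].Users |
    ForEach-Object { $_.UserLogin })
$caWeb.Dispose()

# 3. SharePoint_Shell_Access role on the configuration database
$shellAdmins = @(Get-SPShellAdmin | ForEach-Object { $_.UserName })

New-Object PSObject -Property @{
    Account             = $Account
    LocalAdministrators = [bool]($localAdmins | Where-Object { Test-LoginMatch $_ $Account })
    FarmAdministrators  = [bool]($farmAdmins  | Where-Object { Test-LoginMatch $_ $Account })
    ShellAdmin          = [bool]($shellAdmins | Where-Object { Test-LoginMatch $_ $Account })
} | Format-List
```

Because this account ends up with local administrator, farm administrator and possibly SQL sysadmin rights, the same output is useful for periodic review of who else holds those memberships.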
On-demand and scheduled scanning
The services account needs permissions to scan and clean items, as required by the permissions model in use.
Note: For a default SharePoint installation, this usually means Site Collection Administrator rights over the sites to be scanned, including the SharePoint Central Administration web site if you need to scan it.
Related information / See also
Sophos for Microsoft SharePoint startup guide Version 2
Sophos for Microsoft SharePoint startup guide Version 3