SharePoint Console Application Permissions for Read Only Access
I was recently challenged with trying to come up with a least privilege scenario for running a console application or Windows service against a SharePoint farm to perform read-only operations. Without the correct permissions there are several exceptions you will run into, including file I/O errors, UnauthorizedAccessException, SPException, etc. A joy to wade through. :-)
I used this KB article as a starting point for what we knew would work. It states that the identity used to run the console application should be the following:
- Farm Administrator
- Read/Write database permissions on the configuration and content databases.
- Site collection administrator
- Permissions to each site in the site collection
I started my quest with no permissions granted on the farm and slowly elevated them until I was able to successfully iterate the object model. I ended up close to what is published above, but I was finding that db_owner (dbo) was required on the databases. After consulting with some people internally I was able to use the SharePoint SQL role WSS_Content_Application_Pools on the configuration database, but still required db_owner on the content databases. Again, some help internally brought to my attention that SharePoint calls a stored procedure to enumerate the sites that exist in the site collection, so the account needs EXECUTE rights rather than direct write access to the tables. I was able to grant execute permission to the user on each content database (run in the context of that database) using the following command:
GRANT EXECUTE TO [DOMAIN\username]
I also dropped the user's membership on the content databases from db_owner to db_datareader. After those changes the console application was able to iterate the content in the site collection in a read-only fashion. The final permissions were as follows:
- Farm Administrator
- db_datareader permissions on the content databases
- WSS_Content_Application_Pools permissions on the SharePoint_Config (default name) database
- GRANT EXECUTE permission on the stored procs in the content database
- Site collection administrator
- Permissions to each site in the site collection
This could be further reduced to the exact stored procs required in the content databases, but I'll leave that for another day. One caveat worth keeping in mind: a database-scoped GRANT EXECUTE covers every stored procedure in the content database, including the ones that write, and because the procedures and the tables they touch share the dbo owner, ownership chaining lets such a procedure modify data even though the caller only holds db_datareader. The account is therefore read-only in terms of direct table access, not in terms of everything the SharePoint object model could do through it; narrowing to per-procedure grants is what closes that gap. Write permissions on the content databases don't seem to be required, contrary to what the KB indicates, and we can leverage the SharePoint-specific SQL role for the configuration database. The fact that we can reduce this to db_datareader instead of read/write on the content databases should make some of the DBAs of the world a little happier.
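The final permission set above, applied and then verified, as an added T-SQL example (this is not code from the original post). The login name DOMAIN\svc_spreader and the content database name WSS_Content_Portal are hypothetical placeholders; SharePoint_Config is the default configuration database name used in the post. The script uses sp_addrolemember rather than ALTER ROLE so it also runs on SQL Server 2005/2008, and the verification section runs as the service account itself so the result reflects effective permissions, including the surface opened up by the database-scoped EXECUTE grant.

```sql
-- Added example, not from the original post: apply the final permission set
-- and verify it from the service account's point of view.
-- DOMAIN\svc_spreader and WSS_Content_Portal are hypothetical names.

-- 1. Server-level login for the console application's identity.
USE [master];
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'DOMAIN\svc_spreader')
    CREATE LOGIN [DOMAIN\svc_spreader] FROM WINDOWS;
GO

-- 2. Configuration database: only the SharePoint-specific role, nothing more.
USE [SharePoint_Config];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'DOMAIN\svc_spreader')
    CREATE USER [DOMAIN\svc_spreader] FOR LOGIN [DOMAIN\svc_spreader];
EXEC sp_addrolemember N'WSS_Content_Application_Pools', N'DOMAIN\svc_spreader';
GO

-- 3. Each content database: db_datareader plus EXECUTE on the stored procedures.
--    Repeat this block for every content database in the farm.
USE [WSS_Content_Portal];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'DOMAIN\svc_spreader')
    CREATE USER [DOMAIN\svc_spreader] FOR LOGIN [DOMAIN\svc_spreader];

-- If the account was granted db_owner while experimenting, take it away first.
IF EXISTS (SELECT 1
           FROM sys.database_role_members AS rm
           JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
           JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
           WHERE r.name = N'db_owner' AND m.name = N'DOMAIN\svc_spreader')
    EXEC sp_droprolemember N'db_owner', N'DOMAIN\svc_spreader';

EXEC sp_addrolemember N'db_datareader', N'DOMAIN\svc_spreader';
-- Database-scoped EXECUTE: reaches every stored procedure in this database.
GRANT EXECUTE TO [DOMAIN\svc_spreader];
GO

-- 4. Verify, impersonating the account so effective permissions are reported.
USE [WSS_Content_Portal];
EXECUTE AS USER = N'DOMAIN\svc_spreader';

-- Role membership the account ended up with in this database (expect db_datareader).
SELECT r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = USER_NAME();

-- Effective database-level permissions: expect CONNECT, SELECT and EXECUTE,
-- and no INSERT / UPDATE / DELETE.
SELECT permission_name
FROM fn_my_permissions(NULL, 'DATABASE')
ORDER BY permission_name;

SELECT HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'INSERT')  AS can_insert,
       HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'UPDATE')  AS can_update,
       HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'DELETE')  AS can_delete,
       HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'EXECUTE') AS can_execute;

-- How many procedures the blanket EXECUTE grant reaches. This is the surface
-- that per-object grants would narrow; any of these that write still can,
-- through ownership chaining, regardless of db_datareader.
SELECT COUNT(*) AS executable_procs
FROM sys.procedures AS p
WHERE HAS_PERMS_BY_NAME(QUOTENAME(SCHEMA_NAME(p.schema_id)) + N'.' + QUOTENAME(p.name),
                        'OBJECT', 'EXECUTE') = 1;

REVERT;
GO
```

Run it from SSMS or sqlcmd as a sysadmin (the GO batch separators are a client-side convention, not T-SQL). The farm administrator, site collection administrator and per-site permissions in the list are granted in SharePoint, not in SQL, so they are outside this script. To take the next step the post defers, capture the procedures the application actually calls (a SQL trace filtered on the service account's login is the simplest way), grant them individually with GRANT EXECUTE ON OBJECT::dbo.<procedure name> TO [DOMAIN\svc_spreader], and then REVOKE the database-scoped EXECUTE so the last query above drops from "every procedure" to just that list.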