SharePoint 2013 Administrative Account Permissions

  • Question

  • I'm looking for documentation about the permissions needed to administrate SharePoint Server 2013. My administrative account needs to have access to Central Administration, web applications, PowerShell, and local server resources like the file system, event logs, services, etc.

    I have found several articles that I had hoped would have the information but do not:

    Plan for administrative and service accounts in SharePoint 2013 literally has the sentence:

    This article does not describe security roles and permissions required to administer in SharePoint 2013.

    This upsets me as I am looking for the documentation that does describe the roles and permissions required to administer in SharePoint 2013 and this line offers no help other than telling me what I need isn't here. For anyone from the documentation team that happens to read this I offer the feedback that following that sentence there should be a link to the documentation that I am asking about here (assuming it exists ;)

    Initial deployment administrative and service accounts in SharePoint 2013 details permissions for the setup user account which is like an administrative account except that in my case the farm has been set up and I need to have administrative accounts.

    Account permissions and security settings in SharePoint 2013 describes the permissions accounts and groups are granted on individual resources on the server. While this is informative, it doesn't describe what rights I need to grant an account so it can administer.

    Use Windows PowerShell to administer SharePoint 2013 describes the permissions needed to run Add-SPShellAdmin to grant others administrative access, but doesn't actually describe the permission needed to use PowerShell to administrate.

    Does this information exist publicly?


    Friday, April 24, 2015 5:27 PM

Answers

  • Partner Support has confirmed there is no documentation that details specific rights needed for specific administration tasks. Given how the permissions depend on the task and how many tasks there are I don't see this ever appearing in official public documentation.

    I did some testing and I was able to use PowerShell as a non-admin, but I was limited to accessing objects that don't require admin rights. For example, I couldn't get the farm object (I get an exception) or the search service application (Get-SPEnterpriseSearchServiceApplication returns null), but I could list site collections and sites. Again, certain tasks require certain rights, and this totally makes sense given the ability to delegate permissions built into the SharePoint platform.

    So where does this leave me? For now I suppose it needs to be tested on a case-by-case basis.

    For users who I want to administer a farm with PowerShell, and who need to log into the servers to check local resources, services, logs, etc., they practically need to be local administrators and have SPShellAdmin. For anything else I would be looking at creating an account with no rights and gradually adding permissions until I get to a level where it can perform the required tasks. If I want an account to manage site collections I may need the Remote Desktop Users machine group, SPShellAdmin against the content database, and site collection administrator (at the moment this is a guess).

    So in the end it seems there is no definitive answer or broad best practice for assigning permissions to administrators beyond testing it out to see what works and hiring administrators who you trust and are accountable for their actions.


    • Marked as answer by Jason Warren Friday, August 14, 2015 11:06 PM
    Monday, April 27, 2015 8:19 PM
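The case-by-case testing described in the answer can be scripted. The following probe is an added example, not code from the thread: run it on a farm server as the candidate account and it reports which of the three rights (local admin, farm admin, SPShellAdmin) the account holds and which cmdlet-level checks succeed, fail with an exception, or return null. It assumes the SharePoint 2013 Management Shell snap-in is installed on that server; the check names are constructed for this example.

```powershell
# Added example: probe the administrative rights of the CURRENT account on a
# SharePoint 2013 server. Load the snap-in; in the Management Shell it is
# already loaded. If the account is not a local admin the load itself can fail
# (as noted in the thread), and every SP* check below then fails with
# "term not recognized", which is itself a useful result.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-Step {
    # Runs one probe and normalises the outcome: exception, null result, $false,
    # or success. A null result matters because some cmdlets (for example
    # Get-SPEnterpriseSearchServiceApplication) return nothing instead of throwing
    # when the caller lacks rights.
    param([string]$Name, [scriptblock]$Action)
    try {
        $r = & $Action
        if ($r -is [bool]) { $ok = $r } else { $ok = ($null -ne $r) }
        $note = if ($ok) { 'ok' } else { 'returned null/false (no access or not a member)' }
    } catch {
        $ok = $false
        $note = $_.Exception.Message
    }
    New-Object PSObject -Property @{ Check = $Name; Passed = $ok; Detail = $note }
}

$me        = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($me)

$results = @(
    # 1. Local Administrators: needed for IIS objects, services, logs, snap-in load.
    New-Object PSObject -Property @{
        Check  = 'Local Administrator'
        Passed = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        Detail = $me.Name
    }
    # 2. Farm object: throws for a non-admin, exactly as observed in the answer.
    Test-Step 'Get-SPFarm' { Get-SPFarm }
    # 3. Farm Administrators membership, asked of the farm object itself.
    Test-Step 'Farm Administrator' { (Get-SPFarm).CurrentUserIsAdministrator() }
    # 4. SharePoint_Shell_Access on the configuration database (default scope).
    Test-Step 'SPShellAdmin (config DB)' { Get-SPShellAdmin | Where-Object { $_.UserName -eq $me.Name } }
    # 5. Search service application: null rather than an exception when denied.
    Test-Step 'Search service application' { Get-SPEnterpriseSearchServiceApplication }
    # 6. Delegated scope that still worked for a non-admin in the answer.
    Test-Step 'Enumerate site collections' { Get-SPSite -Limit All -ErrorAction Stop }
)

$results | Select-Object Check, Passed, Detail | Format-Table -AutoSize
```

Re-run the probe after each permission you grant; the first run with every row Passed is the minimal set that account actually needs for these checks, and it can be extended with the specific cmdlets a role must execute (for example a content-database scoped `Get-SPShellAdmin -database`).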

All replies

  • So I think you know, but you need:

    Local Administrator rights

    Farm Administrator rights

    Shell Administrator rights

    Local Administrator rights are required in order to work with objects that require that right (such as creating IIS sites or importing the Microsoft.SharePoint.Powershell module).

    Farm Administrator rights are required to perform various functions on the farm. Various APIs within SharePoint have an explicit farm administrator rights check.

    Shell Administrator rights give you additional rights on the databases in use by the farm so you can operate directly against them (working with databases via Central Administration is done via the Farm Admin account).

    I'm not aware of this being available in any sort of official document. You would likely want to reach out to your TAM if you need something in writing.


    Trevor Seward


    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Friday, April 24, 2015 5:56 PM
    Moderator
  • Yes, I do know. :) Thank you for the descriptions.

    Sometimes customers only believe things written in a TechNet article. I don't blame them, I don't grant local admin rights to just anyone without good reason either.

    I'll follow up through the partner channels and post back if I learn anything relevant.




    Friday, April 24, 2015 6:02 PM
  • I would question the requirement to use PowerShell for users who are not Farm Administrators. These users typically would not be trusted, and almost everything at the SPSite level can be configured via the site anyhow.

    That said, look into PowerShell Remoting versus giving them RDP access.


    Trevor Seward


    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Monday, April 27, 2015 8:30 PM
    Moderator