diff --git a/docs/accessanalyzer/11.6/requirements/sharepoint/scanoptions/agentlessscans/agentlesspermissions.md b/docs/accessanalyzer/11.6/requirements/sharepoint/scanoptions/agentlessscans/agentlesspermissions.md index d933b5fa8a..3b93997a90 100644 --- a/docs/accessanalyzer/11.6/requirements/sharepoint/scanoptions/agentlessscans/agentlesspermissions.md +++ b/docs/accessanalyzer/11.6/requirements/sharepoint/scanoptions/agentlessscans/agentlesspermissions.md 
@@ -25,43 +25,5 @@ server: - This is required to gain read access to system resources used by Microsoft SharePoint Foundation. -- SharePoint Farm permissions: - - - Membership in the Farm Read group at the farm level - - - This is required so the Enterprise Auditor auditing account can make calls against the - SharePoint web services to remotely gather information around permissions, site hierarchy, - content and more. - - If the group does not exist already, then you will need to create a new group at that - level and grant it ‘Read’ access. Specifically, it is a group that exists within Central - Administration at the farm administrator level. This group only requires ‘Read’ access and - is not giving farm admin access. Once the group is created, add the service account that - Enterprise Auditor will be leveraging to scan SharePoint. - -- Web Application permissions: - - - Custom Role with Site Collection Auditor at the web application level with the Open Items - permission - - - This is needed for Enterprise Auditor to execute web service calls against Central - Administration. - -- SharePoint Database Server permissions: - - - SPDataAccess on the on the SharePoint Content database and all Configuration databases - - - This permission should be applied on the desired Configuration database and all Content - databases for the SharePoint version. - - This version-specific permission is required for Enterprise Auditor to execute read - operations directly against the SharePoint databases, gather information from the - configuration database regarding the names and locations of the web applications and - content databases, and give read access around sites, roles, and users. 
- -- MySites permissions are based on the SharePointAccess Data Collector configuration option: - - - Forcing the service account to become a temporary admin of the personal sites either as the - service account or as a member of the Company Administrators group requires SharePoint Farm - Administrator role or Site Collection Auditor at the web application housing MySites. - - The skipping inaccessible personal sites option will only scan sites where the service account - has administrative access. It requires the service account to be provisioned prior to the scan - to scan OneDrives / personal sites. +For complete configuration steps for farm, web application, database, and MySites permissions, see +[SharePoint required permissions for Access Analyzer](/docs/accessanalyzer/11.6/requirements/sharepoint/sharepoint/sharepoint/access.md). diff --git a/docs/accessanalyzer/11.6/requirements/sharepoint/sharepoint/sharepoint/access.md b/docs/accessanalyzer/11.6/requirements/sharepoint/sharepoint/sharepoint/access.md index 7dd8cbf5cb..1aa2e80922 100644 --- a/docs/accessanalyzer/11.6/requirements/sharepoint/sharepoint/sharepoint/access.md +++ b/docs/accessanalyzer/11.6/requirements/sharepoint/sharepoint/sharepoint/access.md 
@@ -1,86 +1,106 @@ --- -title: "SharePoint Access & Sensitive Data Auditing Configuration" -description: "SharePoint Access & Sensitive Data Auditing Configuration" +title: "SharePoint required permissions for Access Analyzer" +description: "SharePoint required permissions for Access Analyzer" sidebar_position: 10 --- -# SharePoint Access & Sensitive Data Auditing Configuration - -Permissions are required on the SharePoint Farm, Web Application, and the SharePoint Database in -order for Enterprise Auditor to execute Access Auditing (SPAA) and/or Sensitive Data Discovery -Auditing scans. - -## Configure SharePoint Farm Permissions - -Follow the steps to configure the SharePoint Farm level permissions on SharePoint 2013 through -SharePoint 2019 farms. - -**Step 1 –** In the SharePoint Central Administration Center, navigate to the Security section. - -**Step 2 –** Select the Manage the farm administrators group option under Users. - -**Step 3 –** If the Farm Read group exists, add the service account to that group. If the Farm Read -group has been deleted, it is necessary to create a new group with Read privileges at the Farm -level: - -- Select More under the Groups section. -- Select New Group from the New drop-down menu. -- Ensure the group has the Read – Can view pages and list items and download documents permission. -- Add the service account to this new group. - -The service account has Read level access at the Farm level. - -## Configure SharePoint Web Application Permissions - -Follow the steps to configure the SharePoint web application level permissions on SharePoint 2013 -through SharePoint 2019 farms. - -**Step 1 –** In the SharePoint Central Administration Center, navigate to the Application Management -section. - -**Step 2 –** Select Manage web applications option under Web Applications. - -**Step 3 –** Create a new policy for the desired web application. Follow these steps: - -- Click Permission Policy. 
The Manage Permission Policy Levels window opens. -- Click Add Permission Policy Level. Select the following: - - - Check the Site Collection Auditor permission. - - Check the Open Items box in the Site Permissions Grant column. - - Click Save. - -**Step 4 –** Repeat Step 3 for each web application in scope. It is recommended to give these -policies the same name. - -**Step 5 –** Add the service account to the newly created roles. Follow these steps: - -- Select a web application with the newly created role. -- Click User Policy. The Policy for Web Application window opens. -- Click Add Users. Leave all zones select and click Next. -- Add the service account in the Users textbox. -- Check the newly created role with site collection auditor in the Permissions section. Click - Finish. - -**Step 6 –** Repeat Step 5 for each web application in scope. - -The service account is provisioned as a Site Collection Auditor on all web applications to be +# SharePoint required permissions for Access Analyzer + +## Overview + +Enterprise Auditor requires specific permissions on the SharePoint farm, web applications, and +databases to execute Access Auditing (SPAA) and Sensitive Data Discovery Auditing scans. +Agent-less scans require additional permissions on the SharePoint Application Server. + +## Application server permissions (agent-less only) + +Agent-less scans perform all data collection from the Enterprise Auditor Console server across the +network. The service account requires the following permissions on the SharePoint Application +Server: + +- Membership in the local `Backup Operators` group — required so Enterprise Auditor can read the + remote registry to identify the server's role in the farm and locate the SharePoint + configuration database. +- Membership in the local `WSS_WPG` group — required for read access to system resources used + by Microsoft SharePoint Foundation. 
+ +## SharePoint farm permissions + +The service account must be a member of the `Farm Read` group at the farm level. This allows +Enterprise Auditor to call the SharePoint web services to gather permissions, site hierarchy, and +content information remotely. + +Follow these steps to configure farm-level permissions on SharePoint 2013 through SharePoint 2019: + +1. In the SharePoint **Central Administration Center**, navigate to the **Security** section. +2. Select **Manage the farm administrators group** under **Users**. +3. If the `Farm Read` group exists, add the service account to that group. If the group has been + deleted, create a new group: + - Select **More** under the **Groups** section. + - Select **New Group** from the **New** drop-down menu. + - Ensure the group has the `Read – Can view pages and list items and download documents` + permission. + - Add the service account to the new group. + +The service account now has Read-level access at the farm level. + +## SharePoint web application permissions + +The service account requires a custom policy role with `Site Collection Auditor` and `Open Items` +permissions at the web application level. This allows Enterprise Auditor to execute web service +calls against **Central Administration**. + +Follow these steps to configure web application-level permissions on SharePoint 2013 through +SharePoint 2019: + +1. In the **Central Administration Center**, navigate to the **Application Management** section. +2. Select **Manage web applications** under **Web Applications**. +3. Create a new permission policy for the web application: + - Click **Permission Policy**. The **Manage Permission Policy Levels** window opens. + - Click **Add Permission Policy Level** and configure the following: + - Select the `Site Collection Auditor` permission. + - Select the `Open Items` box in the **Site Permissions Grant** column. + - Click **Save**. +4. Repeat step 3 for each web application in scope. 
Use the same policy name across all web + applications. +5. Add the service account to the newly created role for each web application: + - Select a web application with the newly created role. + - Click **User Policy**. The **Policy for Web Application** window opens. + - Click **Add Users**, leave all zones selected, and click **Next**. + - Enter the service account in the **Users** field. + - Select the newly created role with `Site Collection Auditor` in the **Permissions** section, + then click **Finish**. +6. Repeat step 5 for each web application in scope. + +The service account is provisioned as `Site Collection Auditor` on all web applications to be audited. -## Configure SharePoint Database Server Permissions +## SharePoint database server permissions + +The service account requires the `SPDataAccess` database role membership on the SharePoint +configuration database and all content databases. This allows Enterprise Auditor to execute read +operations directly against the SharePoint databases and gather information about web application +and content database locations. -Follow the steps to configure the SharePoint database server permissions on SharePoint 2013 through -SharePoint 2019 farms. +Follow these steps to configure database server permissions: -**Step 1 –** Navigate to the SharePoint database server user configuration via SQL Management -Studio. +1. Open the SharePoint database server user configuration in SQL Server Management Studio. +2. Grant the service account the `SPDataAccess` database role membership on the following + databases: + - The SharePoint Configuration database (`SharePoint_Config`) + - All SharePoint Content databases that house web application data (by default, content + databases begin with `WSS_Content`, but they can be customized) -**Step 2 –** Provision the service account to have: +The service account is provisioned with the required SharePoint database permissions. 
-- SPDataAccess Database role membership -- This database role membership needs to be configured on: +## MySites and OneDrive permissions - - SharePoint Configuration database (ShaerPoint_Config) - - All SharePoint Content databases housing web application data (by default the content - databases begin with WSS*Content*, but they can be customized) +MySites and OneDrive permissions depend on the SharePoint Access Data Collector configuration: -The service account is provisioned with SharePoint database permissions. +- **Force temporary admin access**: Granting the service account temporary admin access to + personal sites — either directly or as a member of the `Company Administrators` group — + requires the SharePoint Farm Administrator role or `Site Collection Auditor` at the web + application that hosts MySites. +- **Skip inaccessible personal sites**: This option scans only sites where the service account + already has administrative access. You must provision the service account before the scan to + scan OneDrives and personal sites. diff --git a/docs/accessanalyzer/11.6/requirements/sharepoint/sharepoint/sharepoint/overview.md b/docs/accessanalyzer/11.6/requirements/sharepoint/sharepoint/sharepoint/overview.md index d505668ce9..eb214eae7b 100644 --- a/docs/accessanalyzer/11.6/requirements/sharepoint/sharepoint/sharepoint/overview.md +++ b/docs/accessanalyzer/11.6/requirements/sharepoint/sharepoint/sharepoint/overview.md @@ -18,7 +18,7 @@ Auditing (SPAC) scans. topic for additional information. See the -[SharePoint Access & Sensitive Data Auditing Configuration](/docs/accessanalyzer/11.6/requirements/sharepoint/sharepoint/sharepoint/access.md) +[SharePoint required permissions for Access Analyzer](/docs/accessanalyzer/11.6/requirements/sharepoint/sharepoint/sharepoint/access.md) topic for instructions. ## Access & Sensitive Data Auditing Port Requirements 
diff --git a/docs/accessanalyzer/12.0/requirements/sharepoint/scanoptions/agent-less-scans/agentlesspermissions.md b/docs/accessanalyzer/12.0/requirements/sharepoint/scanoptions/agent-less-scans/agentlesspermissions.md index 085dbd133c..33ab35d0e3 100644 --- a/docs/accessanalyzer/12.0/requirements/sharepoint/scanoptions/agent-less-scans/agentlesspermissions.md +++ b/docs/accessanalyzer/12.0/requirements/sharepoint/scanoptions/agent-less-scans/agentlesspermissions.md 
@@ -25,43 +25,5 @@ server: - This is required to gain read access to system resources used by Microsoft SharePoint Foundation. -- SharePoint Farm permissions: - - - Membership in the Farm Read group at the farm level - - - This is required so the Access Analyzer auditing account can make calls against the - SharePoint web services to remotely gather information around permissions, site hierarchy, - content and more. - - If the group does not exist already, then you will need to create a new group at that - level and grant it ‘Read’ access. Specifically, it is a group that exists within Central - Administration at the farm administrator level. This group only requires ‘Read’ access and - is not giving farm admin access. Once the group is created, add the service account that - Access Analyzer will be leveraging to scan SharePoint. - -- Web Application permissions: - - - Custom Role with Site Collection Auditor at the web application level with the Open Items - permission - - - This is needed for Access Analyzer to execute web service calls against Central - Administration. - -- SharePoint Database Server permissions: - - - SPDataAccess on the on the SharePoint Content database and all Configuration databases - - - This permission should be applied on the desired Configuration database and all Content - databases for the SharePoint version. - - This version-specific permission is required for Access Analyzer to execute read - operations directly against the SharePoint databases, gather information from the - configuration database regarding the names and locations of the web applications and - content databases, and give read access around sites, roles, and users. 
- -- MySites permissions are based on the SharePointAccess Data Collector configuration option: - - - Forcing the service account to become a temporary admin of the personal sites either as the - service account or as a member of the Company Administrators group requires SharePoint Farm - Administrator role or Site Collection Auditor at the web application housing MySites. - - The skipping inaccessible personal sites option will only scan sites where the service account - has administrative access. It requires the service account to be provisioned prior to the scan - to scan OneDrives / personal sites. +For complete configuration steps for farm, web application, database, and MySites permissions, see +[SharePoint required permissions for Access Analyzer](/docs/accessanalyzer/12.0/requirements/sharepoint/sharepoint/sharepoint/access.md). diff --git a/docs/accessanalyzer/12.0/requirements/sharepoint/sharepoint/sharepoint/access.md b/docs/accessanalyzer/12.0/requirements/sharepoint/sharepoint/sharepoint/access.md index 3d132bbb9d..224a1d8c56 100644 --- a/docs/accessanalyzer/12.0/requirements/sharepoint/sharepoint/sharepoint/access.md +++ b/docs/accessanalyzer/12.0/requirements/sharepoint/sharepoint/sharepoint/access.md 
@@ -1,86 +1,106 @@ --- -title: "SharePoint Access & Sensitive Data Auditing Configuration" -description: "SharePoint Access & Sensitive Data Auditing Configuration" +title: "SharePoint required permissions for Access Analyzer" +description: "SharePoint required permissions for Access Analyzer" sidebar_position: 10 --- -# SharePoint Access & Sensitive Data Auditing Configuration - -Permissions are required on the SharePoint Farm, Web Application, and the SharePoint Database in -order for Access Analyzer to execute Access Auditing (SPAA) and/or Sensitive Data Discovery Auditing -scans. - -## Configure SharePoint Farm Permissions - -Follow the steps to configure the SharePoint Farm level permissions on SharePoint 2013 through -SharePoint 2019 farms. - -**Step 1 –** In the SharePoint Central Administration Center, navigate to the Security section. - -**Step 2 –** Select the Manage the farm administrators group option under Users. - -**Step 3 –** If the Farm Read group exists, add the service account to that group. If the Farm Read -group has been deleted, it is necessary to create a new group with Read privileges at the Farm -level: - -- Select More under the Groups section. -- Select New Group from the New drop-down menu. -- Ensure the group has the Read – Can view pages and list items and download documents permission. -- Add the service account to this new group. - -The service account has Read level access at the Farm level. - -## Configure SharePoint Web Application Permissions - -Follow the steps to configure the SharePoint web application level permissions on SharePoint 2013 -through SharePoint 2019 farms. - -**Step 1 –** In the SharePoint Central Administration Center, navigate to the Application Management -section. - -**Step 2 –** Select Manage web applications option under Web Applications. - -**Step 3 –** Create a new policy for the desired web application. Follow these steps: - -- Click Permission Policy. The Manage Permission Policy Levels window opens. 
-- Click Add Permission Policy Level. Select the following: - - - Check the Site Collection Auditor permission. - - Check the Open Items box in the Site Permissions Grant column. - - Click Save. - -**Step 4 –** Repeat Step 3 for each web application in scope. It is recommended to give these -policies the same name. - -**Step 5 –** Add the service account to the newly created roles. Follow these steps: - -- Select a web application with the newly created role. -- Click User Policy. The Policy for Web Application window opens. -- Click Add Users. Leave all zones select and click Next. -- Add the service account in the Users textbox. -- Check the newly created role with site collection auditor in the Permissions section. Click - Finish. - -**Step 6 –** Repeat Step 5 for each web application in scope. - -The service account is provisioned as a Site Collection Auditor on all web applications to be +# SharePoint required permissions for Access Analyzer + +## Overview + +Access Analyzer requires specific permissions on the SharePoint farm, web applications, and +databases to execute Access Auditing (SPAA) and Sensitive Data Discovery Auditing scans. +Agent-less scans require additional permissions on the SharePoint Application Server. + +## Application server permissions (agent-less only) + +Agent-less scans perform all data collection from the Access Analyzer Console server across the +network. The service account requires the following permissions on the SharePoint Application +Server: + +- Membership in the local `Backup Operators` group — required so Access Analyzer can read the + remote registry to identify the server's role in the farm and locate the SharePoint + configuration database. +- Membership in the local `WSS_WPG` group — required for read access to system resources used + by Microsoft SharePoint Foundation. + +## SharePoint farm permissions + +The service account must be a member of the `Farm Read` group at the farm level. 
This allows +Access Analyzer to call the SharePoint web services to gather permissions, site hierarchy, and +content information remotely. + +Follow these steps to configure farm-level permissions on SharePoint 2013 through SharePoint 2019: + +1. In the SharePoint **Central Administration Center**, navigate to the **Security** section. +2. Select **Manage the farm administrators group** under **Users**. +3. If the `Farm Read` group exists, add the service account to that group. If the group has been + deleted, create a new group: + - Select **More** under the **Groups** section. + - Select **New Group** from the **New** drop-down menu. + - Ensure the group has the `Read – Can view pages and list items and download documents` + permission. + - Add the service account to the new group. + +The service account now has Read-level access at the farm level. + +## SharePoint web application permissions + +The service account requires a custom policy role with `Site Collection Auditor` and `Open Items` +permissions at the web application level. This allows Access Analyzer to execute web service calls +against **Central Administration**. + +Follow these steps to configure web application-level permissions on SharePoint 2013 through +SharePoint 2019: + +1. In the **Central Administration Center**, navigate to the **Application Management** section. +2. Select **Manage web applications** under **Web Applications**. +3. Create a new permission policy for the web application: + - Click **Permission Policy**. The **Manage Permission Policy Levels** window opens. + - Click **Add Permission Policy Level** and configure the following: + - Select the `Site Collection Auditor` permission. + - Select the `Open Items` box in the **Site Permissions Grant** column. + - Click **Save**. +4. Repeat step 3 for each web application in scope. Use the same policy name across all web + applications. +5. 
Add the service account to the newly created role for each web application: + - Select a web application with the newly created role. + - Click **User Policy**. The **Policy for Web Application** window opens. + - Click **Add Users**, leave all zones selected, and click **Next**. + - Enter the service account in the **Users** field. + - Select the newly created role with `Site Collection Auditor` in the **Permissions** section, + then click **Finish**. +6. Repeat step 5 for each web application in scope. + +The service account is provisioned as `Site Collection Auditor` on all web applications to be audited. -## Configure SharePoint Database Server Permissions +## SharePoint database server permissions + +The service account requires the `SPDataAccess` database role membership on the SharePoint +configuration database and all content databases. This allows Access Analyzer to execute read +operations directly against the SharePoint databases and gather information about web application +and content database locations. -Follow the steps to configure the SharePoint database server permissions on SharePoint 2013 through -SharePoint 2019 farms. +Follow these steps to configure database server permissions: -**Step 1 –** Navigate to the SharePoint database server user configuration via SQL Management -Studio. +1. Open the SharePoint database server user configuration in SQL Server Management Studio. +2. Grant the service account the `SPDataAccess` database role membership on the following + databases: + - The SharePoint Configuration database (`SharePoint_Config`) + - All SharePoint Content databases that house web application data (by default, content + databases begin with `WSS_Content`, but they can be customized) -**Step 2 –** Provision the service account to have: +The service account is provisioned with the required SharePoint database permissions. 
-- SPDataAccess Database role membership -- This database role membership needs to be configured on: +## MySites and OneDrive permissions - - SharePoint Configuration database (ShaerPoint_Config) - - All SharePoint Content databases housing web application data (by default the content - databases begin with WSS*Content*, but they can be customized) +MySites and OneDrive permissions depend on the SharePoint Access Data Collector configuration: -The service account is provisioned with SharePoint database permissions. +- **Force temporary admin access**: Granting the service account temporary admin access to + personal sites — either directly or as a member of the `Company Administrators` group — + requires the SharePoint Farm Administrator role or `Site Collection Auditor` at the web + application that hosts MySites. +- **Skip inaccessible personal sites**: This option scans only sites where the service account + already has administrative access. You must provision the service account before the scan to + scan OneDrives and personal sites. diff --git a/docs/accessanalyzer/12.0/requirements/sharepoint/sharepoint/sharepoint/overview.md b/docs/accessanalyzer/12.0/requirements/sharepoint/sharepoint/sharepoint/overview.md index bc1bc229b4..7bea1053d2 100644 --- a/docs/accessanalyzer/12.0/requirements/sharepoint/sharepoint/sharepoint/overview.md +++ b/docs/accessanalyzer/12.0/requirements/sharepoint/sharepoint/sharepoint/overview.md 
@@ -17,7 +17,7 @@ Analyzer Activity Auditing (SPAC) scans. [SharePoint Support](/docs/accessanalyzer/12.0/requirements/sharepoint/sharepoint/sharepoint.md) topic for additional information. -See the [SharePoint Access & Sensitive Data Auditing Configuration](/docs/accessanalyzer/12.0/requirements/sharepoint/sharepoint/sharepoint/access.md) topic for +See the [SharePoint required permissions for Access Analyzer](/docs/accessanalyzer/12.0/requirements/sharepoint/sharepoint/sharepoint/access.md) topic for instructions. ## Access & Sensitive Data Auditing Port Requirements
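Review bot: the two agentlesspermissions.md hunks (11.6 and 12.0) keep the `Backup Operators` and `WSS_WPG` bullets in place (the retained context line `This is required to gain read access to system resources used by Microsoft SharePoint Foundation.` is the tail of the WSS_WPG bullet) and link out for everything else, while the same patch adds an `## Application server permissions (agent-less only)` section to access.md that restates exactly those two bullets. That leaves two copies of the application-server requirements to keep in sync; either strip the remaining bullets from agentlesspermissions.md so it is purely a pointer to access.md, or leave the new section out of access.md and point the other way. Whichever copy survives, the Backup Operators bullet gives only the remote-registry reason for the membership; readers sizing the service account's blast radius would want the page to say whether a narrower remote-registry ACL is an accepted alternative.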
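Review bot: in the 11.6 access.md hunk the new front matter (`title: "SharePoint required permissions for Access Analyzer"`, same for `description`) and the new 11.6 overview.md and agentlesspermissions.md link text name the product Access Analyzer, but every body paragraph in that same 11.6 file still says Enterprise Auditor (`Enterprise Auditor requires specific permissions…`, `Agent-less scans perform all data collection from the Enterprise Auditor Console server…`). Either the 11.6 title should read `SharePoint required permissions for Enterprise Auditor` with matching link text in the two referring pages, or the 11.6 body should move to the new name; the 12.0 files are consistent and need no change.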
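Review bot: the rewritten `## SharePoint database server permissions` section (both access.md hunks) drops a caveat the removed agentlesspermissions.md text carried, `This version-specific permission is required…` and `for the SharePoint version`, i.e. that the `SPDataAccess` role is tied to the SharePoint version being audited. The removed bullet also had the databases the wrong way round (`SPDataAccess on the on the SharePoint Content database and all Configuration databases`) and the new text correctly says configuration database plus all content databases, so this new section is the only place the caveat can survive; suggest a sentence after step 2 stating that the role name applies to the SharePoint version in use. The `ShaerPoint_Config` and `WSS*Content*` typos from the old step are correctly fixed to `SharePoint_Config` and `WSS_Content`.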
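Review bot: in the new `## MySites and OneDrive permissions` section (both access.md hunks) the bold labels `Force temporary admin access` and `Skip inaccessible personal sites` read as literal option names, whereas the removed text only described them as behaviours of the `SharePointAccess Data Collector configuration option`; confirm these match the labels shown in the Data Collector, or present them as descriptions rather than UI strings. Since the first option has the scanner add the service account as a temporary administrator of each personal site, the bullet should also say what happens to that assignment when the scan completes and that the skip option is the lower-privilege choice, so readers can pick the setting deliberately and reconcile any site-collection-administrator change events the scan generates.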