netwrix · nzimmer09 · Feb 19, 2026 · Feb 19, 2026 · Feb 19, 2026 · Feb 19, 2026
@@ -25,43 +25,5 @@ server:
         - This is required to gain read access to system resources used by Microsoft SharePoint
           Foundation.
 
-- SharePoint Farm permissions:
-
-    - Membership in the Farm Read group at the farm level
-
-        - This is required so the Enterprise Auditor auditing account can make calls against the
-          SharePoint web services to remotely gather information around permissions, site hierarchy,
-          content and more.
-        - If the group does not exist already, then you will need to create a new group at that
-          level and grant it ‘Read’ access. Specifically, it is a group that exists within Central
-          Administration at the farm administrator level. This group only requires ‘Read’ access and
-          is not giving farm admin access. Once the group is created, add the service account that
-          Enterprise Auditor will be leveraging to scan SharePoint.
-
-- Web Application permissions:
-
-    - Custom Role with Site Collection Auditor at the web application level with the Open Items
-      permission
-
-        - This is needed for Enterprise Auditor to execute web service calls against Central
-          Administration.
-
-- SharePoint Database Server permissions:
-
-    - SPDataAccess on the on the SharePoint Content database and all Configuration databases
-
-        - This permission should be applied on the desired Configuration database and all Content
-          databases for the SharePoint version.
-        - This version-specific permission is required for Enterprise Auditor to execute read
-          operations directly against the SharePoint databases, gather information from the
-          configuration database regarding the names and locations of the web applications and
-          content databases, and give read access around sites, roles, and users.
-
-- MySites permissions are based on the SharePointAccess Data Collector configuration option:
-
-    - Forcing the service account to become a temporary admin of the personal sites either as the
-      service account or as a member of the Company Administrators group requires SharePoint Farm
-      Administrator role or Site Collection Auditor at the web application housing MySites.
-    - The skipping inaccessible personal sites option will only scan sites where the service account
-      has administrative access. It requires the service account to be provisioned prior to the scan
-      to scan OneDrives / personal sites.
+For complete configuration steps for farm, web application, database, and MySites permissions, see
+[SharePoint required permissions for Access Analyzer](/docs/accessanalyzer/11.6/requirements/sharepoint/sharepoint/sharepoint/access.md).
@@ -1,86 +1,106 @@
 ---
-title: "SharePoint Access & Sensitive Data Auditing Configuration"
-description: "SharePoint Access & Sensitive Data Auditing Configuration"
+title: "SharePoint required permissions for Access Analyzer"
+description: "SharePoint required permissions for Access Analyzer"
 sidebar_position: 10
 ---
 
-# SharePoint Access & Sensitive Data Auditing Configuration
-
-Permissions are required on the SharePoint Farm, Web Application, and the SharePoint Database in
-order for Enterprise Auditor to execute Access Auditing (SPAA) and/or Sensitive Data Discovery
-Auditing scans.
-
-## Configure SharePoint Farm Permissions
-
-Follow the steps to configure the SharePoint Farm level permissions on SharePoint 2013 through
-SharePoint 2019 farms.
-
-**Step 1 –** In the SharePoint Central Administration Center, navigate to the Security section.
-
-**Step 2 –** Select the Manage the farm administrators group option under Users.
-
-**Step 3 –** If the Farm Read group exists, add the service account to that group. If the Farm Read
-group has been deleted, it is necessary to create a new group with Read privileges at the Farm
-level:
-
-- Select More under the Groups section.
-- Select New Group from the New drop-down menu.
-- Ensure the group has the Read – Can view pages and list items and download documents permission.
-- Add the service account to this new group.
-
-The service account has Read level access at the Farm level.
-
-## Configure SharePoint Web Application Permissions
-
-Follow the steps to configure the SharePoint web application level permissions on SharePoint 2013
-through SharePoint 2019 farms.
-
-**Step 1 –** In the SharePoint Central Administration Center, navigate to the Application Management
-section.
-
-**Step 2 –** Select Manage web applications option under Web Applications.
-
-**Step 3 –** Create a new policy for the desired web application. Follow these steps:
-
-- Click Permission Policy. The Manage Permission Policy Levels window opens.
-- Click Add Permission Policy Level. Select the following:
-
-    - Check the Site Collection Auditor permission.
-    - Check the Open Items box in the Site Permissions Grant column.
-    - Click Save.
-
-**Step 4 –** Repeat Step 3 for each web application in scope. It is recommended to give these
-policies the same name.
-
-**Step 5 –** Add the service account to the newly created roles. Follow these steps:
-
-- Select a web application with the newly created role.
-- Click User Policy. The Policy for Web Application window opens.
-- Click Add Users. Leave all zones select and click Next.
-- Add the service account in the Users textbox.
-- Check the newly created role with site collection auditor in the Permissions section. Click
-  Finish.
-
-**Step 6 –** Repeat Step 5 for each web application in scope.
-
-The service account is provisioned as a Site Collection Auditor on all web applications to be
+# SharePoint required permissions for Access Analyzer
+
+## Overview
+
+Enterprise Auditor requires specific permissions on the SharePoint farm, web applications, and
+databases to execute Access Auditing (SPAA) and Sensitive Data Discovery Auditing scans.
+Agent-less scans require additional permissions on the SharePoint Application Server.
+
+## Application server permissions (agent-less only)
+
+Agent-less scans perform all data collection from the Enterprise Auditor Console server across the
+network. The service account requires the following permissions on the SharePoint Application
+Server:
+
+- Membership in the local `Backup Operators` group — required so Enterprise Auditor can read the
+  remote registry to identify the server's role in the farm and locate the SharePoint
+  configuration database.
+- Membership in the local `WSS_WPG` group — required for read access to system resources used
+  by Microsoft SharePoint Foundation.
+
+## SharePoint farm permissions
+
+The service account must be a member of the `Farm Read` group at the farm level. This allows
+Enterprise Auditor to call the SharePoint web services to gather permissions, site hierarchy, and
+content information remotely.
+
+Follow these steps to configure farm-level permissions on SharePoint 2013 through SharePoint 2019:
+
+1. In the SharePoint **Central Administration Center**, navigate to the **Security** section.
+2. Select **Manage the farm administrators group** under **Users**.
+3. If the `Farm Read` group exists, add the service account to that group. If the group has been
+   deleted, create a new group:
+   - Select **More** under the **Groups** section.
+   - Select **New Group** from the **New** drop-down menu.
+   - Ensure the group has the `Read – Can view pages and list items and download documents`
+     permission.
+   - Add the service account to the new group.
+
+The service account now has Read-level access at the farm level.
+
+## SharePoint web application permissions
+
+The service account requires a custom policy role with `Site Collection Auditor` and `Open Items`
+permissions at the web application level. This allows Enterprise Auditor to execute web service
+calls against **Central Administration**.
+
+Follow these steps to configure web application-level permissions on SharePoint 2013 through
+SharePoint 2019:
+
+1. In the **Central Administration Center**, navigate to the **Application Management** section.
+2. Select **Manage web applications** under **Web Applications**.
+3. Create a new permission policy for the web application:
+   - Click **Permission Policy**. The **Manage Permission Policy Levels** window opens.
+   - Click **Add Permission Policy Level** and configure the following:
+     - Select the `Site Collection Auditor` permission.
+     - Select the `Open Items` box in the **Site Permissions Grant** column.
+     - Click **Save**.
+4. Repeat step 3 for each web application in scope. Use the same policy name across all web
+   applications.
+5. Add the service account to the newly created role for each web application:
+   - Select a web application with the newly created role.
+   - Click **User Policy**. The **Policy for Web Application** window opens.
+   - Click **Add Users**, leave all zones selected, and click **Next**.
+   - Enter the service account in the **Users** field.
+   - Select the newly created role with `Site Collection Auditor` in the **Permissions** section,
+     then click **Finish**.
+6. Repeat step 5 for each web application in scope.
+
+The service account is provisioned as `Site Collection Auditor` on all web applications to be
-The service account is provisioned as `Site Collection Auditor` on all web applications to be
+The service account now has `Site Collection Auditor` privileges on all web applications to be
-The service account is provisioned as `Site Collection Auditor` on all web applications to be
+The service account now has `Site Collection Auditor` privileges on all web applications to be
 audited.
 
-## Configure SharePoint Database Server Permissions
+## SharePoint database server permissions
+
+The service account requires the `SPDataAccess` database role membership on the SharePoint
+configuration database and all content databases. This allows Enterprise Auditor to execute read
+operations directly against the SharePoint databases and gather information about web application
+and content database locations.
 
-Follow the steps to configure the SharePoint database server permissions on SharePoint 2013 through
-SharePoint 2019 farms.
+Follow these steps to configure database server permissions:
 
-**Step 1 –** Navigate to the SharePoint database server user configuration via SQL Management
-Studio.
+1. Open the SharePoint database server user configuration in SQL Server Management Studio.
+2. Grant the service account the `SPDataAccess` database role membership on the following
+   databases:
+   - The SharePoint Configuration database (`SharePoint_Config`)
+   - All SharePoint Content databases that house web application data (by default, content
+     databases begin with `WSS_Content`, but they can be customized)
 
-**Step 2 –** Provision the service account to have:
+The service account is provisioned with the required SharePoint database permissions.
-The service account is provisioned with the required SharePoint database permissions.
+The service account now has the required SharePoint database permissions.
-The service account is provisioned with the required SharePoint database permissions.
+The service account now has the required SharePoint database permissions.
 
-- SPDataAccess Database role membership
-- This database role membership needs to be configured on:
+## MySites and OneDrive permissions
 
-    - SharePoint Configuration database (ShaerPoint_Config)
-    - All SharePoint Content databases housing web application data (by default the content
-      databases begin with WSS*Content*, but they can be customized)
+MySites and OneDrive permissions depend on the SharePoint Access Data Collector configuration:
 
-The service account is provisioned with SharePoint database permissions.
+- **Force temporary admin access**: Granting the service account temporary admin access to
+  personal sites — either directly or as a member of the `Company Administrators` group —
+  requires the SharePoint Farm Administrator role or `Site Collection Auditor` at the web
+  application that hosts MySites.
+- **Skip inaccessible personal sites**: This option scans only sites where the service account
+  already has administrative access. You must provision the service account before the scan to
+  scan OneDrives and personal sites.
@@ -18,7 +18,7 @@ Auditing (SPAC) scans.
   topic for additional information.
 
 See the
-[SharePoint Access & Sensitive Data Auditing Configuration](/docs/accessanalyzer/11.6/requirements/sharepoint/sharepoint/sharepoint/access.md)
+[SharePoint required permissions for Access Analyzer](/docs/accessanalyzer/11.6/requirements/sharepoint/sharepoint/sharepoint/access.md)
 topic for instructions.
 
 ## Access & Sensitive Data Auditing Port Requirements

@@ -25,43 +25,5 @@ server:
         - This is required to gain read access to system resources used by Microsoft SharePoint
           Foundation.
 
-- SharePoint Farm permissions:
-
-    - Membership in the Farm Read group at the farm level
-
-        - This is required so the Access Analyzer auditing account can make calls against the
-          SharePoint web services to remotely gather information around permissions, site hierarchy,
-          content and more.
-        - If the group does not exist already, then you will need to create a new group at that
-          level and grant it ‘Read’ access. Specifically, it is a group that exists within Central
-          Administration at the farm administrator level. This group only requires ‘Read’ access and
-          is not giving farm admin access. Once the group is created, add the service account that
-          Access Analyzer will be leveraging to scan SharePoint.
-
-- Web Application permissions:
-
-    - Custom Role with Site Collection Auditor at the web application level with the Open Items
-      permission
-
-        - This is needed for Access Analyzer to execute web service calls against Central
-          Administration.
-
-- SharePoint Database Server permissions:
-
-    - SPDataAccess on the on the SharePoint Content database and all Configuration databases
-
-        - This permission should be applied on the desired Configuration database and all Content
-          databases for the SharePoint version.
-        - This version-specific permission is required for Access Analyzer to execute read
-          operations directly against the SharePoint databases, gather information from the
-          configuration database regarding the names and locations of the web applications and
-          content databases, and give read access around sites, roles, and users.
-
-- MySites permissions are based on the SharePointAccess Data Collector configuration option:
-
-    - Forcing the service account to become a temporary admin of the personal sites either as the
-      service account or as a member of the Company Administrators group requires SharePoint Farm
-      Administrator role or Site Collection Auditor at the web application housing MySites.
-    - The skipping inaccessible personal sites option will only scan sites where the service account
-      has administrative access. It requires the service account to be provisioned prior to the scan
-      to scan OneDrives / personal sites.
+For complete configuration steps for farm, web application, database, and MySites permissions, see
+[SharePoint required permissions for Access Analyzer](/docs/accessanalyzer/12.0/requirements/sharepoint/sharepoint/sharepoint/access.md).