Permissions required for enumerating SharePoint workspaces for On-Demand scans
Technical Articles ID:
KB77084
Last Modified: 2022-06-09 10:28:48 Etc/GMT
Environment
Security for Microsoft SharePoint 3.x
Problem 1
When you try to configure an on-demand scan (ODS) in Security for Microsoft SharePoint and try to expand and select workspaces, you see an error similar to the following:
NOTE: Also, you're unable to expand other workspaces, and no error message is shown.
Problem 2
When you initiate an ODS, it starts and then stops immediately. Security for SharePoint indicates that the scan is complete, but no content is scanned.
Cause
Security for SharePoint uses the account credentials specified during installation to enumerate the list of Workspaces (Web Applications) and their Sites and Site Collections when determining what content to scan.
We recommend that you use an account with Farm Admin rights because this gives permissions to all SharePoint Web Applications that need to be scanned, as well as their respective Content databases.
If the account used is a custom user account (as described in the MSMS 2.5 Best Practices Guide), the account may not have the required permissions on certain Web Applications or Site Collections.
When you configure an ODS task using the Security for Microsoft SharePoint user interface, if this account doesn't have permissions on a Web Application or on one of the underlying Site Collections, the enumeration process fails and you see the error described in Problem 1. This also prevents you from expanding the other Workspaces (Web Applications) on the ODS task configuration page, because enumeration stops at the first Web Application the account can't read.
Solution 1
Perform the following steps to assign the correct permissions to the account on the Web Application or Site Collection using the SharePoint Central Administration user interface. This is the quicker fix, but it grants the account Full Control on the Web Application and db_owner on the content databases; if you want the account limited to the minimal set of rights the product needs, use Solution 2 instead.
NOTE: If the account used by Security for Microsoft SharePoint is a Farm Administrator, make sure that the account has proper permissions to all the Web Applications you're attempting to expand or scan. The account must also have rights to the Web Content databases of all Web Applications that are selected for scanning.
- Check the permissions for the Web Application:
SharePoint 2010 & 2013:
- Open the SharePoint Central Administration website.
- Click Application Management, Manage Web Applications.
This displays a list of all Web Applications with the URL and Port details.
- Click the specific Web Application you need to verify.
- Under the Policy group, click User Policy.
- Check to see if the User account used for Security for Microsoft SharePoint is displayed in the existing user list.
- If necessary, add the account:
- Click Add Users.
- On the Select Zone page, click Next.
- On the Add Users page, choose Users, and type the account name <Domain>\<AccountName> used by Security for Microsoft SharePoint.
- In the user Permissions, select the Full Control option and click Finish. To successfully enumerate the Workspace (Sites and Site Collections under the Web Application), the account must have at least Full Read permissions. If the ODS needs to clean and quarantine items, then it requires Full Control permissions.
NOTE: The SharePoint Central Admin Web Application policy can't be configured using these steps. To make sure that the account used by Security for Microsoft SharePoint can enumerate and scan the Central Administration site, you can add the account as a secondary Site Collection administrator for the SharePoint Central Admin site. To do this, perform the steps below:
- Open the Central Admin site.
- Browse to Central Administration, Application management.
- Under Site Collections, click Change Site Collection Administrators.
This allows you to specify one user account as Primary Site Collection Administrator and one login for Secondary Site Collection Administrator.
- Specify the account used by Security for Microsoft SharePoint as the Secondary Site Collection Administrator and click OK.
You should now be able to expand and enumerate the SharePoint Central Admin Workspace (Web Application) when configuring ODS tasks.
SharePoint 2007:
- Open the SharePoint Central Administration website.
- Click Application Management, Application Security, and then click Policy for Web Application.
This displays a list of users and their permissions for the currently selected Web Application.
- In the Web Application drop-down list on the right, select Change Web Application.
- In the Select Web Application dialog, select the Web Application for which you wish to display the user list.
- Check to see if the User account used for Security for Microsoft SharePoint is displayed in the existing user list.
- If necessary, add the account:
- Click Add Users.
- On the Add Users page, make sure the Web Application is the one you want to change and click Next.
- Under Choose Users, type the account name; for example, <Domain>\<AccountName> used by MSMS.
- In the user permissions, select the Full Control option and click Finish. To successfully enumerate the Workspace (Sites and Site Collections under the Web Application), the account needs to have at least Full Read permissions. If the ODS needs to clean and quarantine items, then it requires Full Control permissions.
NOTE: The SharePoint Central Admin Web Application policy can't be configured using these steps. To make sure that the account used by Security for Microsoft SharePoint can enumerate and scan the Central Administration site, you can add the account as a Site Collection administrator for the SharePoint Central Admin site. To do this, perform the steps below:
- Open the Central Admin site.
- On the Home tab, under Central Administration, click Application Management.
- Under SharePoint Site Management, click Site Collection Administrators.
- Click the Site Collection drop-down list and select Change Site Collection.
- Under the Web Application drop-down list, select Change Web Application.
- In the Select Web Application dialog, click SharePoint Central Administration v3 Web application, then click OK.
This allows you to specify one user account as Primary Site Collection Administrator and one login for Secondary Site Collection Administrator.
- Specify the account used by Security for Microsoft SharePoint as the Secondary Site Collection Administrator and click OK.
You should now be able to expand and enumerate the SharePoint Central Admin Workspace (Web Application) when configuring ODS tasks.
- Check the permissions on the Web Content database(s):
SharePoint 2010:
You can check the name of the Content Database for a particular Web Application from the SharePoint Central Administration page. For example, to determine the Content Database for a SharePoint site named SharePoint - 80:
- Open the SharePoint Central Administration page.
- Click Application Management, Manage content databases.
- In the Web Application drop-down list, select Change Web Application. This lists the content databases for the selected Web Application.
SharePoint 2007:
You can check the name of the Content Database for a particular Web Application from the SharePoint Central Administration page. For example, to determine the Content Database for a SharePoint site named SharePoint - 80:
- Open the SharePoint Central Administration page, and then click Application Management.
- Under SharePoint Web Application Management, click Content databases.
- In the Web application drop-down list, select Change Web Application.
- Check and, if required, assign the database rights to the user account:
- Use SQL Server Management Studio to log in to the SQL server that hosts the Web Application content database.
- In the Object Explorer pane, expand the Databases node.
- Navigate to the Web Application content database you identified earlier.
- Expand the database and then the Security node.
- Expand the Roles node, right-click db_owner, then select Properties.
- Under the Members of this role, Role Members column, check to see if the account is listed.
- If the account isn't listed or isn't part of a Windows group that has db_owner rights, click Add.
- Type the account name in the format <Domain>\<Account> and click OK on each of the dialogs. This should add the required rights to the Content database.
- Repeat these steps for each of the Web Applications you need to scan.
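On SharePoint 2010 and 2013 the checks in Solution 1 can be run from the SharePoint Management Shell instead of clicking through Central Administration and SQL Server Management Studio for every Web Application (SharePoint 2007 has no SharePoint PowerShell cmdlets, so use the Central Administration steps above there). The script below is an added example; it is not part of this article or of Security for Microsoft SharePoint. It assumes a placeholder scan account CONTOSO\svc-msms, that it runs on a farm server as a Farm Administrator, and that the SqlServer or SQLPS module is installed for Invoke-Sqlcmd. It reports which policy roles the account holds on each Web Application, binds the built-in Full Read or Full Control policy where it is missing, checks db_owner membership on every content database, and sets the account as secondary Site Collection Administrator of the Central Administration site.

```powershell
# Added example for KB77084 (not product code). Run in the SharePoint 2010/2013
# Management Shell on a farm server as a Farm Administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$scanAccount = 'CONTOSO\svc-msms'   # placeholder: the account specified when the product was installed

# Report the policy roles the account holds on every Web Application (Central Admin included).
function Test-ScanAccountWebAppPolicy {
    param([string]$Account)
    foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
        $policy = $wa.Policies | Where-Object { $_.UserName -eq $Account }
        if ($policy) {
            $roles = ($policy.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ', '
            '{0,-45} {1}' -f $wa.Url, $roles
        } else {
            '{0,-45} NO POLICY (enumeration of this Workspace will fail)' -f $wa.Url
        }
    }
}

# Bind the built-in Full Read policy role (enough to enumerate) or Full Control
# (needed to clean and quarantine) to the account on one Web Application.
function Grant-ScanAccountWebAppPolicy {
    param([string]$WebAppUrl, [string]$Account, [switch]$FullControl)
    $wa = Get-SPWebApplication -Identity $WebAppUrl
    $type = if ($FullControl) { [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl } else { [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead }
    $role = $wa.PolicyRoles.GetSpecialRole($type)
    $policy = $wa.Policies | Where-Object { $_.UserName -eq $Account }
    if (-not $policy) { $policy = $wa.Policies.Add($Account, $Account) }
    if (-not ($policy.PolicyRoleBindings | Where-Object { $_.Name -eq $role.Name })) {
        $policy.PolicyRoleBindings.Add($role)
    }
    $wa.Update()
}

# Check db_owner membership on every content database of every Web Application.
function Test-ScanAccountContentDbRights {
    param([string]$Account)
    $principal = $Account.Replace("'", "''")   # escape for the T-SQL string literal
    $query = "SELECT IS_ROLEMEMBER('db_owner', '$principal') AS IsDbOwner"
    foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
        foreach ($db in $wa.ContentDatabases) {
            # 1 = member, 0 = not a member, empty (NULL) = no database user exists for this account
            $row = Invoke-Sqlcmd -ServerInstance $db.NormalizedDataSource -Database $db.Name -Query $query
            '{0} / {1}: db_owner={2}' -f $wa.Url, $db.Name, $row.IsDbOwner
        }
    }
}

# Central Administration can't be granted through User Policy; add the account as
# secondary Site Collection Administrator of the Central Administration site instead.
function Set-ScanAccountCentralAdminAccess {
    param([string]$Account)
    $ca = Get-SPWebApplication -IncludeCentralAdministration | Where-Object { $_.IsAdministrationWebApplication }
    Set-SPSite -Identity $ca.Url -SecondaryOwnerAlias $Account
}

Test-ScanAccountWebAppPolicy    -Account $scanAccount
Test-ScanAccountContentDbRights -Account $scanAccount
# Remediation for one Web Application (placeholder URL), then for Central Administration:
# Grant-ScanAccountWebAppPolicy -WebAppUrl 'http://sharepoint' -Account $scanAccount -FullControl
# Set-ScanAccountCentralAdminAccess -Account $scanAccount
```

IS_ROLEMEMBER evaluates only the named principal, so an account that holds db_owner through a Windows group shows 0 or NULL here; check the group's membership separately in that case. Rights are assigned per Web Application, so run Grant-ScanAccountWebAppPolicy once for each URL you intend to scan.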
Solution 2
If you've configured a custom Domain account when installing Security for Microsoft SharePoint (using the guidelines in the MSMS 2.5 Best Practices Guide), make sure that you check the following to verify that the account has the required permissions on the Web Application(s) in question. The following steps are adapted from the MSMS 2.5 Best Practices Guide:
- In SQL Server, add the custom user account (for example: MSMSDBAccnt) to be used for Security for Microsoft SharePoint database access. Grant the user only the public role; don't add it to db_owner or any other fixed database role.
- Under User Mapping, select:
- All SharePoint content databases corresponding to Web Applications
- Content database corresponding to your administrator Web Application
- SharePoint configuration database
- For each Web Content database and Administrator Content database, assign Execute rights to the following securables.
NOTE: Your list may differ from the one in the guide because of your environment and the applications deployed in the SharePoint farm. Monitor the Event Viewer regularly and fine-tune this list from the access failures it records.
You can assign the Execute rights to these objects in SQL Server Management Studio by expanding each database, then Programmability, Functions, Scalar-Valued Functions, and granting Execute on each function to the account.
On the SharePoint Server:
- From the Central Administration site, click Security.
- Under Users, click Specify web application user policy.
- In the left pane, select Manage Permission Policy Levels.
- In the Web Application drop-down list, select Change Web Application.
- In the Select Web Application dialog, click the Web Application where you want to define the Custom Policy.
- Click Add Permission Policy Level and type a name in the Name field (for example: MSMS-Permissions) and grant permissions as shown in the next section.
Permissions:
These permissions are the minimal set required for Security for Microsoft SharePoint to work with the SharePoint Object model and iterate over the SharePoint store to perform scan and clean operations. (SharePoint Farm administrator rights are required to make this change.)
- Under Site Collection Permissions, grant the Site Collection Auditor permission.
Site Collection Auditors have Full Read access to the entire site collection, including reading permissions and configuration data. Security for Microsoft SharePoint requires this because it monitors the SharePoint anti-virus settings to determine whether real-time scanning is enabled or disabled.
- In List permissions section, grant the following permissions:
- Manage List — Required for replacing or deleting infected content added as an attachment under items in Discussions.
- Override Check Out — Required to forcefully check in a document detected as infected and perform the action according to policy.
- Add Items — Required for replacing the infected file with a file containing a replacement alert message.
- Edit Items — Required for updating the checked-out documents while forcefully checking in with a check-in comment.
- Delete Items — Required for removing an infected list item (document).
- View Items — Required for the target picker while defining a scan target.
- Under Site Permissions, grant the View Pages - View pages in a website permission. Without this, Security for Microsoft SharePoint is unable to iterate over the site in ODS tasks.
- Save the newly created permission policy level.
- Repeat the above steps to define the custom policy for each of the Web Applications in the Farm that you need to scan.
For each Web Application created in the SharePoint Farm that should be scanned using MSMS:
- Update the Web Application policy for that application and add the product database access account (for example: MSMSDBAccnt) with the Permission Policy Level created earlier (for example: MSMS-Permissions).
- Repeat this for any Web Application added to the farm later; the policy is defined per Web Application and new ones don't inherit it.
NOTE: The SharePoint Central Admin Web Application policy can't be configured using these steps. To make sure that the account used by Security for Microsoft SharePoint can enumerate and scan the Central Administration site, add the account as Secondary Site Collection Administrator for the SharePoint Central Admin site.
SharePoint 2010:
- Open the Central Administration site.
- Navigate to Central Administration, Application Management.
- Under Site Collections, click Change site collection administrators.
This allows you to specify one user account as Primary Site Collection Administrator and one login for Secondary Site Collection Administrator.
- Specify the account used by Security for Microsoft SharePoint as the Secondary Site Collection Administrator and click OK.
- You should now be able to expand and enumerate the SharePoint Central Admin Workspace (Web Application) when configuring ODS tasks.
SharePoint 2007:
- Open the Central Administration site.
- On the Home tab, under Central Administration, click on Application Management.
- Under SharePoint Site Management, click on Site Collection Administrators.
- Click the Site Collection drop-down list and select Change Site Collection.
- Under the Web Application drop-down list, select Change Web Application.
- In the Select Web Application dialog, click the SharePoint Central Administration v3 Web application, and then click OK.
This allows you to specify one user account as Primary Site Collection Administrator and one login for Secondary Site Collection Administrator.
- Specify the account used by Security for Microsoft SharePoint as the Secondary Site Collection Administrator and click OK.
- You should now be able to expand and enumerate the SharePoint Central Admin Workspace (Web Application) when configuring ODS tasks.
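On SharePoint 2010 and 2013 the custom permission policy level, the per-Web-Application binding and the database mapping from Solution 2 can be created from the SharePoint Management Shell, which keeps the rights identical across every Web Application. The script below is an added example; it is not part of this article, the MSMS 2.5 Best Practices Guide, or the product. It assumes the placeholder account CONTOSO\MSMSDBAccnt and policy name MSMS-Permissions from the article, the SqlServer or SQLPS module for Invoke-Sqlcmd, and placeholder function names in $functions where your own list of securables goes. One assumption is flagged in the code: the Site Collection Auditor option has no single SPBasePermissions flag, so the example models it as the grant mask of the built-in Full Read policy role.

```powershell
# Added example for KB77084 (not product code). SharePoint 2010/2013 Management Shell,
# run as a Farm Administrator (required to change permission policy levels).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$dbAccount  = 'CONTOSO\MSMSDBAccnt'   # placeholder, as in the article's example
$policyName = 'MSMS-Permissions'      # placeholder, as in the article's example
# Placeholder securables: replace with the scalar-valued functions your Event Viewer shows the account needs.
$functions  = @('dbo.fn_PlaceholderOne', 'dbo.fn_PlaceholderTwo')

# Create (or reuse) the custom permission policy level with the article's minimal set of rights.
function New-MsmsPermissionPolicyLevel {
    param([Microsoft.SharePoint.Administration.SPWebApplication]$WebApp, [string]$Name)
    $role = $WebApp.PolicyRoles | Where-Object { $_.Name -eq $Name }
    if ($role) { return $role }
    $role = $WebApp.PolicyRoles.Add($Name, 'Least-privilege rights for Security for Microsoft SharePoint scans')
    # List permissions: Manage Lists, Override Check Out (CancelCheckout), Add/Edit/Delete/View Items.
    # Site permission: View Pages.
    $mask = [Microsoft.SharePoint.SPBasePermissions]'ManageLists,CancelCheckout,AddListItems,EditListItems,DeleteListItems,ViewListItems,ViewPages'
    # ASSUMPTION: Site Collection Auditor modelled as the grant mask of the built-in Full Read policy role.
    $fullRead = $WebApp.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead)
    $role.GrantRightsMask = $mask -bor $fullRead.GrantRightsMask
    $WebApp.Update()
    return $role
}

# Bind the account to the policy level on one Web Application.
function Grant-MsmsWebAppPolicy {
    param([string]$WebAppUrl, [string]$Account, [string]$PolicyName)
    $wa = Get-SPWebApplication -Identity $WebAppUrl
    $role = New-MsmsPermissionPolicyLevel -WebApp $wa -Name $PolicyName
    $policy = $wa.Policies | Where-Object { $_.UserName -eq $Account }
    if (-not $policy) { $policy = $wa.Policies.Add($Account, $Account) }
    if (-not ($policy.PolicyRoleBindings | Where-Object { $_.Name -eq $role.Name })) {
        $policy.PolicyRoleBindings.Add($role)
    }
    $wa.Update()
}

# Map the login into one database with the public role only and grant EXECUTE on the listed securables.
function Grant-MsmsDatabaseAccess {
    param([string]$ServerInstance, [string]$Database, [string]$Account, [string[]]$Functions)
    $lit = $Account.Replace("'", "''")   # T-SQL string-literal escape; [$Account] assumes no ']' in the name
    $sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$lit')
    CREATE LOGIN [$Account] FROM WINDOWS;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$lit')
    CREATE USER [$Account] FOR LOGIN [$Account];  -- every database user is in public; no fixed role is added
"@
    foreach ($fn in $Functions) { $sql += "`nGRANT EXECUTE ON OBJECT::$fn TO [$Account];" }
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $sql
}

# Apply to every Web Application except Central Administration (handled by the secondary
# Site Collection Administrator steps above) and to each of their content databases.
foreach ($wa in Get-SPWebApplication) {
    Grant-MsmsWebAppPolicy -WebAppUrl $wa.Url -Account $dbAccount -PolicyName $policyName
    foreach ($db in $wa.ContentDatabases) {
        Grant-MsmsDatabaseAccess -ServerInstance $db.NormalizedDataSource -Database $db.Name -Account $dbAccount -Functions $functions
    }
}
# The article also maps the account to the Central Administration content database and the
# configuration database; run Grant-MsmsDatabaseAccess against those with the same list.
```

Because the grants are EXECUTE on named functions rather than db_owner, any function the product calls that is missing from $functions surfaces as an access-denied event in the Event Viewer, which is the feedback loop the guide relies on to fine-tune the list.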