Required Permissions

To perform operations on the different SharePoint Site Collections, grant the following permissions to the SharePoint Server user that is configured as the Application User in the IdentityIQ application:

  • User must be a member of the following groups on the SharePoint Server system:

    • Remote Desktop Users

    • WinRMRemoteWMIUsers__

    • WSS_ADMIN_WPG

  • User must have the SPShellAdmin access role on all content databases on the SharePoint Server that this connector manages. This allows the connector to execute SharePoint cmdlets. Run the following command on the SharePoint Server to give the SPShellAdmin role to the application user on one content database:

    Add-SPShellAdmin -UserName <DOMAIN\UserName> -Database (Get-SPContentDatabase -Identity "WSS_Content")

    To grant access to all databases in the farm, use the following command:

    Get-SPDatabase | Add-SPShellAdmin DOMAIN\UserName

  • On the SharePoint Server and the IQService host, the Application User must have Read and Execute permissions on the Microsoft.PowerShell32 and Microsoft.PowerShell session configurations. Run the following commands on the SharePoint Server and IQService host systems to open the permissions dialog for each session configuration and grant that permission:

    Set-PSSessionConfiguration -Name "Microsoft.PowerShell32" -ShowSecurityDescriptorUI

    Set-PSSessionConfiguration -Name "Microsoft.PowerShell" -ShowSecurityDescriptorUI

  • On the SharePoint Server and IQService systems, restart the WinRM service for the new settings to take effect:

    Restart-Service WinRM

  • The Application User must have access to all SharePoint Web Applications that the connector manages. Create a PowerShell script with the following lines and execute it in the SharePoint Management Shell:

    $webApp = Get-SPWebApplication -Identity "<Web App URL>"

    $webApp.GrantAccessToProcessIdentity("Domain\UserName")

    Repeat the above two lines for each web application the connector manages.
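As an added example (not part of the SailPoint documentation), the following script consolidates the SharePoint Server side of the steps above into one re-runnable pass in an elevated SharePoint Management Shell. $AppUser is an assumed parameter, and the SPShellAdmin grant is scoped to content databases only (Get-SPContentDatabase) rather than every farm database (Get-SPDatabase), which is the tighter grant; each membership and role is checked before it is added so the script is safe to run more than once.

```powershell
# Added example: grant the IdentityIQ Application User the SharePoint-side
# permissions listed above and verify them. Run as a farm administrator in an
# elevated SharePoint Management Shell on the SharePoint Server.
param(
    [Parameter(Mandatory)] [string] $AppUser   # assumed, e.g. "CONTOSO\svc-iiq"
)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Local group membership needed for remote access and WinRM/WMI.
foreach ($group in 'Remote Desktop Users', 'WinRMRemoteWMIUsers__', 'WSS_ADMIN_WPG') {
    $members = Get-LocalGroupMember -Group $group | Select-Object -ExpandProperty Name
    if ($members -notcontains $AppUser) {
        Add-LocalGroupMember -Group $group -Member $AppUser
        Write-Host "Added $AppUser to $group"
    }
}

# 2. SPShellAdmin on the content databases only (least privilege: the config
#    and service application databases are not needed to run the cmdlets).
foreach ($db in Get-SPContentDatabase) {
    $already = Get-SPShellAdmin -Database $db | Where-Object { $_.UserName -eq $AppUser }
    if (-not $already) {
        Add-SPShellAdmin -UserName $AppUser -Database $db
        Write-Host "Granted SPShellAdmin on $($db.Name)"
    }
}

# 3. Process identity access on every web application the connector manages.
#    Central Administration is excluded because it is not listed with
#    -IncludeCentralAdministration, so the grant stays on content web apps.
foreach ($webApp in Get-SPWebApplication) {
    $webApp.GrantAccessToProcessIdentity($AppUser)
    Write-Host "Granted process identity access on $($webApp.Url)"
}

# 4. Session configuration permissions are set through the dialog opened by
#    -ShowSecurityDescriptorUI (see above); here we only report what is in place
#    so the Read/Execute grant can be confirmed before WinRM is restarted.
foreach ($cfg in 'Microsoft.PowerShell32', 'Microsoft.PowerShell') {
    $perm = (Get-PSSessionConfiguration -Name $cfg).Permission
    Write-Host "$cfg permissions: $perm"
}

Restart-Service WinRM
```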