Example of a Minimum-Privilege Configuration for Power Pivot for SharePoint 2013

Example of a Minimum-Privilege Configuration for Power Pivot for SharePoint 2013

 

Applies To: SQL Server 2016

This topic describes an example Power Pivot for SharePoint 2013 configuration with minimum privileges. The configuration utilizes a different account for each of the three components and each account has the minimum level of privileges.

Applies to: SharePoint 2013

Power Pivot for SharePoint 2013 supports the use of the Network Service account for the Analysis Services service account. The Network Service account is not a supported scenario with SharePoint 2010. For more information on Service accounts, see Configure Windows Service Accounts and Permissions (http://msdn.microsoft.com/library/ms143504.aspx).

The following table summarizes the three accounts used in this example of a minimum privileged configuration.

ScopeName
SharePoint Administrator accountSPAdmin
SharePoint Farm accountSPFarm
Analysis Services service accountSPsvc

The SharePoint Administrator account (SpAdmin)

SPAdmin is a domain account you use to install and configure the farm. It is the account used to run the SharePoint Configuration Wizard and the Power Pivot Configuration Tool for SharePoint 2013.The SPAdmin account is the only account that requires local Administrator rights. Before running the Power Pivot Configuration tool, grant the SPAdmin account privileges to the SQL Server database instance where SharePoint creates content and configuration databases. To configure the SPAdmin account in a minimum privilege scenario, it should be a member of the roles securityadmin and dbcreator.

The Farm account (SPFarm)

SPFarm is a domain account that the SharePoint Timer service and the web application for Central Administration use to access the SharePoint content database. This account does not need to be a local administrator. The SharePoint configuration wizard grants the proper minimal privilege in the back-end SQL Server database.The minimum SQL Server privilege configuration is membership in the roles securityadmin and dbcreator.

The Service Account for Power Pivot Service (SPsvc)

If a new SharePoint farm is not configured before you run the Power Pivot Configuration tool, then by default the Power Pivot Configuration tool will create the following:

  • Power Pivot Service application.

  • Excel Services application.

  • Secure Store application.

The Power Pivot configuration tool configures all three of the service applications in the default application pool. That application pool is typically configured to run as the SPFarm account, which has access to many resources that a service account does not require.To make the environment a minimum-privileged environment, configure a new domain account to be use by the appropriate application pool and web application.

To create a new domain account SPsvc to be used as a SharePoint Service account:

  1. In SharePoint Central Administration, select Security.

  2. Select Configure Service Accounts

  3. Select Register new managed account.

The SPSvc account has no local administrator privileges and SPsvc will not have any privileges in the SharePoint database. The only privileges SPsvc requires is administrative rights to the Power Pivot Instance of the Analysis Services.

To configure the appropriate application pool to use the SPsvc account :

  1. In SharePoint Central Administration, select Security.

  2. Select Configure Service Accounts.

  3. Select the service application pool used by the Power Pivot Service application. Then select the SPSvc account.

To Grant access to the web application with PowerShell:

  1. Run the SharePoint 2013 Management Shell with administrator privileges.

  2. Run the following PowerShell code:

    $webApp = Get-SPWebApplication "http://<servername>"  
    $webApp.GrantAccessToProcessIdentity("DOMAIN\<ServiceAccountName>")  
    
    
    
Show:
© 2016 Microsoft