TLDR – Add-SPShellAdmin and SPWebApplication.GrantAccessToProcessIdentity look alike (both end up putting an account into SQL database roles on content databases), but they are intended for different kinds of accounts and do different things:

  1. Add-SPShellAdmin: Use this to grant an administrator account the right to run SharePoint PowerShell cmdlets against the farm. It adds the account to two database roles (SharePoint_Shell_Access and SPDataAccess) in the database passed to -Database; run without -Database it targets the farm configuration database, so it has to be repeated for every content database the admin needs to script against. The caller must already hold securityadmin on the SQL instance and db_owner on the affected databases.
  2. SPWebApplication.GrantAccessToProcessIdentity: Use this to grant a service account (an application pool identity) access to content databases. It adds a Full Control user policy on the Web Application and adds the account to the SPDataAccess role in the Web Application's content database(s). Because SPDataAccess can read every table and create tables, this is effectively data-owner access, so reserve it for the service accounts that genuinely need it.

OK, if you’re still reading…here’s the longer version:

      • SharePoint_Shell_Access Role:
        • Members of the SharePoint_Shell_Access role have EXECUTE permission on all stored procedures in the database. In addition, members of this role have read and write permission on all of the database tables.
      • SPDataAccess Role:
        • SPDataAccess should be used for all object model level access to databases. The role has the following permissions:
          • Grant EXECUTE or SELECT on all SharePoint stored procedures and functions
          • Grant SELECT on all SharePoint tables
          • Grant EXECUTE on User-defined type where schema is dbo
          • Grant INSERT on AllUserDataJunctions table
          • Grant UPDATE on Sites view
          • Grant UPDATE on UserData view
          • Grant UPDATE on AllUserData table
          • Grant INSERT and DELETE on NameValuePair tables
          • Grant create table permission
        • Note: The SP_DATA_ACCESS role replaces the db_owner role in SharePoint 2013. (From https://technet.microsoft.com/EN-US/library/cc678863.aspx#Section4)
  • SPWebApplication.GrantAccessToProcessIdentity (https://msdn.microsoft.com/en-us/library/ee556553.aspx):
    • Used for service accounts that require elevated access to a Web Application's content database(s).
    • Most common use: it has to be run for the application pool accounts of services such as Excel Services, PerformancePoint and SSRS when the farm is configured for least privilege (that is, those accounts are not farm administrators or db_owner on the content databases).
    • First, it adds a Full Control User Policy for the account on the Web Application:
    • [Screenshot: Web Application user policy showing the service account with Full Control]
    • Then, it adds the account to the SPDataAccess role in each content database of the Web Application:
    • [Screenshot: SQL Server database role membership showing the service account in SPDataAccess]
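The two grants side by side, followed by the checks a practitioner would run afterwards. This is an added example, not script from the original post: it assumes a farm server with the SharePoint PowerShell snap-in, a session running as an account that already holds SharePoint_Shell_Access plus securityadmin/db_owner in SQL (a prerequisite of Add-SPShellAdmin), and, for the optional SQL check, the SqlServer module. The account names, URL and server name are placeholders.

```powershell
# Added example (not from the original post). Placeholder identities and URLs.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$adminAccount   = 'CONTOSO\sp_admin2'        # hypothetical human farm administrator
$serviceAccount = 'CONTOSO\sp_excelsvc'      # hypothetical Excel Services app pool account
$webAppUrl      = 'https://intranet.contoso.com'
$sqlInstance    = 'SQL01\SHAREPOINT'         # hypothetical SQL Server instance

$wa = Get-SPWebApplication $webAppUrl

# 1. Shell access for the human admin.
#    Without -Database the grant lands on the farm configuration database only,
#    so repeat it per content database the admin must script against.
Add-SPShellAdmin -UserName $adminAccount
foreach ($db in ($wa | Get-SPContentDatabase)) {
    Add-SPShellAdmin -UserName $adminAccount -Database $db
}

# 2. Process-identity access for the service account.
#    One call adds the Full Control web-application policy AND the SPDataAccess
#    role membership in each of the web application's content databases.
$wa.GrantAccessToProcessIdentity($serviceAccount)

# 3. Verify the SharePoint side.
#    a) Shell admins registered on the first content database
$firstDb = $wa | Get-SPContentDatabase | Select-Object -First 1
Get-SPShellAdmin -Database $firstDb |
    Where-Object { $_.UserName -eq $adminAccount }

#    b) The user policy that GrantAccessToProcessIdentity created
$wa.Policies |
    Where-Object { $_.UserName -eq $serviceAccount } |
    Select-Object UserName, @{ n = 'Roles'; e = { ($_.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ', ' } }

# 4. Optional: verify the SQL side directly (requires the SqlServer module).
#    Lists which of the two accounts sit in which SharePoint role per content database.
$roleQuery = @"
SELECT r.name AS RoleName, m.name AS MemberName
FROM sys.database_role_members rm
JOIN sys.database_principals r ON rm.role_principal_id   = r.principal_id
JOIN sys.database_principals m ON rm.member_principal_id = m.principal_id
WHERE r.name IN ('SharePoint_Shell_Access', 'SPDataAccess')
  AND m.name IN ('$adminAccount', '$serviceAccount')
ORDER BY r.name, m.name;
"@
foreach ($db in ($wa | Get-SPContentDatabase)) {
    "--- $($db.Name) ---"
    Invoke-Sqlcmd -ServerInstance $sqlInstance -Database $db.Name -Query $roleQuery |
        Format-Table RoleName, MemberName -AutoSize
}
```

Running step 1 without the per-database loop is the classic mistake: the admin can load the snap-in but gets access-denied errors the moment a cmdlet touches a content database. Step 4 is the quickest way to see the real difference between the two grants, since it shows the admin in both roles and the service account only in SPDataAccess.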

-AJB
