Hey All - Recently ran into an issue where a customer had AvePoint installed in the farm (Which requires the DocAve account to have db_owner) and after every CU it'd...
TLDR – Add-SPShellAdmin and SPWebApplication.GrantAccessToProcessIdentity do very similar things, but there are a few key differences:
- Add-SPShellAdmin: Should be used for granting admin accounts access to run PowerShell commands against the farm. This adds the account to two database roles (SharePoint_Shell_Access and SPDataAccess) in the specified content database.
- SPWebApplication.GrantAccessToProcessIdentity: Should be used for granting service accounts access to the content database. This grants a Full Control User Policy on the Web Application and adds the account to the SPDataAccess role in the specified content database.
OK, if you’re still reading…here’s the longer version:
- Add-SPShellAdmin (https://technet.microsoft.com/en-us/library/ff607596.aspx):
  - Please review https://technet.microsoft.com/en-us/library/ff607596.aspx for the prerequisites for the account running the script (the SP Farm account should have everything you need)
  - Add-SPShellAdmin adds a user to the SharePoint_Shell_Access AND SPDataAccess roles for the specified database(s)
  - SharePoint_Shell_Access Role:
    - Members of the SharePoint_SHELL_ACCESS role have the execute permission for all stored procedures in the database. In addition, members of this role have read and write permissions on all of the database tables.
  - SPDataAccess Role:
    - The SPDataAccess role has the following permissions (SPDataAccess should be used for all object model level access to databases):
      - Note: The SP_DATA_ACCESS role replaces the db_owner role in SharePoint 2013. (From https://technet.microsoft.com/EN-US/library/cc678863.aspx#Section4)
      - Grant EXECUTE or SELECT on all SharePoint stored procedures and functions
      - Grant SELECT on all SharePoint tables
      - Grant EXECUTE on User-defined type where schema is dbo
      - Grant INSERT on AllUserDataJunctions table
      - Grant UPDATE on Sites view
      - Grant UPDATE on UserData view
      - Grant UPDATE on AllUserData table
      - Grant INSERT and DELETE on NameValuePair tables
      - Grant create table permission
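Putting both halves of the TLDR to work, as an added example that is not from the original post: scope Shell Admin for the admin account to one content database, grant the service account through GrantAccessToProcessIdentity, then read back the database roles each account actually holds so a lingering db_owner grant stands out. The account names, database name, web application URL and the Get-ContentDbRoles helper are placeholders and assumptions of this example.

```powershell
# Added example, not part of the original post. Assumes the SharePoint Management Shell
# snap-in, a caller meeting the Add-SPShellAdmin prerequisites linked above, and the
# placeholder account/database/URL values below (replace them for your farm).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$AdminAccount   = 'CONTOSO\sp-admin'     # placeholder: person who will run PowerShell
$ServiceAccount = 'CONTOSO\svc-backup'   # placeholder: third-party service account
$DbName         = 'WSS_Content'          # placeholder: one content database, not the farm
$WebAppUrl      = 'https://intranet.contoso.local'  # placeholder web application

$db     = Get-SPContentDatabase -Identity $DbName
$webApp = Get-SPWebApplication  -Identity $WebAppUrl

# Admin account: Shell Admin scoped to a single content database rather than farm-wide.
Add-SPShellAdmin -UserName $AdminAccount -Database $db

# Service account: Full Control web-app policy plus SPDataAccess on the content database,
# the supported alternative to handing the account db_owner.
$webApp.GrantAccessToProcessIdentity($ServiceAccount)

# Audit what each account holds, read from the database's own role-membership metadata.
# Helper name and query are this example's own (assumption), not a SharePoint API.
function Get-ContentDbRoles {
    param([Microsoft.SharePoint.Administration.SPContentDatabase]$Database, [string]$Account)
    $query = @'
SELECT r.name AS RoleName
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = @acct
'@
    $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $Database.DatabaseConnectionString
    $cmd  = $conn.CreateCommand()
    $cmd.CommandText = $query
    [void]$cmd.Parameters.AddWithValue('@acct', $Account)   # parameterised, never string-built
    $conn.Open()
    try {
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) { $reader['RoleName'] }
    } finally { $conn.Close() }
}

foreach ($acct in $AdminAccount, $ServiceAccount) {
    $roles = @(Get-ContentDbRoles -Database $db -Account $acct)
    "{0,-22} {1}" -f $acct, ($roles -join ', ')
    # db_owner is far broader than either SharePoint role; flag it so it does not linger.
    if ($roles -contains 'db_owner') { Write-Warning "$acct still holds db_owner on $DbName" }
}
```

Expected after a clean run: the admin account lists SharePoint_Shell_Access and SPDataAccess, the service account lists SPDataAccess, and neither triggers the db_owner warning.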
- SPWebApplication.GrantAccessToProcessIdentity (https://msdn.microsoft.com/en-us/library/ee556553.aspx):