Configuring permissions for backup and recovery (SharePoint Server 2010)

 

Applies to: SharePoint Server 2010, SharePoint Foundation 2010

Before backing up or restoring Microsoft SharePoint Server 2010, you must ensure that the timer service account, SQL Server service account, and users running the backup or restore operations have the correct permissions or are members of the correct Windows security groups or SharePoint groups. These permissions and group memberships must be configured initially. Subsequently, they must be updated when new farm components are added to the environment and if you want to add users who will perform backup and restore operations.

In this topic:

  • Permissions for the SPTimerV4 timer service and SQL Server account

  • Group memberships required to run backup and restore operations in Central Administration

  • Setting permissions for running backup and restore operations from Windows PowerShell

Permissions for the SPTimerV4 timer service and SQL Server account in SharePoint

The Windows SharePoint Services Timer V4 (SPTimerV4) and the SQL Server service account in SharePoint Server 2010 perform backup and restore operations on behalf of the user. These service accounts require Full Control permissions on any backup folders.

Group memberships required to run backup and restore operations in SharePoint Central Administration

You must ensure that all user accounts that will be backing up or restoring your farm and farm components by using Central Administration have the group memberships that are described in the following table.

Required group memberships

Farm component Member of Administrators group on the local computer Member of Farm Administrators SharePoint group

Farm

Yes

No

Service Application

Yes

No

Content Database

Yes

No

Site Collection

No

Yes

Site, list, document library

No

Yes

Setting permissions for running SharePoint backup and restore operations by using Windows PowerShell

You must ensure that all user accounts that will be backing up or restoring your farm and farm components by using Windows PowerShell are added to the SharePoint_Shell_Access role for a specified database and have the permissions described in the table later in this section.

You can run the Add-SPShellAdmin cmdlet to add a user account to this role. You must run the command for each user account. Moreover, you must run the command for all databases to which you want to grant access.

Note

You only need to grant a user account access to back up and restore a specific farm component one time. You will have to perform this task again only when new farm components are added to your environment or when you want to add users to perform backup and restore operations.

To add a user to or remove a user from the SharePoint_Shell_Access role by using Windows PowerShell

  1. Verify that you meet the following minimum requirements: See Add-SPShellAdmin.

  2. On the Start menu, click All Programs.

  3. Click Microsoft SharePoint 2010 Products.

  4. Click SharePoint 2010 Management Shell.

  5. At the Windows PowerShell command prompt (that is, PS C:\>), type the following command, and then press ENTER:

    Add-SPShellAdmin -Username <User account> -Database <Database ID>

    To add a user account to all the databases in the farm, type the following command, and then press ENTER:

    ForEach ($db in Get-SPDatabase) {Add-SPShellAdmin -Username <User account> -Database $db}

    To remove a user account from all the databases in the farm, type the following command, and then press ENTER:

    ForEach ($db in Get-SPDatabase) {Remove-SPShellAdmin -Username <User account> -Database $db}

    To view the user accounts currently added to the databases in the farm, type the following command, and then press ENTER:

    ForEach ($db in Get-SPDatabase) {Get-SPShellAdmin -Database $db}

For more information, see Add-SPShellAdmin.

You might also have to grant additional permissions to the users running the backup or restore operation by using Windows PowerShell. The following table shows the permissions that are required.

Required permissions for Windows PowerShell

Farm component Member of Administrators group on the local computer Member of Farm Administrators SharePoint group Full Control on backup folder

Farm

Yes

No

Yes

Service application

Yes

No

Yes

Content database

Yes

No

Yes

Site collection

No

Yes

Yes

Site, list, document library

Yes

No

Yes

See Also

Other Resources

Resource Center: Business Continuity Management for SharePoint Server 2010