Hey there,
A colleague asked a good question today about SQL and SharePoint, so I thought I’d share the answer.
The question was…
Why are there so many accounts under SQL Logins related to SharePoint and are these correct? (to paraphrase)
The answer is…
SharePoint manages these permissions, so long as we implement SharePoint correctly. When we install SharePoint, we make sure that:
The SharePoint Database Access Account (the Farm account) has the following permissions:
- DBCreator
- SecurityAdmin
The SharePoint Admin Account (also used for installing) has the following permissions:
- DBCreator
- SecurityAdmin
- SysAdmin (not needed for SharePoint, but needed to access/manage SQL)
So long as we do that, SharePoint manages the rest. Yes, a whole bunch of other accounts will appear as logins in SQL but that is because different accounts need different privileges to do different things. For example, the application pool accounts need different permissions than the accounts used for search, etc. SharePoint will handle this for us, so long as the system itself is configured to allow for that to happen. Occasionally, we need to modify a login to help it along (for example, there is some scenarios with some service applications where the extra logins might need some rights modified, but for the most part, let SharePoint and the ‘Managed Accounts’ handle that