Tuesday, March 26, 2013

PowerPivot for SharePoint 2013 Account Permissions Overview

Following is a brief overview of the permissions and accounts required for PowerPivot on SharePoint 2013. This overview is intended to provide a basic understanding what accounts are required for PowerPivot to run correctly on a SharePoint 2013 farm.

SQL Server 2012 Analysis Services (POWERPIVOT)

Sample Account Name: SPAnalysisServices

Account Type: Domain User

Required Permissions:
  • Run as account for the "SQL Server 2012 Analysis Services (POWERPIVOT)" windows service on the SQL Server application server.
  • Member of local security group: SQLServerMSASUser$<ServerName>$PowerPivot
  • Member of local security group: WSS_WPG
Notes:
  • Windows service that runs on a SQL Server 2012 application server. In smaller SharePoint installations, this is usually the same server that the SharePoint database engine is installed.
  • Built in machine accounts are not allowed
  • Must be the same for all Analysis Services server instances used by a single farm

PowerPivot Service Application

Sample Account Name: SPPowerPivot

Account Type: Domain User

Required Permissions:
  • Run as account for the PowerPivot Service Application
  • Analysis Services system administrator
  • Connect, read and write to PowerPivot Service Application Database
Notes:
  • Shared web service that runs under an application pool identity in a SharePoint farm
  • Built in machine accounts are not allowed
  • On smaller farms or farms that don't need the account separation, this is typically the same domain account that is used to run other Service Application on SharePoint 2013.

 

PowerPivot Unattended Data Refresh Account

Sample Account Name: SPDataRefresh

Account Type: Domain User

Required Permissions:
  • Must be assigned Contribute permissions on any PowerPivot workbook for which it is used
  • Read permissions on any external data sources needed for a data refresh operation
Notes:
  • By default, the PowerPivot Configuration Tool configures this as the farm account
  • This can be left as the farm account if account separation is not needed and permission requirements outlined above are met. Larger farms or farms with external data sources may want a separate account for auditing and traceability.
  • If you don't use the farm account, additional permission configuration may be required on the Central Administration site and the PowerPivot Service Application Database in order for the PowerPivot reports to work in Central Administration.

 

Excel Services Service Application

Sample Account Name: SPExcelServices

Account Type: Domain User

Required Permissions
  • Analysis Services PowerPivot Instance system administrator
Notes
  • Excel services should be configured in advance of the PowerPivot installation.
  • On smaller farms or farms that don't need the account separation, this is typically the same domain account that is used to run other Service Application on SharePoint 2013.

Source Guidance and Additional Documentation


If you have any suggestions on how to improve the content of this post or if you just have a question, please comment below.