My Sites and The SPDataAccess SQL Role

You’ve been busy spinning up your RTM SharePoint 2013 farms haven’t you? And of course, you’ve been deploying under the least-privileged security model like any good IT Pro. After you have everything configured, you open the event viewer and what to your wondering eyes should appear? An error of course!

The error and why

So, why is my content Application Pool attempting to access My Sites? Well, if we read Account permissions and security settings in SharePoint 2013 (go ahead, I’ll still be here when you finish) under the SharePoint service application accounts section (specifically My Sites application pool account) there’s a little follow-section titled Other application pool accounts. Let’s take a look at the permissions our “Other” pool accounts should be granted automatically:

Configuration Item Works as advertised
This account is assigned to the SP_DATA_ACCESS role for the content databases. No*
This account is assigned to the SP_DATA_ACCESS role for search database that is associated with the web application No**
This account must have read and write access to the associated service application database. Yes
This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role that is associated with the farm configuration database. Yes
This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role that is associated with the SharePoint_Admin content database. Yes

* The account is not automatically added to the My Sites content database(s). If it was, we wouldn’t be here.
** The search databases don’t have the SPDataAccess role.

Fixing the error

To alleviate the error (and make your servers happy again!), we’ll be heading off to SQL and executing a quick query on each content databases associated with your My Sites web application: