Question

My team's created a new site collection in SharePoint 2010. I'm setting permissions on the site and when I go to "Site Actions > Site Settings" I noticed that the System Account SHAREPOINT\system has been directly given "Limited Access" permissions to the site, shown below:

[Image: site permissions]

Does the System Account need to be given direct permissions like this? Or can I delete it from my site?

Solution

You could remove it, though it's likely to come back, as it will be getting added by a workflow / event receiver type process. The permission is like an NTFS traverse folder permission.

Either way, it will have full access provided by the web application policy. It is normally the account that is running the web app pool or an account that has been marked as a system account within the web app policy.

OTHER TIPS

What is the SHAREPOINT\System account? Here is the answer:

  1. The SHAREPOINT\System account is the same account used by the application pool of your SharePoint web application in IIS at the time of creation/extension of the respective web application.
  2. This is the account which is used when you run your code under elevated privileges with SPSecurity.RunWithElevatedPrivileges.
  3. When you create/extend a web application in SharePoint and specify an application pool, the identity (Network Account) used by that application pool becomes the SHAREPOINT\System account.
  4. It is highly recommended that end users not be allowed to use this account, to avoid unexpected errors.
  5. If you change the identity of the app pool account after creating/extending the SharePoint web application, the new account will not become SHAREPOINT\System.

Even if you remove the System Account from your site permission settings, it will still continue to have access to the entire site, including all content and documents. At a higher level, it has access to the entire web application under which this site is created, because this is the same account used by the application pool of the SharePoint web application running in IIS.

To preserve security, the System Account is an alias assigned to the application pool account to hide its real account name.
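The following read-only audit is an added example, not part of the original question or answers. It lists the three places the answers mention: the application pool identity, the web application policy entries, and the direct site-level assignment for SHAREPOINT\system. The site URL is a placeholder, and the script assumes the SharePoint 2010 Management Shell run by a farm administrator.

```powershell
# Added example (not from the original answers). Read-only: changes nothing.
# Assumption: $SiteUrl is a placeholder; pass your own site collection URL.
param([string]$SiteUrl = "http://sharepoint.example/sites/team")

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$site = Get-SPSite $SiteUrl
try {
    $webApp = $site.WebApplication

    # 1. The identity the application pool runs as.
    "App pool account: {0}" -f $webApp.ApplicationPool.Username

    # 2. Explicit web application policy entries. IsSystemUser marks accounts
    #    flagged to operate as System. These are evaluated independently of
    #    site permissions, so deleting a site-level entry does not touch them.
    $webApp.Policies | ForEach-Object {
        New-Object PSObject -Property @{
            UserName     = $_.UserName
            IsSystemUser = $_.IsSystemUser
            Roles        = ($_.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ", "
        }
    } | Format-Table UserName, IsSystemUser, Roles -AutoSize

    # 3. Direct role assignments on the root web for the system alias
    #    (the "Limited Access" entry seen under Site Settings).
    $site.RootWeb.RoleAssignments |
        Where-Object { $_.Member.LoginName -eq "SHAREPOINT\system" } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Member = $_.Member.LoginName
                Roles  = ($_.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
            }
        } | Format-Table Member, Roles -AutoSize
}
finally {
    # SPSite holds unmanaged resources; always release it.
    $site.Dispose()
}
```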

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange