REST search gives zero results to users with custom read group

Question

I have two SharePoint groups that use custom permission levels. The first user group gives access to read specific content and access to SharePoint's APIs. This group does not have access to see system pages. The second group is for power users and they have more edit permission and can see system pages. They also have everything the user group would have.

The search service account is in the user group which gives it read access to crawl the content. Power users are able to search and see the results. Regular user however are not getting any results when they run a search.

If the search service account had the same permission as the regular users and was able to crawl the content I would not expect security trimming to restrict access to the users. I am expecting results to come from a custom list that does not inherit permissions. Any idea how I can troubleshoot this problem?

Answer 1

I found that the missing permission was view application pages on the target list. Without this search will not return values.

Answer 2

Generally, you give the crawl account read access to everything. This is usually done through web application policy at the time that the Crawl Account is set in the SSA. The crawl account reads the ACL on the content and security trims the results based on the user making the query.

I would first ensure that the crawl account has read permissions then run a full crawl. Then I would log in as the limited read user and ensure that that account has access to the desired content. Then test search as that limited read user.