Documentation for Access Rights Manager

Configure additional properties

Click the link.

 

Select the SharePoint version.

To communicate with the SharePoint system, Access Rights Manager uses Microsoft components that are specific to the version of the SharePoint system that is used. Specifying the correct SharePoint version ensures that all information is shared correctly with the SharePoint system. If the configured version of SharePoint differs from the actual version, this may result in incomplete or incorrect data.

 

  1. Specify the maximum number of parallel requests the scan performs. The higher the number, the higher the scanning speed and the load on the SharePoint server.
    Possible values: 1 to 10
  2. Specify how often an attempt is made to connect to the SharePoint server.
  3. Specify how long Access Rights Manager waits for the connection to the SharePoint Server or the result of a query.
    Possible values: 1 to 120 min
    Recommended for systems with lists and libraries < 5,000 elements: 10 min
    Recommended for systems with lists and libraries > 5,000 elements: 60 min

 

  1. Option enabled: Access Rights Manager excludes administrators from the scan. They are not available in views and reports.
  2. Option enabled: Access Rights Manager excludes owners from the scan. They are not available in views and reports.
    This option is not effective for SharePoint 2010. Microsoft does not provide the information about the owner in this release.


Option enabled:

Access Rights Manager excludes secondary contacts from the scan. They are not available in views and reports.

The secondary contact is optional in SharePoint. The option is ineffective if no secondary contact is entered.

This option is not effective for SharePoint 2010. Microsoft does not provide the secondary contact information in this release.

 

  1. Option enabled: Access Rights Manager excludes the limited access from the scan. This information is not available in views and reports.
    Limited access is automatically granted by the SharePoint system to a large extent, ensuring that SharePoint users can navigate through the system.
  2. Option enabled: Access Rights Manager excludes hidden lists from the scan. They are not available in views and reports.

 

  1. Option enabled: Access Rights Manager excludes list items from the scan. They are not available in views and reports.
  2. Determine whether only list elements or documents with specific permissions (interrupted inheritance) will be scanned.

 

  1. Determine the maximum number of attempts after which the scan of a specific SharePoint object is canceled. Possible values: 1 to 5, Recommended: 3
  2. Use the threshold value for reading list elements to set the maximum number of list elements that are read.

 

Enable this option only for extended error analysis. If this option is enabled, the scan slows down and the log file of the Access Rights Manager server grows faster.

 

Only for SharePoint on-premise:

Activate this property if the system to be scanned is not operated in the local network infrastructure (e.g. by an external service provider) and the account name is used in the form abc@xyz.com.

 

Recommended: Enable the option. ARM needs this option to determine the available SharePoint items and make them available for selection in the tree view.

Enable it if SharePoint is running in a multi-server environment, i.e. if dedicated servers are used for front end and database.

In order for the scanner to work properly, you must first configure WinRM and prepare PowerShell to use CredSSP authentication (see next section).

 

  1. Enable the option to use WSMan/WinRM over SSL.

  2. Specify a non-default port for WSMan/WinRM. If you are using the default ports, you can leave the field blank. Default ports for WSMan/WinRM are 5985 for HTTP and 5986 for HTTPS.

 

 

Prepare SharePoint to use CredSSP

First configure all SharePoint servers and then the ARM server. The ARM server must already be able to access SharePoint during the configuration.

 

SharePoint frontend server

  1. Start the SharePoint Management Shell with local administrator privileges.
  2. Activate Remoting for PowerShell
    Enable-PSRemoting -Force
  3. Activate MultiHop support in WinRM
    Enable-WSManCredSSP -Role "Server" -Force

 

ARM server

  1. Start PowerShell as administrator
  2. Activate MultiHop support in WinRM
    Enable-WSManCredSSP -Role "Client" -DelegateComputer "FQDN-SharePoint-FrontEnd-Server-Name" -Force
    Replace FQDN-SharePoint-FrontEnd-Server-Name with the Fully Qualified Domain Name of your SharePoint frontend server.

 

More information can be found in the article How to enable Remote PowerShell for SharePoint 2013 for Non-Administrators (© 2020 Microsoft, https://docs.microsoft.com/de-de/archive/blogs/anneste/how-to-enable-remote-powershell-for-sharepoint-2013-for-non-administrators, obtained on November 27, 2020).
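
To confirm the CredSSP preparation above took effect and that credential delegation is limited to the SharePoint frontend server, the following read-only check can be run on the ARM server. It is an added example, not part of the SolarWinds documentation; the parameter names `$SharePointFqdn`, `$UseSsl` and `$Port` are assumptions of this sketch, and the default FQDN is the page's placeholder.

```powershell
# Added example: read-only verification of the CredSSP setup described above.
# Run in an elevated PowerShell session on the ARM server.
param(
    # Placeholder from the page; pass the FQDN of your SharePoint frontend server.
    [string]$SharePointFqdn = 'FQDN-SharePoint-FrontEnd-Server-Name',
    [switch]$UseSsl,      # set if the scan is configured for WSMan/WinRM over SSL
    [int]$Port = 0        # 0 = default port (5985 HTTP, 5986 HTTPS)
)

# 1. Client role: CredSSP must be enabled in the local WinRM client settings.
$clientCredSsp = (Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value
"Client CredSSP enabled: $clientCredSsp"

# 2. Delegation targets: Enable-WSManCredSSP -Role Client records them in the
#    AllowFreshCredentials policy as WSMAN/<DelegateComputer> entries.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
$targets = @()
if (Test-Path $policyKey) {
    $key = Get-Item $policyKey
    $targets = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
}
$expected = "wsman/$SharePointFqdn"
foreach ($t in $targets) {
    if ($t -eq $expected)       { "OK        $t" }   # -eq ignores case
    elseif ($t -like '*[*]*')   { "WILDCARD  $t  (delegates to more hosts than the frontend)" }
    else                        { "EXTRA     $t  (not the SharePoint frontend; review)" }
}
if ($targets -notcontains $expected) { "MISSING   $expected" }

# 3. End-to-end: a CredSSP-authenticated WSMan handshake only succeeds if the
#    frontend server has the "Server" role enabled as well.
$wsman = @{
    ComputerName   = $SharePointFqdn
    Authentication = 'Credssp'
    Credential     = Get-Credential -Message 'Account used for the SharePoint scan'
}
if ($UseSsl)     { $wsman.UseSSL = $true }
if ($Port -gt 0) { $wsman.Port   = $Port }
try {
    Test-WSMan @wsman -ErrorAction Stop | Out-Null
    "CredSSP handshake with $SharePointFqdn succeeded"
} catch {
    "CredSSP handshake with $SharePointFqdn failed: $($_.Exception.Message)"
}
```

A `WILDCARD` or `EXTRA` line means the ARM server will hand full credentials to hosts other than the SharePoint frontend, which is broader than the procedure above requires.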