Hi All,

As a part of requirements, I am creating a timer job in list event receiver.

The code is written in SPSecurity.RunwithelevatedPrivileges but still it is giving error The EXECUTE permission was denied on the object 'proc_putObjectTVP', database 'SharePoint_Config', schema 'dbo'

Looks like the application pool account is not having enough permissions on 'SharePoint_Config' DB.

Please guide me on the best practice way to resolve the issue or if there are any workarounds for the same as we don't want to compromise on Farm Security and best practices.

Appreciate your help on the same.

Thanks,

Rahul

https://social.technet.microsoft.com/Forums/office/en-US/88c2c219-e1b0-4ed2-807a-267dba1a2c0b/execute-permission-was-denied-on-the-object-procputobjecttvp?forum=sharepointadmin

From your description, you might find error 5214 in event log, one or more of the following might be the cause:

• The service account to which SharePoint is set does not have sufficient permissions to the database to which it is trying to connect.
• The service account is not set up properly in SharePoint.
• When using least privilege setup of the Farm.

Please perform the steps below and test the issue again:

1. Expand Databases then expand the SharePoint_Config Database.
2. Expand Security -> Roles -> Database Roles
3. Find WSS_Content_Application_Pools role, right click it, and select Properties
4. Click on Securables and click Search
5. Next click Specific objects and click OK
6. Click Object Types and select Stored Procedures. Click OK
7. Add the Stored Procedure 'proc_putObjectTVP' and click OK (if it does not automatically grant it exec permission; you need to click the checkbox on "execute" and save it)

https://sharepoint4admin.wordpress.com/2014/11/21/sharepoint-event-id-5214-execute-permission-was-denied-on-the-object-proc_putobjecttvp-database-sharepoint_config/

Thanks Inderjeet for the response.

I wanted to know if there is there a way to do it from SharePoint Side instead of changing it directly on Database server (which probably is not a best practice).

Thanks,

Rahul Babar

Hi,

First thing SPSecurity.RunwithElevatedPrivileges will not to impersonate as "Farm" account.
Can you please check the code with run with elevated privilege and also check the SPFarm account is not expired or undergone to password expiry policy.

Hi Murugesa ,

Thanks for the response.

Yes SPSecurity.RunwithElevatedPrivileges will not to impersonate as "Farm" account. SPSecurity.RunwithElevatedPrivileges uses Application Pool Account which is different from Farm Administrator account.

If I change the application pool account to Farm Administrator account, it works fine. But from the best practices perspective (to have least privileged farm setup), it is not possible to do this.

So just wanted to check if there is any alternative solution.

Thanks,

Rahul Babar

Hi Rahul,

Its seems that old application pool account got the problem or your farm account password has been expired or the new password changes were not propagated to all WFEs it seems.

And also I would suggest you whether the old application pool account has been used by any other services and their status.

Next time, use the AD account and elevate them as Managed account in the SharePoint. You can have full configuration control on its password policy.

These steps would be the best practices to manage the permission for FARM account in the SharePoint and especially for SharePoint_config database on the PRODUCTION Server.

If you are trying this in local server, then Inderjeet's suggestions are most welcome and very handy.

I checked the Application Pool Account. It is AD account and the account and it's password are set to never expire. Also it is registered as Managed Account in central administration site.

I am adding issue description again.

There is a custom list event receiver attached to a particular list. When a new item is added in list, based on the information specified in the list item, it will create an instance of custom timer job.

Similarly it will update the corresponding timer job instance when list item is updated. If the list item is deleted, corresponding timer job instance will also be deleted. Basically we are managing custom timer job instances through custom list event receiver.

Whenever we try to add a list item, it tries to create the custom timer job instance but fails due to permission issue and gives below error.

The EXECUTE permission was denied on the object 'proc_putObjectTVP', database 'SharePoint_Config', schema 'dbo'.  

    at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)

    at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)

    at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)

    at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString)

    at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async, Int32 timeout, Task& task, Boolean asyncWrite, SqlDataReader ds)

    at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, TaskCompletionSource`1 completion, Int32 timeout, Task& task, Boolean asyncWrite)

    at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(TaskCompletionSource`1 completion, String methodName, Boolean sendToPipe, Int32 timeout, Boolean asyncWrite)

    at System.Data.SqlClient.SqlCommand.ExecuteNonQuery()

    at Microsoft.SharePoint.Utilities.SqlSession.ExecuteNonQuery(SqlCommand command)

    at Microsoft.SharePoint.Administration.SPConfigurationDatabase.StoreObject(SPPersistedObject obj, Boolean storeClassIfNecessary, Boolean ensure)

    at Microsoft.SharePoint.Administration.SPPersistedObject.BaseUpdate()

    at Microsoft.SharePoint.Administration.SPJobDefinition.Update()

Thanks,

Rahul Babar