You have probably deployed Office Web Apps on your Microsoft SharePoint Server 2010 farm by reading the TechNet articles below:
The TechNet article tells you to use the existing application pool, but the best practice is to use a dedicated service account for each service application and give each account least-privilege access. If you use dedicated service accounts for your Word Viewing Service, Visio Graphics Service, Excel Services Application and PowerPoint Services Application (which means you are creating a new application pool for the service), follow the steps below to grant the additional database permissions the service accounts need.
Let us assume we have the following configuration and newly created service accounts registered as managed accounts in Central Administration:
- Content Database where documents reside: SP_Intranet_Content_DB_01
- Word Viewing Service managed account: domain\sp_word
- Visio Graphics Service managed account: domain\sp_visio
- Excel Service Application managed account: domain\sp_excel
- PowerPoint Services Application managed account: domain\sp_ppt

Note: Ensure your environment is updated to the latest version, which is 14.0.5123.5000 as of 9/22/2010.
1. Open SQL Server Management Studio and connect to your SharePoint 2010 database instance.
2. Go to the SharePoint content database (i.e., SP_Intranet_Content_DB_01) that contains a site collection with the documents you would like to view and edit in a browser.
3. In the SP_Intranet_Content_DB_01 database, make sure you give the above 4 service accounts the db_datareader and db_datawriter roles (under SP_Intranet_Content_DB_01 -> Security) and remove any other roles assigned.
   Note: If these accounts are assigned any other roles, you must have modified the permission settings on the account previously.
4. Under SP_Intranet_Content_DB_01 -> Security -> Roles -> Database Roles, right-click and select to create a New Database Role.
5. Enter Office_Web_Apps_Access as the role name and dbo as the owner.
   Note: You can choose a different name for the database role; however, make sure you avoid any name that SharePoint may reserve for a database role in the future.
6. On the same screen, click the Add button located at the bottom to add the domain\sp_visio, domain\sp_word, domain\sp_excel and domain\sp_ppt accounts.
   Note: The assumption is that these accounts already exist in SP_Intranet_Content_DB_01 -> Security -> Users prior to this step.
7. After adding the necessary users, click Securables on the left and then click the Search button on the right.
8. With the "All objects of the types" option selected, click OK.
9. Choose Databases as the object type and click OK.
10. At the bottom, in the Explicit tab, look for Execute and check the Grant checkbox.
11. Click OK to save all settings and close the pop-up window.
12. Under SP_Intranet_Content_DB_01 -> Security -> Schemas, right-click and select to create a New Schema.
13. Create a schema with Office_Web_Apps_Access (or the name of your choice used in step 5) as both the schema name and schema owner. Click OK.
14. Make sure you delete your browsing history, offline files, etc. in your browser settings. Run `iisreset /noforce` on your SharePoint front-end servers and restart the sptimerv4 and spadmin services on all of your SharePoint servers.
    Note: I did this because I have observed weird behaviors on Office Web Apps right after I configured the database permissions. By performing step 14, I seem to get consistent results.
15. Now, try opening Word, Visio, PowerPoint and Excel documents in a browser, and also try editing them, to make sure your Office Web Apps work fine.
In the above steps, we are giving read/write permissions to the Office Web Apps service accounts as instructed by TechNet, and in addition we are giving Execute access to the service accounts, which I observed to be one additional permission needed for Office Web Apps to work fine.
Hope this helps, and let me know if you have any comments.
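
The same role, grant and schema expressed as T-SQL, followed by two queries that show what each service account can actually do in the content database. This script is an added example, not part of the original post; it assumes the four accounts already exist as database users under the names listed above.

```sql
-- Added example: T-SQL equivalent of the SSMS steps (run in SSMS or sqlcmd; GO is their batch separator).
-- Assumption: the four accounts already exist as users in this database under these names.
USE [SP_Intranet_Content_DB_01];
GO

-- Step 3: read/write roles for each service account.
EXEC sp_addrolemember N'db_datareader', N'domain\sp_word';
EXEC sp_addrolemember N'db_datawriter', N'domain\sp_word';
EXEC sp_addrolemember N'db_datareader', N'domain\sp_visio';
EXEC sp_addrolemember N'db_datawriter', N'domain\sp_visio';
EXEC sp_addrolemember N'db_datareader', N'domain\sp_excel';
EXEC sp_addrolemember N'db_datawriter', N'domain\sp_excel';
EXEC sp_addrolemember N'db_datareader', N'domain\sp_ppt';
EXEC sp_addrolemember N'db_datawriter', N'domain\sp_ppt';

-- Steps 4-6: custom role owned by dbo, with the four accounts as members.
CREATE ROLE [Office_Web_Apps_Access] AUTHORIZATION [dbo];
EXEC sp_addrolemember N'Office_Web_Apps_Access', N'domain\sp_word';
EXEC sp_addrolemember N'Office_Web_Apps_Access', N'domain\sp_visio';
EXEC sp_addrolemember N'Office_Web_Apps_Access', N'domain\sp_excel';
EXEC sp_addrolemember N'Office_Web_Apps_Access', N'domain\sp_ppt';

-- Steps 7-11: database-scoped EXECUTE, which covers every stored procedure
-- and scalar function in this database.
GRANT EXECUTE ON DATABASE::[SP_Intranet_Content_DB_01] TO [Office_Web_Apps_Access];
GO

-- Steps 12-13: schema named after, and owned by, the role (CREATE SCHEMA needs its own batch).
CREATE SCHEMA [Office_Web_Apps_Access] AUTHORIZATION [Office_Web_Apps_Access];
GO

-- Check 1: role memberships per account. Anything beyond db_datareader, db_datawriter
-- and Office_Web_Apps_Access is an extra role to remove (sp_droprolemember).
SELECT m.name AS account, r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name IN (N'domain\sp_word', N'domain\sp_visio', N'domain\sp_excel', N'domain\sp_ppt')
ORDER BY m.name, r.name;

-- Check 2: permissions granted directly to the role; expect a GRANT EXECUTE row with class_desc = DATABASE.
SELECT pr.name AS grantee, pe.permission_name, pe.state_desc, pe.class_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'Office_Web_Apps_Access';
```

Repeat the script for every content database that holds documents opened through Office Web Apps, and keep the output of the two check queries as a baseline for later permission reviews.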