Hello, PnP Provisioning experts,

SITUATION SPECIFICS

TARGET: newly created sub site in SP2013
IS SHAREPOINT ADD-IN? No
CODE CONTAINER: C# in a custom .NET 4.6.2 Console App
AUTHENTICATION: clientContext.Credentials = CredentialCache.DefaultNetworkCredentials (running the Console App as the same domain account that is a site collection administrator)
NUGET PACKAGE: SharePointPnPCore2013 v2.8.1610.1 (latest one at the time of this writing)

When ApplyProvisioningTemplate() is called, it successfully applies a saved .pnp site template to an existing sub site with the situation specifics above (no problem).

ISSUE

When ApplyProvisioningTemplate() is called when a saved .pnp site template has custom managed metadata site columns in it, an exception is thrown (note: full stack trace at the end of this message):

    Access denied. You do not have permission to perform this action or access this resource.

The ProgressDelegate messages stopped on "Term Groups":

    Regional Settings
    Supported UI Languages
    Features
    Term Groups

That gave me the immediate idea that this account does not have enough permission on the Managed Metadata service to read things inside it . So…In Central Admin, I added the (Test User) domain account I’m running the console app under to the Managed Metadata Service and gave it “Read Access to Term Store
permission.

After doing that, immediately re-ran the Console App, but same exact error.  :(

What am I missing? It shouldn’t need write permission, since the termsets and term groups are already in the farm, correct? Does it need more permissions than that?

Should I be configuring something else in Central Admin to give correct permissions to this account to access the Managed Metadata Service?  If so, where?

Any other ideas of things to try?  Anything else I'm missing?

Customer is looking for least privilege farm onfiguration above all else.

Thanks for any and all help.

Exception details:

Microsoft.SharePoint.Client.ServerUnauthorizedAccessException was unhandled by user code
HResult=-2146233088
Message=Access denied. You do not have permission to perform this action or access this resource.
ServerErrorCode=-2147024891
ServerErrorTraceCorrelationId=e575b39d-be11-5018-add7-0c0c29dd4875
ServerErrorTypeName=System.UnauthorizedAccessException
ServerStackTrace=""
Source=Microsoft.SharePoint.Client.Runtime
StackTrace:
at Microsoft.SharePoint.Client.ClientRequest.ProcessResponseStream(Stream responseStream)
at Microsoft.SharePoint.Client.ClientRequest.ProcessResponse()
at Microsoft.SharePoint.Client.ClientRequest.ExecuteQueryToServer(ChunkStringBuilder sb)
at Microsoft.SharePoint.Client.ClientRequest.ExecuteQuery()
at Microsoft.SharePoint.Client.ClientRuntimeContext.ExecuteQuery()
at Microsoft.SharePoint.Client.ClientContext.ExecuteQuery()
at Microsoft.SharePoint.Client.ClientContextExtensions.ExecuteQueryImplementation(ClientRuntimeContext clientContext, Int32 retryCount, Int32 delay)
at Microsoft.SharePoint.Client.ClientContextExtensions.ExecuteQueryRetry(ClientRuntimeContext clientContext, Int32 retryCount, Int32 delay)
at OfficeDevPnP.Core.Framework.Provisioning.ObjectHandlers.ObjectTermGroups.ProvisionObjects(Web web, ProvisioningTemplate template, TokenParser parser, ProvisioningTemplateApplyingInformation applyingInformation)
at OfficeDevPnP.Core.Framework.Provisioning.ObjectHandlers.SiteToTemplateConversion.ApplyRemoteTemplate(Web web, ProvisioningTemplate template, ProvisioningTemplateApplyingInformation provisioningInfo)
at Microsoft.SharePoint.Client.WebExtensions.ApplyProvisioningTemplate(Web web, ProvisioningTemplate template, ProvisioningTemplateApplyingInformation applyingInformation)