November 14
Demystifying SharePoint Admin Permissions

Recently I’ve gotten a couple of questions about how or where to apply administrative permissions in SharePoint. In a couple of cases someone has come to me after giving an account some permissions but it still couldn’t do what they needed. I’ve pointed people to my How to create a SharePoint 2010 admin account and stop using sp_farm blog post for some guidance. That blog post is more about the “how” and less about the “why.” So in this blog post I’m going to try to map out the “why.”

Again, this blog post is just about Farm Administrator permissions. It won’t cover any end user stuff. That stuff’s just confusing! It will cover four areas where server admin types can be given permission, and when that permission will work. Let’s dig in.

Web Application Policy

How Do You Give It?

In Central Admin > Manage Web Applications > Policy for Users

When does it work?

Only when the user is accessing SharePoint with a web browser through the web app’s URL, i.e. Internet Explorer pointed at http://portal.contoso.com

Why does it only work then?

That permission is telling the web app’s app pool to authorize that account to the URL in question. The app pool then accesses SharePoint on that user’s behalf like any other web request.

Farm Administrators in Central Admin

How do you give it?

In Central Admin > Security > Farm Administrators

When does it work?

When the user tries to log in to Central Admin

Why does it only work then?

Farm Administrators is just a SharePoint group that gives a user permission to log in to Central Admin; it functions just like SharePoint groups do in any site collection. The Central Admin app pool (the Farm Account) then accesses SharePoint on that user’s behalf like any other web request. In a few cases, such as creating new web apps, the user must also be a local admin.


SPShellAdmin

How do you give it?

From PowerShell with the Add-SPShellAdmin cmdlet.

When does it work?

  • When accessing SharePoint via PowerShell on the SharePoint server.
  • When accessing SharePoint via the object model in code on the SharePoint server
  • When using STSADM (blech!)

Why does it only work then?

It’s giving that account permissions directly to the SharePoint objects:

  • SQL databases
  • Local machine permissions and resources

Any code or PowerShell executed runs as the user’s own identity, not as another account like the methods above. These local permissions require direct access to the box to use, so they are safer than methods that work remotely. If the user needs remote permissions they should use one of the methods above.
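As an added example (not from the original post), here is the SPShellAdmin grant described above, followed by an audit of who holds that access on each database. It assumes you run it in a SharePoint Management Shell on a SharePoint server as an account that already has SPShellAdmin; CONTOSO\spadmin is a placeholder account name.

```powershell
# Load the SharePoint cmdlets if this is a plain PowerShell window.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Placeholder account; replace with the admin account you are setting up.
$account = 'CONTOSO\spadmin'

# Without -Database, Add-SPShellAdmin grants the SharePoint_Shell_Access
# role only on the farm configuration database and the Central Admin
# content database.
Add-SPShellAdmin -UserName $account

# Content databases must be granted individually with -Database.
Get-SPContentDatabase | ForEach-Object {
    Add-SPShellAdmin -UserName $account -Database $_
}

# Audit: because this access is granted per database, review it the same
# way. Get-SPShellAdmin alone reports the configuration database.
Write-Host 'Shell admins on the farm configuration database:'
Get-SPShellAdmin | Select-Object -ExpandProperty UserName

foreach ($db in Get-SPContentDatabase) {
    Write-Host "Shell admins on content database $($db.Name):"
    Get-SPShellAdmin -Database $db | Select-Object -ExpandProperty UserName
}

# When the access is no longer needed, Remove-SPShellAdmin takes the same
# -UserName and -Database parameters to revoke it per database.
```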

Service App Administrator

How do you give it?

Central Admin > Service Application Management. Highlight the service application and click “Administrators” in the ribbon. Add the user to the Administrators list.

When does it work?

When the service application administrator logs in to Central Admin.

Why does it only work then?

When a user is added as an administrator for a service application they are added to a SharePoint group in Central Admin called “Delegated Administrators.” This gives them permission to log in to Central Admin. Central Admin authorizes them to log in and gives them access to the service application they’ve been given access to. The Central Admin app pool (the Farm Account) then accesses SharePoint on that user’s behalf like any other web request.


I hope that clears up some of the confusion on why there are so many places you have to give administrators permissions.

tk

ShortURL: http://www.toddklindt.com/AdminPermissions
