Recently I’ve gotten a couple of questions about how or where to apply administrative permissions in SharePoint. In a couple of cases someone has come to me after giving an account some permissions but it still couldn’t do what they needed. I’ve pointed people to my How to create a SharePoint 2010 admin account and stop using sp_farm blog post for some guidance. That blog post is more about the “how” and less about the “why.” So in this blog post I’m going to try to map out the “why.”
Again, this blog post is just about Farm Administrator permissions. It won’t cover any end user stuff. That stuff’s just confusing! It will cover four areas where server admin types can be given permission, and when that permission will work. Let’s dig in.
Web Application Policy
How Do You Give It?
In Central Admin > Manage Web Applications > Policy for Users
When does it work?
Only when the user is reaching SharePoint through that web application's URL, e.g. Internet Explorer pointed at http://portal.contoso.com. It does nothing for PowerShell or code running on the server, and nothing for Central Admin.
Why does it only work then?
The policy is stored on the web application object and evaluated for every request that comes in through that web application's URL, which is why it overrides the site and list permissions underneath it. The web app's app pool identity then does the actual work in the content database on that user's behalf, like any other web request. Because the policy lives on one web application, it is per web application (and, optionally, per zone): an account that needs it on two web apps needs two policies.
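The same grant done from PowerShell, with a check that lists what the web application ended up with. This is an added example, not code from the original post; the web application URL http://portal.contoso.com and the account CONTOSO\spadmin are assumptions.

```powershell
# Added example, not from the original post. The URL and account below are hypothetical.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = "http://portal.contoso.com"
$account   = "CONTOSO\spadmin"

$wa = Get-SPWebApplication $webAppUrl

# Policies hang off the web application object. Site collections under it never see them;
# the policy is evaluated before their permissions are.
$existing = $wa.Policies | Where-Object { $_.UserName -eq $account }
if (-not $existing) {
    $policy      = $wa.Policies.Add($account, "SharePoint admin (web app policy)")
    $fullControl = $wa.PolicyRoles.GetSpecialRole(
        [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl)
    $policy.PolicyRoleBindings.Add($fullControl)
    $wa.Update()
}

# Check: every policy on this web application and the role(s) each one grants.
$wa.Policies | ForEach-Object {
    New-Object PSObject -Property @{
        Account = $_.UserName
        Roles   = ($_.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ", "
    }
}

# Caveat: $wa.Policies is the "all zones" policy set for this one web application only.
# Every other web application in the farm needs its own policy for the account.
```

Run it in the SharePoint 2010 Management Shell as an account that is already a shell admin. If you only want the policy on one zone (say, the extranet zone), use $wa.ZonePolicies($zone) instead of $wa.Policies.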
Farm Administrators in Central Admin
How do you give it?
In Central Admin > Security > Farm Administrators
When does it work?
When the user tries to log in to Central Admin
Why does it only work then?
Farm Administrators is just a SharePoint group in the Central Admin site collection. It works exactly like a SharePoint group in any other site collection: it gives the user permission to get into the Central Admin site, and the Central Admin app pool (the Farm Account) then accesses SharePoint on that user's behalf like any other web request. It does not give the account anything in the content web applications, in PowerShell, or in SQL. In a few cases, like creating new web apps, the user must also be a local administrator on the server running Central Admin, because that operation creates IIS sites and app pools.
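To see that it really is just a SharePoint group, you can read it the same way you would read any group in any site collection. This is an added example, not code from the original post; the account CONTOSO\spadmin is an assumption.

```powershell
# Added example, not from the original post. The account below is hypothetical.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$account = "CONTOSO\spadmin"

# Central Admin is just another web application. Its root web owns the Farm Administrators group.
$caWebApp = Get-SPWebApplication -IncludeCentralAdministration |
    Where-Object { $_.IsAdministrationWebApplication }
$caSite = $caWebApp.Sites[0]
$caWeb  = $caSite.RootWeb

try {
    $farmAdmins = $caWeb.SiteGroups["Farm Administrators"]

    # Who is in it today.
    $farmAdmins.Users | Select-Object LoginName, Name

    # Add the account if it is not already a member. SPGroup.AddUser(login, email, name, notes).
    if (-not ($farmAdmins.Users | Where-Object { $_.LoginName -eq $account })) {
        $farmAdmins.AddUser($account, "", $account, "Added from PowerShell")
    }

    # Check: the group is scoped to this one site collection, the Central Admin one.
    # Nothing here touches the content web applications.
    "Farm Administrators lives in: " + $caSite.Url
}
finally {
    # SPSite objects opened from the object model must be disposed.
    $caSite.Dispose()
}
```

Adding an account here lets it sign in to Central Admin; it still needs a web application policy (previous section) before it can open any content site, and Add-SPShellAdmin (next section) before it can run PowerShell against the farm.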
SPShellAdmin
How do you give it?
From PowerShell with the Add-SPShellAdmin cmdlet.
When does it work?
- When accessing SharePoint via PowerShell on the SharePoint server.
- When accessing SharePoint via the object model in code on the SharePoint server
- When using STSADM (blech!)
Why does it only work then?
Add-SPShellAdmin gives the account permissions directly on the things SharePoint is built from rather than on a SharePoint site:
- SQL databases: it adds the account to the SharePoint_Shell_Access database role on the configuration database, and on any content database you name with -Database
- Local machine permissions and resources: it adds the account to the local WSS_ADMIN_WPG group on the server
Any code or PowerShell that account runs executes as the user's own identity, not as an app pool account like the methods above, and talks to SQL directly. Because of that the user has to be able to log on to the SharePoint server to use it, which makes it harder to reach from outside than the web-based methods. If the user needs to administer the farm remotely, they should use one of the methods above.
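Granting shell access across the farm and then checking both places it lands (SQL and the local group). This is an added example, not code from the original post; the account CONTOSO\spadmin is an assumption.

```powershell
# Added example, not from the original post. The account below is hypothetical.
# Run this as an account that is already a shell admin and a local Administrator, and that
# has securityadmin on the SQL instance and db_owner on the databases: Add-SPShellAdmin
# writes to SQL directly, it does not go through the Farm Account.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$account = "CONTOSO\spadmin"

# With no -Database, the grant lands on the configuration database
# (SharePoint_Shell_Access role) and the local WSS_ADMIN_WPG group.
Add-SPShellAdmin -UserName $account

# The default grant does not cover content databases. Without this loop the account can
# run Get-SPFarm but Get-SPSite against a content database fails with an access error.
Get-SPContentDatabase | ForEach-Object {
    Add-SPShellAdmin -UserName $account -Database $_
}

# Check 1: shell admins on the config database, then per content database.
"-- Configuration database"
Get-SPShellAdmin
Get-SPContentDatabase | ForEach-Object {
    "-- " + $_.Name
    Get-SPShellAdmin -Database $_
}

# Check 2: the local group on this server. It is per server, so repeat on each box
# the account will run PowerShell from.
net localgroup WSS_ADMIN_WPG
```

Because the SQL role is the part doing the work, a content database added to the farm later will not include the account; re-run the loop (or Add-SPShellAdmin with -Database for just that database) when you attach one.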
Service App Administrator
How do you give it?
Central Admin > Service Application Management. Highlight the service application and click “Administrators” in the ribbon. Add the user to the Administrators list.
When does it work?
When that user logs in to Central Admin and manages that particular service application.
Why does it only work then?
Two things happen when a user is added as an administrator of a service application. The account is added to the service application's own administrator ACL, which is what decides which service applications it may manage. It is also added to a SharePoint group in Central Admin called “Delegated Administrators,” which is what gets it through the Central Admin front door; that group is scoped to the Central Admin site collection just like Farm Administrators is. Central Admin authorizes the login, shows the user only the service application they were granted, and the Central Admin app pool (the Farm Account) then accesses SharePoint on that user's behalf like any other web request. As with Farm Administrators, none of this grants anything in PowerShell or on the content web applications.
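The same grant from PowerShell, followed by checks on both of the places the previous paragraph describes: the service application's administrator ACL and Central Admin's Delegated Administrators group. This is an added example, not code from the original post; the account CONTOSO\mmsadmin and a Managed Metadata service application named "Managed Metadata Service" are assumptions.

```powershell
# Added example, not from the original post. The account and service application name are hypothetical.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$account = "CONTOSO\mmsadmin"
$sa = Get-SPServiceApplication | Where-Object { $_.DisplayName -eq "Managed Metadata Service" }

# -Admin selects the administrator ACL (the "Administrators" ribbon button),
# not the connection permissions (the "Permissions" button next to it).
$security  = Get-SPServiceApplicationSecurity $sa -Admin
$principal = New-SPClaimsPrincipal -Identity $account -IdentityType WindowsSamAccountName
Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights "Full Control"
Set-SPServiceApplicationSecurity $sa -ObjectSecurity $security -Admin

# Check 1: the ACL on the service application itself.
"-- Administrators on " + $sa.DisplayName
(Get-SPServiceApplicationSecurity $sa -Admin).AccessRules |
    Select-Object Name, AllowedRights

# Check 2: the Delegated Administrators group in Central Admin. Being in the ACL above is
# not enough on its own; the account also has to get through the Central Admin front door.
# If it is missing here, add it through the ribbon as described in the post.
$caSite = (Get-SPWebApplication -IncludeCentralAdministration |
    Where-Object { $_.IsAdministrationWebApplication }).Sites[0]
try {
    "-- Delegated Administrators in " + $caSite.Url
    $caSite.RootWeb.SiteGroups["Delegated Administrators"].Users |
        Select-Object LoginName, Name
}
finally {
    $caSite.Dispose()
}
```

The rights string is whatever that service application's administrator ACL defines; "Full Control" exists on the Managed Metadata service, and (Get-SPServiceApplicationSecurity $sa -Admin).NamedAccessRights lists the valid names for any other service application.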
I hope that clears up some of the confusion on why there are so many places you have to give administrators permissions.
tk
ShortURL: http://www.toddklindt.com/AdminPermissions