Tuesday, August 7, 2012

How To Set a Service Application Administrator in SharePoint 2010

SharePoint 2010 lets Farm Administrators delegate the administration of individual Service Applications. Once provisioned, a Service Application Administrator gains access to a security-trimmed Central Administration in which they can reach and configure only the roles granted to them. This is ideal when you want to hand off the Profile, Managed Metadata, or Search features to other departments.

Let's walk through how to use SharePoint 2010 to give a user least-privilege access to the User Profile Service Application, limited to Manage Audiences.
The user to whom we want to delegate Audience control is Kyle Wilson (CONTOSO\kwilson). If we simply sent him the link to Central Administration, he would be met with an Access Denied page.



Now, logged in as a Farm Administrator, go to Application Management > Manage Service Applications. Next, highlight the desired Service Application, in this case the User Profile Service Application, and select Administrators from the ribbon interface as shown below:



You will be presented with a screen similar to the screenshot below, where you add the account to which you want to delegate control. Notice that once the account is added you can grant granular access to only the roles you want to assign; in this instance we could assign Full Control, Manage Profiles, Manage Permissions, and so on. You may assign a single role, a combination of roles, or Full Control. Note that not all Service Applications provide this additional granularity.

We will select Manage Audiences and click OK to grant Kyle access.



If Kyle were to log into Central Administration now, he would be met with a security-trimmed UI that allows him only to navigate to the User Profile Service Application:




Once on the User Profile Service Application page, if Kyle tries to perform other, non-Audience tasks, such as configuring a sync connection or setting up My Sites, he will receive Access Denied.



With the Manage Audiences permission, Kyle can successfully access Manage Audiences and Schedule Audience Compilation.



If you later need to remove Kyle's access, use the same steps to uncheck and remove his account from the User Profile Service Application Administrator screen. However, when you assign Service Application admins, a group called Delegated Administrators gets created in Central Admin, and you will need to remove him from this group as well; otherwise he would still have access to Central Admin, just with no links.
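
The two-step removal described above, scripted as an added example (not part of the original post). It assumes the display name, account and group name used on this page, and it assumes how the account appears in ACL entries and group logins (see the comment); the check that keeps group membership while the account still administers another Service Application goes beyond the steps in the text.

```powershell
# Added example; run in the SharePoint 2010 Management Shell as a Farm Administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$AppName = 'User Profile Service Application'  # display name as used on this page
$Account = 'CONTOSO\kwilson'                   # account from this page
$Group   = 'Delegated Administrators'          # Central Administration group named on this page

# Assumption: ACL entries and group logins carry the account either bare or as a
# claim ending in "|DOMAIN\user"; adjust the match if your farm encodes it differently.
function Test-IsAccount([string]$Name) {
    return ($Name -eq $Account) -or $Name.EndsWith("|$Account", [StringComparison]::OrdinalIgnoreCase)
}

function Revoke-DelegatedAdmin {
    $app = Get-SPServiceApplication | Where-Object { $_.DisplayName -eq $AppName } | Select-Object -First 1
    if (-not $app) { throw "Service application '$AppName' not found." }

    # Step 1: drop every right the account holds in the Administrators ACL.
    $acl       = Get-SPServiceApplicationSecurity -Identity $app -Admin
    $principal = New-SPClaimsPrincipal -Identity $Account -IdentityType WindowsSamAccountName
    Revoke-SPObjectSecurity -Identity $acl -Principal $principal
    Set-SPServiceApplicationSecurity -Identity $app -ObjectSecurity $acl -Admin

    # Keep group membership if the account still administers another Service Application.
    $stillAdmin = Get-SPServiceApplication | Where-Object {
        $rules = (Get-SPServiceApplicationSecurity -Identity $_ -Admin -ErrorAction SilentlyContinue).AccessRules
        $rules | Where-Object { Test-IsAccount $_.Name }
    }
    if ($stillAdmin) {
        Write-Warning "$Account still administers: $(($stillAdmin | ForEach-Object { $_.DisplayName }) -join ', ')"
        return
    }

    # Step 2: remove the account from the group in the Central Administration site.
    $ca  = Get-SPWebApplication -IncludeCentralAdministration | Where-Object { $_.IsAdministrationWebApplication }
    $web = Get-SPWeb $ca.Url
    try {
        $member = $web.SiteGroups[$Group].Users | Where-Object { Test-IsAccount $_.LoginName } | Select-Object -First 1
        if ($member) { $web.SiteGroups[$Group].RemoveUser($member) }
        # Return who is left in the group so the result can be reviewed.
        $web.SiteGroups[$Group].Users | ForEach-Object { $_.LoginName }
    } finally { $web.Dispose() }
}

Revoke-DelegatedAdmin
```

The list it returns is the remaining membership of Delegated Administrators, which is worth reviewing against the accounts you still expect to hold Service Application rights.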



As you can see, this is a valuable way of delegating control to others so you as a Farm Administrator can focus on just that – the farm!
