R – Object Model Permission

sharepoint sharepoint-2007

I'm trying to confirm my findings on permissions.

In order for the SharePoint object model to be accessed from a console application or for that matter a WinForm application, the user running the application must have db_admin permission to the content database for the web application in question.

In order to use Microsoft.SharePoint.Administration (like calling SPFarm.Local.Solutions.Add) inside an ASP.NET application the following must be true:

  • The call must be wrapped with RunWithElevatedPrivileges like the following:

SPSecurity.RunWithElevatedPrivileges(delegate() { /* code to run */ });

  • The user accessing the ASP.NET page must be part of the Farm Administrators Group (the page is running under _layouts)

  • The user in the identity of the App Pool for the web application in question must also be in the Farm Administrators Group

Does this information look correct?

Best Answer

Yes, but within the web service code you call the functional code using RunWithElevatedPrivileges; this bypasses the identity you are running the web service as and instead uses the SPFarmAdmin user to execute the code.

Alternatively host the web service in an app pool which uses the same domain account as your central admin site, and allow anonymous access to the web service. This would be safe for internal use only and would mean that the web service always had elevated permissions.
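
An added example, not code from the question or the answer: one way to gate the SPFarm.Local.Solutions.Add call from the question on the caller's own farm-administrator status and on the input path before elevating, so the elevated block is not reachable by every user who can hit the page or service. The names `SolutionInstaller`, `AddSolution` and `AllowedDropFolder` are hypothetical, the folder path is a constructed sample, and the code assumes it runs in a SharePoint web context under _layouts.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration;

// Hypothetical helper for an application page or web service under _layouts.
public static class SolutionInstaller
{
    // Constructed sample value: the only folder .wsp files may be loaded from.
    private const string AllowedDropFolder = @"D:\SolutionDrop\";

    public static string AddSolution(string wspPath)
    {
        // 1. Authorize the caller BEFORE elevating. Inside the elevated block
        //    the code no longer runs as the caller, so this is the last point
        //    at which the caller's own rights are checked.
        if (!SPFarm.Local.CurrentUserIsAdministrator())
            throw new UnauthorizedAccessException("Caller is not a farm administrator.");

        // 2. Validate caller-supplied input: resolve ".." segments, then
        //    require the allowed folder and the .wsp extension.
        string fullPath = Path.GetFullPath(wspPath);
        if (!fullPath.StartsWith(AllowedDropFolder, StringComparison.OrdinalIgnoreCase) ||
            !fullPath.EndsWith(".wsp", StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("Solution path is outside the allowed folder.", "wspPath");

        // 3. Capture the caller's login for the audit line while still in the
        //    caller's context (CurrentUser is null for anonymous requests).
        SPUser caller = SPContext.Current != null ? SPContext.Current.Web.CurrentUser : null;
        string callerLogin = caller != null ? caller.LoginName : "(anonymous)";

        string solutionName = null;
        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            // Keep the elevated block as small as possible and do not reuse
            // SPContext objects here; they were created with the caller's token.
            SPSolution solution = SPFarm.Local.Solutions.Add(fullPath);
            solutionName = solution.Name;
        });

        // 4. Record who triggered the elevated operation.
        Trace.WriteLine(String.Format("Solution '{0}' added to farm store by {1}",
                                      solutionName, callerLogin));
        return solutionName;
    }
}
```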
