With the advent of
service applications and their standalone nature, Farm
Administrators have the ability to delegate responsibility on a per
service basis. No longer is the Farm Administrator the only person
managing the SharePoint deployment and, as a consequence, becoming a
bottleneck for the organization.
In this recipe we can see that services can be
assigned to the responsible party. The Central Administration UI will
show only the pages for which the Server Administrator has rights.
As an example, search is a
critical component of many SharePoint 2010 installations, and typically
there is a Subject Matter Expert who would be the administrator of this
service. Now that person can be assigned the role and that is the only
search service they will have access to administer.
Getting ready
You must have Farm Administrator rights or be an administrator of the service to perform this action.
The service you choose must be started and configured.
Create an Active Directory account that will be configured as an administrator for the Service Application.
How to do it...
Open Central Administration and click the Application Management option.
The third section is Service Applications. Click Manage Service Applications.
Navigate
to the service on which you are going to delegate authority. You can do
this by finding the Service application and clicking to the right of
the name. The whole line will be highlighted as seen in the next
screenshot:
When the whole line is highlighted, the ribbon lights up as seen in the next screenshot:
Click on the button named Administrators. An input form will be displayed.
The first box is the people picker box. Here, you
will type in the name of the person you wish to administer the service
application. By clicking the check icon, the system will validate the
user. You can also click the book icon and use the people picker.
After the administrator(s) are chosen, click the Add button. The Permissions box will dynamically be populated showing the level of control.
Finish the process by clicking OK at the bottom of the form. The administrators are now assigned.
How it works...
When a domain user account is granted permissions to a
service application, they are given the rights to manage the associated
service. From an administrative view, this is empowering to the user
and takes the responsibility from IT.
In addition, the user will be able to navigate to the Manage Service Applications
web page, but will be granted rights to only those services for which
they have permissions. The user will have access to these services
through Central Administration. They will be shown a subset of the
Central Administration User Interface.
The user will not see any other services, nor will they be able to manage any other services through PowerShell.
There's more...
PowerShell can be used in place of the UI to delegate administrative roles, using the following command:
Set-SPServiceApplicationSecurity <serviceapplication> -objectSecurity <security> -admin
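
The following is an added example, not code from the original recipe. It shows the full sequence around the command above: read the current administrators list, grant the right to one account, write the list back, and confirm the result. The service application name and the account name are placeholders, and "Full Control" is assumed to be one of the rights the script prints from NamedAccessRights.

```powershell
# Added example. Run from the SharePoint 2010 Management Shell as a Farm Administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$appName = "Search Service Application"   # placeholder display name
$account = "CONTOSO\search.admin"         # placeholder Active Directory account
$right   = "Full Control"                 # assumed right name, checked below

# Resolve exactly one service application so the grant cannot land on the wrong service.
$apps = @(Get-SPServiceApplication | Where-Object { $_.DisplayName -eq $appName })
if ($apps.Count -ne 1) {
    throw "Expected one service application named '$appName', found $($apps.Count)."
}
$app = $apps[0]

# Read the administrators ACL (-Admin), not the service permissions ACL.
$security = Get-SPServiceApplicationSecurity $app -Admin

# Record who already administers the service before changing anything.
Write-Host "Administrators before the change:"
$security.AccessRules | Format-List

# Confirm the right exists on this ACL instead of guessing its name.
$available = @($security.NamedAccessRights | ForEach-Object { $_.Name })
if ($available -notcontains $right) {
    throw "Right '$right' is not defined here. Available: $($available -join ', ')"
}

# Build a claims principal for the Windows account and add it to the in-memory ACL.
$principal = New-SPClaimsPrincipal -Identity $account -IdentityType WindowsSamAccountName
Grant-SPObjectSecurity $security -Principal $principal -Rights $right

# Persist the modified ACL; this is the command shown in the recipe.
Set-SPServiceApplicationSecurity $app -ObjectSecurity $security -Admin

# Re-read from the farm to verify what was actually stored.
Write-Host "Administrators after the change:"
(Get-SPServiceApplicationSecurity $app -Admin).AccessRules | Format-List
```

Keeping the before and after listings with the change record gives a simple audit trail of who holds administrative rights on each service application.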