Friday, April 27, 2007

Shared Service Provider Access Denied

As I have had plenty of time playing with MOSS installs/upgrades over the last week (in between jobs), I discovered an interesting behaviour with Shared Service providers. I tried to simulate a proper production install, so I installed MOSS and configured the farm with a test administrator account (e.g. testadmin). During the upgrade process (database migration of the _PROF, _SERV and _SITE db) I logged on as a different administrator (not a domain admin, but a local admin on the box).

Well, the upgrade went through without a problem and I was able to restore the SSP. I then added myself to have full control over the dev intranet site and the SSP site (using Policy for Web Application). I then navigated to the SSP site and configured the search. Then I went to update the profile information and it was there that I got the old Access Denied, you must sign in as someone else.

After scratching my head for a while, I discovered the 'Personalization services permissions' hyperlink in the SSP site. So I logged back in as testadmin (who at this time was the only user who could actually get to the profile settings page), invoked this function and added a new group to the list, giving them 'Create personal site', 'Use personal features', 'Manage user profiles', 'Manage audiences', 'Manage permissions' and 'Manage usage analytics' rights, and lo and behold I was able to edit profile settings with my normal local administrator account.


Jacob Ross said...

Thank you, thank you, thank you.

I had installed a Single-Server instance, for testing, and this issue kept getting in my way. Since I had done a fair number of, shall we say less-than-supported things to that instance, I chalked it up as generically broken.

When I started to deploy my pre-live farm and ran into the same issue - I was frustrated.

Your post was perfect.

Startup Cohorts said...

Let me know what the ideal groups are to which the SharePoint account should belong, as this account should be able to:
1. Create a Web application
2. Create a Web Site Collection
(NOTE, the New App Pool should get created in IIS)
3. Create a new SSP
4. Create a new PWA for the above site
(NOTE - should also create a new App Pool in IIS for the SSP).

Paisley said...

omg - you are a sharepoint GOD