Friday, April 27, 2007
Shared Service Provider Access Denied
As I have had plenty of time playing with MOSS installs/upgrades over the last week (in between jobs), I discovered an interesting behaviour with Shared Service providers. I tried to simulate a proper production install, so I installed MOSS and configured the farm with a test administrator account (e.g. testadmin). During the upgrade process (database migration of the _PROF, _SERV and _SITE db) I logged on as a different administrator (not a domain admin, but a local admin on the box). Well the upgrade went through without a problem and I was able to restore the SSP. I then added myself to have full control over the dev intranet site and the SSP site (using Policy for Web Application). I then navigated to the SSP site and configured the search. Then I went to update the profile information and it was there that I got the old Access Denied, you must sign in as someone else. After scratching my head for a while, I discovered the 'Personalization services permissions' hyperlink in the SSP site. So I logged back in as testadmin (who at this time was the only user who could actually get to the profile settings page), invoked this function and added a new group to the list, giving them 'Create personal site', 'Use personal features', 'Manage user profiles', 'Manage audiences', 'Manage permissions' and 'Manage usage analytics' rights, and low and behold I was able to edit profile settings with my normal local administrator account.