I'm trying to confirm my findings on permissions.

In order for the SharePoint object model to be accessed from a console application or for that matter a WinForm application, the user running the application must have db_admin permission to the content database for the web application in question.

In order to use Microsoft.SharePoint.Administration (like calling SPFarm.Local.Solutions.Add) inside an ASP.NET application the following must be true:

  • The call must be wrapped with RunWithElevatedPrivileges like the following:

SPSecurity.RunWithElevatedPrivileges(delegate() { /* code to run */ });

  • The user accessing the ASP.NET page must be part of the Farm Administrators Group (the page is running under _layouts)

  • The user in the identity of the App Pool for the web application in question must also be in the Farm Administrators Group

Does this information look correct?

+1  A: 

Edit: Contrary to Michael's comment I have assumed that this app is not going to be run from within the SP farm.

I would not recommend this approach at all as it is an unsupported method of using the SharePoint OM.

You are much better off writing a web service that sits on the SP farm and uses the OM, and then access the web service methods to perform your required functionality.

You could also look at the out of the box SharePoint web services.

RunWithElevatedPrivileges will not work in your scenario I don't think, as it requires a base identity to fall back on, which in the case of code executing on the SP farm is the SP App Pool identity, which is usually a farm admin account.

I am happy to be corrected on all of this, but certainly in my environment it would not be wise to invest in a non-standard and unsupported approach to a problem.

Charlie
A: 

Yes, Michael, the apps are running on the server.

Charles, I have looked at the out of the box Web Services quite a bit. In some areas I felt quite limited. That is why I wanted to go my own route.

I will definitely look at the approach of writing my own web service. But won't that web service still need proper privileges to the Object Model?

hobbyman
A: 

Yes, the web service will need proper access rights, but this is easier to control with a web service running locally.

However if as you say the apps are always running on the server then using RunWithElevatedPrivileges will solve any permissions issues as you are in effect running that code as an SPFarmAdmin (as long as the app pool identity is configured correctly).

Note: you could use this approach with either bespoke web services or client apps such as console applications or windows forms.

Charlie
A: 

If I create a Web Service, will the methods called be running under the permissions passed from the calling program?

If my webservice is named ABC.asmx on server SPDev1 and I have a console application on my desktop, I will have to pass permission information from my desktop, correct? And the calls in the ABC.asmx web service will be running as my desktop userid, correct? If that is the case then writing my own web service doesn't buy me much.

hobbyman
+1  A: 

Yes, but within the web service code you call the functional code using RunWithElevatedPrivileges; this bypasses the identity you are running the web service as and instead uses the SPFarmAdmin user to execute the code.

Alternatively host the web service in an app pool which uses the same domain account as your central admin site, and allow anonymous access to the web service. This would be safe for internal use only and would mean that the web service always had elevated permissions.

Charlie
A: 

Apologies hobbyman, I never saw your reply.

If you use RunWithElevatedPrivileges then it doesn't matter which user the web service runs as, because you are effectively impersonating a farm admin account.

You could additionally do your own impersonation within the web service and impersonate any user you wish.

Essentially if the web service is running within a given application pool then the web service will run under the identity which the app pool runs as. Does this clarify things?

Charlie
OK - I'll try the web service next.
hobbyman
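The pattern the answers above describe (a web service hosted on the farm whose admin calls are wrapped in RunWithElevatedPrivileges, which reverts to the app pool identity), as an added example that is not code from any poster in this thread. It assumes an ASMX service compiled against Microsoft.SharePoint.dll and hosted in an app pool whose account is in Farm Administrators; the service namespace and the .wsp path are placeholders.

```csharp
// Added example, not from any poster in this thread. Assumes an ASMX web service
// hosted on the SharePoint farm; the namespace below is a placeholder.
using System;
using System.Security.Principal;
using System.Web.Services;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration;

[WebService(Namespace = "http://example.invalid/sharepoint-admin")]
public class FarmAdminService : WebService
{
    // Reports the identity outside and inside the elevated block, so the switch the
    // thread describes (authenticated caller -> app pool account) is visible.
    [WebMethod]
    public string WhoAmI()
    {
        string outside = WindowsIdentity.GetCurrent().Name;   // the caller's identity
        string inside = null;
        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            inside = WindowsIdentity.GetCurrent().Name;       // the app pool identity
        });
        return "caller=" + outside + "; elevated=" + inside;
    }

    // Adds a farm solution. Elevation only swaps the Windows identity to the app pool
    // account (which must be a farm admin, as the thread says), so the caller is
    // authorized first instead of letting any caller run farm-admin code.
    [WebMethod]
    public string AddSolution(string wspPath)
    {
        // Check before elevating: inside the elevated block the "current user" would
        // already be the app pool account and the check would always pass.
        if (!SPFarm.Local.CurrentUserIsAdministrator())
            throw new UnauthorizedAccessException("Caller is not a farm administrator.");

        string solutionName = null;
        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            // Everything touching Microsoft.SharePoint.Administration runs here,
            // under the app pool identity rather than the web service caller.
            SPSolution solution = SPFarm.Local.Solutions.Add(wspPath);
            solutionName = solution.Name;
        });
        return solutionName;
    }
}
```

Because the elevated block always runs as the app pool account, enabling anonymous access on such a service (as one answer suggests) means the caller check above is the only thing standing between an unauthenticated request and a farm-admin operation.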