views: 5009
answers: 4

I have an issue that is driving me a bit nuts: using a UserProfileManager as a non-authorized user.

The problem: The user does not have "Manage User Profiles" rights, but I still want to use the UserProfileManager. The idea of using SPSecurity.RunWithElevatedPrivileges does not seem to work, as the UserProfileManager authorizes against the SSP as it seems.

    // Runs the delegate as the application pool identity (here NT AUTHORITY\network service),
    // not as the calling user.
    SPSecurity.RunWithElevatedPrivileges(delegate()
    {
        // Re-open the site inside the elevated scope so it is bound to the elevated identity.
        using (SPSite site = new SPSite(inputWeb.Site.ID))
        {
            ServerContext ctx = ServerContext.GetContext(site);
            // Second argument is ignoreUserPrivacy; true requests administrator mode,
            // which is what demands the "Manage User Profiles" right. This is the line that throws.
            UserProfileManager upm = new UserProfileManager(ctx, true);
            UserProfile u = upm.GetUserProfile(userLogin);
            DepartmentName = u["Department"].Value as string;
        }
    });

This still fails on the "new UserProfileManager" line, with the "You must have manage user profiles administrator rights to use administrator mode" exception.

As far as I understood, RunWithElevatedPrivileges reverts to the AppPool Identity. WindowsIdentity.GetCurrent().Name returns "NT AUTHORITY\network service", and I have given that account Manage User Profiles rights - no luck.

site.RootWeb.CurrentUser.LoginName returns SHAREPOINT\system for the site created within RunWithElevatedPrivileges, which is not a valid Windows Account of course.

Is there even a way to do that? I do not want to give all users "Manage User Profiles" rights, but I just want to get some data from the user profiles (Department, Country, Direct Reports). Any ideas?

+2  A: 

The permission that needs to be set is actually found in the Shared Service Provider.

  1. Navigate to Central Admin
  2. Navigate to the Shared Service Provider
  3. Under User Profiles and My Sites, navigate to Personalization services permissions.
  4. If the account doesn't already exist, add the account that your site's App Domain is running under.
  5. Grant that user the Manage user profiles permission.

I notice that you're running the application pool under the Network Service account. I implemented an identical feature on my site; however, the application pool was hosted under a Windows account. I'm not sure why this would make a difference, however.

senfo
That does not seem to work for Network Service. Over the weekend, I'll try whether it works with a domain account. Using a Domain Account is recommended anyway AFAIK, but my Dev Machine is a Standalone server.
Michael Stum
Interesting. I'll check back at this post after this weekend. If it still doesn't work, leave me another comment and I'll see what I can dig up. Your code looks fine and I know this works because I've done it in the past.
senfo
+2  A: 

There are two ways I've actually managed to accomplish this:

  1. Put the code that uses the UserProfileManager behind a web services layer. The web service should use an application pool identity that has access to the User Profile services.
  2. Use the impersonation technique described in the following article: http://www.dotnetjunkies.com/WebLog/victorv/archive/2005/06/30/128890.aspx
Jan Tielens
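As an added example of the first option above (a web services layer), and not code from anyone in this thread, here is a hypothetical ASMX service in C# that confines the privileged identity to one small, read-only endpoint. It assumes the service is deployed in its own IIS application whose application pool runs as a domain service account that has been granted "Manage user profiles" in the SSP, that the project references Microsoft.SharePoint and Microsoft.Office.Server, that `SiteUrl` is replaced with a real site collection served by that SSP, and that the profile properties "Department", "Country" and "Manager" exist in the profile store. The class and method names are my own.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Services;
using Microsoft.Office.Server;
using Microsoft.Office.Server.UserProfiles;
using Microsoft.SharePoint;

// Serializable DTO: ASMX can return this, unlike a Dictionary.
public class ProfileField
{
    public string Name;
    public string Value;

    public ProfileField() { }
    public ProfileField(string name, string value)
    {
        Name = name;
        Value = value;
    }
}

// Hypothetical read-only lookup service (example code, not from the thread).
// Callers never need "Manage user profiles" themselves: the right belongs to
// this service's application pool account only, and the service discloses
// nothing beyond the properties in AllowedProperties.
[WebService(Namespace = "http://example.invalid/profilelookup")]
public class ProfileLookupService : WebService
{
    // Allow-list: the only profile properties this service will ever hand back.
    private static readonly string[] AllowedProperties = { "Department", "Country", "Manager" };

    // Placeholder: URL of any site collection hosted by the SSP that owns the profiles.
    private const string SiteUrl = "http://sharepoint.example.invalid";

    [WebMethod]
    public ProfileField[] GetProfileFields(string accountName)
    {
        if (string.IsNullOrEmpty(accountName) || accountName.Length > 256)
            throw new ArgumentException("accountName is required", "accountName");

        List<ProfileField> result = new List<ProfileField>();

        // No RunWithElevatedPrivileges here: this code already executes as the
        // service's own application pool identity, which holds the SSP right.
        using (SPSite site = new SPSite(SiteUrl))
        {
            ServerContext ctx = ServerContext.GetContext(site);
            // ignoreUserPrivacy = true is what requires "Manage user profiles";
            // acceptable here because only allow-listed fields leave this method.
            UserProfileManager upm = new UserProfileManager(ctx, true);

            // Unknown account: return an empty set instead of throwing, so the
            // caller learns nothing about which logins exist in the profile store.
            if (!upm.UserExists(accountName))
                return result.ToArray();

            UserProfile profile = upm.GetUserProfile(accountName);
            foreach (string name in AllowedProperties)
            {
                object value = profile[name].Value;
                result.Add(new ProfileField(name, value == null ? string.Empty : value.ToString()));
            }

            // Direct reports: expose account names only, never whole profiles.
            List<string> reports = new List<string>();
            foreach (UserProfile report in profile.GetDirectReports())
                reports.Add(report["AccountName"].Value as string);
            result.Add(new ProfileField("DirectReports", string.Join(";", reports.ToArray())));
        }
        return result.ToArray();
    }
}
```

The point of the split is least privilege: the site's own application pool keeps running as an unprivileged account, and the only code path that holds "Manage user profiles" is this method, which takes one login name and returns a fixed set of fields. Lock the service down with Windows authentication in IIS so that only the consuming web application's identity can call it, and grow `AllowedProperties` deliberately rather than returning the whole profile.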
+1  A: 

Thanks for the Answers. One Caveat: if you run the Application Pool as "Network Service" instead of a Domain Account, you're screwed.

But then again, it's recommended to use a domain account anyway (On a test server I used network service, but after changing it to a domain account it worked).

Michael Stum
Yes, that's what I've come to after a day of attempts to revert impersonation to NETWORK SERVICE and then create a user profile property, it all ends in a native method which doesn't give you the permission.
axk
+1  A: 

Here's the answer. It's a stupid Microsoft bug, and there is a hotfix. I'm downloading it now to test it.

http://support.microsoft.com/kb/952294/en-us

Thanks. Going to check that out as well soon.
Michael Stum