Wednesday, September 3, 2014

Misconceptions about SharePoint farm admin account

Two days ago I received a call regards to SharePoint farm admin account access level.

“SharePoint farm admin account has access to all site collection and able to site content” the argument is

“Farm admin defined in Central Admin will always have full access to everything in the farm, because they are by nature, farm admin.”

My reply was NO SharePoint farm admin account by default don’t have access to SharePoint Site collection or site content, unless the user is member of “Domain User” AD group. (By default when you create user in AD which automatically add user to “Domain User group”

So decided to try myself :

Created new user called user1 on my AD

image

Created Site Collection with User 1 as primary administrator

image

Login using Farm admin account  “Sorry, this site hasn’t been shared with you.

image

Login using User 1 account

image

Farm Administrator: This account refer to the SharePoint Administrator like us, these accounts are usually user account and they just explore the Central admin. A user with Farm Admin rights is not automatically granted rights in Site Collections. To bypass having to add the user to every Site Collection, in Central Administration go to Manage Web Applications.

Farm administrators have no access to site content by default; they must take ownership of site collections to view any content. They can do this by adding themselves as site collection administrators—but ideally, they’ll leave the content management side to you, so they can focus on the software.

SharePoint farm administrators (refer to http://office.microsoft.com/en-us/sharepoint-server-help/permissions-for-site-collection-administrators-HA101943260.aspx)

SharePoint farm administrators control settings in the SharePoint Central Administration Web site – that is, settings that apply to all the site collections in your organization’s SharePoint deployment. They also create site collections and set the first layer of permissions for site collections.

These settings affect the types of decisions that you can make, as a site collection administrator. Here are the permissions decisions that farm administrators can make:

  • Enable or disable the anonymous access feature.
  • Specify which permission levels are available for you to choose from.
  • Specify which individual permissions are available within each permission level.
  • Choose how much of SharePoint Designer is available in the site collection.
  • Choose which users can manage service applications, such as the User Profile Service application, or Search. Each service application has its own customizable permission settings.
  • Add another user as a farm administrator.

No comments: