SharePoint Service Application permissions demystifying


  • Hi all,

    Recently i have been cleaning up the permissions on Service applications and wondered if anyone knows written material where could be found or can simply explained this:

    1. Administrators option on Service Application ribbon

    2. Permissions option on Service Application ribbon

         and Local Farm account or group that can be found within permissions


    1. Administrators option - To manage access to Service app trough CA

    All Farm administrators already have access to manage all service applications, so here you can add someone in specific if that person is not already in Farm admin group and you want them to be able to login to CA and manage specific web application.

    2. Permissions - to allow/deny specific web application to use service application 

    If there is Local Farm i guess all web applications can use this service application?

    What would be benefit to add some specific user (like admin or some other person) to this?

    Many thanks,


    Kind regards, Dusan Tomic

    Friday, April 14, 2017 9:17 AM


  • SharePoint 2013 permissions are a bit interesting, the model in 2010 is in theory the same but the implementation was flawed and gave too much permission to farm accounts. It got complicated.

    First you should almost never be logging in with the service accounts. Your Admins are the single biggest security weakness you'll find, always make them log in with individual dedicated administration accounts.

    Within that if you're in a normal farm (i.e. not a huge company) then you probably have a hand full of admins who can manage everything. They, with their named accounts, will be in the farm admins group.

    In addition to that they would need to be named in some or all of the service applications as administrators to allow them to configure some of the details of the applications. The farm admins can add themselves to it but in more complicated scenarios it's not considered good practice.

    Sunday, April 16, 2017 1:04 PM