locked
SSP access denied on secondary site collection admin RRS feed

  • Question

  • i am a member of Farm Admin group. As a add a secondary administrator on SSP site collection i got access denied. Please advise Thanks
    cal_bonjovi
    Tuesday, September 13, 2011 10:35 AM

Answers

  • Hi,

     

    Site collection administrators and other users with Full Control permission can add other site collection administrators at any time.

     

    The farm administrator accounts have full read and write access to the configuration database, Central Administration, and the SSP database, but have no permissions to the Shared Services Administration site. The farm administrator account used to create the SSP has Full Control permission to the Shared Services Administration site. Other accounts added to the farm administrators group have no permissions to the Shared Services Administration site.

     

    For the detailed information about managing permissions to the Shared Services Administration site, see this link:

     

    http://technet.microsoft.com/en-us/library/cc262153(office.12).aspx

     

    Thanks,

    Rock Wang

    Forum Support

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Regards, Rock Wang Microsoft Online Community Support
    Wednesday, September 14, 2011 6:47 AM
  • Delegating administration duties for a SharePoint Shared Service Provider (SSP) separates duties while keeping the environment secure and practicing the principle of least privilege. The process to grant access to other administrators might not be so obvious at first because you do not assign all SSP permissions in the Site Permissions section using SharePoint groups as one might expect.

    When you add a new user account to the SSP site, even if you grant them Full Control permissions or add them as a Site Collection Administrator, initially they will experience access denied error messages when they click on any of the following links:

    • User profiles and properties
    • Profile services policies
    • My Site settings
    • Personalization services permissions
    • Audiences
    • Import application definition
    • Business Data Catalog permissions

    These sections need to have permissions explicitly set. Initially, the setup account will have full access to the SSP, so use that account to grant rights to new SSP administrators you wish to delegate SSP administrative duties to.

    Notice the items highlighted in bold in the list above. These are where you assign the remaining SSP permissions. Adding new SSP administrators to the "Personalization services permissions" section and granting appropriate rights will grant rights related to the first five links in the list above. Repeating the process in the "Business Data Catalog permissions" section will grant rights related to the last two links.

    At this point, the new SSP administrator has all the appropriate access permissions they need to administrate the SSP.

    http://msmvps.com/blogs/shane/archive/2007/08/06/give-a-user-access-to-the-ssp.aspx

     

    Wednesday, September 14, 2011 3:10 PM

All replies

  • Being a member of the Farm Admin group alone will not give you access to everything in SP. Only the admin account used during installation has by default access to everything. Does it work if you use this account?

    Tuesday, September 13, 2011 1:28 PM
  • Even if i use the System Account, it is still not working.. Not working on adding secondary administrator. System Account cant add to peoples and group also inside SSP. But System account can go to SSP without problems
    cal_bonjovi
    Tuesday, September 13, 2011 1:33 PM
  • Are you able to see who the primary administrator of the SSP site collection is? If it is not an account you already use, try this one.
    Tuesday, September 13, 2011 1:47 PM
  • i noticed that there is policy on web applications.. i can add users in there and right now i can access SSP. but im still trying to figure out why i cant add users in SSP eventhough i have full control in Policy Web App
    cal_bonjovi
    Tuesday, September 13, 2011 2:00 PM
  • Hi,

     

    Site collection administrators and other users with Full Control permission can add other site collection administrators at any time.

     

    The farm administrator accounts have full read and write access to the configuration database, Central Administration, and the SSP database, but have no permissions to the Shared Services Administration site. The farm administrator account used to create the SSP has Full Control permission to the Shared Services Administration site. Other accounts added to the farm administrators group have no permissions to the Shared Services Administration site.

     

    For the detailed information about managing permissions to the Shared Services Administration site, see this link:

     

    http://technet.microsoft.com/en-us/library/cc262153(office.12).aspx

     

    Thanks,

    Rock Wang

    Forum Support

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Regards, Rock Wang Microsoft Online Community Support
    Wednesday, September 14, 2011 6:47 AM
  • Delegating administration duties for a SharePoint Shared Service Provider (SSP) separates duties while keeping the environment secure and practicing the principle of least privilege. The process to grant access to other administrators might not be so obvious at first because you do not assign all SSP permissions in the Site Permissions section using SharePoint groups as one might expect.

    When you add a new user account to the SSP site, even if you grant them Full Control permissions or add them as a Site Collection Administrator, initially they will experience access denied error messages when they click on any of the following links:

    • User profiles and properties
    • Profile services policies
    • My Site settings
    • Personalization services permissions
    • Audiences
    • Import application definition
    • Business Data Catalog permissions

    These sections need to have permissions explicitly set. Initially, the setup account will have full access to the SSP, so use that account to grant rights to new SSP administrators you wish to delegate SSP administrative duties to.

    Notice the items highlighted in bold in the list above. These are where you assign the remaining SSP permissions. Adding new SSP administrators to the "Personalization services permissions" section and granting appropriate rights will grant rights related to the first five links in the list above. Repeating the process in the "Business Data Catalog permissions" section will grant rights related to the last two links.

    At this point, the new SSP administrator has all the appropriate access permissions they need to administrate the SSP.

    http://msmvps.com/blogs/shane/archive/2007/08/06/give-a-user-access-to-the-ssp.aspx

     

    Wednesday, September 14, 2011 3:10 PM
  • Hi,

     

    How is it going? If you have any questions, feel free to reply to the forum.

     

    Thanks,

    Rock Wang

    Forum Support

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Regards, Rock Wang Microsoft Online Community Support
    Friday, September 23, 2011 3:38 AM