Manage permissions to the Shared Services Administration site

Applies To: Office SharePoint Server 2007

This Office product will reach end of support on October 10, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

 

Topic Last Modified: 2015-03-09

The Shared Services Administration site is the site collection that contains the administration pages for the shared services settings for a Shared Services Provider (SSP). The View Only permission to the site is required to administer any of the shared services for Microsoft Office SharePoint Server 2007, and a Viewers group is created by default with this permission. Site collection administrators and other users with Full Control permission to the site can add other users to the site and manage their site permissions. Site collection administrators can also add Design and Contribute permissions for users who are customizing the administration pages and other content on the site collection.

Typically, one user or a small number of users will be site collection administrators or have Full Control permissions. A site collection administrator selects one or more additional users with View Only permission in the Viewers group to act as administrators of one or more shared services.

In this article:

  • Default permissions to the Shared Services Administration site

  • Managing permissions after installation

  • Use the farm administrator account to add users to the Shared Services Administration site

  • Task requirements

Default permissions to the Shared Services Administration site

The Shared Services Administration site is created during installation of Microsoft Office SharePoint Server 2007. In a Basic installation, one account is used during installation as the default farm administrator account and the administrator of the Shared Services Administration Web site. The Basic installation automatically creates the SSP and the Shared Services Administration site using the default farm administrator account.

Note

In a Basic installation, the farm administrator account is made the site collection administrator for the Shared Services Administration site.

In a farm installation, these administrator accounts can be assigned to two unique accounts, as follows:

  • The default farm administrator account is used to create Web applications during installation, including the Web application and application pool for the Shared Services Administration site. The farm administrator account must be a member of the local Administrators group on the server hosting the Shared Services Administration site. If the farm administrator account is not also a member of the local Administrators group, no Web applications can be created.

  • A farm administrator can add another farm administrator account, and that separate account can be used to create the SSP, including the SSP database and the site collection for the Shared Services Administration site. This account is subsequently made the site collection administrator for the Shared Services Administration site. This account has the Full Control permission enabled for the Shared Services Administration site. This account is also granted all of the services permissions for both personalization services and the Business Data Catalog.

    Note

    Creating these two unique accounts is recommended. In most farm installations, different users will be responsible for farm administration and shared services administration, and using two separate accounts helps to improve security by limiting the authorization permissions of any one account.

To help preserve security, the site administrator account for the Shared Services Administration site cannot access the SharePoint Central Administration Web site, and cannot write to the configuration database.

The farm administrator accounts have full read and write access to the configuration database, Central Administration, and the SSP database, but have no permissions to the Shared Services Administration site. The farm administrator account used to create the SSP has Full Control permission to the Shared Services Administration site. Other accounts added to the farm administrators group have no permissions to the Shared Services Administration site. These permissions are summarized in the following table.

| Account | Configuration database | SharePoint Central Administration site | SSP database | Shared Services Administration site |
|---|---|---|---|---|
| Farm administrator | Full Control | Full Control | Full Control | No access (except for account used to create the SSP, or if a policy for the Web application is created) |
| SSP administrator | No access | No access | Full Control | Full Control |

Note

Although anyone with the Full Control permission on the SharePoint Central Administration Web site (including farm administrators) can delete the SSP Web application from Central Administration, doing so is strongly discouraged because it renders the SSP non-functional. If the Web application is deleted, the only resolution is to restore the SSP from a recent backup. For more information about how to restore from a backup, see Back up and restore an entire farm (Office SharePoint Server 2007).

After installation, the default site collection administrator for the Shared Services Administration site can grant administrators of one or more shared services View Only permission to the site. Any user with View Only permission to the site can manage targeted links in personalization services and administer search and Excel Services. Users with additional services permissions can manage permissions, user profiles, My Sites, audiences, and usage reporting. Note that none of these management tasks requires site administrator permissions. The site collection administrator also grants services permissions to other users after installation. For more information about services permissions, see Manage permissions for personalization services and Manage authorization for the Business Data Catalog.

Managing permissions after installation

Site collection administrators and other users with Full Control permission can add other site collection administrators at any time. They can also create and manage SharePoint groups, add or remove users from groups, and add or remove permissions directly, just like site collection administrators for any other site. The available permissions are Full Control, Design, Contribute, Read, and View Only.

The following practices are recommended:

  • Full Control permission should be granted to site collection administrators only. As few people as possible should have full control over the site.

    Note

    New site collection administrators do not have any of the services permissions until they are granted those permissions by a user with the Manage Permissions permission. The exceptions to this include the farm administrator account that was used to create the SSP and the site collection for the Shared Services Administration site, and any account that has Full Control permission in a policy for the Web application for the Shared Services Administration site. Those accounts are granted all of the services permissions.

  • Most other users should be granted View Only permission. This is sufficient to access the administration pages, if the user also has the necessary services permissions.

  • Design and Contribute permissions should be used only for the accounts used to customize the administration pages or approve content on the site, if those accounts are distinct from the site collection administrator account. If no customization or content approval is required, do not use these groups.

  • Additional groups are typically not necessary, and should only be created if there is a specific business need for a different set of permissions than are provided in the default groups for the Shared Services Administration site.

Note that any user with at least View Only permission to the Shared Services Administration site can manage shared services settings for Search, Excel Calculation Services, and configuration of targeted links. Users must have additional services permissions to manage import connections, user profiles, audiences, or usage reporting. For more information about services permissions, see Manage permissions for personalization services and Manage authorization for the Business Data Catalog.

Use the farm administrator account to add users to the Shared Services Administration site

Site collection administrators for the Shared Services Administration site can add or remove any account from any group, including their own personal accounts. This can result in a situation where no users are site collection administrators and permissions for the site can no longer be managed. It can even result in a situation where no user has any permission to the site at all. Site collection administrators should be careful not to do this. However, if this does occur, a farm administrator account can be used to add a site collection administrator for the site. The farm administrator can also add services permissions to the site if the Manage Permissions permission is removed from all users.
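The recommended practices under "Managing permissions after installation" and the lockout condition described above can be checked against a periodic export of the site's permissions. The following is an added example, not Microsoft code: the Grant record format, the rule names, the customizers parameter, and the CONTOSO accounts are assumptions made for illustration, and the sample data is constructed.

```python
from collections import namedtuple

# Hypothetical export format (not a SharePoint API): one row per account or
# group holding a permission level on the Shared Services Administration site.
Grant = namedtuple("Grant", "principal level is_site_collection_admin")

# The permission levels the article lists as available on the site.
LEVELS = {"Full Control", "Design", "Contribute", "Read", "View Only"}


def audit_ssp_site(grants, customizers=frozenset()):
    """Return (rule, principal, message) findings.

    customizers: accounts approved to customize the administration pages
    or approve content (the only intended holders of Design/Contribute).
    """
    findings = []
    if not grants:
        findings.append(("no-access", None,
                         "no user has any permission to the site; a farm "
                         "administrator must add a site collection administrator"))
    elif not any(g.is_site_collection_admin for g in grants):
        findings.append(("no-site-collection-admin", None,
                         "permissions can no longer be managed from the site; "
                         "a farm administrator must add a site collection administrator"))
    for g in grants:
        if g.level not in LEVELS:
            findings.append(("unknown-level", g.principal,
                             f"unexpected permission level {g.level!r}"))
        elif g.level == "Full Control" and not g.is_site_collection_admin:
            findings.append(("full-control-not-admin", g.principal,
                             "Full Control should be limited to site collection administrators"))
        elif g.level in ("Design", "Contribute") and g.principal not in customizers:
            findings.append(("unapproved-design-contribute", g.principal,
                             f"{g.level} is intended only for customization accounts"))
    return findings


# Constructed sample export.
SAMPLE = [
    Grant("CONTOSO\\ssp-admin", "Full Control", True),
    Grant("CONTOSO\\search-admin", "View Only", False),
    Grant("CONTOSO\\helpdesk", "Full Control", False),
    Grant("CONTOSO\\web-designer", "Design", False),
    Grant("CONTOSO\\intern", "Contribute", False),
]

if __name__ == "__main__":
    for rule, who, msg in audit_ssp_site(SAMPLE, {"CONTOSO\\web-designer"}):
        print(f"[{rule}] {who or '-'}: {msg}")
```
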

Task requirements

The following is required to perform the procedures for this task:

  • Administrators must be site administrators on the Shared Services Administration site.

To manage permissions to the SSP administration site, you can perform the following procedures:

See Also

Concepts

Manage permissions for personalization services
Manage authorization for the Business Data Catalog