Grant permission to access the managed metadata service (SharePoint Server 2010)

 

Applies to: SharePoint Server 2010

When you create a connection from a Web application to a service in SharePoint Server 2010, the connection runs using the credentials of the Web application's application pool account. Before you can create a connection to a managed metadata service, the service must first grant permission to the application pool account of the Web application. Users of sites in the Web application can perform different actions depending on the permission that the service grants to the application pool account. There are three levels of permission: read, restricted, and full.

The following table indicates which actions are enabled, depending on the permissions the service grants.

| Action | Read | Restricted | Full |
| --- | --- | --- | --- |
| View terms and term sets | Yes | Yes | Yes |
| Add existing terms and existing enterprise keywords to documents and list items | Yes | Yes | Yes |
| Bind columns to existing term sets | Yes | Yes | Yes |
| View and use content types from the content type hub (if the service provides a hub) | Yes | Yes | Yes |
| Add new terms to open term sets | | Yes | Yes |
| Create new enterprise keywords (if the connection is configured to enable this) | | Yes | Yes |
| Create local term sets (if the connection is configured to enable this) | | Yes | Yes |
| Add and modify content types in the content type hub (if the service provides a hub) | | | Yes |
| Manage terms and term sets (if the user is authorized to do this) | | | Yes |

Procedures in this task:

  • Grant permission to access the managed metadata service

  • Revoke permission to access the managed metadata service

Task Requirements

The following are required to perform the procedures for this task:

  • The account to be granted permission must already exist.

  • The managed metadata service must already exist.

Grant permission to access a managed metadata service

Use this procedure to grant a service account permission to access a managed metadata service.

Security Note
By default, all application pool accounts on the local farm are granted full permissions to the service. To grant read or restricted access to an account, first revoke or reduce the Local Farm group’s permissions to the service by using the procedures in this article.

Administrative credentials

To use this procedure, you must be a member of the Farm Administrators SharePoint group on the computer that is running the SharePoint Central Administration Web site.

To grant a service account permission to access a managed metadata service by using Central Administration

  1. On the home page of the SharePoint Central Administration Web site, under Application Management, select Manage service applications.

  2. Select the Service Applications tab.

  3. Select the managed metadata service to which you want to grant permission and then click Permissions.

  4. In the first box, either type the name of the service account that you want to add by using the format <domain>\<username> or select the service account by using the address book, and then click Add.

  5. Double-click the service account that you added.

    The service account is moved from the box of accounts to be added to the box of accounts to be granted permissions.

  6. In the Permissions for <user> box, select one of the following options:

    1. Read Access to Term Store to grant permission to read the term store and content types that are associated with the managed metadata service.

    2. Read and Restricted Write Access to Term Store to grant permission to read the term store and content types that are associated with the managed metadata service, permission to write to local term sets and open term sets, and permission to create enterprise keywords.

    3. Full Access to Term Store to grant permission to read and write to the term store and content types that are associated with the managed metadata service.

  7. Repeat the previous three steps to grant permission to additional accounts.

  8. Click OK.

Revoke a service account’s permission to access a managed metadata service

Use this procedure to revoke a service account’s permission to access a managed metadata service.

Administrative credentials

To use this procedure, you must be a member of the Farm Administrators SharePoint group on the computer that is running the SharePoint Central Administration Web site.

To revoke permission to access a managed metadata service by using Central Administration

  1. On the home page of the SharePoint Central Administration Web site, under Application Management, select Manage service applications.

  2. Select the Service Applications tab.

  3. Select the managed metadata service from which you want to revoke permission and then click Permissions.

  4. In the second box, select the service account that you want to remove, and then click Remove.

  5. Click OK.
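The grant and revoke procedures above can also be scripted from the SharePoint 2010 Management Shell, which makes it easier to review the current access rules before changing them. The following is an added example, not part of the original article; the service display name, the account name, and the two helper function names are assumptions.

```powershell
# Added example. Run as a farm administrator in the SharePoint 2010 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$serviceName = 'Managed Metadata Service'   # assumed display name of the service application
$account     = 'CONTOSO\svc-portal-pool'    # assumed application pool account (<domain>\<username>)

$app = Get-SPServiceApplication | Where-Object { $_.DisplayName -eq $serviceName }
if (-not $app) { throw "Service application '$serviceName' was not found." }

# Review the current access rules first. Names are shown in claims-encoded form.
# A farm-wide entry with full access means per-account read or restricted
# grants are not yet the effective limit (see the Security Note above).
(Get-SPServiceApplicationSecurity $app).AccessRules |
    Format-Table Name, AllowedRights -AutoSize

function Grant-MetadataServiceAccess {      # hypothetical helper name
    param([string]$Account, [string]$Right)
    $security = Get-SPServiceApplicationSecurity $app
    # Accept only a permission level that this service application defines.
    $valid = $security.NamedAccessRights | ForEach-Object { $_.Name }
    if ($valid -notcontains $Right) {
        throw "Unknown right '$Right'. Valid rights: $($valid -join '; ')"
    }
    $principal = New-SPClaimsPrincipal -Identity $Account -IdentityType WindowsSamAccountName
    Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights $Right
    # The change is in memory only until it is written back to the service application.
    Set-SPServiceApplicationSecurity -Identity $app -ObjectSecurity $security
}

function Revoke-MetadataServiceAccess {     # hypothetical helper name
    param([string]$Account)
    $security  = Get-SPServiceApplicationSecurity $app
    $principal = New-SPClaimsPrincipal -Identity $Account -IdentityType WindowsSamAccountName
    Revoke-SPObjectSecurity -Identity $security -Principal $principal
    Set-SPServiceApplicationSecurity -Identity $app -ObjectSecurity $security
}

# Grant the restricted level to one application pool account.
Grant-MetadataServiceAccess -Account $account `
    -Right 'Read and Restricted Write Access to Term Store'

# To remove the account again:
# Revoke-MetadataServiceAccess -Account $account
```

The permission level names passed to `-Right` are the same three options listed in step 6 of the grant procedure.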

See Also

Concepts

Managed metadata roles (SharePoint Server 2010)
Add and remove term store administrators (SharePoint Server 2010)