Set permissions to published service applications in SharePoint 2013


Applies to: SharePoint Server 2013, SharePoint Foundation 2013

Topic Last Modified: 2014-08-13

Summary: Learn how to configure permissions to the Application Discovery and Load Balancing Service Application and published service applications for the consuming farm in SharePoint 2013.

In SharePoint 2013, you must establish a relationship between the publishing farm and the consuming farm by giving the consuming farm permission to the Application Discovery and Load Balancing Service Application on the publishing farm. After doing this, the consuming farm can be given permission to other service applications. For more information about the process of sharing service applications across farms, see Share service applications across farms in SharePoint 2013.


Important:
You must perform steps 1 through 5 in the Windows PowerShell procedure to obtain the consuming farm ID, which you must have in order to complete either the Windows PowerShell or Central Administration procedures.

Before you begin this operation, review the following information about prerequisites:

Note:
Because SharePoint 2013 runs as websites in Internet Information Services (IIS), administrators and users depend on the accessibility features that browsers provide. SharePoint 2013 supports the accessibility features of supported browsers. For more information, see the following resources:

The first procedure explains how to set permission to the Application Discovery and Load Balancing Service Application. The second explains how to set permissions to any other service applications.

To set permission to the Application Discovery and Load Balancing Service Application for a consuming farm by using Windows PowerShell
  1. Verify that you have the following memberships:

    • securityadmin fixed server role on the SQL Server instance.

    • db_owner fixed database role on all databases that are to be updated.

    • Administrators group on the server on which you are running the Windows PowerShell cmdlets.

    An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint 2013 cmdlets.

    Note:
    If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about Windows PowerShell permissions, see Add-SPShellAdmin.
  2. Start the SharePoint 2013 Management Shell.

    • For Windows Server 2008 R2:

      1. On a server in the consuming farm, on the Start menu, click All Programs, click Microsoft SharePoint 2013 Products, and then click SharePoint 2013 Management Shell.

    • For Windows Server 2012:

      • On a server in the consuming farm, on the Start screen, click SharePoint 2013 Management Shell.

        If SharePoint 2013 Management Shell is not on the Start screen:

      • Right-click Computer, click All apps, and then click SharePoint 2013 Management Shell.

    For more information about how to interact with Windows Server 2012, see Common Management Tasks and Navigation in Windows Server 2012.

  3. At the Windows PowerShell command prompt, type the following command:

    Get-SPFarm | Select Id
    

    For more information, see Get-SPFarm.

  4. On a server in the publishing farm, access the SharePoint 2013 Management Shell and at the Windows PowerShell command prompt, type the following commands:

    $security=Get-SPTopologyServiceApplication | Get-SPServiceApplicationSecurity
    
    $claimprovider=(Get-SPClaimProvider System).ClaimProvider
    
    $principal=New-SPClaimsPrincipal -ClaimType "http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid" -ClaimProvider $claimprovider -ClaimValue <consumingfarmid>
    
    Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights "Full Control"
    
    Get-SPTopologyServiceApplication | Set-SPServiceApplicationSecurity -ObjectSecurity $security
    

    Where:

    <consumingfarmid> is the GUID value of the consuming farm.

    For more information, see the following:

To set permission to a published service application for a publishing farm by using Windows PowerShell
  1. Verify that you have the following memberships:

    • securityadmin fixed server role on the SQL Server instance.

    • db_owner fixed database role on all databases that are to be updated.

    • Administrators group on the server on which you are running the Windows PowerShell cmdlets.

    • Add memberships that are required beyond the minimums above.

    An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint 2013 cmdlets.

    Note:
    If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about Windows PowerShell permissions, see Add-SPShellAdmin.
  2. Start the SharePoint 2013 Management Shell.

    • For Windows Server 2008 R2:

      1. On a server in the publishing farm, on the Start menu, click All Programs, click Microsoft SharePoint 2013 Products, and then click SharePoint 2013 Management Shell.

    • For Windows Server 2012:

      • On a server in the publishing farm, on the Start screen, click SharePoint 2013 Management Shell.

        If SharePoint 2013 Management Shell is not on the Start screen:

      • Right-click Computer, click All apps, and then click SharePoint 2013 Management Shell.

    For more information about how to interact with Windows Server 2012, see Common Management Tasks and Navigation in Windows Server 2012.

  3. At the Windows PowerShell command prompt, type the following command:

    $security=Get-SPServiceApplication <GUID> | Get-SPServiceApplicationSecurity
    
    $claimprovider=(Get-SPClaimProvider System).ClaimProvider
    
    $principal=New-SPClaimsPrincipal -ClaimType "http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid" -ClaimProvider $claimprovider -ClaimValue <consumingfarmid>
    
    Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights <NamedAccessRights>
    
    Set-SPServiceApplicationSecurity <GUID> -ObjectSecurity $security
    

    Where:

    <consumingfarmid> is the GUID value of the consuming farm.

    <GUID> is the ID of the published service application.

    <NamedAccessRights> is the name of the access right from the Get-SPServiceApplicationSecurity <GUID>.NamedRights.

    For more information, see the following:
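The PowerShell steps above, wrapped as an added example that is not part of the original article: it rejects a right name the service application does not define, then reads the stored ACL back after the change. `Grant-ConsumingFarmRight` is a hypothetical helper name, and the `NamedAccessRights` and `AccessRules` properties of the security object are assumptions to confirm in your farm.

```powershell
# Added example (not from the original article). Run in the SharePoint 2013
# Management Shell on the publishing farm. Grant-ConsumingFarmRight is a
# hypothetical helper name, not a SharePoint cmdlet.
function Grant-ConsumingFarmRight {
    param(
        [Parameter(Mandatory=$true)][Guid]$ServiceApplicationId,  # <GUID>
        [Parameter(Mandatory=$true)][Guid]$ConsumingFarmId,       # <consumingfarmid>
        [Parameter(Mandatory=$true)][string]$Right                # <NamedAccessRights>
    )
    # The [Guid] parameter types reject a mistyped or truncated ID up front.
    $app = Get-SPServiceApplication -Identity $ServiceApplicationId -ErrorAction Stop
    $security = Get-SPServiceApplicationSecurity -Identity $app

    # Refuse a right name this service application does not define.
    # Assumption: the security object lists its rights in NamedAccessRights.
    $valid = @($security.NamedAccessRights | ForEach-Object { $_.Name })
    if ($valid -notcontains $Right) {
        throw "'$Right' is not defined for '$($app.DisplayName)'. Valid: $($valid -join ', ')"
    }

    $claimProvider = (Get-SPClaimProvider System).ClaimProvider
    $principal = New-SPClaimsPrincipal `
        -ClaimType "http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid" `
        -ClaimProvider $claimProvider -ClaimValue $ConsumingFarmId.ToString()

    Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights $Right
    Set-SPServiceApplicationSecurity -Identity $app -ObjectSecurity $security

    # Read the stored ACL back and return only the rules for this farm ID.
    # Assumption: each AccessRules entry carries the farm GUID in its Name.
    Get-SPServiceApplicationSecurity -Identity $app |
        Select-Object -ExpandProperty AccessRules |
        Where-Object { $_.Name -like "*$ConsumingFarmId*" }
}

# Usage, with the same placeholders as the procedure:
# Grant-ConsumingFarmRight -ServiceApplicationId <GUID> -ConsumingFarmId <consumingfarmid> -Right "Full Control"
```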

This procedure explains how to set permission to any service application, but most specifically, the Application Discovery and Load Balancing Service Application.

Important:
You must perform steps 1 through 5 in the Windows PowerShell procedure to obtain the consuming farm ID, which you must have in order to complete this procedure.

To set permission to the Application Discovery and Load Balancing Service Application and any other published service application for a consuming farm by using Central Administration
  1. On the server that hosts the SharePoint Central Administration website for the publishing farm, verify that the user account that is performing this procedure is a member of the Farm Administrators SharePoint group.

  2. On the SharePoint Central Administration website, click Application Management, and then click Manage service applications.

  3. Click the row that contains Application Discovery and Load Balancing Service Application.

  4. On the ribbon, click Permissions.

  5. In the Connection Permissions dialog box, do the following:

    1. Manually paste the ID of the consuming farm from Step 5 of the Windows PowerShell section.

    2. Click Add.

    3. Select the consuming farm ID, and then select the Full Control check box.

    4. Click OK.

  6. Repeat steps 2 through 5 for any published service applications for which you want to enable access from the consuming farm and assign the necessary permission.

Note:
To enable access to the User Profile service application, which is not available in SharePoint Foundation 2013, you must give the consuming farm's web application pool identity (that is, DOMAIN\Username) the permission instead of the consuming farm ID.
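Whichever procedure made the grants, the result can be reviewed from the publishing farm. The following is an added example, not part of the original article, that lists every farm-ID principal on every service application and marks the entries holding Full Control. `Get-FarmIdGrant` is a hypothetical helper name; the `AccessRules` and `NamedAccessRights` properties, and the GUID match used to recognize farm-ID principals, are assumptions.

```powershell
# Added example (not from the original article). Run on the publishing farm.
# Get-FarmIdGrant is a hypothetical helper name, not a SharePoint cmdlet.
function Get-FarmIdGrant {
    param([Guid]$ConsumingFarmId)   # optional: report one consuming farm only
    $guid = '[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}'
    # Include the Application Discovery and Load Balancing Service Application
    # explicitly, then every other service application, without duplicates.
    $apps = @(Get-SPTopologyServiceApplication) + @(Get-SPServiceApplication) |
        Sort-Object Id -Unique
    foreach ($app in $apps) {
        $security = $app | Get-SPServiceApplicationSecurity
        # Assumption: NamedAccessRights entries expose Name and Rights.
        $full = $security.NamedAccessRights | Where-Object { $_.Name -eq 'Full Control' }
        foreach ($rule in $security.AccessRules) {
            # Heuristic (assumption): a farm-ID principal has a GUID in its name.
            # Accounts such as DOMAIN\Username (User Profile case) are skipped.
            if ($rule.Name -notmatch $guid) { continue }
            if ($PSBoundParameters.ContainsKey('ConsumingFarmId') -and
                $rule.Name -notlike "*$ConsumingFarmId*") { continue }
            [pscustomobject]@{
                ServiceApplication = $app.DisplayName
                Principal          = $rule.Name
                AllowedRights      = $rule.AllowedRights
                FullControl        = ($null -ne $full -and $rule.AllowedRights -eq $full.Rights)
            }
        }
    }
}

# Usage: list farm-ID grants of Full Control for review.
# Get-FarmIdGrant | Where-Object { $_.FullControl } | Format-Table -AutoSize
```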

© 2014 Microsoft