Allowing Self-Service Site Creation

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

SharePoint Team Services from Microsoft allows site administrators to create subwebs of their Web sites. These subwebs can be fully-functioning SharePoint team Web sites, complete with a home page, document libraries, and so on, and they can even have their own unique permissions. The Self-Service Site Creation add-in allows administrators to give users this same power. With the Self-Service Site Creation add-in installed and enabled, a user can create a SharePoint team Web site automatically as a subweb of the root web, without needing administrator rights to the root web. The user simply enters a name (and a user name and password, if required) for the new subweb, and the new team Web site is created with the user as the administrator of that site. By enabling Self-Service Site Creation on a virtual server, administrators do not need to create subwebs for users. You can even allow anonymous users to create subwebs — for example, if you want to provide a free trial of a fully functioning SharePoint Team Services site to potential customers.

Note   Self-Service Site Creation is supported only for Windows 2000 or later.

About Self-Service Site Creation Security


Self-Service Site Creation allows users to create and administer their own SharePoint team Web sites automatically. This capability can obviously affect the security for your Web server running SharePoint Team Services.

Self-Service Site Creation Security and ACLs


Access to the default Self-Service Site Creation Add-in Web pages is controlled by access control lists (ACLs). The Self-Service Site Creation Add-in creates the following two sets of pages that interact with permissions:

  • Administration pages

    For the administration pages (such as the Configure Self-Service Site Creation page), default scripts are stored in the global administration directories; therefore access to those scripts is restricted to local machine administrators. If the custom scripts option is chosen, and the default scripts are copied to a new location under the virtual server where the Self-Service Site Creation add-in is enabled, the permissions are inherited from the parent Web site, which could mean that any user of that Web site would have access to them.

  • Non-administration pages

    The non-administrative pages (the Self-Service Site Creation Create New Subweb page, for example), inherit permissions from the parent Web site no matter where the pages are stored. So, if you are using the default script location, site administrators can access them, and if you copy the scripts to a virtual server where the Self-Service Site Creation add-in is enabled, most likely any user of that Web site would have access to them.

Allowing everyone to have read access to the custom (and copied) default administrator pages is not a security risk, because the methods in the SelfServ COM object require authorization before carrying out any task. This authorization is implemented internally, and is not granted by using ACLs. Administrative methods in the SelfServ COM object require the user to be a local machine administrator to run. Non-administrative methods, like those used for creating a subweb, require the user to be part of the SSC group (OWS_SSC_W3SVCx, where x is the IIS instance ID). So, while a user without administrator or SSC group rights might be able to see the pages, they cannot execute commands on them.

The only exception occurs when you allow unrestricted accounts to access the Subweb.asp page (in other words, in an ISP situation, where you allow users to create accounts and subwebs at the same time). Because this page allows users to create a new account and add themselves to the SSC group, they can then execute commands on the Self-Service Site Creation Create New Subweb page. Such a user still cannot perform any other administrative actions, and because the methods used to create the new subweb are not used for any other purpose, your site is still secure. Of course, site administrators should still tightly control who has write permissions to the Self-Service Site Creation directories.
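
As an added example (not part of the original page or of the add-in), the following PowerShell script audits the two controls described above: which principals other than administrators hold write-type rights on the script directory, and who is in the SSC group. The directory path, the instance ID 1, and the treatment of OWS_SSC_W3SVCx as a local group are assumptions to adjust for your server.

```powershell
# Added example: audit write access to the Self-Service Site Creation script
# directory and membership of the SSC group.
# Assumptions: $ScriptDir and $IisInstanceId are placeholders for your server,
# and OWS_SSC_W3SVCx is a local group on the Web server.
param(
    [string]$ScriptDir = 'C:\Inetpub\wwwroot\selfserv',
    [int]$IisInstanceId = 1,
    [string[]]$Trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
)

# Rights that let a principal change, replace, or re-permission a script.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Raw generic bits that can appear in inherited ACEs: GENERIC_WRITE and GENERIC_ALL.
$genericMask = 0x40000000 -bor 0x10000000

function Get-NonAdminWriter {
    param([string]$Path)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Trusted -contains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band ($writeMask -bor $genericMask)) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            # Inherited entries come from the parent Web site's permissions.
            Inherited = $ace.IsInherited
        }
    }
}

# Check the script directory itself and everything beneath it.
$targets = @($ScriptDir) + @(Get-ChildItem -LiteralPath $ScriptDir -Recurse |
    ForEach-Object { $_.FullName })
$findings = $targets | ForEach-Object { Get-NonAdminWriter -Path $_ }

Write-Output "Principals outside the trusted list that can change files under ${ScriptDir}:"
$findings | Sort-Object Path, Identity | Format-Table -AutoSize

# Members of the SSC group are authorized to run the subweb-creation methods.
$group = "OWS_SSC_W3SVC$IisInstanceId"
$members = Get-LocalGroupMember -Name $group -ErrorAction SilentlyContinue
if ($null -eq $members) {
    Write-Output "Group $group was not found or has no members."
} else {
    Write-Output "Members of ${group}:"
    $members | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
}
```

Rows with Inherited set to True show access that flows down from the parent Web site, which is the case the page describes for scripts copied into the content area.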

Self-Service Site Creation Security Options


You can choose the configuration that is more comfortable for you, but keep in mind that allowing users to create their own sites is an inherently more risky operation than creating the sites yourself.

When you are deciding whether or not to use Self-Service Site Creation, and which options in Self-Service Site Creation to take advantage of, consider the following:

  • Restricted or unrestricted users

    When you run the installation for Self-Service Site Creation, you must choose whether to restrict the use of the Self-Service Site Creation add-in to users with existing accounts, or whether you want even users without existing accounts to be able to create subwebs automatically. If your Web server is in an intranet environment where all users already have domain accounts, you can choose to restrict access. If your Web server is on the Internet, hosted by an ISP, for example, where users do not already have accounts on the Web server, you can choose to allow unrestricted access to Self-Service Site Creation. That way, you can allow new users to create subwebs without having to create an account for them first.

  • Subwebs and administrator rights

    When a user creates a subweb, the user automatically becomes the site administrator for that subweb. However, the user is not granted any administrator rights to the parent web. This configuration of rights protects your parent web, so that the user can only make changes to their own subweb. Because the user does not have rights to the parent web, however, the user cannot delete their own subweb. Only administrators of a parent Web site can delete a subweb.

After you have decided whether to use restricted or unrestricted users, you can install the Self-Service Site Creation add-in.

Installing Self-Service Site Creation


The Self-Service Site Creation add-in requires an installation of SharePoint Team Services running Microsoft Windows 2000 Server or later. You must have SharePoint Team Services installed and configured before installing Self-Service Site Creation.

Note   When you install the Self-Service Site Creation add-in, the Internet Information Services (IIS) processes are briefly stopped. They are restarted automatically after the installation is complete.

You install the Self-Service Site Creation add-in from a download on the Microsoft Web site.

To install the Self-Service Site Creation add-in from the download 

  1. Open your browser and navigate to the SharePoint Team Services Self-Service Site Creation Add-in page on the Microsoft TechNet Web site.

  2. Under Installation, click the link for the language version of the Self-Service Site Creation Add-in that you want.

  3. Click the download file name to begin the download.

  4. Click Run this program from its current location to begin the installation now, or Save this program to disk to run later.

    If you choose to Save this program to disk, you must then locate and run the program from your hard disk later.

  5. Follow the steps in the Setup Wizard to install the Self-Service Site Creation add-in.

    When asked Do you want to restrict the use of Self-Service Site Creation to users with existing accounts?, choose Yes if you want to give users access to Self-Service Site Creation by hand, and No if you want users to be able to create accounts and subwebs automatically.

    Note   The restriction setting for Self-Service Site Creation is only available during Setup. If you want to change this option, you must uninstall, and then reinstall the Self-Service Site Creation add-in.

Enabling Self-Service Site Creation


After you have installed the add-in, it can be used for any virtual server that has been extended with SharePoint Team Services on your server computer. However, you must enable Self-Service Site Creation for each virtual server individually. When you enable Self-Service Site Creation, you also specify a directory to use to store the Self-Service Site Creation scripts (the default name is selfserv, but you can specify any name to use for the script directory), and the type of script that you want to use. You can choose from the following script types:

  • Read-only SSC scripts

    When you choose this script type, the Self-Service Site Creation scripts that are installed for the server are placed in a directory outside of the content area with a virtual directory pointing to that directory. Use this option if you always want to use the default Self-Service Site Creation scripts for the virtual server.

  • Customizable SSC scripts

    When you choose this script type, a new subdirectory is created within the Web site content area and the Self-Service Site Creation scripts are copied into the subdirectory. Use this option if you want to customize the default Self-Service Site Creation scripts for the virtual server.

    Any user with author privileges on the root Web site can customize the default Self-Service Site Creation scripts when you choose this option. If you want to control who can customize the scripts, you should restrict author access to the root Web site of any virtual servers running Self-Service Site Creation. Customizing the Self-Service Site Creation add-in is beyond the scope of this document, but you can find more information about developing software for SharePoint Team Services in the SharePoint Team Services Software Development Kit (SDK), available from the SharePoint Team Services Software Development Kit page on the Microsoft TechNet Web site.

    Caution   When you choose to put the Self-Service Site Creation scripts in the content area of your Web site, you are opening your server to a potential security vulnerability. Because the Self-Service Site Creation add-in runs as a system file, when you customize the scripts and run them, the scripts can make calls to the command-line tool Owsadm.exe — a result that may or may not be desired. A user with rights to customize the scripts and run them can potentially gain access to the server computer and make changes to it by way of the customized scripts.

  • Fully user-customized scripts

    When you choose this script type, a new subdirectory is created under the Web site content area but no scripts are copied into the subdirectory. Use this option if you have already created customized scripts for this virtual server, and have placed them in the subdirectory. Customizing the Self-Service Site Creation add-in and creating your own add-ins is beyond the scope of this document, but you can find more information about developing software for SharePoint Team Services in the SharePoint Team Services SDK, available from the SharePoint Team Services Software Development Kit page on the Microsoft TechNet Web site.

Caution   When you choose to put the Self-Service Site Creation scripts in the content area of your Web site, you are opening your server to a potential security vulnerability. Because the Self-Service Site Creation add-in runs as a system file, when you customize the scripts and run them, the scripts can make calls to the command-line tool Owsadm.exe — a result that may or may not be desired. A user with rights to customize the scripts and run them can potentially gain access to the server computer and make changes to it by way of the customized scripts.

To enable Self-Service Site Creation, you use the Manage Self-Service Site Creation link on the Virtual Server Administration page.

To enable Self-Service Site Creation for a virtual server 

  1. On the server computer click Start, point to Programs, point to Administrative Tools, and then click Microsoft SharePoint Administrator.

  2. On the Server Administration page, click Administration next to the virtual server you want to manage.

  3. In the Add-Ins section, click Manage Self-Service Site Creation (SSC).

  4. In the Script Directory section, in the Name box, type a name for the directory that will contain the Self-Service Site Creation scripts (the default directory is selfserv).

  5. In the Script Settings section, select the type of script you want to use (Read-only SSC Scripts, Customizable SSC scripts, or Fully user-customized scripts).

  6. Click Enable.

When you click Enable, Self-Service Site Creation is enabled for the virtual server. You must then configure Self-Service Site Creation before you are ready to give users access to the Self-Service Site Creation Create New Subweb page.

Administering Self-Service Site Creation


After you have enabled Self-Service Site Creation, you can administer the settings for the add-in from the Site Administration page. If you have multiple virtual servers, you can specify different settings for each virtual server.

You can control the following settings for Self-Service Site Creation:

  • Self-Service Site Creation Access Control

    During setup, you have the option of restricting the use of Self-Service Site Creation to users with existing accounts. If you choose to use this option, you must specify which users can create self-service sites.

  • Subweb logging

    You can keep a log file of all the subwebs that are created with the Self-Service Site Creation add-in. Logging is either on or off. If you turn logging on, a link is added to the Configure Self-Service Site Creation page for you to view the current log. The log file can also be accessed from the following URL: https://<servername>/<scriptdirectory>/admin/sslog.htm.

The Configure Self-Service Site Creation page also has a link to the Self-Service Site Creation Create New Subweb page, the page that allows your users to create a new subweb automatically. Use this link to test subweb creation. The Self-Service Site Creation Create New Subweb page (subweb.htm) can be found at the following URL for your virtual server: https://<servername>/<scriptdirectory>/subweb.htm. If you choose the default script directory when you enable Self-Service Site Creation, the script directory is selfserv.

Managing Self-Service Site Creation Users


If you restrict the use of Self-Service Site Creation to users with existing accounts, you can manage the accounts from the Configure Self-Service Site Creation page in the Site Administration pages. You can add or remove users from the Self-Service Site Creation permission group by using the SSC Access Control link on this page. You cannot create a new account on this page; you can only grant Self-Service Site Creation rights to an existing user account.

To open the Site Administration pages 

  • On the server computer click Start, point to Programs, point to Administrative Tools, and then click Microsoft SharePoint Administrator. On the Server Administration page, click the virtual server you want to manage.

    – or –

    In your site, click Site Settings, and then under Web Administration, click Go to Site Administration.

To add a user to the Self-Service Site Creation permission group 

  1. On the Site Administration page for your virtual server, under Add-Ins, click Self-Service Site Creation (SSC).

  2. In the SSC Access Control section, click SSC Access Control.

  3. Click Add new user(s).

  4. In the Name(s) box, type the user name or names to add. To add multiple user names, separate each name with a semicolon.

  5. Click Add User(s).

If you have added a user and you no longer want to allow the user to create self-service sites, you can remove the user from the access list.

To remove a user from the Self-Service Site Creation permission group 

  1. On the Site Administration page for your virtual server, under Add-Ins, click Self-Service Site Creation (SSC).

  2. In the SSC Access Control section, click SSC Access Control.

  3. Select the user you want to delete.

  4. Click Delete selected user(s).


When you are ready for users to create their own subwebs by using the Self-Service Site Creation add-in, you must make the Self-Service Site Creation Create New Subweb page available to them. To expose this page to users, you can either send e-mail with a link to the page, or you can add the link to this page to the home page of your SharePoint team Web site.

The method you choose to expose the Self-Service Site Creation Create New Subweb page to users may depend on the level of restriction you specified during Self-Service Site Creation setup. Consider the following:

  • If you allowed any user to create a Self-Service Site Creation subweb, you can put the link on the home page of your parent Web. The user then clicks the link, enters a name for his or her site, and enters a user name and password. An account is created for the user, and then the site is created. This method is most useful for ISPs that want to allow many users to sign up for accounts and create subwebs.

  • If you restricted the use of Self-Service Site Creation to users with existing accounts during Setup, and are adding accounts individually, you may want to use the e-mail method to distribute a link instead. By using e-mail, you can notify only the users you select and provide them with the link directly. When you use the restricted option, users must already have a valid account to create a subweb. This method is most useful for a smaller organization, where you want more control over which users can create subwebs.

Whichever method you choose, the link to the Self-Service Site Creation Create New Subweb page is https://<servername>/<scriptdirectory>/subweb.htm. If you choose the default script directory when you enable Self-Service Site Creation, the script directory is selfserv. For example, if you choose the default script directory, and your server name is MyServer, the path to the Self-Service Site Creation Create New Subweb page is https://MyServer/selfserv/subweb.htm, and this is the URL you would link to from the home page or e-mail.

Deleting a Self-Service Site Creation Subweb


To make sure that the parent web stays secure, only users with administrator rights to the subweb and the parent web can delete a subweb, even one created by using Self-Service Site Creation. Because of this, users can create subwebs by using Self-Service Site Creation, but they cannot delete a subweb. Be sure that when you publish the ability to create subwebs automatically, you also give users a way to notify the parent web administrator if they need to delete their Self-Service Site Creation site.

Uninstalling Self-Service Site Creation


If you decide you no longer want to use Self-Service Site Creation for a particular virtual server, you can remove the add-in from any of the virtual servers that you enabled. If you do not want to use Self-Service Site Creation for any of your virtual servers, and you no longer want it available on your server computer, you can uninstall the add-in completely, removing it from the server computer and all of the enabled virtual servers at once.

Removing Self-Service Site Creation from a Single Virtual Server


To remove Self-Service Site Creation from a particular virtual server, you use the Manage Self-Service Site Creation link on the Virtual Server Administration page. Note that Self-Service Site Creation must be enabled for that virtual server before it can be removed.

To remove Self-Service Site Creation from a virtual server 

  1. Open the Server Administration page.

  2. Next to the virtual server you want to change, click Administer.

  3. In the Add-Ins section, click Manage Self-Service Site Creation (SSC).

  4. Click Remove.

Uninstalling Self-Service Site Creation Completely


If you want to uninstall the Self-Service Site Creation add-in from your server computer completely, you can run the Uninstallssc.js script. This script was added to the following directory when Self-Service Site Creation was installed: \Program Files\Common Files\Microsoft Shared\Web Server Extensions\50\Addins. Running this script uninstalls Self-Service Site Creation and deletes all of the Self-Service Site Creation subdirectories from the virtual servers where it was enabled.

Note   When you uninstall the Self-Service Site Creation add-in, the Internet Information Services (IIS) processes are briefly stopped. They are restarted automatically after the uninstallssc.js script has completed.

Customizing Self-Service Site Creation


The Self-Service Site Creation Add-in is both an implementation of self-service site creation and an example of the types of automations you can create for SharePoint Team Services. If you want to create your own add-in, even your own implementation of Self-Service Site Creation, you can do so by using the Self-Service Site Creation Add-in as an example. You can customize Self-Service Site Creation by opening the Visual C++ Project files in \Program Files\Common Files\Microsoft Shared\Web Server Extensions\50\addins\selfserv\src. Customizing the Self-Service Site Creation Add-in and creating your own add-ins is beyond the scope of this document, but you can find more information about developing software for SharePoint Team Services in the SharePoint Team Services SDK, available from the SharePoint Team Services Software Development Kit page on the Microsoft TechNet Web site.
