Plan for security roles (Search Server 2008)

Applies To: Microsoft Search Server 2008

 

Topic Last Modified: 2009-08-04

Note

Unless otherwise noted, the information in this article applies to both Microsoft Search Server 2008 and Microsoft Search Server 2008 Express.

In this article:

  • Farm-level administration

  • Site-level administration

  • Worksheet

Microsoft Search Server 2008 supports a two-tier administrative model that centralizes configuration and administration tasks, lets you differentiate administrative roles, and lets you delegate and assign administration to the appropriate people in your organization. The administrative model can help IT organizations perform administrative tasks more efficiently and effectively. You can use the administrative model and SharePoint groups to give only the permissions that are required to perform specific tasks based on specific roles in your organization. To work more effectively within the two-tier administrative model, many organizations designate specific administrative roles within each tier. This article discusses administrative roles within each tier that you can use to help administer your solution.

The following list describes each administrative tier.

  • Tier 1: Farm-level administrators. Administrators in this tier are the top-level administrators and have permissions to and responsibility for all servers and farm-level services in the server farm. Members can perform all administrative tasks in the Central Administration Web site and in the Search Administration pages for the server or server farm.

  • Tier 2: Site collection administrators. Site collection administrators have the Full Control permission level on their site collections. In Search Server 2008, there is a single site collection by default that contains the Search Center. Site collection administrators have full control over the Search Center. You can also choose to create other site collections and subsites.

Search Server 2008 provides flexibility in how you assign administrative roles. In a centralized administration model, you can assign all administrative roles to one or two people in the organization. Alternatively, in a distributed administration model, you can delegate farm-level and site collection administrative roles to different people in the organization.

Farm-level administration

Note

The information in this section does not apply to Microsoft Search Server 2008 Express. It applies to the full version of Microsoft Search Server 2008 only.

Farm-level administration typically is performed by the following roles:

  • Farm administrators

  • Server-level administrators

Farm administrators

The farm administrator has permissions to and responsibility for all servers in the server farm. Members of the Farm Administrators SharePoint group do not have to be added to the Administrators group for each server. Farm administrators are members of the WSS_WPG and WSS_RESTRICTED_WPG groups on the computers where Central Administration is hosted and have the Full Control permission level on all servers in the environment. By default, members of the Administrators group are members of the Farm Administrators group.

Members of the Farm Administrators group have broad ability to manage the Central Administration site and Search Administration pages, but are restricted in performing some actions (that is, create Internet Information Services (IIS) Web sites, create or delete SharePoint Web applications, update account passwords or Windows services) because of certain constraints in IIS and the Microsoft .NET Framework. The Farm Administrators group is used in Central Administration and Search Administration only, and is not available for any sites.

Note

Carefully decide to whom you grant memberships in the Administrators group on the local database server computer and to whom you grant memberships in fixed database roles and fixed server roles in Microsoft SQL Server. This is because this group and these roles have the Full Control permission level on the SharePoint Products and Technologies configuration database.

The following table lists tasks that members of the Farm Administrators group can perform.

SharePoint group: Farm Administrators

Does role exist by default? Yes

Can do this:

  • Perform administrative tasks in Central Administration.

  • Perform administrative tasks in Search Administration.

  • Take ownership of the Search Center or any content site.

Cannot do this:

  • Administer other sites or site content unless they take ownership.

Server-level administrator

Members of the Administrators group on the local server computer are automatically added to the Farm Administrators SharePoint group and can perform all farm administrator actions. The Administrators group is a Windows group, not a SharePoint group, but the Administrators group on the local computer runs certain administrative tasks in Search Server 2008.

The following table describes the server-level administrator role.

Group: Administrators

Does role exist by default? Yes. Windows group that exists by default; not a SharePoint group.

Can do this:

  • Install products.

  • Create new Web applications and new Internet Information Services (IIS) Web sites.

  • Start services.

  • Deploy Web Parts and new features to the global assembly cache.

  • Perform all farm-level tasks in Central Administration and Search Administration (as long as the Central Administration site is located on the local computer).

  • Run the Stsadm command-line tool.

    Note

    Being a server-level administrator is a prerequisite of running the Stsadm command-line tool. Depending on which command you actually run, you might need additional permissions. For example, if you run stsadm.exe -o deleteweb, the command requires that the account have write access to the content database that contains the Web application.

Cannot do this:

  • Administer the Search Center or other sites or site content.

  • Administer databases.
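
Because members of the local Administrators group are automatically farm administrators, it is useful to compare that group, together with WSS_WPG and WSS_RESTRICTED_WPG, against the planned role assignments on each farm server. The following PowerShell script is an added example, not part of the original article; the server list and the approved account names are constructed placeholders.

```powershell
# Added example: compare local group membership with the planned role assignments.
# Account names and the server list are constructed placeholders.
$Servers  = @($env:COMPUTERNAME)            # assumption: add every farm server
$Approved = @{
    'Administrators'     = @('CONTOSO\Domain Admins', 'CONTOSO\svc-farm')
    'WSS_WPG'            = @('CONTOSO\svc-farm', 'CONTOSO\svc-apppool')
    'WSS_RESTRICTED_WPG' = @('CONTOSO\svc-farm')
}

function Get-LocalGroupMemberName {
    param([string]$Computer, [string]$Group)
    # The WinNT ADSI provider works on hosts without the LocalAccounts module.
    $adsiGroup = [ADSI]"WinNT://$Computer/$Group,group"
    foreach ($member in @($adsiGroup.psbase.Invoke('Members'))) {
        $path  = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        # WinNT://DOMAIN/user or WinNT://DOMAIN/HOST/user -> DOMAIN\user or HOST\user
        $parts = @(($path -replace '^WinNT://', '') -split '/')
        if ($parts.Count -ge 2) { '{0}\{1}' -f $parts[-2], $parts[-1] } else { $parts[0] }
    }
}

$findings = foreach ($server in $Servers) {
    foreach ($group in $Approved.Keys) {
        try {
            $members = @(Get-LocalGroupMemberName -Computer $server -Group $group)
        } catch {
            # A group that is missing or unreadable is reported, not treated as clean.
            Write-Warning "Could not read group '$group' on ${server}: $($_.Exception.Message)"
            continue
        }
        foreach ($name in $members) {
            # -notcontains is case-insensitive, which matches Windows account names.
            if ($Approved[$group] -notcontains $name) {
                New-Object PSObject -Property @{ Server = $server; Group = $group; Unexpected = $name }
            }
        }
    }
}
$findings | Sort-Object Server, Group | Format-Table Server, Group, Unexpected -AutoSize
```

Each row in the output is an account that holds farm-level rights through local group membership but does not appear in the approved list for that group.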

Site-level administration

When you install Microsoft Search Server 2008, a site collection is created to host the Search Center. In most cases, no additional site collections or subsites are required and site-level administrators are those who control the Search Center. Optionally, you can create other site collections or subsites with other site-level administrators, but this is not typical in a Search Server 2008 deployment.

Site-level administration includes the following roles:

  • Site collection administrators

  • Site owners

Site collection administrators

Site collection administrators have the Full Control permission level on the Search Center. From the site collection level, site collection administrators manage settings (such as site collection features, site collection audit settings, and site collection policies) from the Site Settings page for the top-level site. When you create a site collection, you can specify the primary and secondary site collection administrators. A site collection administrator is a user with a flag in the content database that states they can perform all tasks in a site collection, including all tasks for specific sites in a site collection. This flag can be changed by using the Site Collection Administrators page in Central Administration, by using the Site Settings page on a top-level site, or by using the site owner operation with the Stsadm command-line tool. Generally, you designate site collection administrators when you create the site, but you can change them as needed in Central Administration or by using the Site Settings pages.

The following table describes the site collection administrator role.

SharePoint group: Site collection administrator

Does role exist by default? Yes

Can do this:

  • Perform all administration tasks for the Search Center or other site collection or subsites.

Cannot do this:

  • Access the Central Administration site or the Search Administration pages.

Site owners

Site owners are those who have been specifically granted the Full Control permission level on the site, either directly or by being a member of a SharePoint group — for example, the Owners group — that has the Full Control permission level on the site. Site owners can perform tasks related to the site only, not the whole site collection.

Note

In a typical Search Server 2008 system, there is only one site – the Search Center. Therefore, site owners and site collection administrators have the same role. If you decide to create subsites, the site owner and site collection administrator roles are differentiated because the site owner can administer only a subsite. The site collection administrator can administer all sites in the site collection.

Note

The user who creates the site is automatically added to the Owners group for the site.

The following table describes tasks that site owners can perform.

SharePoint group: <Site name> Owners

Does role exist by default? Yes

Can do this:

  • Perform administration for the site only, not the whole site collection.

  • Perform administrative tasks for documents, lists, and libraries.

Cannot do this:

  • Access the Central Administration site.

  • Access the Search Administration pages.

  • Perform site collection administration tasks, such as restoring items from the second-stage Recycle Bin and managing the site hierarchy.

For more information about site-level administration, see Choose administrators and owners for the administration hierarchy (Office SharePoint Server).

Worksheet

Use the following worksheet to plan for security roles.
