Wednesday, April 1, 2009

Who is "The Farm Administrator"

New SharePoint developers can often be confused about farm administration.  In Central Administration -> Operations -> Update Farm Administrators there is a list of users who are farm administrators.  These users are farm administrators, but they are not “The Farm Administrator.”  This list is actually a wrapper around the local operating system group WSS_ADMIN_WPG, which has the description: “Members of this group have write access to system resources used by Windows SharePoint Services.” The group exists locally on each server in the farm, and the Central Administration application propagates changes to all servers in the farm.

If you wish to know who is “The Farm Administrator” you need to look at the local group WSS_RESTRICTED_WPG.  This group has the description: “Group for the Windows SharePoint Services farm administrator.” Normally this group contains one and only one user.  This should be the same user that was entered in “Specify Database Access Account” in the “Advanced” SharePoint configuration path.  It is also the same user used for the Central Administration Application Pool as well as the Timer Service process. Any time a SharePoint object is updated by this user, it will be marked as changed by “SHAREPOINT\system”. This is “The Farm Administrator.” For the “Basic” SharePoint configuration path this user is always NT AUTHORITY\NETWORK SERVICE. This user is called the “Server farm account” in Microsoft’s Office SharePoint Server security account requirements document.

There is an erroneous perception amongst new SharePoint programmers that this user is all powerful.  This is not quite true.  Here are the facts.

Does “The Farm Administrator” have operating system administration rights on each of the SharePoint servers? NO. If configured correctly (for best security) this user has no power outside of the SharePoint domain.

Does “The Farm Administrator” have read and write rights on all site collections in SharePoint? NO. If configured correctly (for best security) this user does not have direct access to business data. That access has been delegated to the site collection administrators.  There are several methods of indirect access (1) (2), but it cannot be assumed that a farm administrator can simply open any Site or Web in the system.

There is one last group worth mentioning in this article: the local WSS_WPG group, which has the description: “Members of this group have read access to system resources used by Windows SharePoint Services.” The process accounts that run SharePoint services are added to this group.  This includes the web application pool accounts as well as any Windows service that SharePoint oversees.
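To check the three groups described above on a given server, here is an added PowerShell audit script (my own example, not code from the original post). It reads the local groups through the ADSI WinNT provider, lists their members, and warns when WSS_RESTRICTED_WPG does not hold exactly one account or when that account is also a member of the local Administrators group. It assumes it is run on the SharePoint server itself with rights to read local group membership; the computer name and group descriptions in the hashtable are taken from this post, nothing else is assumed.

```powershell
# Added example (not from the original post): audit the local SharePoint groups
# on this server against the expectations described in the article.
function Get-LocalGroupMemberNames {
    param([string]$GroupName, [string]$Computer = $env:COMPUTERNAME)
    $group = [ADSI]"WinNT://$Computer/$GroupName,group"
    $members = @($group.psbase.Invoke("Members"))
    foreach ($m in $members) {
        # AdsPath looks like WinNT://DOMAIN/account; normalise it to DOMAIN\account
        $path = $m.GetType().InvokeMember("AdsPath", "GetProperty", $null, $m, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

# Group names and descriptions as given in the post.
$groups = @{
    'WSS_RESTRICTED_WPG' = 'Group for the Windows SharePoint Services farm administrator'
    'WSS_ADMIN_WPG'      = 'write access to system resources (the "farm administrators" list)'
    'WSS_WPG'            = 'read access to system resources (app pool and service accounts)'
}

foreach ($name in $groups.Keys) {
    Write-Host "== $name : $($groups[$name])"
    Get-LocalGroupMemberNames -GroupName $name | ForEach-Object { Write-Host "   $_" }
}

# "The Farm Administrator": WSS_RESTRICTED_WPG should normally hold exactly one account.
$farmAdmins = @(Get-LocalGroupMemberNames -GroupName 'WSS_RESTRICTED_WPG')
if ($farmAdmins.Count -ne 1) {
    Write-Warning "WSS_RESTRICTED_WPG has $($farmAdmins.Count) members; expected exactly one."
}

# That account should not have operating system admin rights on this server.
# Note: only direct membership is checked; membership via a nested group is not resolved.
$localAdmins = @(Get-LocalGroupMemberNames -GroupName 'Administrators')
foreach ($acct in $farmAdmins) {
    if ($localAdmins -contains $acct) {
        Write-Warning "$acct is also in local Administrators; the farm account should not have OS admin rights."
    }
}
```

Run it on every server in the farm, since the groups are local to each machine and Central Administration is what keeps them in sync.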
