kwizcom banner advertisement

How to Add Administrator and Grant Permission to Service Applications using PowerShell?

By default, Farm administrators group has rights to manage all service applications. Often there are situations when you may need to add additional administrators or grant permissions to SharePoint service applications. Say,
  • You want to delegate service application administration to other users
  • SharePoint farm admin account isn't added as service application administrator or not having permission to the service application.
SharePoint allows us to delegate permissions and distribute administration of Service applications to multiple users by granting access as either Service Application Administrator or Feature administrator. These service application administrators cannot create/delete any service application but they can perform actions within their service application that doesn't affects the farm. E.g. A Search service application administrator can make any change to the Search service application, But He/She cannot make changes to the Search topology.

How to Add Service Application Administrator in SharePoint 2016?
To add a  Service Application administrator, navigate to:
  • SharePoint 2016 Central Admin >> Manage Service Applications
  • From the list of available Service Applications, select the target service application such as "Managed Metadata service application" by clicking the respective row.
    sharepoint 2016 service application add administrator grant permission
  • In the Ribbon click on "Administrators" button. Enter the user name that you wish to have admin rights to SharePoint service application >> Click on "Add" button.
  • From the permissions section, select "Full Control". Commit your changes by clicking the OK button.
    powershell to add service application administrator in SharePoint 2016
  • Similarly, to add permission, Click on "Permissions" button from the ribbon, Enter the user and add appropriate permission to the user.
    How to grant permission to service application using PowerShell
Same steps applies to add sharepoint 2013 search service application administrators or user profile service application administrator. Once added, these delegated service application administrators can configure settings for a specific service application in a farm. However, these administrators cannot create new service applications or perform any farm-level operations, including topology changes.

When these permission delegations are repeated, Lets use PowerShell to add administrator and grant permissions to service applications, say: Managed Metadata Service Application.

PowerShell to Add Service Application Administrator 
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Configuration Variables
$ServiceAppName="Managed Metadata Service Application"
$UserAccount="Crescent\Salaudeen"
$AccessRights = "Full Control"

#Get the service application
$ServiceApp = Get-SPServiceApplication -Name $ServiceAppName
#Convert user account to claims
$UserPrincipal = New-SPClaimsPrincipal -Identity $UserAccount -IdentityType WindowsSamAccountName

#Get the Service Application Security collection
$ServiceAppSecurity = Get-SPServiceApplicationSecurity $ServiceApp -Admin
#Add user & rights to the collection
Grant-SPObjectSecurity $ServiceAppSecurity -Principal $UserPrincipal -Rights $AccessRights

#Apply the Security changes
Set-SPServiceApplicationSecurity $ServiceApp $ServiceAppSecurity -Admin 

Add Permission to a Service Application using PowerShell
How about granting permission to service application? Its also possible to grant subset of permissions in any Service Application. Well, the similar code goes for providing permission to service application, except the "-Admin" switch. Here is an example:
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Configuration Variables
$ServiceAppName="Managed Metadata Service Application"
$UserAccount="Crescent\Salaudeen"
$AccessRights = "Full Access to Term Store"

#Get the service application
$ServiceApp = Get-SPServiceApplication -Name $ServiceAppName
#Convert user account to claims
$UserPrincipal = New-SPClaimsPrincipal -Identity $UserAccount -IdentityType WindowsSamAccountName

#Get the Service Application Security collection
$ServiceAppSecurity = Get-SPServiceApplicationSecurity $ServiceApp
#Add user & rights to the collection
Grant-SPObjectSecurity $ServiceAppSecurity -Principal $UserPrincipal -Rights $AccessRights

#Apply the Security changes
Set-SPServiceApplicationSecurity $ServiceApp $ServiceAppSecurity

Add User Profile Service Application Administrator and Grant Permissions: 
Lets combine both the scripts to add administrator and set permission to user profile service application in SharePoint 2016 to avoid "No User Profile Application available to service the request. Contact your farm administrator." error.  
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Configuration Variables
$UserAccount="Crescent\Salaudeen"
$AccessRights = "Full Control"

#Convert user account to claims
$UserPrincipal = New-SPClaimsPrincipal -Identity $UserAccount -IdentityType WindowsSamAccountName

#Get the user profile service application
$ServiceApp =  Get-SPServiceApplication | ? { $_.TypeName -eq "User Profile Service Application" }

Write-host "Adding Administrator to User Profile Service Application..."
#Get the Service Application Administrators Security collection
$ServiceAppAdmins = Get-SPServiceApplicationSecurity $ServiceApp -Admin

#Add user to the collection
Grant-SPObjectSecurity $ServiceAppAdmins -Principal $UserPrincipal -Rights $AccessRights

#Apply the new Security to service application
Set-SPServiceApplicationSecurity $ServiceApp $ServiceAppAdmins -Admin

Write-host "Granting permission to User Profile Service Application..."
#Get the Service Application Permissions Security collection
$ServiceAppPermission = Get-SPServiceApplicationSecurity $ServiceApp

#Add user & rights to the collection
Grant-SPObjectSecurity $ServiceAppPermission -Principal $UserPrincipal -Rights $AccessRights

#Apply the Security changes
Set-SPServiceApplicationSecurity $ServiceApp $ServiceAppPermission
How to Add Administrator and Grant Permission to Service Applications using PowerShell? How to Add Administrator and Grant Permission to Service Applications using PowerShell? Reviewed by Salaudeen Rajack on 7:02 PM Rating: 5

1 comment:

Please Login and comment to get your questions answered!

Powered by Blogger.