Configuring Web Application User Policy in SharePoint 2013 / 2016

A SharePoint web application may have hundreds or thousands of site collections. Granting the same access on all of those site collections to a set of users can be a difficult task. This is where SharePoint web application policies come into play. Consider these practical scenarios:

  • Your SharePoint search crawl account needs read access on all site collections.
  • You have to provide Read access on all site collections to the “Auditors” group of your organization.
  • You may want to provide read access to all users for an Intranet web application.
  • Your CIO wants Full Control on all site collections.
  • Your fellow farm administrator needs Full Control over all site collections on the SharePoint 2013 web application, etc.

Web application user policies are a comprehensive way to apply permissions to all site collections in a web application. A web application policy either grants or denies permissions to a set of users. By default, a web application has these four permission policy levels predefined:

  • Full Control
  • Full Read
  • Deny Write
  • Deny All

In fact, a SharePoint web application policy is basically a mapping between an Active Directory user or group and a certain web application-level permission policy.

Permissions applied using a web application user policy supersede all other permissions applied at the individual site collection level. E.g., if a user has Read access to some site collections, granting the Full Control permission policy gives the user “Full Control” on all site collections within the entire web application. With web application-level permission policies, you can centrally manage access to all content in the web application without individually adding site collection administrators on each site.

The Deny permission level takes precedence over any existing permissions applied. E.g., applying Deny All to a user prevents any and all access to a web application and all its site collections. BTW, a Deny policy at the web application level is the only way to block someone’s access to SharePoint.

To access the user policy for a web application using Central Administration:

  1. Open SharePoint 2016/2013/2010 Central Administration site as a Farm Administrator
  2. Click Application Management >> Select Manage Web Applications.
  3. Select your target web application >> Click the User Policy button from the ribbon.
  4. This page lists all user policies created for the web application. Usually, you’ll find the search service application crawl account here with full read access user policy granted.
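The same listing can be pulled for every web application in the farm from the SharePoint 2013/2016 Management Shell. This is an added example, not code from the original article; the function name `Get-WebAppPolicyReport` is hypothetical. It reports all-zone and zone-specific policies and marks the entries that carry Full Control or operate as System, since those override site collection permissions.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Hypothetical helper: one output row per user policy entry in the farm.
function Get-WebAppPolicyReport {
    foreach ($webApp in Get-SPWebApplication) {
        # Policies shown as "(All zones)" in Central Administration
        $scopes = @(@{ Zone = "All zones"; Policies = $webApp.Policies })

        # Policies scoped to a single configured zone (Default, Internet, ...)
        foreach ($zone in $webApp.IisSettings.Keys) {
            $scopes += @{ Zone = $zone.ToString(); Policies = $webApp.ZonePolicies($zone) }
        }

        foreach ($scope in $scopes) {
            foreach ($policy in $scope.Policies) {
                $bindings = @($policy.PolicyRoleBindings)
                [PSCustomObject]@{
                    WebApplication   = $webApp.Url
                    Zone             = $scope.Zone
                    UserName         = $policy.UserName
                    DisplayName      = $policy.DisplayName
                    Roles            = ($bindings | ForEach-Object { $_.Name }) -join "; "
                    FullControl      = [bool]($bindings | Where-Object { $_.Type -eq 'FullControl' })
                    OperatesAsSystem = $policy.IsSystemUser
                }
            }
        }
    }
}

# Review the entries that bypass site collection permissions or hide the editor's identity
Get-WebAppPolicyReport |
    Where-Object { $_.FullControl -or $_.OperatesAsSystem } |
    Format-Table -AutoSize
```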

How to add a new Web application user Policy?

To add a new policy, click the Add Users link. Then perform the following steps:

  1. From the Policy for Web Application dialog box, click on the “Add Users” link.
  2. Select All Zones for the web application and click on Next. (You can optionally select a single zone, such as Internet, and limit the policy to that zone.)
  3. Enter one or more user account names or security groups.
  4. Select the permission policy levels that you want to apply. You can add custom permission policy levels from “Permission Policy”.
  5. Optionally, you can select the “Account Operates As System” check box, which means that if a user creates or modifies any item in this web application, the Created By and Modified By entries will be shown as System Account.
  6. Click Finish to save your changes. This ensures consistent security permissions across site collections of a web application.
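The steps above can also be scripted from the SharePoint Management Shell. The following is an added example, not the script the article links to; the web application URL, group name and display name are placeholder assumptions. It grants Full Read to an Active Directory security group for all zones, is safe to re-run, and leaves “Account Operates As System” off.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Placeholder values (assumptions, not from the article)
$webAppUrl   = "https://intranet.example.com"
$groupName   = "EXAMPLE\SP-Auditors"
$displayName = "Auditors (Full Read)"

$webApp = Get-SPWebApplication -Identity $webAppUrl

# Claims-mode web applications store the encoded claim; classic mode stores DOMAIN\name
if ($webApp.UseClaimsAuthentication) {
    $login = (New-SPClaimsPrincipal -Identity $groupName `
                -IdentityType WindowsSecurityGroupName).ToEncodedString()
} else {
    $login = $groupName
}

# $webApp.Policies applies to all zones; $webApp.ZonePolicies($zone) scopes to one zone
$policies = $webApp.Policies
$policy   = $policies | Where-Object { $_.UserName -eq $login }
if (-not $policy) {
    $policy = $policies.Add($login, $displayName)
}

# Bind the predefined Full Read permission policy level if it is not already bound
$role = $webApp.PolicyRoles.GetSpecialRole(
            [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead)
if (-not ($policy.PolicyRoleBindings | Where-Object { $_.Type -eq $role.Type })) {
    $policy.PolicyRoleBindings.Add($role)
}

# Keep "Account Operates As System" off so Created By / Modified By show the real user
$policy.IsSystemUser = $false

# Persist the change to the configuration database
$webApp.Update()
```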

By providing a permission policy at the web application level, our purpose is to control who has access to the content within the site collections that are associated with the web application.

Edit Existing User Policies:

To edit any of the existing policies:

  • Click on the corresponding “Display Name” value (or you can check the policy and click the Edit Permissions Of Selected Users link).
  • In the edit policy dialog box, adjust any required settings, such as permissions, and click on Save once done.

To Delete a Web Application User Policy:

To remove a user policy, simply select the policy and click on the “Delete Selected Users” link. Confirm when prompted.

As a best practice, use Active Directory security groups in SharePoint web application user policies, as adding individual users triggers a SharePoint search crawl. As a search crawl can be resource intensive, consider doing this during off-business hours.

This procedure applies to all versions of SharePoint: SharePoint 2016, 2013, 2010, and 2007 too! To create a SharePoint web application user policy using PowerShell: SharePoint PowerShell to Add web application user policy

Salaudeen Rajack

Salaudeen Rajack is a SharePoint Architect with two decades of SharePoint experience. He loves sharing his knowledge and experiences with the SharePoint community through his real-world articles!

3 thoughts on “Configuring Web Application User Policy in SharePoint 2013 / 2016”

  • January 12, 2018 at 12:11 AM

    Does it make any issue if the farm account (account which is used to configure SharePoint) is added to this? Actually, my farm account was getting locked every time the search full crawl happened, and then we found that the farm account was added in the policy option. When we removed that, everything went normal. I don’t know how that solved the issue. Do you have any thoughts on that? Thank you.

  • July 13, 2017 at 2:42 PM

    Any idea what the limit is on the number of entries on this?

    • July 18, 2017 at 2:10 PM

      Technically there is no limit – AFAIK. However, it’s not a good idea to have too many user policies!

