Configuring Web Application User Policy in SharePoint 2016

A SharePoint web application may have hundreds or thousands of site collections. Providing the same access to all of those site collections for a set of users can be a difficult task, isn’t it? So, here is where SharePoint Web application Policies come to play. Consider these practical scenarios where:

  • Your SharePoint search crawl account needs read access on all site collections.
  • You’ll have to provide Read access to all site collections to the “Auditors” group of your organization.
  • You may want to provide read access to all users for an Intranet web application.  
  • Your CIO wants to get full control to all site collections. 
  •  Your fellow farm administrator needs full control over all site collections on the SharePoint 2013 web application, etc.

Web application user policies are the comprehensive way to apply permission to all site collections in a web application. Web application policy either grant or deny permissions to a set of users. By default, a web application has these four permission policy levels predefined:

  • Full Control
  • Full Read
  • Deny Write
  • Deny All

The SharePoint web application policy is basically a mapping between Active Directory user or group and a specific Web Application level permission policy.

Permissions applied using web application User Policy supersedes all other permissions applied at the individual site collection level. E.g., if a user has read access to some site collections, granting the Full Control permission gives the user “Full Control” to all site collections within the entire web application. With web application-level permission policies, you can control and centrally manage access to all content in the web application without individually adding site collection administrators on each site.

Deny permission level takes precedence over any existing permissions applied. E.g., Applying Deny All to a user prevents any/all access to a web application and all its site collections. BTW, Deny policy at the web application level is the only way to block someone’s access to SharePoint.

To access the user policy for a web application using Central Administration:

  1. Open SharePoint 2016/2013/2010 Central Administration site as a Farm Administrator
  2. Click Application Management >> Select Manage Web Applications.
  3. Select your target web application >> Click the User Policy button from the ribbon.
    web application policy in sharepoint 2013
  4. This page lists all user policies created for the web application. Usually, you’ll find the search service application crawl account here with full read access user policy granted.
    web application user policy sharepoint 2016

How to add a new Web application user Policy?

To add a new policy, click the Add Users link. Then perform the following steps:

  1. From the Policy for Web Application dialog box, click on the “Add Users” link. 
  2. Select All Zones for the web application and click on Next (You can optionally select a single zone, such as the Internet, and limit the policy to the zone)
    sharepoint central administration policy for web application
  3. Enter one or more user account names or security groups. You can enter multiple users or security groups.
  4. Select the permission policy levels that you want to apply. You can add custom permission policy levels from “Permission Policy”.
  5. Optionally, select the “Account Operates As System” check box. If a user creates or modifies any item in this web application, the Created By and Modified by entries will be shown as System Account.
    Add user to web application user policy sharepoint 2016
  6. Click Finish to save your changes. This ensures consistent security permissions across site collections of a web application.

By providing a permissions policy at the web application level, we aim to control who has access to the content within the site collections associated with the web application.

Edit Existing User Policies:

To edit any of the existing policies:

  • Click on the corresponding “Display Name” value (or you can check the policy and click the Edit Permissions Of Selected Users link). 
  • In the edit policy dialog box, adjust any required settings, such as permissions, and click on Save once done.

To Delete a Web Application User Policy:

Simply select the policy, click the “Delete Selected Users” link, and confirm when prompted to remove a user policy.

As a best practice, use Active directory security groups in SharePoint web application user policies as adding individual users triggers SharePoint search crawl. As search crawl could be resource intensive, consider doing this in Off-business hours.

This procedure applies to all versions of SharePoint Server: SharePoint 2016, 2013, 2010, and 2007 too! To create a SharePoint web application user policy using PowerShell: SharePoint PowerShell to Add web application user policy

Salaudeen Rajack

Salaudeen Rajack - Information Technology Expert with Two-decades of hands-on experience, specializing in SharePoint, PowerShell, Microsoft 365, and related products. He has held various positions including SharePoint Architect, Administrator, Developer and consultant, has helped many organizations to implement and optimize SharePoint solutions. Known for his deep technical expertise, He's passionate about sharing the knowledge and insights to help others, through the real-world articles!

3 thoughts on “Configuring Web Application User Policy in SharePoint 2016

  • Does it makes any issue if I add the farm account (account which is used to configure sharepoint) is added to this. Actually my farm account was getting locked every time when the search full crawl happens and the found that the farm account is added in the policy option. When we removed that everything went normal. I don’t know how that solved the issue. Do you have any thought on that? Thank you.

  • Any idea what the limit is on the number of entries on this?

    • Technically there is no limit – AFAIK, However its not a good idea to have too many user policies!


Leave a Reply

Your email address will not be published. Required fields are marked *