Wednesday, September 07, 2011

Method to grant account access to User Profile Service Application

In order to work with SharePoint's User Profile Service Application beyond a read-only capacity, a user account must be granted appropriate access. Otherwise, you'll encounter errors such as ActivityFeedPermissionDeniedException when attempting to perform operations such as ActivityEvent.CreateActivityEvent.

The following method will grant access to User Profile Service Application for a specified account name of the format DOMAIN\User.

```csharp
using System.Linq;
using Microsoft.SharePoint.Administration;
using Microsoft.SharePoint.Administration.Claims;

// Grants the given Windows account (DOMAIN\User) Full Control on the
// User Profile Service Application: both on the service ACL (who may call
// the service) and on the administration ACL (who may manage it in
// Central Administration). Must run under a farm administrator.
private static void GrantPermissionsToUserProfileService(string accountName)
{
    // Locate the User Profile service by type name, which avoids a hard
    // reference to the Microsoft.Office.Server.UserProfiles assembly.
    var upService = SPFarm.Local.Services
        .Where(s => s.GetType().Name.Contains("UserProfileService"))
        .FirstOrDefault();
    if (upService == null)
        return;

    var upServiceApp = upService.Applications.OfType<SPIisWebServiceApplication>().FirstOrDefault();
    if (upServiceApp == null)
        return;

    // Both ACLs are keyed on claims, so convert the SAM account name once.
    var mgr = SPClaimProviderManager.Local;
    var claim = mgr.ConvertIdentifierToClaim(accountName, SPIdentifierTypes.WindowsSamAccountName);

    // Service application ACL.
    var security = upServiceApp.GetAccessControl();
    security.AddAccessRule(new SPAclAccessRule<SPIisWebServiceApplicationRights>(claim, SPIisWebServiceApplicationRights.FullControl));
    upServiceApp.SetAccessControl(security);

    // Administration ACL.
    var adminSecurity = upServiceApp.GetAdministrationAccessControl();
    adminSecurity.AddAccessRule(new SPAclAccessRule<SPCentralAdministrationRights>(claim, SPCentralAdministrationRights.FullControl));
    upServiceApp.SetAdministrationAccessControl(adminSecurity);

    // Drop the cached objects so the updated ACLs are re-read from the
    // configuration database on next access.
    upServiceApp.Uncache();
    upService.Uncache();
}
```

In the scenario where your application's execution context is an SPJobDefinition, your code will be running under the account identity of the SharePoint 2010 Timer service. In a previous article, I showed you how to write a method to determine the account identity of the timer service. Combining the two methods should allow you to create a custom SharePoint PowerShell cmdlet which will grant access before running your custom timer job to perform such functions as updating SharePoint user profiles.
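The following is an added example of the combination just described; it is not code from the original post. It is a custom SharePoint 2010 PowerShell cmdlet that resolves the Timer service account through SPFarm.Local.TimerService.ProcessIdentity.Username, demands farm-administrator rights up front (the usual cause of a later "Access denied" when calling SetAccessControl), supports -WhatIf/-Confirm so an operator can review the grant before it is applied, and then calls the post's GrantPermissionsToUserProfileService method, which is reproduced here in the same class. The cmdlet name Grant-UPSAccessToTimerService, the -AccountName parameter and the use of RequireUserFarmAdmin are this example's own choices.

```csharp
// Added example, not the original post's code.
using System;
using System.Linq;
using System.Management.Automation;
using Microsoft.SharePoint.Administration;
using Microsoft.SharePoint.Administration.Claims;
using Microsoft.SharePoint.PowerShell;

// Hypothetical cmdlet name; SupportsShouldProcess enables -WhatIf and -Confirm.
[Cmdlet(VerbsSecurity.Grant, "UPSAccessToTimerService", SupportsShouldProcess = true)]
public class GrantUPSAccessToTimerServiceCmdlet : SPCmdlet
{
    // Optional override. When omitted, the Timer service identity is used,
    // because that is the account an SPJobDefinition executes under.
    [Parameter(Mandatory = false)]
    public string AccountName { get; set; }

    protected override void InternalProcessRecord()
    {
        // Changing a service application's ACLs needs farm-admin rights.
        // Failing here gives a clear message instead of a later "Access denied".
        // (RequireUserFarmAdmin is assumed to be available on SPCmdlet.)
        RequireUserFarmAdmin();

        string account = string.IsNullOrEmpty(AccountName)
            ? SPFarm.Local.TimerService.ProcessIdentity.Username   // e.g. DOMAIN\spfarm
            : AccountName;

        // The grant method expects DOMAIN\User, so reject anything else early.
        if (string.IsNullOrEmpty(account) || !account.Contains("\\"))
            throw new ArgumentException("Account must be in DOMAIN\\User form: " + account);

        // Honour -WhatIf / -Confirm so the change can be reviewed before it lands.
        if (!ShouldProcess(account, "Grant Full Control on the User Profile Service Application"))
            return;

        GrantPermissionsToUserProfileService(account);
        WriteVerbose("Granted User Profile Service Application access to " + account);
    }

    // The post's method, unchanged in behaviour: Full Control on the service
    // ACL and on the administration ACL of the User Profile Service Application.
    private static void GrantPermissionsToUserProfileService(string accountName)
    {
        var upService = SPFarm.Local.Services
            .Where(s => s.GetType().Name.Contains("UserProfileService"))
            .FirstOrDefault();
        if (upService == null)
            return;

        var upServiceApp = upService.Applications.OfType<SPIisWebServiceApplication>().FirstOrDefault();
        if (upServiceApp == null)
            return;

        var mgr = SPClaimProviderManager.Local;
        var claim = mgr.ConvertIdentifierToClaim(accountName, SPIdentifierTypes.WindowsSamAccountName);

        var security = upServiceApp.GetAccessControl();
        security.AddAccessRule(new SPAclAccessRule<SPIisWebServiceApplicationRights>(claim, SPIisWebServiceApplicationRights.FullControl));
        upServiceApp.SetAccessControl(security);

        var adminSecurity = upServiceApp.GetAdministrationAccessControl();
        adminSecurity.AddAccessRule(new SPAclAccessRule<SPCentralAdministrationRights>(claim, SPCentralAdministrationRights.FullControl));
        upServiceApp.SetAdministrationAccessControl(adminSecurity);

        upServiceApp.Uncache();
        upService.Uncache();
    }
}
```

To use it, the assembly must be deployed to the GAC and the cmdlet registered with an XML file under the SharePoint root's CONFIG\PowerShell\Registration folder, after which it is available in the SharePoint 2010 Management Shell, for example as `Grant-UPSAccessToTimerService -WhatIf` to preview, then without the switch to apply. Note that the grant is Full Control on both ACLs, exactly as in the post; if the timer job only needs to write profile data, it is worth checking in Central Administration whether a narrower permission set on the service application suffices.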

5 comments:

Mike Bosch said...

Thanks for sharing.

Technical Tips said...

This information is very helpful.

Thank you!

Carlos Santiago Aguilar said...

Thanks for sharing, but I have a problem when I'm trying to set the access control, I get "Access denied" message even if I use Administrator account. Can somebody help me with that issue?

Mohitvash said...

Hi, Great post!!!
Carlos, I have also encountered the same access denied issue while setting the access rule. Actually I was using this code in a list event receiver class under the ItemAdding event. This error was expected as this code will run under the normal user credential and will use the server context based on the logged on user (not the farm administrator).
So finally I thought a bit, then created a timer job which will run after a duration and will execute this code with admin privileges, and finally got success :).

Hope it's not too late for you to implement this approach.

Thanks
Mohit Vashishtha
http://mohitvash.wordpress.com