Restrict or enable access to a service application (SharePoint Server 2010)
Applies to: SharePoint Server 2010, SharePoint Foundation 2010
In Microsoft SharePoint Server 2010, you can restrict the access to a service application so that the service application is available to only specified Web applications.
By default, all service applications on the local farm are available to all Web applications on the local farm. However, you can restrict access to a service application so that it is available to only specified Web applications. This can be a useful strategy if you host multiple customers on the same farm, and you want to isolate one customer's service applications from another customer’s Web application.
If you restrict access to a service application and you later decide that you want to make it available to the whole farm, you can remove the restriction.
This article describes how to restrict access to a service application by adding and removing service accounts. It also describes how to reestablish local farm-wide access to a service application.
Important
We strongly recommend that you plan the security and services infrastructure before you restrict access to service applications.
For information about how to plan the services architecture in SharePoint Server 2010, see the following articles:
In this article:
Restricting access to a service application
You can restrict access to a service application by removing service accounts from the service application. Conversely, you can allow access to a service application by adding service accounts to the service application. You can perform these tasks by using Central Administration or by using Windows PowerShell 2.0.
To restrict access to a service application, you must perform the following tasks:
Add a specific service account to the service application.
Remove the local farm ID from the service application.
Note
The procedures in this article describe how to restrict or restore access to a service application. However, you can follow the steps provided in the procedures to add any service account to any service application, or to remove any service account from any service application.
For example, the procedure To restore local farm-wide access to a service application by using Central Administration explicitly describes how to add the local farm ID to a service application. However, you can use the same procedure to add any other service account to a service application. To do this, you provide the appropriate service account instead of the local farm ID.
Because the local farm ID provides local farm-wide access to the service application by default, it is redundant to also grant explicit local Web application permissions to a service application unless you also remove the local farm ID.
To grant permissions to a service application, you must retrieve and supply the appropriate service account. For a Web application, this account is also known as an application pool identity account.
After you grant permissions to a service account and remove the local farm ID from a service application, only Web applications that are managed by the assigned service account can access the service application. You can assign multiple Web applications (that have different managing service accounts) to the same service application by repeating these procedures and adding the various Web application service accounts to the service application.
Warning
If you remove the local farm ID from a service application and do not assign any other service account to that service application, the service application becomes unavailable to all Web applications.
In this section:
Restrict access to a service application by using Central Administration
Restrict access to a service application by using Windows PowerShell
Restrict access to a service application by using Central Administration
To restrict access to a service application by using Central Administration, you must perform the following steps:
Retrieve the Web application service account.
Add the Web application service account to the service application.
Remove the local farm ID from the service application.
Procedures in this section:
To retrieve a Web application service account by using Central Administration
To grant and remove permissions for service accounts to access a service application by using Central Administration
To retrieve a Web application service account by using Central Administration
Verify that the user account that is performing this procedure is a member of the Farm Administrators SharePoint group.
On the Central Administration Home page, in the Security section, click Configure service accounts.
On the Service Accounts page, select the Web application name from the first drop-down list.
The service account is shown in the Select an account for this component list. Record the service account name because you will use it in the next procedure.
Click Cancel to exit the Service Accounts page without making any changes.
To grant and remove permissions for service accounts to access a service application by using Central Administration
Verify that the user account that is performing this procedure is a member of the Farm Administrators SharePoint group.
On the Central Administration Home page, in the Application Management section, click Manage service applications.
On the Manage Service Applications page, click the row that contains the service application for which you want to assign permissions. The ribbon becomes available.
On the ribbon, click Permissions.
In the Connection Permissions dialog box, type the service account name that you retrieved in the previous procedure, and then click Add.
Make sure that the newly added service account name is selected in the middle pane, and then click the appropriate check box in the bottom pane to supply the required permission level.
In the middle pane, click Local Farm, and then click Remove.
Verify that the Connection Permissions page now lists only the service account that you want to access the service application, and that the service account has the required permissions on the service application. Click OK to change the permissions, or click Cancel to end the operation without making changes.
You can grant and remove permissions for any service account by using this procedure.
Note
Restoring the local farm ID to the service application by using Central Administration requires an additional step that does not apply to other service accounts. For information about how to do this, see Restoring farm-level access to a service application later in this article.
Restricting access to a service application by using Windows PowerShell
All procedures in this section assume that you have the appropriate permissions and have opened the Windows PowerShell 2.0 command prompt window, as described in the procedure To initiate a Windows PowerShell session later in this section.
The process to restrict access to a service application by using Windows PowerShell 2.0 is more complex than performing the same task by using Central Administration. In Windows PowerShell 2.0, you will use some procedures to gather and store information for input into later procedures.
After you have started Windows PowerShell 2.0, the remaining steps to restrict access to a service application are as follows:
Retrieve the local farm ID.
Retrieve the Web application service account.
Create a new claims principal that contains the Web application service account.
Retrieve the security object of the service application.
Add the Web application service account to the security object of the service application.
Remove the local farm ID from the security object of the service application.
Assign the updated security object to the service application.
Display and review the updated permissions.
In this section:
To initiate a Windows PowerShell session
To retrieve the local farm ID by using Windows PowerShell
To retrieve a Web application service account and create a new claims principal by using Windows PowerShell
To retrieve the security object of the service application
To update the service application security object with the preferred permissions
To initiate a Windows PowerShell session
Verify that you meet the following minimum requirements: You are a member of the SharePoint_Shell_Access role on the configuration database and a member of the WSS_ADMIN_WPG local group on the computer where SharePoint Server 2010 is installed.
On the Start menu, click All Programs.
Click Microsoft SharePoint 2010 Products.
Click SharePoint 2010 Management Shell.
To retrieve a Web application service account and create a new claims principal by using Windows PowerShell
At the Windows PowerShell 2.0 command prompt, type the following command to retrieve the service account (that is, the application pool identity account) of a Web application:
$webapp = Get-SPWebApplication <http://WebApplication>
$webapp.ApplicationPool.UserName
Where <http://WebApplication> is the Web application URL.
The Web application service account name displays at the command prompt.
To create a new claims principal, type the following command:
$principal = New-SPClaimsPrincipal <ServiceAccount> -IdentityType WindowsSamAccountName
Where <ServiceAccount> is the user name (in the form of jane@contoso.com or contoso\jane) that was retrieved by running the previous command. The $principal variable will contain the new claims principal.
To retrieve the security object of the service application
To retrieve the security object of the service application, type the following commands. The $security variable will store the service application security object.
$spapp = Get-SPServiceApplication -Name "<ServiceApplicationDisplayName>"
$spguid = $spapp.id
$security = Get-SPServiceApplicationSecurity $spguid
Where <ServiceApplicationDisplayName> is the display name of the service application.
Important
You must enclose the display name in quotation marks, and it must exactly match the service application display name. This includes capitalization. If you have more than one service application that has exactly the same display name (we do not recommend this), you can run the Get-SPServiceApplication cmdlet without arguments to view all service applications. You can then identify the service application directly by its GUID. For example:
Get-SPServiceApplication
All service applications are listed.
$spapp = Get-SPServiceApplication -Identity <GUID>
$spguid = $spapp.id
Where <GUID> is the GUID for the service application for which you want to update permissions.
To update the service application security object with the preferred permissions
The first step to update the service application security object is to add the new claims principal $principal to the service application security object $security. To do this, type the following command:
Grant-SPObjectSecurity $security $principal -Rights "<Rights>"
Where <Rights> is the permissions that you want to grant. Typically, this will be Full Control. The available permissions can vary between service applications.
Tip
If you do not want to grant Full Control permissions, and you do not know what permissions can be granted to the service application, you can run the following commands to return the available permissions strings:
$rightslist = Get-SPServiceApplicationSecurity $spapp
$rightslist.NamedAccessRights
To remove the local farm ID (stored in the $farmID variable) from the service application security object $security, you must first wrap the ID in a claims principal, because Revoke-SPObjectSecurity expects a claims principal rather than a GUID. Type the following commands:
$farmaccount = New-SPClaimsPrincipal -ClaimType "https://schemas.microsoft.com/sharepoint/2009/08/claims/farmid" -ClaimProvider (Get-SPClaimProvider System).ClaimProvider -ClaimValue $farmID
Revoke-SPObjectSecurity $security $farmaccount
To assign the updated $security security object to the service application and confirm that the security object for the service application is appropriately updated, type the following commands:
Set-SPServiceApplicationSecurity $spapp -ObjectSecurity $security
(Get-SPServiceApplicationSecurity $spapp).AccessRules
You can add or remove any service account to a service application by using these procedures.
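The following script ties the Windows PowerShell procedure above into one function and adds two checks a practitioner would want: it refuses an ambiguous service application name, and it honors the Warning earlier in this article by refusing to revoke the local farm ID unless the Web application account has actually been granted access. This is an added example, not code from the original article; the function name and the assumption that the encoded rule name in AccessRules contains the account name are the author's.

```powershell
# Added example (not from the original article): restrict a service application to
# one Web application's service account without ever leaving it with no principals.
# Assumes the SharePoint 2010 Management Shell; the function name is a placeholder.

function Restrict-SPServiceAppToWebApp {
    param(
        [Parameter(Mandatory=$true)][string]$ServiceAppName,   # exact display name
        [Parameter(Mandatory=$true)][string]$WebAppUrl,        # Web application URL
        [string]$Rights = "Full Control"
    )

    # Resolve the service application; refuse 0 or more than 1 match rather than guess
    $matches = @(Get-SPServiceApplication -Name $ServiceAppName)
    if ($matches.Count -ne 1) {
        throw "Expected one service application named '$ServiceAppName', found $($matches.Count). Use -Identity <GUID>."
    }
    $spapp = $matches[0]

    # Web application service account (application pool identity) as a claims principal
    $webapp = Get-SPWebApplication $WebAppUrl
    $account = $webapp.ApplicationPool.UserName
    $webPrincipal = New-SPClaimsPrincipal $account -IdentityType WindowsSamAccountName

    # Local farm ID wrapped as a claims principal, the form Revoke-SPObjectSecurity needs
    $farmId = (Get-SPFarm).Id
    $claimProvider = (Get-SPClaimProvider System).ClaimProvider
    $farmPrincipal = New-SPClaimsPrincipal -ClaimType "https://schemas.microsoft.com/sharepoint/2009/08/claims/farmid" `
        -ClaimProvider $claimProvider -ClaimValue $farmId

    $security = Get-SPServiceApplicationSecurity $spapp

    # Rights differ between service applications; check the requested one is defined
    $available = @($security.NamedAccessRights | ForEach-Object { $_.Name })
    if ($available -notcontains $Rights) {
        throw "Right '$Rights' is not defined for '$ServiceAppName'. Available: $($available -join ', ')"
    }

    Grant-SPObjectSecurity $security $webPrincipal -Rights $Rights

    # Guard for the Warning in this article: only revoke the farm ID once the Web
    # application account holds a rule (assumption: the rule name embeds the account)
    $granted = @($security.AccessRules | Where-Object { $_.Name -like "*$account*" })
    if ($granted.Count -eq 0) {
        throw "Refusing to remove the local farm ID: '$account' was not granted access."
    }
    Revoke-SPObjectSecurity $security $farmPrincipal

    Set-SPServiceApplicationSecurity $spapp -ObjectSecurity $security
    (Get-SPServiceApplicationSecurity $spapp).AccessRules
}

Restrict-SPServiceAppToWebApp -ServiceAppName "Contoso BDC" -WebAppUrl "http://contoso"
```

Nothing is written until both checks pass, so a typo in the service application name or Web application URL leaves the existing permissions untouched.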
Restore farm-wide access to a service application
You can restore farm-wide access to a service application by adding the local farm ID to the service application. You can do this by using Central Administration or by using Windows PowerShell 2.0 commands. However, you must use Windows PowerShell 2.0 to obtain the local farm ID.
In this section:
To retrieve the local farm ID by using Windows PowerShell
To restore local farm-wide access to a service application by using Central Administration
To restore local farm-wide access to a service application by using Windows PowerShell
To retrieve the local farm ID by using Windows PowerShell
This procedure starts after step 4 of the To initiate a Windows PowerShell session procedure.
The following command retrieves the local farm ID, stores it in the $farmID variable, and displays the ID at the command prompt:
$farmID = (Get-SPFarm).Id   # store the GUID itself, not an object that wraps it
If you want to restore farm-wide access by using Central Administration, copy this value into the clipboard for use in the following procedure.
If you want to restore farm-wide access to the service application by using Windows PowerShell 2.0, type the following additional commands at the Windows PowerShell 2.0 command prompt. You will use the retrieved information in the following procedure.
$claimProvider = (Get-SPClaimProvider System).ClaimProvider
$principal = New-SPClaimsPrincipal -ClaimType "https://schemas.microsoft.com/sharepoint/2009/08/claims/farmid" -ClaimProvider $claimProvider -ClaimValue $farmID
To restore local farm-wide access to a service application by using Central Administration
Perform steps 1 through 3 of the procedure To grant and remove permissions for service accounts to access a service application by using Central Administration.
In the Connection Permissions dialog box, copy the local farm ID that you retrieved in the previous procedure, and then click Add.
Make sure that the local farm ID is selected in the middle pane. Click the Full Control check box in the bottom pane.
Click OK to restore farm-wide access to the service application, or click Cancel to end the operation without making changes.
To restore local farm-wide access to a service application by using Windows PowerShell
This procedure starts after step 2 of the procedure To retrieve the local farm ID by using Windows PowerShell.
To restore the retrieved local farm ID (held in the claims principal $principal that you created in the previous procedure) to the service application security object $security, type the following commands:
$spapp = Get-SPServiceApplication -Name "<ServiceApplicationDisplayName>"
$spguid = $spapp.id
$security = Get-SPServiceApplicationSecurity $spguid
Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights "Full Control"
Set-SPServiceApplicationSecurity $spguid -ObjectSecurity $security
Where <ServiceApplicationDisplayName> is the display name of the service application.
Important
You must enclose the display name in quotation marks, and it must exactly match the service application display name. This includes capitalization. If you have more than one service application that has exactly the same display name (we do not recommend this), you can run the Get-SPServiceApplication cmdlet without arguments to view all service applications. You can then identify the service application directly by its GUID.
Windows PowerShell code examples
In the following example, the administrator wants to restrict access to the "Contoso BDC" service application to the http://contoso/hawaii Web application, which is managed by the service account "contoso\jane". By adding "contoso\jane" and removing the local farm service account from the service application, "Contoso BDC" is restricted to only those Web applications that are managed by the service account "contoso\jane" - in this case, http://contoso/hawaii.
$farmid = (Get-SPFarm).Id
$claimProvider = (Get-SPClaimProvider System).ClaimProvider
# Claims principal for the local farm ID, used below to revoke farm-wide access
$farmaccount = New-SPClaimsPrincipal -ClaimType "https://schemas.microsoft.com/sharepoint/2009/08/claims/farmid" -ClaimProvider $claimProvider -ClaimValue $farmid
$webapp = Get-SPWebApplication http://contoso
$webapp.ApplicationPool.UserName
$principal = New-SPClaimsPrincipal contoso\jane -IdentityType WindowsSamAccountName
$spapp = Get-SPServiceApplication -Name "Contoso BDC"
$spguid = $spapp.id
$security = Get-SPServiceApplicationSecurity $spguid
Grant-SPObjectSecurity $security $principal -Rights "Full Control"
Revoke-SPObjectSecurity $security $farmaccount
Set-SPServiceApplicationSecurity $spguid -ObjectSecurity $security
(Get-SPServiceApplicationSecurity $spguid).AccessRules
In the following example, access to the service application "Contoso BDC" is restored to all Web applications in the local farm.
$farmid = (Get-SPFarm).Id
$claimProvider = (Get-SPClaimProvider System).ClaimProvider
# Claims principal for the local farm ID, granted Full Control to restore farm-wide access
$farmaccount = New-SPClaimsPrincipal -ClaimType "https://schemas.microsoft.com/sharepoint/2009/08/claims/farmid" -ClaimProvider $claimProvider -ClaimValue $farmid
$spapp = Get-SPServiceApplication -Name "Contoso BDC"
$spguid = $spapp.id
$security = Get-SPServiceApplicationSecurity $spguid
Grant-SPObjectSecurity -Identity $security -Principal $farmaccount -Rights "Full Control"
Set-SPServiceApplicationSecurity $spguid -ObjectSecurity $security
(Get-SPServiceApplicationSecurity $spguid).AccessRules
See Also
Reference
Get-SPWebApplication
New-SPClaimsPrincipal
Get-SPServiceApplication
Get-SPServiceApplicationSecurity
Grant-SPObjectSecurity
Revoke-SPObjectSecurity
Set-SPServiceApplicationSecurity
Get-SPFarm
Get-SPClaimProvider
Concepts
Configure claims authentication (SharePoint Server 2010)
Add or remove a service application connection to a Web application (SharePoint Server 2010)
Other Resources
Add or remove a service application connection to a Web application (SharePoint Foundation 2010)
Resource Center: Security and Authentication for SharePoint Server 2010