Granting permissions to the User Profile Service Application using PowerShell


In my previous article I explained how access permissions to the User Profile Service Application are required if you want to programmatically configure Navigation of a Publishing Site in SharePoint 2010. In that article I showed you how to grant the required permissions manually. There are, however, scenarios when you might need to configure those permissions in a structured and repeatable way. Find out how to grant permissions to the User Profile Service Application using PowerShell.

It’s all about having access

Previously I showed you how to avoid an exception being thrown while configuring Navigation for a Publishing Site in SharePoint 2010. Because Navigation configuration internally requires access to Audiences information, the account that you are using to execute the navigation configuration PowerShell script has to have sufficient permissions to access the User Profile Service Application where the Audiences information is stored.

As I explained previously, you can configure those permissions by navigating to Central Administration and, from the Application Management group, clicking the Manage service applications link.

The ‘Manage service applications’ link highlighted in Central Administration

Next, from the list of available Service Applications, select the User Profile Service Application and in the Ribbon, from the Sharing group, click the Permissions button.

The 'Permissions' button highlighted in the Ribbon

Add the account that you are using to execute the navigation configuration PowerShell script (1) and give it Full Control permissions (2). Confirm your changes by clicking the OK button (3).

Granting permissions to access the User Profile Service Application to the administrator account

The interesting part is that if you go back to the Permissions screen, you will see that the permissions to the User Profile Service Application are granted to an identity claim generated from the previously provided account, and not to the user object itself.

User Profile Service Application Permission screen showing an identity claim

This is an important detail that we have to take into account while building the PowerShell script.

Configuring User Profile Service Application permissions using PowerShell

You can configure User Profile Service Application permissions using the following PowerShell script:

param (
    [Parameter(Mandatory = $true)][string]$accountName
)

$claimType = "http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname"
$claimValue = $accountName
$claim = New-Object Microsoft.SharePoint.Administration.Claims.SPClaim($claimType, $claimValue, "http://www.w3.org/2001/XMLSchema#string", [Microsoft.SharePoint.Administration.Claims.SPOriginalIssuers]::Format("Windows"))
$claim.ToEncodedString()

$permission = [Microsoft.SharePoint.Administration.AccessControl.SPIisWebServiceApplicationRights]"FullControl"

$SPAclAccessRule = [Type]"Microsoft.SharePoint.Administration.AccessControl.SPAclAccessRule``1"
$specificSPAclAccessRule = $SPAclAccessRule.MakeGenericType([Type]"Microsoft.SharePoint.Administration.AccessControl.SPIisWebServiceApplicationRights")
$ctor = $specificSPAclAccessRule.GetConstructor(@([Type]"Microsoft.SharePoint.Administration.Claims.SPClaim",[Type]"Microsoft.SharePoint.Administration.AccessControl.SPIisWebServiceApplicationRights"))
$accessRule = $ctor.Invoke(@([Microsoft.SharePoint.Administration.Claims.SPClaim]$claim, $permission))

$ups = Get-SPServiceApplication | ? { $_.TypeName -eq 'User Profile Service Application' }
$accessControl = $ups.GetAccessControl()
$accessControl.AddAccessRule($accessRule)
$ups.SetAccessControl($accessControl)
$ups.Update()

First we generate the identity claim using the account name for which we want to grant access permissions (lines 5-8). Next we generate an access rule for the identity claim and the FullControl permission (lines 12-15). Finally we retrieve the User Profile Service Application (line 17) and we add the newly created access rule (lines 18 and 19). To persist the changes we have to replace the existing AccessControl object with the new one by calling the SPIisWebServiceApplication.SetAccessControl method (line 20) and update the User Profile Service Application object (line 21).

If, for example, you would like to grant the win2008\administrator account access to the User Profile Service Application, you would execute the PowerShell script as follows:

.\Set-UpsConnectionPermission.ps1 "win2008\administrator"

This would grant the access permissions to the win2008\administrator account required to programmatically configure Navigation of a Publishing Site in SharePoint 2010.
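Full Control on the User Profile Service Application is a broad grant, so it is worth reviewing who holds it and removing the entry once the navigation configuration has run. The following is an added example, not part of the original script: it uses SharePoint's built-in security cmdlets instead of the reflection approach above, and the -Revoke switch and the single-application check are assumptions made for illustration.

```powershell
# Added example: audit, and optionally revoke, a grant on the User Profile Service Application.
param (
    [Parameter(Mandatory = $true)][string]$accountName,  # e.g. "win2008\administrator"
    [switch]$Revoke                                       # hypothetical switch: remove the grant
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Fail closed if the farm has zero or several matching service applications.
$apps = @(Get-SPServiceApplication |
    Where-Object { $_.TypeName -eq 'User Profile Service Application' })
if ($apps.Count -ne 1) {
    throw "Expected exactly one User Profile Service Application, found $($apps.Count)."
}
$ups = $apps[0]

# The ACL holds the encoded identity claim, not the account name,
# so build the same claim and compare against its encoded form.
$principal = New-SPClaimsPrincipal -Identity $accountName -IdentityType WindowsSamAccountName
$encoded = $principal.ToEncodedString()

$security = Get-SPServiceApplicationSecurity $ups

# List every principal on the ACL with its rights, for review.
$security.AccessRules |
    Select-Object Name, AllowedRights, DeniedRights |
    Format-Table -AutoSize | Out-String

# Assumption: the Name of each access rule is the encoded claim string.
$rule = $security.AccessRules | Where-Object { $_.Name -eq $encoded }
if (-not $rule) {
    Write-Output "No access rule found for $encoded"
    return
}
Write-Output "$encoded holds: $($rule.AllowedRights)"

if ($Revoke) {
    # Remove the principal from the ACL and persist the change.
    Revoke-SPObjectSecurity -Identity $security -Principal $principal
    Set-SPServiceApplicationSecurity -Identity $ups -ObjectSecurity $security
    Write-Output "Revoked access for $encoded"
}
```

Run it without -Revoke to review the current entries, and with -Revoke after the navigation configuration has completed.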
