Method to grant account access to User Profile Service Application

Published 09/07 courtesy of SharePoint Solutions

To work with SharePoint's User Profile Service Application beyond a read-only capacity, a user account must be granted appropriate access. Otherwise, you'll encounter errors such as ActivityFeedPermissionDeniedException when attempting operations such as ActivityEvent.CreateActivityEvent.

The following method will grant access to the User Profile Service Application for a specified account name of the format DOMAIN\User.

    using System.Linq;
    using Microsoft.SharePoint.Administration;
    using Microsoft.SharePoint.Administration.AccessControl;
    using Microsoft.SharePoint.Administration.Claims;

    private static void GrantPermissionsToUserProfileService(string accountName)
    {
        // Locate the User Profile service in the local farm by type name.
        var upServiceproxy = SPFarm.Local.Services.Where(s => s.GetType().Name.Contains("UserProfileService")).FirstOrDefault();
        if (upServiceproxy != null)
        {
            // Take the first IIS web service application hosted by that service.
            var upServiceApp = upServiceproxy.Applications.OfType<SPIisWebServiceApplication>().FirstOrDefault();
            if (upServiceApp != null)
            {
                var mgr = SPClaimProviderManager.Local;

                // Permissions ACL: grant the account Full Control on the service application.
                var security = upServiceApp.GetAccessControl();
                var claim = mgr.ConvertIdentifierToClaim(accountName, SPIdentifierTypes.WindowsSamAccountName);
                security.AddAccessRule(new SPAclAccessRule<SPIisWebServiceApplicationRights>(claim, SPIisWebServiceApplicationRights.FullControl));
                upServiceApp.SetAccessControl(security);

                // Administrators ACL: grant the same account Full Control as an administrator.
                var adminSecurity = upServiceApp.GetAdministrationAccessControl();
                var adminClaim = mgr.ConvertIdentifierToClaim(accountName, SPIdentifierTypes.WindowsSamAccountName);
                adminSecurity.AddAccessRule(new SPAclAccessRule<SPCentralAdministrationRights>(adminClaim, SPCentralAdministrationRights.FullControl));
                upServiceApp.SetAdministrationAccessControl(adminSecurity);

                // Drop cached copies so the updated ACLs are re-read.
                upServiceApp.Uncache();
                upServiceproxy.Uncache();
            }
        }
    }

In the scenario where your application's execution context is an SPJobDefinition, your code will be running under the account identity of the SharePoint 2010 Timer service. In this previous article, I showed you how to write a method to determine the account identity of the timer service. Combining the two methods should allow you to create a custom SharePoint PowerShell cmdlet which will grant access before running your custom timer job to perform such functions as updating SharePoint user profiles.
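
The method above adds Full Control to both ACLs of the service application, and nothing on this page removes it again. As an added example (not code from the original article), the PowerShell function below lists the access rules on both ACLs and, unless -AuditOnly is given, revokes the account's rules once the job no longer needs them. The function name Remove-UpaAccess and the account CONTOSO\svc-timerjob are placeholders, and the SharePoint 2010 Management Shell snap-in is assumed to be installed.

```powershell
# Added example: audit and revoke access on the User Profile Service Application.
# Run as a farm administrator on a SharePoint server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Remove-UpaAccess {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)][string]$AccountName,   # DOMAIN\User
        [switch]$AuditOnly                                    # list rules, change nothing
    )

    # Locate the User Profile Service Application by its type name.
    $upa = Get-SPServiceApplication |
        Where-Object { $_.TypeName -eq 'User Profile Service Application' } |
        Select-Object -First 1
    if (-not $upa) { throw 'No User Profile Service Application found in this farm.' }

    # Same identifier type the C# method uses (WindowsSamAccountName).
    $principal = New-SPClaimsPrincipal -Identity $AccountName -IdentityType WindowsSamAccountName

    # The C# method writes two ACLs: the permissions ACL and the administrators ACL.
    foreach ($isAdminAcl in $false, $true) {
        $label = if ($isAdminAcl) { 'Administrators' } else { 'Permissions' }
        $security = Get-SPServiceApplicationSecurity -Identity $upa -Admin:$isAdminAcl

        # Audit: emit one object per access rule currently on this ACL.
        $security.AccessRules |
            Select-Object @{ n = 'Acl'; e = { $label } }, Name, AllowedRights

        if (-not $AuditOnly) {
            # Remove every right held by the principal, then persist the ACL.
            Revoke-SPObjectSecurity -Identity $security -Principal $principal
            Set-SPServiceApplicationSecurity -Identity $upa -ObjectSecurity $security -Admin:$isAdminAcl
        }
    }
}

# Review first, then revoke (constructed account name):
Remove-UpaAccess -AccountName 'CONTOSO\svc-timerjob' -AuditOnly
# Remove-UpaAccess -AccountName 'CONTOSO\svc-timerjob'
```

The rules are listed before any revocation, so the output of a revoking run records what the account held at the time it was removed.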
