So, I’ve been asked about this subject several times (this being; how to give specific users full control over a web application.) The topic usually comes up when administrators or support personnel find themselves unable to access specific content in SharePoint, sometimes because they should not have access to the content (such as confidential HR documents, or the Clam Chowder Recipe at Monterey’s Fisherman’s Warf), and other times because an unknowing user with way too many privileges accidentally removes the administrators permissions from the site collection (this behavior is by no means a bug or limitation of the system, it is by design.) Either way there is an easy fix and way to get around this restriction: Policy for Web Application.

Policy for Web Application is a link located in Central Administration > Application Management under the Application Security section. It essentially allows farm administrators to create security policies allowing them to override standard SharePoint permissions for all sites in a web application, for any or all web application zones, regardless of what permission are given (or denied) at the site collections or sites.

You will find that some accounts are automatically given rights, typically the NT AUTHORITY\LOCAL SERVICE and the Search Crawling/Content Access Account. Be careful not to remove these. The Search Crawling account will automatically be given Full Read access, it needs it to properly crawl content.

A brief how to can be found at: http://technet.microsoft.com/en-us/library/cc179366.aspx

Advertisements