SharePoint Calculator Service Part 8 – Delegated Administration

In Part 7 of this series, we created a cmdlet to allow a SharePoint farm administrator to easily modify settings of our Calculator service application using PowerShell.

In this article, we’ll add support for delegated administration.

About Delegated Administration

One of the many cool new features of SharePoint 2010 is the ability to let users manage a service application without giving them the keys to the entire farm (i.e., without making them a farm administrator).

For example, when a delegated administrator accesses the SharePoint Central Administration site, they see the following:

[Image: DelegatedCentralAdmin]

Notice that the only link available is the “Manage service applications” link.

When a delegated administrator clicks the link with our current Calculator service implementation, they can’t view or manage our service application. They just see a blank list like this:

[Image: DelegatedServiceAppMgmtEmpty]

That’s because our service application doesn’t support delegated administration yet. Let’s fix that.

Implementing Delegated Administration

To add support for delegated administration, we override the AccessibleByDelegatedAdminGroup property in the code-behind for our service application management .aspx page. The property returns true if the current user should have access to the page; otherwise, false.

Not so coincidentally, our service application class has a protected method named CheckAdministrationAccess which will return the appropriate value based on the access granted by a server farm administrator.

So, we just need to hook the AccessibleByDelegatedAdminGroup property of our page up to the CheckAdministrationAccess method of our service application.

First, we implement the AccessibleByDelegatedAdminGroup property:

ManageApplicationPage.aspx.cs

  1. public class ManageApplicationPage : GlobalAdminPageBase
  2. {
  3.     protected override bool AccessibleByDelegatedAdminGroup
  4.     {
  5.         get
  6.         {
  7.             bool allowed = false;
  8.  
  9.             CalculatorServiceApplication serviceApplication = this.ServiceApplication;
  10.             if (null != serviceApplication)
  11.             {
  12.                 allowed = serviceApplication.CheckAdministrationPageAccess();
  13.             }
  14.  
  15.             return allowed;
  16.         }
  17.     }
  18. }

If you remember Part 6 of this series, we already implemented the ServiceApplication property which returns the Calculator service application object that the user wishes to manage from this page.

The AccessibleByDelegatedAdminGroup property simply returns the result of calling the CheckAdministrationPageAccess method on the service application (line 12).

Now we just need to implement the CheckAdministrationPageAccess method on our service application:

CalculatorServiceApplication.cs

    internal sealed class CalculatorServiceApplication : SPIisWebServiceApplication
    {
        // Page-level gate: true when the current user has been granted
        // "Read" administration access to this service application.
        internal bool CheckAdministrationPageAccess()
        {
            return this.CheckAdministrationAccess(SPCentralAdministrationRights.Read);
        }
    }

This method returns true if the current user has been granted “Read” administration access to the current service application; otherwise, it returns false.

That’s it!

Not much work, and we’ve enabled a SharePoint server farm administrator to delegate management of our Calculator service application to someone without having to make that person a farm administrator.

This feature may be overkill for our simple Calculator service example, but it is a much-requested feature for complex service applications like Search.

For example, it allows a farm administrator to appoint someone else to have full management control of a Search service application without the risk that this person may accidentally destroy the server farm by clicking the wrong links and changing server farm settings outside the Search service application.

Since it’s so easy to implement, I don’t see any reason why you shouldn’t support this scenario for your service applications.

How to use it

To add a delegated administrator for our Calculator service application, you must first be logged in to the SharePoint Central Administration site as a server farm administrator.

Select a Calculator service application from the Service Applications Management page in the Central Administration site and click the Administrators button in the ribbon:

[Image: DelegatedAdministratorsButton]

Then, grant the desired delegated administrator(s) access to the service application:

[Image: DelegatedAdministratorAdd]

NOTE: You may be wondering about the “Full Control” permission and whether or not other permissions are possible. The answer is yes: service implementers may customize the rights available to delegated administrators and enforce those rights in their service applications. That’s an advanced topic that we’ll cover in a future article.

After clicking OK, when the delegated administrator navigates to the Service Applications Management page, they’ll see something like the following:

[Image: DelegatedServiceAppMgmt]

Note that only the “Manage” ribbon button is enabled. All of the other ribbon buttons are disabled because they are actions only available to server farm administrators.

Clicking the “Manage” button will allow the delegated administrator to manage the settings available for the Calculator service application:

[Image: DelegatedCalcServiceAppManagePage]
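
The grant made through the Administrators dialog above can also be scripted and, more usefully for access reviews, audited from the SharePoint 2010 Management Shell. This is an added example, not code from the original series; the service application display name and the account are placeholder assumptions, and it must be run as a farm administrator on a farm where the Calculator service application is deployed.

```powershell
# Added example (not from the original article). Run in the SharePoint 2010
# Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Placeholder assumptions: adjust both values to your farm.
$appName = "Calculator Service Application"   # hypothetical display name
$account = "CONTOSO\calcadmin"                # constructed sample account

# Resolve exactly one service application so the ACL change
# cannot land on the wrong object.
$apps = @(Get-SPServiceApplication | Where-Object { $_.DisplayName -eq $appName })
if ($apps.Count -ne 1) {
    throw "Expected exactly one service application named '$appName', found $($apps.Count)."
}
$app = $apps[0]

# -Admin selects the administrators ACL (the Administrators ribbon button),
# not the Permissions ACL that controls which callers may invoke the service.
$security = Get-SPServiceApplicationSecurity -Identity $app -Admin

# Record the ACL before the change for the review trail.
Write-Host "Administrators before:"
$security.AccessRules | Format-Table Name, AllowedRights -AutoSize | Out-Host

# Grant the same "Full Control" right that the dialog offers.
$principal = New-SPClaimsPrincipal -Identity $account -IdentityType WindowsSamAccountName
Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights "Full Control"
Set-SPServiceApplicationSecurity -Identity $app -ObjectSecurity $security -Admin

# Re-read from the farm rather than trusting the in-memory object.
Write-Host "Administrators after:"
(Get-SPServiceApplicationSecurity -Identity $app -Admin).AccessRules |
    Format-Table Name, AllowedRights -AutoSize | Out-Host
```

To remove a delegate, call Revoke-SPObjectSecurity on the same security object and write it back with Set-SPServiceApplicationSecurity -Admin.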

And that’s how delegated administration works. Enjoy!