Grant Users Admin Access to all Site Collections per Web Application

In SharePoint 2003, we had an option in the central admin to add users and/or domain groups to a group called "SharePoint Administrators".  This group was granted full control for all site collections within the farm.  Many customers took full advantage of this solution, in particular larger organizations that staff a helpdesk for their SharePoint environments.  Helpdesk personnel were able to work directly in a site collection to help resolve user issues without having to be granted access to the site collection by a site administrator.  The flip side of this coin is information sensitivity. The users in the "SharePoint Administrators" group had free rein to browse site collections with minimal auditing.

In WSS 3.0 and MOSS 2007, we have incorporated a two-tier architecture for administrators.  We still have the concept of a "SharePoint Administrator" but we now call it a "Farm Administrator."  The Planning for Security Roles TechNet article does a great job of outlining what users in the "Farm Administrator" role can and cannot do.  In short, we still allow helpdesk personnel and administrators to access any site collection in the farm; however, they now have to grant themselves access to the site collection before they can access it, and that grant is recorded in the audit logs.

Now for those environments that do not have the auditing requirements designed into the "Farm Administrator" functionality and want the behavior from SharePoint 2003, there is a way to grant individual users and/or domain groups access to all existing and future site collections in the farm. To do this, navigate to Central Admin > Application Management > Policy for Web Application.  This area allows you to grant an individual user or group access to a specific web application (and zone).  The permission set you can grant someone is not extremely granular, but you have the option of granting Full Control, Read Only Access, Deny Write or Deny All, which I imagine works for most situations.
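
Because these policy grants bypass the "grant yourself access" step that the audit log records, it helps to review them periodically. The script below is an added example, not part of the original post: a read-only report of every Policy for Web Application entry in the farm, built on the SharePoint server object model. It assumes PowerShell 2.0 or later running on a farm server under a farm administrator account; `Get-PolicyRows` is a hypothetical helper name.

```powershell
# Added example: read-only report of Policy for Web Application grants.
# Assumption: run on a farm server with PowerShell 2.0+ as a farm administrator.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

# Hypothetical helper: emit one row per (user or group, policy role) pair.
function Get-PolicyRows($webApp, $scope, $policies) {
    foreach ($policy in $policies) {
        foreach ($role in $policy.PolicyRoleBindings) {
            New-Object PSObject -Property @{
                WebApplication = $webApp.Name
                Scope          = $scope
                Account        = $policy.UserName
                DisplayName    = $policy.DisplayName
                Role           = $role.Type   # FullControl, FullRead, DenyWrite, DenyAll or None (custom)
                RoleName       = $role.Name
            }
        }
    }
}

$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService

$report = foreach ($webApp in $contentService.WebApplications) {
    # Policies that apply to every zone of the web application.
    Get-PolicyRows $webApp "All zones" $webApp.Policies

    # Policies scoped to one zone; only zones that are actually configured.
    foreach ($zone in $webApp.IisSettings.Keys) {
        Get-PolicyRows $webApp $zone $webApp.ZonePolicies($zone)
    }
}

# Full listing, ordered for review.
$report |
    Select-Object WebApplication, Scope, Account, DisplayName, Role, RoleName |
    Sort-Object WebApplication, Scope, Account |
    Format-Table -AutoSize

# Full Control grants are the SharePoint 2003-style access described above.
$fullControl = [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl
$report | Where-Object { $_.Role -eq $fullControl } |
    Select-Object WebApplication, Scope, Account |
    Format-Table -AutoSize
```

The script only reads the policy collections and never calls `Update()`, so it does not change any permissions.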