Adding New SSP Administrators
Delegating administration duties for a SharePoint Shared Service Provider (SSP) separates duties while keeping the environment secure and practicing the principle of least privilege. The process to grant access to other administrators might not be so obvious at first because you do not assign all SSP permissions in the Site Permissions section using SharePoint groups as one might expect.
When you add a new user account to the SSP site, even if you grant them Full Control permissions or add them as a Site Collection Administrator, initially they will experience access denied error messages when they click on any of the following links:
- User profiles and properties
- Profile services policies
- My Site settings
- Personalization services permissions
- Audiences
- Import application definition
- Business Data Catalog permissions
These sections need to have permissions explicitly set. Initially, the setup account will have full access to the SSP, so use that account to grant rights to new SSP administrators you wish to delegate SSP administrative duties to.
Notice the items highlighted in bold in the list above. These are where you assign the remaining SSP permissions. Adding new SSP administrators to the "Personalization services permissions" section and granting appropriate rights will grant rights related to the first five links in the list above. Repeating the process in the "Business Data Catalog permissions" section will grant rights related to the last two links.
At this point, the new SSP administrator has all the appropriate access permissions they need to administrate the SSP.