While walking another IT user through the SSP admin interface the other day I discovered that even though the user was a Farm Administrator that user was not able to get into certain pages within the SSP admin site (such as the profile properties page). Turns out that there’s additional permissions that must be granted via the "Personalization Service Permissions" page located under the "User Profiles and My Sites" section. As my goal is to make all changes necessary for our upgrade scriptable I ended up having to create a new command to give our admin group the appropriate permissions: gl-setsspacl. The challenge with this one is that the API to manipulate this information is not a public interface – almost everything is marked internal. I have no idea why this is the case – it’s really annoying (what should have been about 40 lines of code turned into about 110 lines because of all the reflection calls). I continue to be frustrated when trying to programmatically manipulate the SSP – why on earth they made so much internal is beyond me. The code to set the permissions is below (avert your eyes if you’re easily scared – using reflection is such a pain!):
And just to show how much simpler this would have been if the classes were marked as public:
The syntax of the command can be seen below:
C:\>stsadm -help gl-setsspacl stsadm -o gl-setsspacl Set the personalization services permissions for an SSP. Specify 'None' for rights to remove an existing user. Parameters: -sspname <SSP name> -rights <comma separated: All | None | CreatePersonalSite, ManageAnalytics, ManageAudiences, ManageUserProfiles, SetPermissions, UsePersonalFeatures> -user <DOMAIN\name>
Note that the user parameter can refer to a group or a user. Here’s an example of how to give a group all permissions:
stsadm -o gl-setsspacl -sspname SSP1 -rights All -user "domain\group1"
If you wish to remove a user or group then simply specify "None" for the rights. You can specify multiple rights by comma separating the values:
stsadm -o gl-setsspacl -sspname SSP1 -rights "UsePersonalFeatures, CreatePersonalSite" -user "domain\group1"