Saturday, October 15, 2016

One reason why SPFarm.CurrentUserIsAdministrator() returns false for farm administrators

If you need to check whether current user is farm admin in Sharepoint you may use SPFarm.CurrentUserIsAdministrator method. However you may face with the problem that it returns false even for users which belong to farm admins group. Some posts mention that starting from Sharepoint 2010 if you want to call this method from content web application (not from central admin web application context) you need to use overridden version which receives boolean parameter allowContentApplicationAccess:

   1: SPFarm.CurrentUserIsAdministrator(true)

The problem is that even with this call it may still return false. In order to get correct return value you need to set SPWebService.RemoteAdministratorAccessDenied property to false which can be done e.g. by PowerShell:

   1: $contentService =
   2: [Microsoft.SharePoint.Administration.SPWebService]::ContentService
   3: $contentService.RemoteAdministratorAccessDenied = $false
   4: $contentService.Update()

After that it will be possible to use SPFarm.CurrentUserIsAdministrator() method and do other actions which are not allowed by default, e.g. update SPPersistedObject instances in config database. Be aware however that more power requires more responsibility and with such configuration you should be more careful with security configuration in order to not allow malicious users to harm your system.

No comments:

Post a Comment