Tuesday, March 10, 2009

SharePoint Access Denied on SPWebApplication

I've been working on a SharePoint solution that needed to write properties to the current web application. Everything worked just fine on my development machine. But on some of our test machines, I found the following message in the SharePoint logs:

The SPPersistedObject, SPWebApplication Name=Default Web Site Parent=SPWebService, could not be updated because the current user is not a Farm Administrator.

System.Security.SecurityException: Access denied.

This turns out to be correct behavior, but it took a while to understand what was going on and how to set up my development machine to reproduce the problem.

In my code to set the web application property value, I was using RunWithElevatedPrivileges to ensure I had rights. However, what I didn't realize is that elevating privileges gives you full access to the content database, but not to the configuration database. SPWebApplication's property bag is stored in the configuration database, not the content database. That was one piece to the puzzle.

The other piece to the puzzle was how I had my development machine set up. I was using the same account for both the Central Administration application pool and the application pool used to run the regular web applications. So in essence, I was implicitly granting my code rights to write to the configuration database.

When I modified the application pools to use two different accounts, I was able to reproduce this problem on my development machine.

Here is a summary:

  • RunWithElevatedPrivileges only provides full access to the content database for the current web application. In other words, you can modify read-only lists, write SPWeb properties, etc. But you can't make changes to the SPWebApplication because it is persisted to the configuration database.
  • Always make sure your application pools for normal web applications are using a different account than the Central Administration application pool. This is recommended practice for production machines, but you should also set up your development and test machines this way to catch problems early.
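
One way to check the second point on a given farm, as an added example that is not code from the original post: a small C# console program against the SharePoint object model that lists the web applications whose application pool account matches the Central Administration one. The class and method names are hypothetical, and it assumes it runs on a farm server under an account that can read the farm configuration, with the pools running under named accounts.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.SharePoint.Administration;

// Added example (hypothetical names): audit for application pools that share
// the Central Administration account. Reference Microsoft.SharePoint.dll.
public static class AppPoolAccountAudit
{
    // Returns one entry per content web application whose application pool
    // runs under the same account as the Central Administration pool.
    public static List<string> FindSharedAccounts()
    {
        string caAccount =
            SPAdministrationWebApplication.Local.ApplicationPool.Username;
        List<string> shared = new List<string>();

        // ContentService holds the regular (non-administration) web applications.
        foreach (SPWebApplication webApp in SPWebService.ContentService.WebApplications)
        {
            string account = webApp.ApplicationPool.Username;

            // Windows account names are case-insensitive.
            if (string.Equals(account, caAccount, StringComparison.OrdinalIgnoreCase))
            {
                shared.Add(webApp.Name + " (" + account + ")");
            }
        }
        return shared;
    }

    public static int Main()
    {
        List<string> shared = FindSharedAccounts();
        foreach (string entry in shared)
        {
            // Code in these web applications can write to the configuration
            // database, so the "Access denied" error will not show up here.
            Console.WriteLine("Shares the Central Administration account: " + entry);
        }

        // A non-zero exit code lets a build or deployment script flag the machine.
        return shared.Count == 0 ? 0 : 1;
    }
}
```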

5 Comments:

At 6/16/09 11:29 AM, Anonymous Mahesh said...

I am also facing a similar issue.
I have a site collection level feature; when I try to activate this feature I get an access denied message. But the same feature gets activated in another web application. Both the web apps use the same application pool account.

 
At 7/15/09 12:52 PM, Anonymous Mahesh said...

The reason for this was very strange. I had turned off the site permission for creating sub sites and that was the reason I was not able to turn on a few features. Once I enabled the sub site creation permission through CA, I was able to activate the features.

 
At 7/29/09 5:09 AM, Anonymous Ebralph said...

Here is a link to a blog which goes into a bit more detail: http://hristopavlov.wordpress.com/2009/01/

 
At 12/1/09 9:33 PM, Anonymous Anonymous said...

Would have been good to say what you actually did to solve it though, all you've done is describe the problem.

 
At 2/17/10 1:26 PM, Anonymous Tomas said...

Thanks, this was helpful information.

 
