When granting Full Control access to SharePoint web applications through PowerShell, it is often a good idea to also flag the account as a ‘System User’; otherwise the account shows up in permission views that end users can see, such as the UserInfoList. In PowerShell this is done by setting the policy attribute IsSystemUser to $True.
However, when SAML claims authentication is used, this doesn’t work. I wrote a function to add all types of users to the web application policy during installation/configuration, but it failed whenever I set IsSystemUser to $True for a TrustedIdentityProvider claims account.
The error didn’t help me a lot:
PS C:\> $Policy.IsSystemUser = $True
Exception setting “IsSystemUser”: “i:05.t|adfs|administrator@wobl.it”
At line:1 char:1
+ $Policy.IsSystemUser = $True
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], SetValueInvocationException
+ FullyQualifiedErrorId : ExceptionWhenSetting
The code I used was fairly simple and failed only when setting ‘IsSystemUser’ to $True ($WebApp is the SPWebApplication object the policy is added to):

# SAML (trusted identity provider) claims account, encoded as SharePoint stores it
$UserName = "i:05.t|adfs|administrator@wobl.it"
$DisplayName = "Wouter Bleeker as system user"
$PolicyRoleName = "Full Control"
# Add a new policy entry for the account
[Microsoft.SharePoint.Administration.SPPolicyCollection]$Policies = $WebApp.Policies
[Microsoft.SharePoint.Administration.SPPolicy]$Policy = $Policies.Add($UserName,$DisplayName)
# Look up the role ("Full Control") to bind to the policy
[Microsoft.SharePoint.Administration.SPPolicyRole]$PolicyRole = $WebApp.PolicyRoles | ?{$_.Name -eq $PolicyRoleName}
# This is the line that throws for a SAML claims account
$Policy.IsSystemUser = $True
$Policy.PolicyRoleBindings.Add($PolicyRole)
$WebApp.Update()
It took me a while to figure out it was only happening when using SAML Claims accounts. No help from msdn on this.
The code in the Microsoft.SharePoint dll reveals why it fails: the IsSystemUser setter does a SID lookup (LookupAccountName) on the provided user name. When a regular Windows claims account is used, it decodes the claim and uses the decoded Windows account as the lookup text; a claim from any other issuer, such as a SAML trusted identity provider, is passed to the lookup in its encoded form, which cannot resolve to a user SID, so the setter throws. It sure is a pity they didn’t include a specific failure message or any documentation on this part. Also, there doesn’t seem to be a failure text in the SharePoint code for the stated error ‘PolicyUserCannotSetAsSystem’.

if (value == this.m_IsSystemUser)
{
    return;
}
if (!this.m_Parent.Parent.Farm.CurrentUserIsAdministrator())
{
    throw new System.Security.SecurityException(SPResource.GetString("AccessDenied", new object[0]));
}
bool flag = false;
if (this.m_Parent.m_ZoneId == -1)
{
    string text = this.UserName;
    if (SPClaimEncodingManager.IsEncodedClaim(text))
    {
        SPClaim sPClaim = SPClaimEncodingManager.DecodeClaim(text);
        if (SPOriginalIssuers.GetIssuerType(sPClaim.OriginalIssuer) == SPOriginalIssuerType.Windows)
        {
            text = sPClaim.Value;
        }
    }
    string text2;
    SPAdvApi32.SID_NAME_USE sID_NAME_USE;
    SPAdvApi32.LookupAccountName(text, out text2, out sID_NAME_USE);
    if (SPAdvApi32.SID_NAME_USE.SidTypeUser == sID_NAME_USE)
    {
        flag = true;
    }
}
if (!flag)
{
    throw new SPException(SPResource.GetString("PolicyUserCannotSetAsSystem", new object[0]));
}
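Since the setter can only succeed for identities that resolve to a Windows SID, a policy-adding function can perform the same issuer check up front and skip IsSystemUser (with a warning) for SAML accounts instead of aborting the whole installation. The function below is an added example, not the code from the original post; it assumes the SharePoint snap-in is loaded, that the caller is a farm administrator, and that the public SPClaimProviderManager.IsEncodedClaim / Local.DecodeClaim and SPOriginalIssuers.GetIssuerType helpers behave like the internal checks shown in the decompiled code above. The web application URL and the CONTOSO account in the usage lines are placeholders.

```powershell
# Added example (not the original post's code). Assumes:
#   Add-PSSnapin Microsoft.SharePoint.PowerShell has been run and the caller is a farm admin.
function Add-WebAppPolicyAccount {
    param(
        [Parameter(Mandatory = $true)]
        [Microsoft.SharePoint.Administration.SPWebApplication]$WebApp,

        # Encoded claim (i:0#.w|DOMAIN\user or i:05.t|adfs|user@domain) or a classic DOMAIN\user account
        [Parameter(Mandatory = $true)]
        [string]$UserName,

        [Parameter(Mandatory = $true)]
        [string]$DisplayName,

        [string]$PolicyRoleName = "Full Control",

        [switch]$AsSystemUser
    )

    # Mirror the check SPPolicy.IsSystemUser performs internally: the setter resolves the account
    # to a SID with LookupAccountName, so only Windows identities (claims-encoded or classic) can be
    # flagged as system user. Claims from any other issuer (SAML / trusted provider) will throw.
    $CanBeSystemUser = $true
    if ([Microsoft.SharePoint.Administration.Claims.SPClaimProviderManager]::IsEncodedClaim($UserName)) {
        $Claim = [Microsoft.SharePoint.Administration.Claims.SPClaimProviderManager]::Local.DecodeClaim($UserName)
        $IssuerType = [Microsoft.SharePoint.Administration.Claims.SPOriginalIssuers]::GetIssuerType($Claim.OriginalIssuer)
        $CanBeSystemUser = ($IssuerType -eq [Microsoft.SharePoint.Administration.Claims.SPOriginalIssuerType]::Windows)
    }

    if ($AsSystemUser -and -not $CanBeSystemUser) {
        Write-Warning ("'{0}' is not a Windows identity; the policy is created but IsSystemUser stays unset, so the account remains visible in UserInfoList." -f $UserName)
    }

    # Fail fast if the requested role does not exist on this web application
    $PolicyRole = $WebApp.PolicyRoles | Where-Object { $_.Name -eq $PolicyRoleName }
    if (-not $PolicyRole) {
        throw "Policy role '$PolicyRoleName' does not exist on $($WebApp.Url)"
    }

    $Policy = $WebApp.Policies.Add($UserName, $DisplayName)
    $Policy.PolicyRoleBindings.Add($PolicyRole)
    if ($AsSystemUser -and $CanBeSystemUser) {
        $Policy.IsSystemUser = $true
    }
    $WebApp.Update()
    return $Policy
}

# Usage (placeholder URL and Windows account; the SAML account is the one from the post):
$WebApp = Get-SPWebApplication "http://sharepoint.example.local"
Add-WebAppPolicyAccount -WebApp $WebApp -UserName "i:0#.w|CONTOSO\svc_install" -DisplayName "Install account" -AsSystemUser
Add-WebAppPolicyAccount -WebApp $WebApp -UserName "i:05.t|adfs|administrator@wobl.it" -DisplayName "Wouter Bleeker" -AsSystemUser
```

The second call creates the Full Control policy for the ADFS account but emits a warning instead of the SetValueInvocationException, which is what you want during an unattended configuration run: the permission is granted, and the fact that this account will be visible to end users is recorded rather than silently lost.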