SharePoint Site Collection Ownership Issues: Assigning Permissions to a Web Application
SharePoint is one technology that has its fair share of configuration points, and a common point of confusion is around site collection ownership. In this article, I’m going to look at the role of the site collection owner and explain why it might not be the best practice to let farm administrators assert their authority over site collections.
Should You List Farm Administrators as the Site Collection Owner?
A common question is whether farm administrators should also be listed as site collection owners. You might see this type of setup in smaller environments or new SharePoint implementations where the SharePoint farm administrators are also responsible for creating site collections.
During the creation of a site collection, SharePoint prompts us to create a primary and secondary owner of the new site collection. It makes sense that the person creating the site collection would want to maintain some degree of ownership and administrative access to the site collection. After all, this person typically needs to be able to answer questions about the site and features of SharePoint, so it seems a good place for them.
Site Collection Ownership and SharePoint Farm Administration Differences
Site collection owners actually possess a different set of roles and responsibilities than farm administrators. Traditionally, farm administrators are primarily responsible for the SharePoint features running the farm and the configuration of the web applications.
To a certain extent, farm administrators are responsible for site collections, but their duties tend to be limited to the initial setup and configuration of site collections. Once initial setup and configuration is complete, it is up to site collection owners to take over the role of using the site collection.
Should a farm administrator create a document library on a site collection? It certainly happens, but I argue that this approach allows the farm administrator to take on the role of the site collection owner. Stated differently, this approach really is one person fulfilling two separate roles.
Who Should Be Listed as the Site Collection Owner?
As a best practice, the people who are responsible for the content and the departments that own the sites should be listed as site collection owners. It doesn’t matter whether this person is a department manager or a SharePoint expert, but this person should be the one who gets final say on user access to documents and files in the site collection.
Keep in mind that site collection owners have special privileges in the site collection, which includes the ability to add users and manage permissions, as well as being able to create additional sites in the site collection.
When determining the best person for site collection ownership, the most significant thing I look for is not their technical ability to create or edit their SharePoint site, but their ability to respond to site access requests and quota notifications. This is important because site collection owners receive these notices. As an example, a high-level executive who does not have time to answer their own email usually does not make a good fit for a site collection owner.
While farm administrators are skilled enough to quickly handle granular account and permission requests, their knowledge of who needs access to departmental sites doesn’t scale in large organizations.
How to Give Farm Administrators Access to Site Collections
It’s important to note that there are only two site collection owner slots available in the site collection creation page. These slots must be delegated to users, not groups. Although we can add additional people with full-control permissions, we still have a site collection owner and backup owner that are specified in the site collection settings.
If a farm administrator takes one of the site collection owner slots, then the site's end users lose the efficiency of having owners who are able to approve and react to requests. With that said, farm administrators often need to administer not only the farm and SharePoint features on the macro scale, but also to respond to individual site and site collection issues.
Thankfully, there is a way to quickly and easily grant farm administrators access to not just a single site or site collection, but to all site collections within a web application.
This is done in Central Administration, and here’s how to do it.
- Log into Central Administration, click on Manage Web Applications under the Application Management heading.
- Select the web application to which you want to grant access, and click User Policy.
The users that have already been granted web application-wide permissions are listed.
- Click Add Users.
- Select the zones in which to apply permissions. If your web application uses multiple zones, then you may have a reason to limit this permission to only one zone. In many cases, the broad permissions being applied can reasonably be set to All Zones. Click Next.
- Enter the users to whom you wish to apply permissions and choose the permission levels to grant them. In our case, we are selecting the full control permission level, while also keeping the “treat the account as system” checkbox unselected. Treating the account as a system account hides the account's actions in the logs by lumping them in with system, so it’s not what we’d want for a user or even an administrative user. Click Finish.
Now you can review the web application user policy again and verify the users that you’ve added.
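The same grant and review can be scripted from the SharePoint Management Shell on a farm server. The following is an added example, not part of the original article: the URL and account are placeholders, and the function names are hypothetical. It applies the policy to all zones, leaves the system-account flag off, and then lists every policy entry in the farm so that entries flagged as system accounts stand out.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Grant-FullControlPolicy {
    param([string]$Url, [string]$Login, [string]$DisplayName)
    $wa = Get-SPWebApplication -Identity $Url
    # Claims-mode web applications store the claims-encoded login name.
    if ($wa.UseClaimsAuthentication) {
        $Login = (New-SPClaimsPrincipal -Identity $Login `
            -IdentityType WindowsSamAccountName).ToEncodedString()
    }
    # $wa.Policies is the "All zones" collection shown under User Policy.
    $policy = $wa.Policies | Where-Object { $_.UserName -eq $Login }
    if ($null -eq $policy) { $policy = $wa.Policies.Add($Login, $DisplayName) }
    $role = $wa.PolicyRoles.GetSpecialRole(
        [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl)
    if (-not ($policy.PolicyRoleBindings | Where-Object { $_.Type -eq $role.Type })) {
        $policy.PolicyRoleBindings.Add($role)
    }
    $policy.IsSystemUser = $false   # keep the account's own name in the logs
    $wa.Update()
}

function Get-WebAppPolicyReport {
    foreach ($wa in Get-SPWebApplication) {
        # All-zones entries first, then any zone-specific entries.
        $sets = @{ 'All zones' = $wa.Policies }
        foreach ($zone in $wa.IisSettings.Keys) {
            $sets["$zone"] = $wa.ZonePolicies($zone)
        }
        foreach ($name in $sets.Keys) {
            foreach ($p in $sets[$name]) {
                [pscustomobject]@{
                    WebApplication = $wa.Url
                    Zone           = $name
                    UserName       = $p.UserName
                    Roles          = ($p.PolicyRoleBindings |
                                      ForEach-Object { $_.Name }) -join ', '
                    IsSystemUser   = $p.IsSystemUser
                }
            }
        }
    }
}

# Placeholder values; replace before running.
Grant-FullControlPolicy -Url 'https://intranet.example.com' `
    -Login 'EXAMPLE\spfarmadmin' -DisplayName 'SP Farm Admin'
Get-WebAppPolicyReport | Sort-Object WebApplication, Zone | Format-Table -AutoSize
```

Rows where IsSystemUser is True are the ones whose activity will be logged as the system account rather than under the user's own name.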
At the next login attempt, the users that are in the user policy for the web application are granted access to all sites and site collections in the web application. No fine-grained policies at the list, site, or site collection level can override the web application user policy.
Because we granted the farm administrators full control, they now have everything they need to make configuration changes to all site collections in the web application, and they won’t get nagged about site access requests when they don’t know the requester or whether they should be allowed to view the site.