...But I Can't Add Any More Privileges
I was left scratching my head the other day when asked to troubleshoot an Access Denied error from SharePoint. These are normally a dime a dozen, but what separated this one is that the given user was already a Site Collection administrator for that site collection. In fact, he also had Full Control on the entire Web Application through Web Application Policy.
The Delinquent Pages
They were actually all layout pages. Their URLs were:
- /_layouts/ProfMain.aspx (User profiles and properties)
- /_layouts/PersonalSites.aspx (Profile services policies)
- /_layouts/ManagePrivacyPolicy.aspx (My Site settings)
Once we got digging into these pages it became pretty obvious what the problem was. In each of these layout pages was an AdminCheck control which required the user to have the ManagePeople privilege.
<spswc:admincheck requiredright="ManagePeople" runat="server" />
If you look up the AdminCheck class, you can find it on MSDN and discover that it is "reserved for internal use and not intended to be used in your code", so not a lot of great documentation there.
The rights that drive the AdminCheck control come from the Microsoft.SharePoint.Portal.Security.PortalRight enum, and they are quite different from those that drive the more popular SPSecurityTrimmedControl. The SPSecurityTrimmedControl is set with rights from the Microsoft.SharePoint.SPBasePermissions enum. It's the SPBasePermissions that you find scattered throughout SPSites, SPWebs, SPLists, and SPItems.
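An added example, not from the original post: a small Python audit helper that scans page markup for the two gating controls described above and reports which enum each required right belongs to, so you can see up front which pages site-level permissions will never unlock. The sample markup, the page name settings-example.aspx, and the function names are constructed for illustration; PermissionsString is the attribute SPSecurityTrimmedControl uses for SPBasePermissions values.

```python
import re

# Opening server-control tags: optional "prefix:", control name, raw attribute text.
TAG_RE = re.compile(r"<\s*(?:\w+:)?(\w+)\b([^<>]*?)/?>")
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(["'])(.*?)\2""", re.S)

# control name (lower-cased) -> (attribute naming the right, enum the right belongs to)
GATES = {
    "admincheck": ("requiredright", "PortalRight"),
    "spsecuritytrimmedcontrol": ("permissionsstring", "SPBasePermissions"),
}

def find_gates(markup):
    """Return [(enum, right), ...] for every permission-gating control in the markup."""
    found = []
    for name, attr_text in TAG_RE.findall(markup):
        gate = GATES.get(name.lower())
        if gate is None:
            continue
        attr_name, enum = gate
        attrs = {k.lower(): v for k, _quote, v in ATTR_RE.findall(attr_text)}
        # PermissionsString may hold a comma-separated list of rights.
        for right in attrs.get(attr_name, "").split(","):
            if right.strip():
                found.append((enum, right.strip()))
    return found

def portal_gated(pages):
    """Paths whose access depends on a PortalRight, not on site permissions."""
    return sorted(path for path, markup in pages.items()
                  if any(enum == "PortalRight" for enum, _ in find_gates(markup)))

# Constructed sample markup (not real page contents); settings-example.aspx is hypothetical.
SAMPLE_PAGES = {
    "/_layouts/ProfMain.aspx":
        '<%@ Page Language="C#" %>\n'
        '<spswc:admincheck requiredright="ManagePeople" runat="server" />\n',
    "/_layouts/settings-example.aspx":
        '<SharePoint:SPSecurityTrimmedControl runat="server"\n'
        '    PermissionsString="ManageWeb">\n<a href="#">Settings</a>\n'
        '</SharePoint:SPSecurityTrimmedControl>\n',
}

if __name__ == "__main__":
    for path, markup in SAMPLE_PAGES.items():
        for enum, right in find_gates(markup):
            print(f"{path}: requires {enum}.{right}")
```

On a real server, build the pages dictionary by reading the .aspx files from the layouts folder instead of using the constructed samples.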
The Shorter Story
As it turns out, you add these privileges by using the Personalization services permissions link, which is embarrassingly (for us) located in the same place as the layouts pages that were throwing the error. Using this page you can associate the appropriate Microsoft.SharePoint.Portal.Security.PortalRight rights that will allow a given user access to these pages. Simply head into the Personalization services permissions page and assign the appropriate privileges. We ended up adding the Manage User Profiles permission, which gave us the appropriate rights and banished our angry Access Denied demons.
Hope that helps someone. I guess the moral of the story here is that there are other permissions besides SPBasePermissions in play within SharePoint. So there, you've been warned.