So recently I had a customer ask how the administration permissions worked within the User Profile Service Application, because they had concerns about how much permissions they had to give to a service account for a 3rd party application. So they wanted to understand how those permissions worked and what they would get access to, and here is what I figured out.
First of all one thing you have to realize is that none of these permissions will provide the user with permissions on any SQL databases or any other object in SharePoint. The permission is thru the Service Application itself.
The user will also get a security trimmed view of Central Admin, they will only be able to see the User Profile Service Application itself. And if they try to access anything that is beyond there permissions they will get an Access Denied.
The permissions (Manager Profiles, Manage Audiences, Manage Permissions, Retrieve People Data for Search Crawlers, and Manage Social Data) are all feature permissions.
But no matter what we still want to follow least-privilege architecture even within the Service Application, so make sure you only give Feature admins and Service application admins the least level of permissions that they require to perform there job.
Manage Profiles - This level will give a user account the ability to Add, Delete, or Edit permissions thru the User Profile Application.
Manage Audiences - This level will give a user account the ability to Create, Delete, or Schedule audiences.
Manage Permissions - This level will give a user the ability to Add, Remove or Edit a users permission to the UPA and Social features.
Retrieve People Data for Search Crawlers - This level will give a user the ability to read profiles and there properties
Manage Social Data - This level will give a user the ability to manage social tags and notes for all users.
Full Control - This level will give a user the ability to configure the Service Application and all the pieces of it.
Assign administration of a User Profile service application (SharePoint Server 2010)
Assign administration of User Profile service features (SharePoint Server 2010)
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.