Nov 02 2016 06:51 AM - edited Nov 02 2016 07:11 AM
Hello, PnP Provisioning experts,
SITUATION SPECIFICS
TARGET: newly created sub site in SP2013
IS SHAREPOINT ADD-IN? No
CODE CONTAINER: C# in a custom .NET 4.6.2 Console App
AUTHENTICATION: clientContext.Credentials = CredentialCache.DefaultNetworkCredentials (running the Console App as the same domain account that is a site collection administrator)
NUGET PACKAGE: SharePointPnPCore2013 v2.8.1610.1 (latest one at the time of this writing)
When ApplyProvisioningTemplate() is called, it successfully applies a saved .pnp site template to an existing sub site with the situation specifics above (no problem).
ISSUE
When ApplyProvisioningTemplate() is called when a saved .pnp site template has custom managed metadata site columns in it, an exception is thrown (note: full stack trace at the end of this message):
Access denied. You do not have permission to perform this action or access this resource.
The ProgressDelegate messages stopped on "Term Groups":
Regional Settings
Supported UI Languages
Features
Term Groups
That gave me the immediate idea that this account does not have enough permission on the Managed Metadata service to read things inside it. So, in Central Admin, I added the (Test User) domain account I'm running the console app under to the Managed Metadata Service and gave it "Read Access to Term Store" permission.
After doing that, immediately re-ran the Console App, but same exact error. :(
What am I missing? It shouldn’t need write permission, since the termsets and term groups are already in the farm, correct? Does it need more permissions than that?
Should I be configuring something else in Central Admin to give correct permissions to this account to access the Managed Metadata Service? If so, where?
Any other ideas of things to try? Anything else I'm missing?
Customer is looking for a least privilege farm configuration above all else.
Thanks for any and all help.
Exception details:
Microsoft.SharePoint.Client.ServerUnauthorizedAccessException was unhandled by user code
HResult=-2146233088
Message=Access denied. You do not have permission to perform this action or access this resource.
ServerErrorCode=-2147024891
ServerErrorTraceCorrelationId=e575b39d-be11-5018-add7-0c0c29dd4875
ServerErrorTypeName=System.UnauthorizedAccessException
ServerStackTrace=""
Source=Microsoft.SharePoint.Client.Runtime
StackTrace:
at Microsoft.SharePoint.Client.ClientRequest.ProcessResponseStream(Stream responseStream)
at Microsoft.SharePoint.Client.ClientRequest.ProcessResponse()
at Microsoft.SharePoint.Client.ClientRequest.ExecuteQueryToServer(ChunkStringBuilder sb)
at Microsoft.SharePoint.Client.ClientRequest.ExecuteQuery()
at Microsoft.SharePoint.Client.ClientRuntimeContext.ExecuteQuery()
at Microsoft.SharePoint.Client.ClientContext.ExecuteQuery()
at Microsoft.SharePoint.Client.ClientContextExtensions.ExecuteQueryImplementation(ClientRuntimeContext clientContext, Int32 retryCount, Int32 delay)
at Microsoft.SharePoint.Client.ClientContextExtensions.ExecuteQueryRetry(ClientRuntimeContext clientContext, Int32 retryCount, Int32 delay)
at OfficeDevPnP.Core.Framework.Provisioning.ObjectHandlers.ObjectTermGroups.ProvisionObjects(Web web, ProvisioningTemplate template, TokenParser parser, ProvisioningTemplateApplyingInformation applyingInformation)
at OfficeDevPnP.Core.Framework.Provisioning.ObjectHandlers.SiteToTemplateConversion.ApplyRemoteTemplate(Web web, ProvisioningTemplate template, ProvisioningTemplateApplyingInformation provisioningInfo)
at Microsoft.SharePoint.Client.WebExtensions.ApplyProvisioningTemplate(Web web, ProvisioningTemplate template, ProvisioningTemplateApplyingInformation applyingInformation)
Nov 07 2016 05:58 AM
Hi Alex,
To rule out the issue with pnp permission vs actual permission can you create (as an admin) a test list/library with managed metadata column and then create an item (as test user)? Goal is to check access to the term set via UI.
If this works then the call being made is requiring more permissions than the "read only" despite the read only requirement in this case behind the scene.
Regards,
Jasjit
PS: Out of curiosity, does it work when you give it full permissions?
Nov 07 2016 07:12 AM
You will need to be a term store administrator
Nov 08 2016 05:08 AM
Hi Alex,
If you are not using add-in authentication, you don't need any additional configuration to read data from MMS.
It seems that provisioning engine tries to modify something in MMS. If you apply template to the same site collection where template was extracted from it should not do any changes, so it may be a bug. If you apply template to different site collection, it may try to replicate site collection term group, so you need write permissions in this case.
__
Br, Ivan
Nov 08 2016 12:48 PM
Jasjit, Pieter, and Ivan - Thanks so much for replying and helping so far!
To rule out the issue with pnp permission vs actual permission can you create (as an admin) a test list/library with managed metadata column and then create an item (as test user)? Goal is to check access to the term set via UI.
If this works then the call being made is requiring more permissions than the "read only" despite the read only requirement in this case behind the scene.
I tried this. Code works fine as farm administrator and through UI as farm administrator.
PS: Out of curiosity, does it work when you give it full permissions?
No, still same error. I tried all permission levels. See below...
You will need to be a term store administrator
Yes, this appears to be my guess. Didn't get to test this yet. Really strange that the PnP and CSOM code needs that high a level of permission just to apply a site template to a sub site. Really looking to see if there's any other way other than granting that high a level of permission to that account.
If you are not using add-in authentication, you don't need any additional configuration to read data from MMS.
Correct I'm not using add-in authentication. I'm using NTLM/Kerberos. I agree in theory that I "shouldn't" need any additional configuration to read data from MMS... however PnP Provisioning engine seems to be trying to write there (even though it's in the same farm and the term groups, term sets, and terms are already there in MMS).
It seems that provisioning engine tries to modify something in MMS. If you apply template to the same site collection where template was extracted from it should not do any changes, so it may be a bug. If you apply template to different site collection, it may try to replicate site collection term group, so you need write permissions in this case.
Yep, understood. I agree in theory that's what it should be doing... the relationship between site collection term groups and the MMS term groups is not as clear to me. Everything is already in MMS and perfect, yet the PnP provisioning engine is still trying to write there.
Really weird.
If anyone has any other ideas (or runs other tests that I haven't tried yet), let me know. I have elected to temporarily disable the ability for the site template to apply term groups to the newly created site, and things are working as of now. However, I suspect I will need it turned on and working in the future. Thanks for any additional research/repro in advance...
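As an added example (not code from this thread or from the PnP project), this is one way to do what the post above describes: apply the .pnp package with every handler except TermGroups, so the console app account only needs the "Read Access to Term Store" permission already granted rather than term store administrator rights. The site URL, folder and package name are placeholders, and it assumes the template's managed metadata fields reference term sets that already exist in the farm.

```csharp
using System;
using System.Net;
using Microsoft.SharePoint.Client;
using OfficeDevPnP.Core.Framework.Provisioning.Connectors;
using OfficeDevPnP.Core.Framework.Provisioning.Model;
using OfficeDevPnP.Core.Framework.Provisioning.ObjectHandlers;
using OfficeDevPnP.Core.Framework.Provisioning.Providers.Xml;

class Program
{
    static void Main()
    {
        // Placeholder values: replace with the real sub site URL and .pnp package location.
        string siteUrl = "https://sharepoint.example.local/sites/hr/newsubsite";
        string pnpFolder = @"C:\templates";
        string pnpFile = "SiteTemplate.pnp";

        using (var ctx = new ClientContext(siteUrl))
        {
            // Same authentication as in the original post: the account running the app.
            ctx.Credentials = CredentialCache.DefaultNetworkCredentials;

            // Open the saved .pnp package and load the template it contains.
            var connector = new OpenXMLConnector(pnpFile, new FileSystemConnector(pnpFolder, ""));
            var provider = new XMLOpenXMLTemplateProvider(connector);
            ProvisioningTemplate template = provider.GetTemplates()[0];
            template.Connector = connector;

            var info = new ProvisioningTemplateApplyingInformation
            {
                // Run all handlers except TermGroups: the engine then never writes to the
                // term store, so a read-only term store permission is enough for this account.
                // Fields bound to existing term sets are still provisioned by the Fields handler.
                HandlersToProcess = Handlers.All & ~Handlers.TermGroups,

                // Same progress output the post used to see where the run stopped.
                ProgressDelegate = (message, step, total) =>
                    Console.WriteLine("{0}/{1} {2}", step, total, message)
            };

            ctx.Web.ApplyProvisioningTemplate(template, info);
        }
    }
}
```

If the template later has to create new term groups, re-enable the handler and run that step under an account with term store write rights, keeping the everyday provisioning account read-only.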
Nov 08 2016 12:52 PM
Nov 08 2016 12:58 PM
That explains it for sure - Thanks !
Nov 09 2016 04:26 AM
@Pieter Veenstra - thanks Pieter