问题
I have an issue that is driving me a bit nuts: Using a UserProfileManager as an non-authorized user.
The problem: The user does not have "Manage User Profiles" rights, but I still want to use the UserProfileManager. The idea of using SPSecurity.RunWithElevatedPrivileges does not seem to work, as the UserProfileManager authorizes against the SSP as it seems.
SPSecurity.RunWithElevatedPrivileges(delegate()
{
using (SPSite site = new SPSite(inputWeb.Site.ID))
{
ServerContext ctx = ServerContext.GetContext(site);
UserProfileManager upm = new UserProfileManager(ctx,true);
UserProfile u = upm.GetUserProfile(userLogin);
DepartmentName = u["Department"].Value as string;
}
});
This still fails on the "new UserProfileManager" line, with the "You must have manage user profiles administrator rights to use administrator mode" exception.
As far as I userstood, RunWithElevatedPrivileges reverts to the AppPool Identity. WindowsIdentity.GetCurrent().Name returns "NT AUTHORITY\network service", and I have given that account Manage User Profiles rights - no luck.
site.RootWeb.CurrentUser.LoginName returns SHAREPOINT\system for the site created within RunWithElevatedPrivileges, which is not a valid Windows Account ofc.
Is there even a way to do that? I do not want to give all users "Manage User Profiles" rights, but I just want to get some data from the user profiles (Department, Country, Direct Reports). Any ideas?
回答1:
The permission that needs set is actually found in the Shared Service Provider.
- Navigate to Central Admin
- Navigate to the Shared Service Provider
- Under User Profiles and My Sites navigate to Personalization services permissions .
- If the account doesn't already exist, add the account for which your sites App Domain is running under.
- Grant that user Manage user profiles permission.
I notice that you're running the application pool under the Network Service account. I implemented an identical feature on my site; however, the application pool was hosted under a Windows account. I'm not sure why this would make a difference, however.
回答2:
There are two ways I've actually managed to accomplish this:
- Put the code that uses the UserProfileManager behind a web services layer. The web service should use an application pool identity that has access to the User Profile services.
- Use the impersonation technique describe in the following article: http://www.dotnetjunkies.com/WebLog/victorv/archive/2005/06/30/128890.aspx
回答3:
Thanks for the Answers. One Caveat: if you run the Application Pool as "Network Service" instead of a Domain Account, you're screwed.
But then again, it's recommended to use a domain account anyway (On a test server I used network service, but after changing it to a domain account it worked).
回答4:
Here's the answer. Its a stupid Microsoft bug, and there is a hotfix. I'm downloading now to test it.
http://support.microsoft.com/kb/952294/en-us
来源:https://stackoverflow.com/questions/82788/sharepoint-userprofilemanager-without-manage-user-profiles-right