Operation requires user to be Service Application Administrator to be able to execute the code

Recently I had a customer who had some very simple code in an application page (in the _layouts folder) to find the crawled properties that are mapped to a managed property in the Search Service Application (in SharePoint 2010), as given below:

    1: SPServiceContext context = SPServiceContext.GetContext(SPServiceApplicationProxyGroup.Default, SPSiteSubscriptionIdentifier.Default);
    2: SearchServiceApplicationProxy searchProxy = context.GetDefaultProxy(typeof(SearchServiceApplicationProxy)) as SearchServiceApplicationProxy;
    3: SearchServiceApplicationInfo ssai = searchProxy.GetSearchServiceApplicationInfo();
    4: SearchServiceApplication application = Microsoft.Office.Server.Search.Administration.SearchService.Service.SearchApplications.GetValue<SearchServiceApplication>(ssai.SearchServiceApplicationId);
    5: Schema sspSchema = new Schema(application);
    6:  
    7: ManagedPropertyCollection managedProperties = sspSchema.AllManagedProperties;
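     8: Dictionary<string, string> mappings = new Dictionary<string, string>(); // crawled property name -> managed property name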
    9: foreach (ManagedProperty managedProperty in managedProperties)
   10: {
   11:     string managedPropertyName = managedProperty.Name;
   12:  
   13:     //check to see if the managed property is mapped to one of our crawled properties
   14:     foreach (CrawledProperty crawledProperty in managedProperty.GetMappedCrawledProperties(managedProperty.GetMappings().Count))
   15:     {
   16:         if (!mappings.ContainsKey(crawledProperty.Name))
   17:         {
   18:             //if it is and has not yet been added to the list of managed fields, add it
   19:             mappings.Add(crawledProperty.Name, managedPropertyName);
   20:  
   21:         }
   22:     }
   23: }

Now when we hit line 14 (ManagedProperty.GetMappings().Count), it always returns 0 (zero) as the Mappings count. I am the Farm Administrator and the Service Account, but I am still not able to pull in the data.

If I log into SharePoint Central Admin, I am able to see all the mappings from the SharePoint UI. So there must be something that SharePoint is doing which my custom application is not doing to get the data.

After searching on the net for quite some time and finding nothing, I started to dig into SharePoint’s source to see what is going on here and what is behind SharePoint’s UI that makes it work.

Tracing the code and following its path, I figured out that you need to give your account Administrator access to the Search Service Application.

I tried that and added myself as Search Service Administrator: under Central Administration Site -> Application Management -> Manage Service Applications -> Search Service Application, click on the Administrators button in the ribbon and add yourself to the list with Full Control. Once that was done, I was able to get the results properly without any issues.

But while adding myself as the Search Service Application’s administrator, I noticed a line in the dialog box which said:

Specify the users who have rights to manage this service application. These users will be given access to the Central Administration site and will be able to manage settings related to this service application. Members of the Farm Administrators group always have rights to manage all service applications.

The line highlighted in RED did not sound right. If I am already a Farm Administrator, I should have rights for this application. Then why would I need to add myself explicitly as Search Service Application administrator?!

This got me digging again and engaging my friendly escalation engineer on it. After quite some time studying SharePoint’s code, a small line caught our notice, which effectively said (paraphrased):

If you are a Farm Administrator, you will have access to Search Service Application only from SharePoint’s Central Administration site. If you are not in Central Administration site, you would need to add yourself explicitly to the Search Service Application as administrator.

The basic message was that, due to enhanced security in SharePoint 2010, you cannot execute this piece of code from a content web application (your team or publishing site) but ONLY from the admin web application (aka the SharePoint Central Administration website).

To validate this, I removed myself from the Search Service Application’s administrator list. As my code was already there in the _layouts folder, I accessed it using my Central Admin’s URL (http://sp2010a:2010/_layouts/testpage.aspx) instead of my application’s URL (http://sp2010a/_layouts/testpage.aspx) and IT WORKED!

So the root issue was visible now, which led us to define our options in this case, and we came up with the following 4 options for the customer:

  1. Access the page using the Central Admin application's URL (may not be feasible due to security issues)
  2. Add users as Search Service Administrators (again, may not be feasible due to security issues)
  3. Add the app pool account of content application as Search Service Administrator and use SPSecurity.RunWithElevatedPrivileges to run the code in App Pool's context (this could work, but again can cause security concerns)
  4. Host a web service on Central Admin site and access it from the Content application hosted layouts page (This would be the most preferred way to get it done)
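Option 3 sketched as an added example (not code from the original post or the customer's page): it assumes the content web application's app pool account has already been added as a Search Service Application administrator, checks the caller before elevating, and keeps the elevated section to the read-only schema walk. The class name, method name and the `ManageWeb` permission threshold are hypothetical choices.

```csharp
using System.Collections.Generic;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration;
using Microsoft.Office.Server.Search.Administration;

// Hypothetical helper for option 3; the names are not from the original post.
public static class SearchSchemaReader
{
    // Returns crawled property name -> managed property name.
    public static Dictionary<string, string> GetCrawledToManagedMappings()
    {
        // Authorize the caller BEFORE elevating: once elevated, the code runs as
        // the app pool account for every user who can reach the page.
        // ManageWeb is an assumed threshold; use the permission that fits your site.
        SPWeb web = SPContext.Current.Web;
        if (!web.DoesUserHavePermissions(SPBasePermissions.ManageWeb))
        {
            throw new System.UnauthorizedAccessException("Caller may not read the search schema.");
        }

        var mappings = new Dictionary<string, string>();

        // Keep the elevated section limited to the read-only schema walk.
        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            SPServiceContext context = SPServiceContext.GetContext(
                SPServiceApplicationProxyGroup.Default, SPSiteSubscriptionIdentifier.Default);
            var searchProxy = context.GetDefaultProxy(typeof(SearchServiceApplicationProxy))
                as SearchServiceApplicationProxy;
            if (searchProxy == null) return; // no default search proxy in this proxy group

            SearchServiceApplicationInfo ssai = searchProxy.GetSearchServiceApplicationInfo();
            SearchServiceApplication application = SearchService.Service.SearchApplications
                .GetValue<SearchServiceApplication>(ssai.SearchServiceApplicationId);
            Schema schema = new Schema(application);

            foreach (ManagedProperty managedProperty in schema.AllManagedProperties)
            {
                int count = managedProperty.GetMappings().Count;
                foreach (CrawledProperty crawled in managedProperty.GetMappedCrawledProperties(count))
                {
                    if (!mappings.ContainsKey(crawled.Name))
                        mappings.Add(crawled.Name, managedProperty.Name);
                }
            }
        });
        return mappings;
    }
}
```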

Let me know if this helped you and which path you chose.

Happy Coding…

-Manpreet