Timer Job and RunWithElevatedPrivileges
-
Tuesday, July 28, 2009 11:33 PM
Hi All,
I am executing a job via my code which is wrapped with RunWithElevatedPrivileges. Code block below:

    [SharePointPermission(SecurityAction.LinkDemand, ObjectModel = true)]
    private static void ExecuteILPJob(string ilpJob, Guid listId, Guid siteId, Guid webId)
    {
        SPSecurity.RunWithElevatedPrivileges(delegate
        {
            using (SPSite curSite = new SPSite(siteId))
            {
                // delete our job
                foreach (SPJobDefinition jobDefinition in curSite.WebApplication.JobDefinitions)
                {
                    if (jobDefinition.Name == JobResetRoleInheritanceName)
                    {
                        jobDefinition.Delete();
                    }
                }

                // install our job
                ILPRoleInheritanceJob resetItemRoleInheritanceJob =
                    new ILPRoleInheritanceJob(JobResetRoleInheritanceName, curSite.WebApplication);

                SPMinuteSchedule jobSchedule = new SPMinuteSchedule();
                jobSchedule.BeginSecond = 0;
                jobSchedule.EndSecond = 30;
                jobSchedule.Interval = 1;

                resetItemRoleInheritanceJob.Properties.Add("ILP_Job", ilpJob);
                resetItemRoleInheritanceJob.Properties.Add("ILP_SiteId", siteId);
                resetItemRoleInheritanceJob.Properties.Add("ILP_WebId", webId);
                resetItemRoleInheritanceJob.Properties.Add("ILP_ListId", listId);
                resetItemRoleInheritanceJob.Schedule = jobSchedule;

                // persists the job definition to the configuration database
                resetItemRoleInheritanceJob.Update();
            }
        });
    }

This block of code works very well in some cases and sometimes it throws an error. Below is the error message I get:
    System.Security.SecurityException: Access denied.
       at Microsoft.SharePoint.Administration.SPPersistedObject.Update()
       at Microsoft.SharePoint.Administration.SPJobDefinition.Update()
       at Chaks.SharePoint.Docs.ILP.ItemLevelPermissions.<>c__DisplayClass7.<ExecuteILPJob>b__6()
       at Microsoft.SharePoint.SPSecurity.CodeToRunElevatedWrapper(Object state)
       at Microsoft.SharePoint.SPSecurity.<>c__DisplayClass4.<RunWithElevatedPrivileges>b__2()
       at Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)
       at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(WaitCallback secureCode, Object param)
       at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(CodeToRunElevated secureCode)
       at Chaks.SharePoint.Docs.ILP.ItemLevelPermissions.ExecuteILPJob(String ilpJob, Guid listId, Guid siteId, Guid webId)
       at Chaks.SharePoint.Docs.ILP.ItemLevelPermissions.EnableItemLevelPermissions(SPList list, ItemLevelPermissionSettings settings)
       at Chaks.SharePoint.Docs.ILP.ILPSettings.BtnSave_Click(Object sender, EventArgs e)
    The Zone of the assembly that failed was: MyComputer
       at Chaks.SharePoint.Docs.ILP.ILPSettings.BtnSave_Click(Object sender, EventArgs e)
       at System.Web.UI.WebControls.Button.OnClick(EventArgs e)
       at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)
       at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
       at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
Why do I get Access Denied even if I have wrapped in RunWithElevatedPrivileges? And also I am testing this code as an admin.
Any ideas, suggestions?
Thanks.
Regards,
Chakkaradeep
SharePoint Developer - MCTS SharePoint Dev, WSS Dev
Intergen: http://www.intergen.co.nz
Twitter: http://twitter.com/chakkaradeep
Blog: http://www.chakkaradeep.com
Edited by Chakkaradeep Chandran (Microsoft Employee), Tuesday, July 28, 2009 11:34 PM
Answers
-
Wednesday, July 29, 2009 2:07 AM
When you are modifying timer jobs you are going against the SharePoint configuration database. The best way to assure that your code will execute without an access denied error is to assure that the user you are opening the SPSite object with belongs to the wss_content_application_pools database role for the SharePoint configuration database. This role grants execute permissions to all the stored procedures. So you can look up this user in the SPWeb.Users collection and then open the SPSite with the SPUser.Token and then modify the timer job definitions.
certdev.com
Marked As Answer by Chakkaradeep Chandran (Microsoft Employee), Friday, July 31, 2009 1:23 AM
All Replies
-
Wednesday, July 29, 2009 12:10 AM
Ok, it looks like the issue is with SPWebApplication!
From here,
RunWithElevatedPrivileges only provides full access to the content database for the current web application. In other words, you can modify read-only lists, write SPWeb properties, etc. But you can't make changes to the SPWebApplication because it is persisted to the configuration database.
Any ideas how I am supposed to update the timer job then?
Regards,
Chakkaradeep
SharePoint Developer - MCTS SharePoint Dev, WSS Dev
Intergen: http://www.intergen.co.nz
Twitter: http://twitter.com/chakkaradeep
Blog: http://www.chakkaradeep.com
-
Wednesday, July 29, 2009 12:16 AM
Well, changed my web application's app pool account to the value of Central Administrator's app pool account and everything seems ok now!
This post helped me identify the problem:
In my code to set the web application property value, I was using RunWithElevatedPrivileges to ensure I had rights. However, what I didn't realize is that elevating privileges gives you full access to the content database, but not to the configuration database. SPWebApplication's property bag is stored in the configuration database, not the content database. That was one piece to the puzzle.
The other piece to the puzzle was how I had my development machine setup. I was using the same account on both the Central Administration application pool and the application pool used to run regular the web applications. So in essence, I was implicitly granting my code rights to write to the configuration database.
How do we make sure everybody will have set up like this? Or is there any other way we could solve this?
Regards,
Chakkaradeep
SharePoint Developer - MCTS SharePoint Dev, WSS Dev
Intergen: http://www.intergen.co.nz
Twitter: http://twitter.com/chakkaradeep
Blog: http://www.chakkaradeep.com
-
Wednesday, July 29, 2009 9:33 PM
Hi Steve,
Thanks for the reply :)
But my worry is - I have this code in my tool and this tool is going to be used by many others. I would have no idea how each and every SharePoint environment is configured. In that case, how do we approach this issue? Is there any best practice, or is the best practice itself to not use this in a RunWithElevatedPrivileges context?
Thanks.
Regards,
Chakkaradeep
SharePoint Developer - MCTS SharePoint Dev, WSS Dev
Intergen: http://www.intergen.co.nz
Twitter: http://twitter.com/chakkaradeep
Blog: http://www.chakkaradeep.com
-
Thursday, July 30, 2009 3:44 AM (Moderator)
As you can see from Steve's reply, your code needs to access the config db, so you will have to elevate the permission. Since you cannot foresee the context of the SharePoint environment your application will be executed in, you will have to list what this application can do and cannot do in the user manual.
Keep It Simple and Stupid.
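
An added example, not code from any poster in this thread: one way for a tool that cannot know the farm's account setup to report the condition discussed above instead of surfacing a raw SecurityException. `TimerJobRegistration`, `JobFactory` and `TryRegisterJob` are hypothetical names; the SharePoint types and members are the WSS 3.0 object model.

```csharp
using System;
using System.Security;
using System.Security.Principal;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration;

// Hypothetical helper (names are not from the thread).
public static class TimerJobRegistration
{
    // Caller supplies the job to create for the web application.
    public delegate SPJobDefinition JobFactory(SPWebApplication webApp);

    // Returns null on success, or a diagnostic message when the
    // configuration database rejects the write.
    public static string TryRegisterJob(Guid siteId, JobFactory createJob)
    {
        string failure = null;
        SPSecurity.RunWithElevatedPrivileges(delegate
        {
            // Inside the delegate the thread runs as the process identity,
            // i.e. the application pool account of this web application.
            string runningAs = WindowsIdentity.GetCurrent().Name;
            using (SPSite site = new SPSite(siteId))
            {
                SPWebApplication webApp = site.WebApplication;
                string contentPool = webApp.ApplicationPool.Username;
                string adminPool =
                    SPAdministrationWebApplication.Local.ApplicationPool.Username;
                bool sharedAccount = string.Equals(
                    contentPool, adminPool, StringComparison.OrdinalIgnoreCase);
                try
                {
                    // Update() persists the job to the configuration database.
                    createJob(webApp).Update();
                }
                catch (SecurityException ex)
                {
                    failure = string.Format(
                        "Timer job not registered: '{0}' cannot write to the " +
                        "configuration database ({1}). Content pool account: " +
                        "'{2}'; Central Administration pool account: '{3}'; " +
                        "same account: {4}.",
                        runningAs, ex.Message, contentPool, adminPool, sharedAccount);
                }
            }
        });
        return failure;
    }
}
```

A caller such as the `BtnSave_Click` handler in the stack trace can show the returned message to the administrator, which also makes visible when a farm only works because the content and Central Administration pools share one account.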

