Delegation of all IIS rights, just not full Windows admin rights

  • Question

  • User624714853 posted
    Scenario:

    I have multiple web servers that need to have developers/implementers (5-15 people with unique logins) with access to add/change/delete IIS virtual directories and applications. I would love to have them stop being members of local admin on the box and only give them IIS admin rights.

    I was very excited to read about the Delegation of permissions in IIS. I've been playing around with it and think I've bumped into a limitation I've read in 2 posts.

    I used the legacy Power Users group and assigned "IIS Manager Permissions" to it. I also assigned some file permissions that would be required in the application folder root. I also gave it rights to edit the ApplicationHost.config file as noted in the "Mark Folders as Applications" Rule inside of 'Management Service Delegation'.

    I've tried multiple settings for the 'createApp' Rule that is created with "Mark Folders as Applications" Rule and I can't find anything that gives the "right-click" functionality in the IIS Manager GUI for non-admins.

    Is this just impossible, and I must continue to grant full admin rights to the server for this feature?
    Monday, November 9, 2009 3:21 PM

Answers

  • User178678205 posted

    There is a Feature Request forum: http://forums.iis.net/1080.aspx for submitting these kinds of requests (posting a request there will make it more visible to the IIS team as a whole). We really appreciate your feedback and I hope that IIS will meet your needs better in the future!

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Friday, November 13, 2009 12:47 PM

All replies

  • User-2064283741 posted

    Really you need to look at your policies and I can think of no reason to allow a dev access to create IIS directories, etc. Route all changes through an administrator as best practice. Devs know nothing about admin; don't give them access.

    To attempt to answer your question: does the limitation occur for groups or for individual users?

    Monday, November 9, 2009 5:10 PM
  • User624714853 posted
    Rovastar,

    Thanks for the reply. That particular battle is one that I've lost repeatedly. Our dev/imp team has far better than average knowledge.

    These limitations would be best defined to a group level so that I can leverage that instead of adding/removing users as there is turnover.
    What I have at the moment would be sufficient to segregate the lowest level of access to the server - for tech support folks to view items... but I still prefer to remove Windows admin rights from as many as possible.
    Monday, November 9, 2009 5:21 PM
  • User989702501 posted

    There are certain limitations with application and site level permissions. What exactly are you trying to grant?

    Tuesday, November 10, 2009 2:22 AM
  • User624714853 posted

    I want the ability for non-Windows admins to be able to take a folder and create an application, by right-clicking in the IIS Manager GUI.

    Tuesday, November 10, 2009 2:41 PM
  • User989702501 posted

    That will be server administrator roles... in order to create an application I think you need server admin, not site or app level.

    And I kinda forgot already... you can only use IIS Manager users for site / app admin. For server administrator, you need to be a Windows admin :)  there is no workaround as far as I know of now..

    Wednesday, November 11, 2009 3:36 AM
  • User178678205 posted

    There is a way to allow a non-Admin IIS user to have that right-click mark as application type functionality!

    You are already using Management Service Delegation, so you must already have the Web Deployment Tool installed. If you have this on the client box as well, and the right rules, a client connecting to your server can right click a folder and will get the Deploy > Convert to Application option.

    You noted that "I also gave it rights to edit the ApplicationHost.config file as noted in the "Mark Folders as Applications" Rule inside of 'Management Service Delegation'."  You don't have to give these users permission to edit applicationHost.config - you can just set the run-As identity of this rule to a user who does have edit permission. Something like:

        <rule providers="CreateApp" actions="*" path="{userScope}" pathType="PathPrefix">
            <runAs identityType="SpecificUser" userName="Administrator" password="[enc:RsaProtectedConfigurationProvider:jAAAAAECAAADZgAAAKQAABT/UAu1JnvFM5uL3UMN9f/UMutc2c8TWYCZK64A6MKdq+1U5XivHpOhr6JdHMqTH0w9KE21MaxUKBSKxJ2s/EJJvpzeceeHUgyHFXFD+WmgZZPNau8M1CecCGW+uvVqsU99G3EIQj35YDqZ3aX6Katcs2CVtpzcAFl0pPGS7uTZ0salcuycP4zQiHMf6Z7W+MAOVoBMrbENaLflA1cn6pw=:enc]" />
            <permissions>
                <user name="*" isRole="false" accessType="Allow" />
            </permissions>
        </rule>

    Note that there is also a Deploy > Delete Application and Content option (if right-clicking an application) or a Deploy > Delete Folder and Content option (if right-clicking a folder) which allows a remote user to delete folders and applications - these require that the delegation rules to create applications and deploy content be in place. Note that this will only work on the level below the connection (i.e. if you are connected to a site, you can only mark folders under the site as apps/delete them).

    Basically, it sounds like the minimum permissions these users really need are the ACLs to their site or app folders. You can use the run-As setting and the Web Deployment tool to do the delete/mark as app work for you.

    Please let me know if you have any trouble getting this to work, or have any questions!

    Wednesday, November 11, 2009 11:52 AM
  • User624714853 posted

    Krolson,

    Thanks for the reply and assistance.  I don't understand all the pieces that you're describing here.  I do have MSDEPLOY installed on this box, so that I could migrate some IIS6 settings to it.

    Users need to be able to remote into the console (RDP), log in with their limited-access Windows account, open IIS Manager and perform these tasks.  They cannot use the Admin tools remotely.

    All of the folks doing this work *must* have windows logins to the box to be able to perform other tasks at the console.   We are not using "IIS Users" for this.  I'm not aware of a way to have those users be 'in synch' with windows passwords so this wouldn't work... if that's the method that you're describing?


    Wednesday, November 11, 2009 6:11 PM
  • User989702501 posted

    Cool, something new...

    Can you test out the workaround?

    Thursday, November 12, 2009 2:30 AM
  • User178678205 posted

    Paul,

    I'm sorry I misunderstood your earlier post; however, the MSDeploy rules could also be used for Windows accounts logging on locally.  This probably wasn't clear from my earlier post, but the MSDeploy management service delegation rules will work with both IIS User and Windows user accounts! It is even possible to add a Role/group to a rule, if that is something you have already configured. This means you could still use the approach of setting the run-As identity for the createApp rule and avoid giving admin privileges to all the users. These users would then have to use MSDeploy through either the Inetmgr UI or on the cmd line to create their applications (they could not directly edit applicationHost.config).

    A non-Admin Windows user would be able to log onto the console, connect to their site/app using Inetmgr, and then use the MSDeploy options to import/export applications, convert folders to applications, and delete folders or applications. You can configure rules also to allow them other abilities, such as access to databases.

    If this approach sounds like something you'd be interested in trying out, I can give you a more in-depth step-by-step way to set this up.

    Sincerely,

    Kristina


    Thursday, November 12, 2009 11:53 AM
  • User624714853 posted

    This sounds like exactly what I want it to do.  Please, give me the steps to try!

    So far in my configuration attempts I have the "power user" able to log on, launch IIS Mgr (UAC requires them to re-enter password) and then they have to ID the server they want to connect to and supply UN/Password again.

    Once in the GUI they can't do these steps.


    Thursday, November 12, 2009 12:08 PM
  • User178678205 posted

    I wrote up some steps in a blog with screen shots (too lengthy to post that sort of thing in a post) that you can find here:

    http://blogs.iis.net/krolson/archive/2009/11/12/delegate-application-creation-for-non-admininistrator-accounts.aspx

    It sounds like currently you might not have the right rule setup (unusual users added or userScopes). Please let me know if you have any questions about this or if the user accounts are still unable to see the MSDeploy tasks.

    Hope this helps!

    [EDIT] Realized I wanted to ask: when logged in as local admin, do you see the Deploy tasks in inetmgr (i.e. do you ever see the Deploy tasks when you right click, or is it just that some user accounts can't see the tasks)?

    Thursday, November 12, 2009 1:49 PM
  • User624714853 posted

    Kristina.

    In answer to the edit - yes, I saw those tasks in inetmgr.

    Thank you so much for taking the time to write up the post!   I had completed all of the steps outlined except for setting the "Identity Type".  The default entry of "Specify User" didn't prompt me for anything or give up an error when I didn't set anything. 

    This time I selected "CurrentUser".   Because I had already granted the "POWER USERS" group access to edit the applicationHost.config file this appears to work.  Now my test user can deploy an application.

    When you add a user to the rule I understand that the purpose of the "is role" checkbox is to assign it to a windows group. (Your posting doesn't state that, so maybe I'm wrong?)

    I guess there must be more rules that I have to create to simulate a "full IIS admin" experience but I'm not sure what they all are.  One thing that I can't do immediately is remove the application.  In the section showing what the rules do, you mention "Note: other options would appear under Deploy if other rules were specified, such as Delete Folder and Content or Recycle."

    I looked inside the provider list and don't see those options and can't figure out where they would reside.

    Since my goal is to give these users the complete IIS admin experience, but restrict their ability to scorch the Windows server, do I need to enable all the rules and create some custom ones too?

    Paul

    Thursday, November 12, 2009 3:46 PM
  • User178678205 posted

    One thing to note about these rules is that they are MSDeploy related: many MSDeploy tasks are available through the inetmgr UI, such as importing and exporting packages, converting folders to applications, deleting folders and applications, and recycling an application pool - but many other MSDeploy tasks will be uncommon, or only available using the command line.  I'm not sure what functionality you mean by "IIS Admin experience", but MSDeploy may not be able to fulfill that role by itself. 

    The common rules related to the tasks in the Right-Click menu include:

    1. A rule to add content and applications - this would enable the Delete options in the deploy menu

    The template for this rule (Deploy Applications with Content) should work using the defaults (assuming your physical ACLs are correct).

    Note: The option for Applications does not just remove the Application designation - it also physically deletes the folder. This application delete option also requires a createApp rule.

    2. A recycleApp rule - this enables the Recycle... option

    Note: this can be a dangerous rule if more than one user/application uses the same application pool - if you let a user recycle, they can disrupt those other users.

    Providers: recycleApp

    Actions: *

    Path Type: Path Prefix

    Path: {userScope}

    Run As: set Identity Type: to SpecificUser and specify credentials for someone who can recycle application pools, such as an Administrator.

    3. A createApp rule (as outlined in the blog noted above) - this enables the Convert to Application option


    Adding these rules (and appropriate ACLs) should also allow users to use the Import/Export features of MSDeploy, which can let users make packages of their sites/apps for back-up, migration, or versioning purposes. 

    (The Set Permissions for Applications rule [related to setting ACLs] and the Deploy Databases rule [related to granting access to SQL (or MySQL) databases] are also common for using import/export, but are not related to the specific tasks you mentioned).

    Thursday, November 12, 2009 4:53 PM
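    An added example, not code from this thread or from the Web Deploy product: a small Python audit that reads delegation rules in the shape shown above and flags the settings this thread calls out (an elevated run-As identity whose path is not limited to {userScope}, a run-As password not stored in the [enc:...:enc] form, and any recycleApp rule, which affects every site sharing the application pool). The rule fragment is constructed for the example and the password value is a placeholder.

```python
"""Audit Web Deploy (MSDeploy) management-service delegation rules.

Constructed example, not code from the thread or from Web Deploy: parses a
<delegation> fragment in the shape shown in this thread and flags rules whose
scope or run-As settings hand more power to non-admin users than intended.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the format of the rules discussed above (not a real
# administration.config); the password values are placeholders.
SAMPLE_RULES = """
<delegation>
  <rules>
    <rule providers="CreateApp" actions="*" path="{userScope}" pathType="PathPrefix">
      <runAs identityType="SpecificUser" userName="Administrator"
             password="[enc:RsaProtectedConfigurationProvider:PLACEHOLDER:enc]" />
      <permissions><user name="*" isRole="false" accessType="Allow" /></permissions>
    </rule>
    <rule providers="recycleApp" actions="*" path="*" pathType="PathPrefix">
      <runAs identityType="SpecificUser" userName="Administrator" password="Plaintext1" />
      <permissions><user name="POWER USERS" isRole="true" accessType="Allow" /></permissions>
    </rule>
    <rule providers="contentPath" actions="*" path="{userScope}" pathType="PathPrefix">
      <runAs identityType="CurrentUser" />
      <permissions><user name="*" isRole="false" accessType="Allow" /></permissions>
    </rule>
  </rules>
</delegation>
"""


def audit_delegation(xml_text):
    """Return a list of (provider, finding) tuples for risky rule settings."""
    findings = []
    for rule in ET.fromstring(xml_text).iter("rule"):
        prov = rule.get("providers", "")
        run_as = rule.find("runAs")
        ident = (run_as.get("identityType", "") if run_as is not None else "").lower()
        password = run_as.get("password") if run_as is not None else None
        # Check 1: a SpecificUser (e.g. Administrator) run-As must stay inside the
        # connecting user's scope, or one site's user can act as admin on every site.
        if ident == "specificuser" and rule.get("path") != "{userScope}":
            findings.append((prov, "elevated run-As not limited to {userScope}"))
        # Check 2: a stored run-As password must be in the encrypted [enc:...:enc] form.
        if password and not password.startswith("[enc:"):
            findings.append((prov, "run-As password stored in plaintext"))
        # Check 3: recycleApp lets a user disrupt everyone sharing the app pool.
        if prov.lower() == "recycleapp":
            findings.append((prov, "recycleApp affects all apps in a shared pool"))
    return findings
```

    Running audit_delegation(SAMPLE_RULES) reports only the recycleApp rule (three findings); the createApp rule from the thread, scoped to {userScope} with an encrypted password, passes clean.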
  • User624714853 posted

    Sorry, I'll take a step back and describe what I meant by "IIS Admin experience".  This is my first IIS7 server and I'm more familiar with the way that IIS6 controls things.  eg. In order to do IIS admin you have to be a local admin on the server.   All of my IIS servers currently have multiple local admins to achieve this, since we require the ability to audit logins per user.

    I'd like to be able to grant full IIS functionality to users who don't have local admin, but who can log on to the console using a windows login.

    A key function that I know people currently do is to add a folder to the tree, and then make it an application.  Sometimes they need to remove the application components from the existing folder, and then recreate it.   In the IIS7 GUI this is the "REMOVE" feature that is missing for my "power user".

    I don't see how to do this with msdeploy, so am I out of luck in trying to achieve my goal of full IIS admin but limited windows admin?

    Thursday, November 12, 2009 6:00 PM
  • User178678205 posted

    Thank you for explaining a bit more what you are looking for.

    The rules mentioned above will make it possible to make folders into applications.  They will also make it possible to delete those applications (including content). This is accessible with the right-click options.  I'm afraid MSDeploy doesn't support removing the application designation without deleting the content as well.

    With MSDeploy, you can also add folders, but this is not as straightforward as a simple copy - it would be considered an Import and would require a package (a zip file). Packages can be really powerful, because you can include many different kinds of information/settings - a package can be a full site or application including application pool, including a database script, including content, etc. - and these packages must be made using MSDeploy.  A package may also be a simple content folder which has been zipped - in this case you don't need MSDeploy to create the package, but can simply import the zipped file.

    It sounds like this might meet your needs, but might require some user education. There is an Import wizard which can be launched from inetmgr by choosing the Deploy>Import Application... task. This will require a user to specify the path to their zip content package and then the physical path where they want the content to be placed (this path should be under their site path so that it will be added in the tree view).  If your users want to use more complex packages, then they could try using the Export Application... task or MSDeploy command line to make packages as well.

    Friday, November 13, 2009 12:03 PM
  • User624714853 posted

    Thanks for the further description.  Since the functionality I described is a core requirement for a majority of the users who will be doing IIS admin it sounds like my only option is to make them Server Admins.   I can't see how I can justify the need to remove the application and content, and then re-add the content to make an application, in addition to the 3 logins required to get to the IIS Manager tool.

    I really like how much IIS has been segregated from the OS already.  I hope that in future releases of IIS and the webdeploy tool that this granularity is introduced.  I liken it to the way that folks can have SQL admin rights over a SQL server without needing to have full windows admin rights.  Is there a location that I can submit this as an enhancement request?

    Friday, November 13, 2009 12:27 PM