Need Windows Service Permission for SharePoint Users

  • Question

  • I need my Windows service to read/write documents in SharePoint. Different SharePoint users will set up a
    schedule to process documents in SharePoint.  The service will continue to process the documents according to
    the schedule.  What is the best practice for giving this service the permission that it needs to access this user's
    documents?  The service should be able to access any of the documents that user could access, but not any others.
    Also, I prefer that I don't have to store the user's username/password.
    Monday, August 3, 2009 4:10 PM

Answers

  • You need your service to impersonate as that user.  It's the only way to ensure you have the right security permissions.

    If you are just going to access documents in SharePoint, you can elevate permissions.  When you create the SPSite object, it has a constructor form that lets you pass in a user token.  So if you have the SPUser object, you can get its UserToken.  If you don't have that, you can use EnsureUser to get it.  But remember EnsureUser is also a privileged operation so it must also be done in elevated privileges.

    If the service needs to access the file system and not use SharePoint API as the user, you'll need to change the thread of execution to impersonate or spin off a worker thread as that user.  This is harder than using the SharePoint API.  Let's hope you just need the API way.

    Either way, you don't have to store the username/password.
    • Marked as answer by squebler Monday, August 3, 2009 7:04 PM
    Monday, August 3, 2009 6:09 PM
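
The token-based approach described in the answer above, as an added example that is not part of the original thread. It assumes the service runs on a SharePoint server under an account with sufficient rights and references Microsoft.SharePoint.dll; the class name, method name and parameters are hypothetical.

```csharp
using System;
using Microsoft.SharePoint;

public static class ScheduledDocumentReader
{
    // siteUrl, fileUrl and loginName are hypothetical values the schedule would store.
    // Only the login name is persisted, never a password.
    public static byte[] ReadAsUser(string siteUrl, string fileUrl, string loginName)
    {
        SPUserToken token = null;

        // EnsureUser is a privileged call, so resolve the user inside an elevated block.
        // The SPSite must be created inside the delegate to pick up the elevated context.
        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            using (SPSite elevatedSite = new SPSite(siteUrl))
            using (SPWeb elevatedWeb = elevatedSite.OpenWeb())
            {
                SPUser user = elevatedWeb.EnsureUser(loginName);
                token = user.UserToken;
            }
        });

        // Reopen the site with the user's token: from here on, access checks
        // are evaluated against that user's permissions, not the service account's.
        using (SPSite userSite = new SPSite(siteUrl, token))
        using (SPWeb userWeb = userSite.OpenWeb())
        {
            SPFile file = userWeb.GetFile(fileUrl);
            if (!file.Exists)
            {
                throw new InvalidOperationException("File not found: " + fileUrl);
            }
            return file.OpenBinary();
        }
    }
}
```

Keep the elevated block as small as possible: nothing that reads or writes documents should run inside it, otherwise the work is done with the service account's rights instead of the user's.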

All replies

  • Thank you, Brian.  I think this is exactly what I was looking for.
    Monday, August 3, 2009 7:04 PM