Allow Owners access to FBA User Management

May 5, 2011 at 8:23 PM

Hello,

Is it possible to allow site owners the ability to manage FBA users?

Coordinator
May 6, 2011 at 3:39 AM

Good call.  I'll adjust the permissions in the next release.

May 6, 2011 at 4:28 PM

I'm not sure that everyone would want this; however, many environments set the site collection admin to a service account or similar. Setting the site collection admin to an Owner allows the user to manage many advanced SharePoint settings such as enabling and disabling features, which some organizations will not allow.

Coordinator
May 6, 2011 at 4:57 PM

I'm going to look into matching it to users who have permission to change group members.

Coordinator
May 9, 2011 at 8:19 AM

I gave it some thought and decided to leave it as manageable only by the site collection administrators - the reason being that these pages allow the user to edit/create/delete all of the users for all site collections in the web application, as the membership database is shared throughout the web application.

May 23, 2011 at 11:20 PM

So there is no current support for non site-collection administrators to use the management tools then?

Coordinator
May 24, 2011 at 3:44 AM

That's right.  You would have to be a site collection administrator to use the built-in tools to create/edit/delete users and groups.  You can still assign the users to groups using the standard SharePoint pages and permissions. And standard users can still use the web parts to register, recover their password and change their password.

Sep 17, 2011 at 7:14 PM

I understand the reason behind this choice. But can you point me in the correct direction if I wanted to code this myself? What do I need to change in the code or is this difficult to explain?

Thanks,

Peter

Coordinator
Sep 17, 2011 at 9:57 PM

If you just want to remove the requirement for admin access, it's a very easy change.  Each of the pages is in Layouts/FBA/Management.  If you look in the .aspx.cs files you'll find:

    protected override bool RequireSiteAdministrator
    {
        get { return true; }
    }

Just change it to return false (or delete the code altogether).

Sep 19, 2011 at 2:50 PM

Ok, perfect. Thanks!

Sep 21, 2011 at 6:32 PM

I've tried this but I get an error when I click on the "FBA User Management" link: "Exception message: List 'User Information List' does not exist at site with URL ". The other links are ok.

I think it's a permission problem, but do you have an idea?

Coordinator
Sep 21, 2011 at 6:46 PM

Right - the data comes from the User Information List - http://www.zimmergren.net/archive/2008/06/25/sharepoints-hidden-user-list-user-information-list.aspx - it's only accessible by administrators, and I'm not sure if there's a way to change those permissions.

The code that accesses the User Information List is in Code\Data\FBAUsersView.cs

You might be able to get around it by using "RunWithElevatedPrivileges"

or by trying what's suggested in this link:

http://spblog.oasisskinandbody.co.za/2011/05/quick-and-dirty-user-information-list.html

Jul 3, 2012 at 1:15 PM

Hi,

could happily assign this now (July 2012) to site owners by setting in FBAMenus -> Elements.xml  RequireSiteAdministrator = FALSE

plus in Layouts/FBA/Management in the .aspx.cs files

    protected override bool RequireSiteAdministrator
    {
        get { return true; }
    }

btw - thanks for the nice and valuable tool!

Jul 31, 2012 at 1:35 PM

Is it possible to "hide" the navigation on those pages so that you could (with the help of the Ribbon Hider software) present the page to folks who have the job of vetting/approving memberships...but not allow them to do any navigating to the main settings page? That way they could use a page link to approve folks and never be able to navigate to places they don't need to be...even though they could still type in the URL of those pages.

Coordinator
Jul 31, 2012 at 2:10 PM

Unfortunately, at the moment those menu items will always be available to site collection administrators (unless you edit FBAMenus\elements.xml - either via the code and recompiling, or simply opening the wsp).

If you are using the membership review list to approve members, you can simply give access to that list to anybody on the site (they don't have to be site collection admins if you're using version 1.3). You can give them a link to the list, or even easier - they can set up an alert on the list and will be notified when a new user registers.

Aug 1, 2012 at 1:57 PM

I tried accessing the User Management page and could not unless the user has Site Collection Administrator permission...the Approval list works...but that still means a sys admin must intervene and assign SP group membership...it would be really great if we could assign permissions to do this task...w/o being site collection admin...I foresee a few thousand folks self registering causing a bottleneck at the group membership assignment phase...my scenario is a public facing site for self registration/password recovery...after they are approved in that site we need to add them to the SP groups of a different FBA site (using the same aspnetdb) to get the real work done...great product tho!!!

Coordinator
Aug 1, 2012 at 2:58 PM

Yeah, currently the Membership Review List, for approving or denying memberships, is the only page where permissions can be assigned. User and Role management require Site Collection Admin privileges (without changing the code). Put a feature request in the issue tracker and I'll consider it for a future release.

Oct 30, 2012 at 12:03 PM
Edited Oct 30, 2012 at 12:05 PM

Hello!

I would like to modify the code to run with Site owner privileges (modify name, e-mail, password). I can modify the group membership now (for those groups that apply to this site).

The problem is on this line:  spuser.Update();  The error is Access Denied.

I tried this, but got the same error:

    SPSecurity.RunWithElevatedPrivileges(delegate() { spuser.Update(); });

I tried to use this on the first line in the OnSubmit function, but got the same.

Can you help me, what will be the solution?

Thanks,
Istvan

ps: this is a great code, thanks

Coordinator
Oct 30, 2012 at 12:47 PM

RunWithElevatedPrivileges is how you do it - the problem is that all of the SharePoint objects have to be created within the context of RunWithElevatedPrivileges.  So you can't just call spuser.Update() from there, you have to get the context of SPWeb/Site from there, get the spuser from that SPWeb/SPSite and then make your updates.  Search for RunWithElevatedPrivileges in the code and you'll see what I mean.
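
Added example (not from the original thread or the FBA pack source) of the pattern described above: only IDs cross into the elevated delegate, and the SPSite, SPWeb and SPUser are all created inside it. The helper name, its parameters and the ManagePermissions check are assumptions for illustration; because the delegate runs as the application pool account and the membership database is shared across the web application, the real caller is authorized before elevating.

```csharp
using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;

// Hypothetical helper, not part of the FBA pack.
public static class ElevatedUserUpdate
{
    // loginName is the login as SharePoint stores it for the user.
    public static void UpdateUserDetails(string loginName, string newName, string newEmail)
    {
        SPWeb callerWeb = SPContext.Current.Web;

        // Elevated code bypasses SharePoint's permission checks, so check the
        // real caller first. ManagePermissions is an assumed policy choice.
        if (!callerWeb.DoesUserHavePermissions(SPBasePermissions.ManagePermissions))
            throw new UnauthorizedAccessException("Caller may not manage users on this site.");

        // Validate the form digest of the current postback before writing
        // (assumes this runs while handling a postback that carries the digest).
        if (!SPUtility.ValidateFormDigest())
            throw new UnauthorizedAccessException("Invalid form digest.");

        // Capture plain values only. SPSite/SPWeb/SPUser objects created
        // outside the delegate keep the caller's identity, which is why
        // wrapping spuser.Update() alone still gives Access Denied.
        Guid siteId = SPContext.Current.Site.ID;
        Guid webId = callerWeb.ID;

        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            // New objects opened here run under the elevated account.
            using (SPSite site = new SPSite(siteId))
            using (SPWeb web = site.OpenWeb(webId))
            {
                SPUser user = web.SiteUsers[loginName]; // re-fetch inside the delegate
                user.Name = newName;
                user.Email = newEmail;
                user.Update();
            }
        });
    }
}
```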

Oct 31, 2012 at 8:47 AM

Thanks. That was my last idea. It works.

Can I attach a source code here? I would be glad if you took a few glances at the new source code.

Thanks,

Istvan

Coordinator
Oct 31, 2012 at 12:22 PM

Yes, please feel free to post any source code.