C#: SharePoint UserProfileManager without the "Manage User Profiles" right
Original source: http://stackoverflow.com/questions/82788/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me):
StackOverFlow
Sharepoint UserProfileManager without Manage User Profiles right
Asked by Michael Stum
I have an issue that is driving me a bit nuts: Using a UserProfileManager as a non-authorized user.
The problem: The user does not have "Manage User Profiles" rights, but I still want to use the UserProfileManager. The idea of using SPSecurity.RunWithElevatedPrivileges does not seem to work, as the UserProfileManager authorizes against the SSP as it seems.
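using Microsoft.SharePoint;
using Microsoft.Office.Server;
using Microsoft.Office.Server.UserProfiles;

// Runs the delegate outside the calling user's security context.
SPSecurity.RunWithElevatedPrivileges(delegate()
{
    // Re-open the site inside the delegate so it is created under the elevated context.
    using (SPSite site = new SPSite(inputWeb.Site.ID))
    {
        ServerContext ctx = ServerContext.GetContext(site);
        // The exception described below is thrown on this line.
        UserProfileManager upm = new UserProfileManager(ctx, true);
        UserProfile u = upm.GetUserProfile(userLogin);
        DepartmentName = u["Department"].Value as string;
    }
});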
This still fails on the "new UserProfileManager" line, with the "You must have manage user profiles administrator rights to use administrator mode" exception.
As far as I understood, RunWithElevatedPrivileges reverts to the AppPool Identity. WindowsIdentity.GetCurrent().Name returns "NT AUTHORITY\network service", and I have given that account Manage User Profiles rights - no luck.
site.RootWeb.CurrentUser.LoginName returns SHAREPOINT\system for the site created within RunWithElevatedPrivileges, which is not a valid Windows Account ofc.
Is there even a way to do that? I do not want to give all users "Manage User Profiles" rights, but I just want to get some data from the user profiles (Department, Country, Direct Reports). Any ideas?
Accepted answer by senfo
The permission that needs to be set is actually found in the Shared Service Provider.
- Navigate to Central Admin
- Navigate to the Shared Service Provider
- Under User Profiles and My Sites, navigate to Personalization services permissions.
- If the account doesn't already exist, add the account for which your site's App Domain is running under.
- Grant that user Manage user profiles permission.
I notice that you're running the application pool under the Network Service account. I implemented an identical feature on my site; however, the application pool was hosted under a Windows account. I'm not sure why this would make a difference, however.
Answer by Jan Tielens
There are two ways I've actually managed to accomplish this:
- Put the code that uses the UserProfileManager behind a web services layer. The web service should use an application pool identity that has access to the User Profile services.
- Use the impersonation technique described in the following article: http://www.dotnetjunkies.com/WebLog/victorv/archive/2005/06/30/128890.aspx
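An added example (not part of the original answers) of the first option above: a small ASMX web service that wraps the UserProfileManager call and returns only allow-listed properties, so the privileged application pool identity is not exposed as a general-purpose profile reader. The class name, namespace URI and site URL are hypothetical; the property names come from the question, and the service's application pool identity is assumed to hold the Manage user profiles permission described in the accepted answer.

```csharp
using System;
using System.Web.Services;
using Microsoft.SharePoint;
using Microsoft.Office.Server;
using Microsoft.Office.Server.UserProfiles;

// Hypothetical service; host it in an application pool whose identity
// has been granted access to the User Profile services.
[WebService(Namespace = "http://example.invalid/profilelookup")]
public class ProfileLookupService : WebService
{
    // Allow-list: the only profile properties callers can read through this layer.
    // "Department" and "Country" are the names used in the question (assumption
    // that both exist in the profile store).
    private static readonly string[] AllowedProperties = { "Department", "Country" };

    // Hypothetical URL of a site served by the Shared Service Provider.
    private const string SiteUrl = "http://sharepoint.example.invalid";

    [WebMethod]
    public string GetProfileProperty(string userLogin, string propertyName)
    {
        if (string.IsNullOrEmpty(userLogin))
            throw new ArgumentException("userLogin is required.");

        // Reject anything outside the allow-list before touching the profile store.
        if (Array.IndexOf(AllowedProperties, propertyName) < 0)
            throw new ArgumentException("Property is not exposed by this service.");

        using (SPSite site = new SPSite(SiteUrl))
        {
            ServerContext ctx = ServerContext.GetContext(site);
            // Same constructor call as in the question; it succeeds only because
            // this code runs as the service's own application pool identity.
            UserProfileManager upm = new UserProfileManager(ctx, true);

            if (!upm.UserExists(userLogin))
                return null; // unknown login: no profile data returned

            UserProfile profile = upm.GetUserProfile(userLogin);
            return profile[propertyName].Value as string;
        }
    }
}
```

Restrict who can call the service (for example with Windows authentication on its IIS application), since every caller reads through the privileged identity.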
Answer by Michael Stum
Thanks for the Answers. One Caveat: if you run the Application Pool as "Network Service" instead of a Domain Account, you're screwed.
But then again, it's recommended to use a domain account anyway (On a test server I used network service, but after changing it to a domain account it worked).
Answer by Michael Stum
Here's the answer. It's a stupid Microsoft bug, and there is a hotfix. I'm downloading now to test it.