Showing posts with label PowerShell. Show all posts

Wednesday, 5 March 2014

Managing Permissions of Service Applications through PowerShell

Recently I was configuring PerformancePoint for a client. I did it through Central Admin, but I wanted to script it so that their administrator can easily create it in other environments.

There are a lot of posts available about how to create a Service Application and add administrators through PowerShell, but I could not find any post that describes adding users to the “Permissions” section of a Service Application. I have highlighted the section in the image below.

In this post I will share the PowerShell script that I used to assign permissions for a Service Application (i.e. PerformancePoint Service Application); it can also be used for other types of Service Application.

# Load the SharePoint snap-in when not running in the SharePoint Management Shell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Define a couple of variables
$ServiceAppName = "PerformancePoint Service Application"
$ServiceAppAdminAccount = "domain\youradmin"
$ServiceAppPoolAccount = "domain\yourapppool"

# Get the Service Application instance and stop if it does not exist
$ServiceApp = Get-SPServiceApplication | Where-Object { $_.Name -eq $ServiceAppName }
if (-not $ServiceApp) { throw "Service Application '$ServiceAppName' not found" }

Write-Host "Adding Administrators..." -ForegroundColor Yellow

$principal = New-SPClaimsPrincipal $ServiceAppAdminAccount -IdentityType WindowsSamAccountName

# -Admin selects the "Administrators" ACL of the Service Application
$security = Get-SPServiceApplicationSecurity $ServiceApp -Admin
Grant-SPObjectSecurity $security $principal "Full Control"

Set-SPServiceApplicationSecurity -Identity $ServiceApp.Id -ObjectSecurity $security -Admin

Write-Host "User '$ServiceAppAdminAccount' has been added to the 'Administrators' group of the Service App" -ForegroundColor Green

Write-Host "Adding Service Account to Permissions group of Service App..." -ForegroundColor Yellow

$principal = New-SPClaimsPrincipal $ServiceAppPoolAccount -IdentityType WindowsSamAccountName

# Without -Admin the cmdlets work on the "Permissions" ACL
$security = Get-SPServiceApplicationSecurity $ServiceApp
Grant-SPObjectSecurity $security $principal "Full Control"

Set-SPServiceApplicationSecurity -Identity $ServiceApp.Id -ObjectSecurity $security

Write-Host "User '$ServiceAppPoolAccount' has been added to the 'Permissions' group of the Service App" -ForegroundColor Green

That's it.
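
To check the result, the following read-only audit lists every principal on both the "Administrators" and "Permissions" ACLs of a service application and flags Full Control grants. It is an added example, not part of the original post; the function name Get-ServiceAppAclReport, the output column names and the text match used to recognise the Full Control right are assumptions.

```powershell
# Added example: read-only audit of the two ACLs on each service application.
# Run as a farm administrator; the snap-in line is a no-op in the Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-ServiceAppAclReport {    # hypothetical helper name
    param([string]$NameFilter = '*')

    # @() keeps the loop from running once on $null in PowerShell 2.0
    $apps = @(Get-SPServiceApplication | Where-Object { $_.Name -like $NameFilter })
    foreach ($sa in $apps) {
        # $true reads the "Administrators" ACL (-Admin), $false the "Permissions" ACL
        foreach ($isAdminAcl in $true, $false) {
            try {
                $security = Get-SPServiceApplicationSecurity -Identity $sa -Admin:$isAdminAcl -ErrorAction Stop
            }
            catch {
                # Not every service application type exposes both ACLs
                Write-Warning "Skipping '$($sa.Name)': $($_.Exception.Message)"
                continue
            }
            $aclName = if ($isAdminAcl) { 'Administrators' } else { 'Permissions' }
            foreach ($rule in $security.AccessRules) {
                $rights = "$($rule.AllowedRights)"
                New-Object PSObject -Property @{
                    ServiceApp  = $sa.Name
                    Acl         = $aclName
                    Principal   = $rule.Name
                    Rights      = $rights
                    # Assumption: the right renders as "FullControl" or "Full Control"
                    FullControl = ($rights -match 'Full\s*Control')
                }
            }
        }
    }
}

# Constructed usage: review the application configured by the script above
Get-ServiceAppAclReport -NameFilter 'PerformancePoint*' |
    Select-Object ServiceApp, Acl, Principal, Rights, FullControl |
    Sort-Object ServiceApp, Acl, Principal |
    Format-Table -AutoSize
```

Run it after the script above and confirm that each account appears only on the ACL you intended, with no unexpected Full Control entries.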

Friday, 3 June 2011

Creating Secure Store Application using PowerShell for SharePoint 2010

Secure Store Application is an enhanced version of SSO (in SharePoint 2007), which is used to store important information that can be used in the application. The information could be a connection string, a user name or a password.

It stores the information securely, so you don't need to worry about encryption and decryption. There are APIs to read values from it.

Yesterday one of my friends had some issues with creating a Secure Store Application using PowerShell.

If you create a Secure Store Application from Central Admin, you can follow the steps below to get it done:

1. Log on to Central Admin
2. Click Manage Service Applications
3. Click Secure Store Service
4. Click New
5. Supply all your details and click OK. To set your connection string, follow the step shown in the image below:

Now the Secure Store Application is ready for use. When you do automated testing for deployment, you need a script to create all of this for you.

I am going to show you how to get the same thing done using a PowerShell script, which we can use for deployment or for creating staging or dev environments for projects.

# Define the field that will hold the connection string (not masked)
$connectionStringField = New-SPSecureStoreApplicationField -Name "ConnectionString" -Type Generic -Masked:$false

$fields = $connectionStringField

# Claim for the account used as administrator and credentials owner
$userClaim = New-SPClaimsPrincipal -Identity "youdomain\administrator" -IdentityType WindowsSamAccountName

# Define a Group-type target application
$demoTargetApp = New-SPSecureStoreTargetApplication -Name "DemoApplicationID2" -FriendlyName "Demo Target Application 2" -ApplicationType Group

# Create the application in the Secure Store reached through this service context
$app = New-SPSecureStoreApplication -ServiceContext http://uwsp2010dev-1 -TargetApplication $demoTargetApp -Fields $fields -Administrator $userClaim -CredentialsOwnerGroup $userClaim

One thing to note is that you must pass CredentialsOwnerGroup. MSDN says it is optional, but it is NOT.