Self Service Site Creation is a feature that has been part of SharePoint technologies for a while now. Many organizations, however, are afraid to enable it because they do not realize the service can be limited to authorized site creators only. In SharePoint 2010 this feature allows an end user to create a site collection inside a given web application without the help of a SharePoint administrator. By default, however, when the feature is turned on ALL users allowed on the SharePoint web application are given the ability to create sites. There are many instances where an organization needs to restrict access to this feature. In SharePoint 2010 this is done fairly easily via user policies on a web application. The steps below outline how this can be done.
The first step in enabling Self Service Site Creation is to turn the feature on for the web application(s) on which it should be enabled.
1. Navigate to the Central Administration site.
2. Under Application Management select “Manage Web Applications”.
3. Select the web application for which Self Service Site Creation should be enabled.
4. Enable Self Service Site Creation: in the ribbon select “Self Service Site Creation”; the following dialog should now be visible.
5. Ensure the “On” radio button is selected and click “OK”.
Once the Self Service Site Creation feature is turned on it is enabled for ALL users. In cases where this permission needs to be restricted, a custom web application user policy can be created to limit the users and/or groups that have access to this feature. The steps below outline how to configure this web application policy.
1. Disable Self Service for all users: in the ribbon click “User Permissions” (this governs the general user permissions policy for the web application), uncheck the “Use Self Service Site Creation” option and click “OK”.
2. Create a new permission policy: in the ribbon click “Permission Policy”; when the following dialog is visible, click “Add Permission Policy Level”.
3. Name the permission policy: in the Name box type “Site Creators”. In the same dialog select the “Use Self Service Site Creation” permission (this will also enable several other permissions it requires). Click “Save”.
4. Enable user policy: in the ribbon select “User Policy”; when the dialog below comes up, select “Add Users”.
5. In the first step of the “Add Users” wizard select “All Zones” for the access zone and click “Next”.
6. Select the users who should be permitted to use Self Service Site Creation: in the users textbox enter the names of the users who should have permission to create sites using self service site creation. Then ensure “Site Creators” (or whichever name was used in Step 3 above) is checked as these users’ permission level. Click “Finish”.
The web application should now be configured; the remaining step is to validate which users are actually granted the right via policy.
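One way to perform that validation from a farm-side console or administrative tool, as an added example that is not part of the original post: it walks the web application's user policies and reports every principal whose bound policy role grants the “Use Self Service Site Creation” right (and does not also deny it). The `webAppUrl` argument is assumed to be the URL of the web application configured above.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration;

// Added example: audits which principals a web application's policies
// grant the "Use Self Service Site Creation" right.
public static class SelfServiceSiteCreationAudit
{
    public static IList<string> ReportAllowedCreators(Uri webAppUrl)
    {
        var allowed = new List<string>();
        SPWebApplication webApp = SPWebApplication.Lookup(webAppUrl);

        // The feature itself must be on, otherwise no policy matters.
        if (!webApp.SelfServiceSiteCreationEnabled)
        {
            Console.WriteLine("Self Service Site Creation is OFF for " + webAppUrl);
            return allowed;
        }

        // webApp.Policies holds the policies added for "All Zones" in step 5 above.
        // A principal is allowed if any policy role bound to it grants the right
        // without a matching deny (a deny always wins in SharePoint policies).
        foreach (SPPolicy policy in webApp.Policies)
        {
            foreach (SPPolicyRole role in policy.PolicyRoleBindings)
            {
                const SPBasePermissions right = SPBasePermissions.UseSelfServiceSiteCreation;
                bool grants = (role.GrantRightsMask & right) == right;
                bool denies = (role.DenyRightsMask & right) == right;
                if (grants && !denies)
                {
                    allowed.Add(policy.UserName + " via policy role '" + role.Name + "'");
                    break;
                }
            }
        }

        foreach (string entry in allowed)
        {
            Console.WriteLine("ALLOWED: " + entry);
        }
        return allowed;
    }
}
```

Anyone who is expected to create sites but is missing from the output either has no policy binding for “Site Creators” or is covered by a policy role that denies the right.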
There are a couple of APIs that can be used to create site collections from code (i.e. workflow, event receiver, web part, etc.). They are the following:
· SPSite.SelfServiceCreateSite – This method requires that the web application have the Self Service Site Creation feature turned on. It then allows a site collection to be created from code using the current user context or, in the case of elevated privileges, the application pool account.
· SPSite.Add (NOT RECOMMENDED) – This method requires that the account which executes the Add method have access to the SharePoint farm configuration database. This limits the use of this method to the SharePoint farm account, which in turn means this account must be impersonated by any code that calls the method, further limiting the use of this API to components (i.e. web part, workflow, etc.) running inside Central Administration. If running outside Central Administration, the user credentials (id/password) would need to be stored in a configuration file or hard-coded in the code, neither of which is recommended. Both approaches would also require the password to be encrypted to protect it from malicious use.
Given the above configuration, the recommended way of automating the creation of sites from code is to create the site using the SPSite.SelfServiceCreateSite API (http://msdn.microsoft.com/en-us/library/ms439417.aspx). This method gives the developer full control over the user permissions context in which the site should be created. It also enforces web application policies to prevent unauthorized users from creating sites.
NOTE: This API is only valid when the Self Service Site Creation feature is turned on for the web application AND if the account used to call the API (i.e. the application pool account or end user) has permission via policy to create the site.
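An added example (not code from the original post) of calling SPSite.SelfServiceCreateSite from a web part or event receiver so that the web application policy is enforced for the calling identity. It assumes `newSiteUrl` is a server-relative URL such as `/sites/projectx`, that `owner` is the SPUser who should become the site collection administrator, and that the eleven-argument overload (URL, title, description, LCID, template, owner login/name/email, secondary contact login/name/email) is the one in use.

```csharp
using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration;

// Added example: creates a site collection through SelfServiceCreateSite so
// SharePoint checks the caller against the web application's user policies.
public static class SelfServiceSiteFactory
{
    public static string CreateTeamSite(string newSiteUrl, string title, SPUser owner)
    {
        // Using the current request's SPSite runs the call as the current user.
        // Only wrap this in SPSecurity.RunWithElevatedPrivileges if the application
        // pool account, rather than the end user, is the principal granted by policy.
        SPSite context = SPContext.Current.Site;
        SPWebApplication webApp = context.WebApplication;

        // The API is only valid when the feature is on (see NOTE above).
        if (!webApp.SelfServiceSiteCreationEnabled)
        {
            throw new InvalidOperationException(
                "Self Service Site Creation is turned off for " + webApp.DisplayName);
        }

        try
        {
            // 1033 = English (US); "STS#0" is the Team Site template.
            // Null contact arguments mean no secondary site collection administrator.
            using (SPSite created = context.SelfServiceCreateSite(
                newSiteUrl, title, "Created from code", 1033, "STS#0",
                owner.LoginName, owner.Name, owner.Email, null, null, null))
            {
                return created.Url;
            }
        }
        catch (UnauthorizedAccessException ex)
        {
            // Raised when the calling identity is not granted
            // "Use Self Service Site Creation" by any web application policy.
            throw new UnauthorizedAccessException(
                "Caller is not a permitted self-service site creator on " + webApp.DisplayName, ex);
        }
    }
}
```

Whether a denied caller surfaces as UnauthorizedAccessException or as a more general SPException depends on the failure, so production code should handle both and log the calling identity for troubleshooting.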
Hello, I am trying to restrict self service site creation and your article is exactly what I am looking for, thanks for posting it.
I configured one webapp exactly the way you described it, however it doesn't work for me!
Users granted get an access denied error when they submit the form for creating the site collection.
It seems that the policy doesn't have the priority on "Disable Self Service" in the user permission and then that operation is not allowed for them.
Is that setup actually working for you? I guess yes, so did you maybe miss documenting one step?
Thanks in advance for any clue you could give me.
I had the same symptoms as Stephane Lafontaine.
It seems that step 1 of "Configuring the Web Application User Policy" should not be done.
The "Users permissions" are not the permissions that all users have, but the permissions that users can be granted. So... It must be kept checked...
Thanks for the post!