Shared Service Providers (SSPs) What Are They... How to's On Delegation
Shared Services (SSPs) are great. What are these services? Search/indexing, my site hosting, profiles (company directory), Audiences (for Targeting content), Portal Usage Reporting (enhanced Usage reports), Excel Services, Business Data Catalog Configuration.
If you didn't know about them or use them in SPS 2003, it doesn't matter. By default we've made it easier for you to do the right thing. Out of the box, the SSP is easy to create and configure, and it can be managed either by the IT staff or by a group with expertise in the areas you may want to delegate. Examples include Search and Index management, or maybe your company people (profiles) directory is currently managed by an HR technical team. Because the SSP is a separate site or web application (IIS Virtual Server) from central admin and your content, you can configure permissions on your SSP administration. The next piece to understand is consolidation: you can manage a single set of shared services for your farm, or even for multiple farms. What this means is that you can configure your search and indexing once and consume them from multiple web applications, unrestricted by server topology. This service-oriented architecture makes your life easier by managing this set of services in one place. You don't have to give someone the keys to the farm (Terminal Services or otherwise) to manage these services.
Here's a quick set of facts around SSPs (Shared Service Providers)
- An SSP by default is a separate web app from the other web apps extended with SharePoint Technology
- An SSP can be consolidated with a SharePoint Tech content web application
- SSPs are for managing a set of service oriented architectures, including search/indexing, my site hosting, profiles (company directory), Audiences (for Targeting content), Portal Usage Reporting (enhanced Usage reports), Excel Services, Business Data Catalog Configuration
- SSPs can be run on Port 80 or the high ports
- SSP administration is available with Office SharePoint Server or Project Server
- SSP administration is not available with WSS
- The SSP administration interface is a Site
- You have to have at least 1 SSP (You actually can create sites, but many features won't work (like Excel published spreadsheets) until the SSP is created and configured)
- Consolidating SSPs allows you to scale to host more web applications
- Multi-tenant or isolated departments can have different SSPs (Great for Hosted)
- You can have an SSP on each content web application (similar to default in SPS 2003)
- When you create the SSP you automatically have a content source that indexes all sites within the farm
Delegation Scenarios:
Add Users or Groups with Read Permissions to the SSP Admin Site Collection then add rights based on the rights you want to give them. Site Actions, Site Settings, People and Groups, New Users/Group
You want to delegate Administration of Search/Index Management and Excel:
Grant contributor rights on the SSP Admin site. (Site Actions, Site Settings, People and Groups, New Users/Group) This will give them Search, Audiences, User Profiles and My Sites and Excel. This will not grant them rights to BDC.
Any SSP Contributor can manage Search & Excel, but specific rights have to be granted to manage people or BDC.
You want to delegate People Management - Profile Import, My Site, Audience Management **
Grant rights via a special personalization services permissions link from the SSP Admin UI. Specific rights can be granted to different components. http://server:port/ssp/admin/_layouts/ManageServicePermissions.aspx
Permission Levels: Create Personal Site, Use Personal Features, Manage User Profiles, Manage Audiences, Manage Permissions, Manage Usage Analytics.
You want to delegate permissions to BDC - Business Data Catalog
You can grant permissions by going to the SSP administration page and clicking BDC permissions in the Business Data Catalog section.
Permission Levels: View, Edit-Import application definitions, Manage Permissions, Selectable in Clients, Copy selected permissions to applications
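To review who currently holds the site-level rights described in the delegation scenarios (Read, contributor and so on) on the SSP Admin site, the following is an added example, not code from the original post. It uses the WSS 3.0 object model from PowerShell 2.0 or later; the URL is the post's placeholder, the baseline level names are the default English ones (an assumption), and it does not cover the separate personalization services or BDC permissions.

```powershell
# Added example: list site-level permission levels on the SSP Admin site
# and flag principals holding more than the baseline.
# Assumptions: run on a farm server where Microsoft.SharePoint.dll is installed;
# $SspAdminUrl is a placeholder; $Baseline uses the default English level names.
param(
    [string]$SspAdminUrl = "http://server:port/ssp/admin",
    [string[]]$Baseline  = @("Read", "Limited Access")
)

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

$site = New-Object Microsoft.SharePoint.SPSite($SspAdminUrl)
try {
    $web = $site.OpenWeb()
    try {
        foreach ($assignment in $web.RoleAssignments) {
            # Permission levels bound to this user or group
            $levels   = @($assignment.RoleDefinitionBindings | ForEach-Object { $_.Name })
            # Anything outside the baseline means delegated management rights
            $elevated = @($levels | Where-Object { $Baseline -notcontains $_ })

            # Expand SharePoint groups so individual accounts are visible
            $members = @()
            if ($assignment.Member -is [Microsoft.SharePoint.SPGroup]) {
                $members = @($assignment.Member.Users | ForEach-Object { $_.LoginName })
            }

            New-Object PSObject -Property @{
                Principal    = $assignment.Member.Name
                Levels       = ($levels -join ", ")
                AboveRead    = ($elevated.Count -gt 0)
                GroupMembers = ($members -join "; ")
            }
        }
    }
    finally { $web.Dispose() }
}
finally { $site.Dispose() }
```

Rows with AboveRead set to True are the accounts that can manage Search and Excel through the SSP Admin site; compare them against the list of people you intended to delegate to.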
Summary
In summary, if you want to give certain business units rights to manage your services you can easily do so by giving them rights to administer the SSP site then give them explicit permissions to administer the BDC. You can accomplish this without having to give them any rights to the central admin web application/console.
For example, at Microsoft the Search Service Owner who manages the content sources and indexing does not and should not have other rights to the content on the MSWeb Portal, nor rights to the central admin or server admin. They can't TS to the box, but they can manage the index and crawls.
** My experience in beta 2 and B2TR shows me that the granularity here doesn't work as expected. For example, in beta 2 if I have read rights, then add all permission levels under people, I can access all areas except for BDC and Usage Analytics. In my tests, when I add a user to manage profiles without adding them to any rights to the site, they get access denied on any pages. There's a new role of viewer in B2TR and my experience was I could manage everything except BDC as a viewer. This post is based on my B2TR experience and is subject to change with RTM.