Elevating Permissions with SharePoint’s Web Services

A Master Lock brand padlock. (Photo credit: Wikipedia)

I get frequent questions about how to elevate permissions when working with the SharePoint Web Services. The answer on this one is really simple: you can’t.

This has come up multiple times in the comments on the survey I’m doing about SPServices right now. Yes, right now! Please fill it out if you haven’t already, and help me make SPServices better.

Think about this for just a minute. SharePoint’s Web Services allow anyone anywhere to do reads and writes to SharePoint lists and libraries. But there’s far more: we can create sites or delete them, create or alter lists and libraries, read or update user profile information, and on and on.

Now think about the security implications of allowing elevated permissions, and you might quickly realize that it’s not such a great idea. If you work for a large company and have a Security Team or an Enterprise Architecture team, or any of the types of teams that look at the software you use with a critical eye, then you know that elevating permissions client-side with script would just scare the dickens out of them. Client-side code may or may not go through the rigorous QA and security checks that your governance dictates — I know that all of your managed code is regularly checked for security issues, right? — so the KISS principle is the right one here.

So, no, you can’t elevate permissions with the Web Services and therefore I can’t provide you that capability with SPServices. You need to manage the permissions as you do for users through the UI and make sure that any user who needs to accomplish something has the permissions to do so. I’m good with that, and you’ll have to be, too.

Oh, and please fill out the survey. Did I mention that?

14 Comments

  1. I completely agree.. if you could elevate privs nondescriptly then we could not use the library.. VERY bad mojo…

    HOWEVER… yes…. you COULD elevate privs theoretically…

    Hear me out on this…

    1) You could wrap all SPServices methods again with $SPServicesElevated()
    2) If one of these elevated methods is executed, bring up a pop up window asking for the username and password for an account that has permissions
    3) Execute the Web services using the credentials of that user.

    I have never tried this in JavaScript but I’m assuming you have to be able to pass the credentials somehow… but I’m assuming…

    So.. yeah.. it COULD be done…
    Mark

    Reply
    • Mark:

      That might work, but you’re basically asking the user to log in as a different user. I’m also not sure how you’d pass those credentials. But if you could, and after you did the Web Service thing, you’d have to ask the user to enter their old credentials again.

      M.

      Reply
  2. I am NOT suggesting the user log in as another user.. I’m suggesting you PASS the credentials of another user (service account?) that has the correct privs to the web service… NOT log in as that user…

    You have to be able to pass credentials to the web service somehow… I’ve just never done it in a JavaScript web service call.. do it in .NET all the time.

    It’s a Pandora’s box no doubt.. but an option.

    Reply
  3. Hi Marc,

    I’m trying to get the script to update a list I already set its access to Anonymous and it’s throwing an authentication dialog. Is there anywhere in the script I have to change to have it update the list? I looked in your source and it seems the only other option I didn’t have in my update list function was the batchmode.

    When logged in I can update the list if that would help.

    Thanks

    Reply
    • Curtis:

      Why don’t you post more detail about what you are doing and the code on the Codeplex discussions and we’ll see if we can’t help you out.

      M.

      Reply
  4. I want to iterate through userprofile to get list of all users and their properties but I cannot call getuserprofilecount using spservices.

    Is there any other approach to get list of all users with their properties from userprofile? By the way I am using office 365 so client side script or OOTB solutions only will work.

    Thanks
    Abhay

    Reply
