To restrict access to a service application, remove service accounts from the service application. Conversely, to enable access to a service application, add service accounts to the service application. You can perform these tasks by using Central Administration or by using Windows PowerShell 3.0.

To restrict access to a service application, you must complete the following tasks:

1. Add a specific service account to the service application.
2. Remove the local farm ID from the service application.

Because the local farm ID provides local farm-wide access to the service application by default, it is redundant to also grant explicit local web application permissions to a service application unless you also remove the local farm ID.

To grant permissions to a service application, you must retrieve and supply the appropriate service account. For a web application, this account is also known as an application pool identity account.

After you grant permissions to a service account and remove the local farm ID from a service application, only web applications that are managed by the assigned service account can access the service application. You can assign multiple web applications (that have different managing service accounts) to the same service application by repeating these procedures and adding the various web application service accounts to the service application.
Restrict access to a service application by using Central Administration

To restrict access to a service application by using the SharePoint Central Administration website, follow these steps:

1. Retrieve the web application service account.
2. Add the web application service account to the service application.
3. Remove the local farm ID from the service application.
To retrieve a web application service account by using Central Administration

1. Verify that the user account that is performing this procedure is a member of the Farm Administrators SharePoint group.
2. On the Central Administration Home page, in the Security section, click Configure service accounts.
3. On the Service Accounts page, select the web application name from the first drop-down list.
4. The service account is shown in the Select an account for this component list. Record the service account name because you'll use it in the next procedure.
5. Click Cancel to exit the Service Accounts page without making any changes.
To grant and remove permissions for service accounts to access a service application by using Central Administration

1. Verify that the user account that is performing this procedure is a member of the Farm Administrators SharePoint group.
2. On the Central Administration Home page, in the Application Management section, click Manage service applications.
3. On the Manage Service Applications page, click the row that contains the service application for which you want to assign permissions. The ribbon becomes available.
4. In the Sharing group of the ribbon, click Permissions.
5. In the Connection Permissions dialog box, type the service account name that you retrieved in the previous procedure, and then click Add.
6. Ensure that the newly added service account name is selected in the middle pane, and then click the appropriate check box in the bottom pane to supply the required permission level.
7. In the middle pane, click Local Farm, and then click Remove.
8. Verify that the Connection Permissions page now lists only the service account that you want to access the service application, and that the service account has the required permissions on the service application. Click OK to change the permissions, or click Cancel to end the task without making changes.
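The same three tasks (retrieve the web application service account, grant it access, remove Local Farm) scripted with Windows PowerShell, as an added example that is not part of this page. The SharePoint cmdlets used are the standard ones from the SharePoint Management Shell; the web application URL, the service application display name and the "Full Control" right are placeholders to replace with your own values, and AccessRules is assumed to be the SPObjectSecurity property that lists the access rules.

```powershell
# Added example, not from the original page. Run from the SharePoint Management Shell
# as a member of the Farm Administrators group. Placeholders below are constructed values.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl      = "http://webapp.contoso.example"   # placeholder: URL of the web application
$serviceAppName = "Managed Metadata Service"        # placeholder: service application display name
$requiredRights = "Full Control"                    # example value; use the named right that matches
                                                    # the check box you would click in Connection Permissions

# Task 1: retrieve the web application service account (its application pool identity).
$webApp         = Get-SPWebApplication -Identity $webAppUrl
$serviceAccount = $webApp.ApplicationPool.Username
Write-Host "Web application service account: $serviceAccount"

# Load the service application and its current security descriptor.
$spapp    = Get-SPServiceApplication -Name $serviceAppName
$spappsec = Get-SPServiceApplicationSecurity $spapp

# Task 2: grant the service account explicit access to the service application.
$accountPrincipal = New-SPClaimsPrincipal -Identity $serviceAccount -IdentityType WindowsSamAccountName
Grant-SPObjectSecurity -Identity $spappsec -Principal $accountPrincipal -Rights $requiredRights

# Task 3: remove the local farm ID. "Local Farm" in the dialog is a farm-ID claim issued by
# the system claim provider, so the principal to revoke is built from that claim.
$farmId        = (Get-SPFarm).Id.ToString()
$claimProvider = (Get-SPClaimProvider System).ClaimProvider
$farmPrincipal = New-SPClaimsPrincipal -ClaimType "http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid" `
                                       -ClaimProvider $claimProvider -ClaimValue $farmId
Revoke-SPObjectSecurity -Identity $spappsec -Principal $farmPrincipal

# Nothing takes effect until the modified descriptor is written back (the "OK" step).
Set-SPServiceApplicationSecurity -Identity $spapp -ObjectSecurity $spappsec

# Verification, equivalent to re-reading the Connection Permissions page: only the
# service account should remain, with the expected rights. (AccessRules assumed.)
(Get-SPServiceApplicationSecurity $spapp).AccessRules | Format-Table Name, AllowedRights -AutoSize
```

To allow several web applications with different managing accounts, repeat the Grant-SPObjectSecurity step for each account before the single Set-SPServiceApplicationSecurity call; the revoke of the farm-ID principal is what actually narrows access, since with Local Farm still present the explicit grants add nothing.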