Allow Owners access to FBA User Management


Is it possible to allow site owners the ability to manage FBA users?

Good call.  I'll adjust the permissions in the next release.

I'm not sure that everyone would want this; however, many environments set the site collection admin to a service account or similar. Setting the site collection admin to an Owner allows the user to manage many advanced SharePoint settings such as enabling and disabling features, which some organizations will not allow.

I'm going to look into matching it to users who have permission to change group members.

I gave it some thought and decided to leave it as manageable only by the site collection administrators - the reason being that these pages allow the user to edit/create/delete all of the users for all site collections in the web application, as the membership database is shared throughout the web application.

So there is no current support for non site-collection administrators to use the management tools then?

That's right.  You would have to be a site collection administrator to use the built in tools to create/edit/delete users and groups.  You can still assign the users to groups using the standard SharePoint pages and permissions. And standard users can still use the web parts to register, recover their password and change their password.

I understand the reason behind this choice. But can you point me in the correct direction if I wanted to code this myself? What do I need to change in the code or is this difficult to explain?



If you just want to remove the requirement for admin access, it's a very easy change.  Each of the pages is in Layouts/FBA/Management.  If you look in the .aspx.cs files you'll find:

protected override bool RequireSiteAdministrator
{
    get { return true; }
}
Just change it to return false (or delete the code altogether).

Ok, perfect. Thanks!

I've tried this but I get an error when I click on the "FBA User Management" link: "Exception message: List 'User Information List' does not exist at site with URL ". The other links are ok.

I think it's a permission problem, but do you have an idea?

Right - the data comes from the User Information List - it's only accessible by administrators, and I'm not sure if there's a way to change those permissions.

The code that accesses the User Information List is in Code\Data\FBAUsersView.cs

You might be able to get around it by using "RunWithElevatedPrivileges"

or by trying what's suggested in this link:


could happily assign this now (July 2012) to site owners by setting in FBAMenus -> Elements.xml  RequireSiteAdministrator = FALSE

plus in Layouts/FBA/Management in the .aspx.cs files

protected override bool RequireSiteAdministrator
{
    get { return true; }
}

btw - thanks for the nice and valuable tool!

Is it possible to "hide" the navigation on those pages so that you could (with the help of the Ribbon Hider software) present the page to folks who have the job of vetting/approving memberships...but not allow them to do any navigating to the main settings page? That way they could use a page link to approve folks and never be able to navigate to places they don't need to be...even though they could still type in the URL of those pages.

Unfortunately, at the moment those menu items will always be available to site collection administrators (unless you edit FBAMenus\elements.xml - either via the code and recompiling, or simply opening the wsp).

If you are using the membership review list to approve members, you can simply give access to that list to anybody on the site (they don't have to be site collection admins if you're using version 1.3). You can give them a link to the list, or even easier - they can set up an alert on the list and will be notified when a new user registers.

I tried accessing the User Management page and could not unless the user has Site Collection Administrator permission...the Approval list works...but that still means a sys admin must intervene and assign sp group would be really great if we could assign permissions to do this task...w/o being site collection admin...I foresee a few thousand folks self registering causing a bottleneck at the group membership assignment scenario is a public facing site for self registration/password recovery...after they are approved in that site we need to add them to the sp groups of a different FBA site (using the same aspnetdb) to get the real work done...great product tho!!!

Yeah, currently the Membership Review List, for approving or denying memberships, is the only page where permissions can be assigned. User and Role management require Site Collection Admin privileges (without changing the code). Put a feature request in the issue tracker and I'll consider it for a future release.


I would like to modify the code to run with Site owner privileges (modify name, e-mail, password). I can modify the group membership now (on the groups that apply to this site).

The problem is on this line:  spuser.Update();  The error is Access Denied.

I tried this, but got the same error:

SPSecurity.RunWithElevatedPrivileges(delegate() { spuser.Update(); });

I tried to use this on the first line in the OnSubmit function, but same.

Can you help me, what will be the solution?


ps: this is a great code, thanks

RunWithElevatedPrivileges is how you do it - the problem is that all of the SharePoint objects have to be created within the context of RunWithElevatedPrivileges.  So you can't just call spuser.Update() from there, you have to get the context of SPWeb/Site from there, get the spuser from that SPWeb/SPSite and then make your updates.  Search for RunWithElevatedPrivileges in the code and you'll see what I mean.
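The pattern described in the reply above, as an added example that is not part of the original thread or the FBA Pack source. The class and method names, and the choice of ManagePermissions as the right a caller must hold, are assumptions; because elevation bypasses SharePoint's own permission check, the code authorizes the real caller before elevating.

```csharp
using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;

// Hypothetical helper for illustration; not part of the FBA Pack.
public static class ElevatedUserUpdate
{
    public static void UpdateUser(string loginName, string newName, string newEmail)
    {
        SPWeb callerWeb = SPContext.Current.Web;

        // Elevated code skips SharePoint's permission check, so check the real
        // caller first. Requiring ManagePermissions is an assumed policy.
        if (!callerWeb.DoesUserHavePermissions(SPBasePermissions.ManagePermissions))
            throw new UnauthorizedAccessException("Caller may not manage users on this site.");

        // Validate the page's form digest before relaxing AllowUnsafeUpdates below.
        if (!SPUtility.ValidateFormDigest())
            throw new UnauthorizedAccessException("Invalid or missing form digest.");

        // Carry only IDs into the delegate. SPSite/SPWeb/SPUser objects created
        // outside it keep the caller's identity, which is why spuser.Update() failed.
        Guid siteId = SPContext.Current.Site.ID;
        Guid webId = callerWeb.ID;

        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            // Objects created here run under the application pool identity.
            using (SPSite site = new SPSite(siteId))
            using (SPWeb web = site.OpenWeb(webId))
            {
                bool previous = web.AllowUnsafeUpdates;
                web.AllowUnsafeUpdates = true;
                try
                {
                    SPUser user = web.SiteUsers[loginName]; // throws if not found
                    user.Name = newName;
                    user.Email = newEmail;
                    user.Update();
                }
                finally
                {
                    web.AllowUnsafeUpdates = previous;
                }
            }
        });
    }
}
```

Only the SharePoint user record is touched here. As noted earlier in the thread, the membership database is shared throughout the web application, so elevating edits to it would let a site owner affect users of other site collections.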

Thanks, that was my last idea. It works.

Can I attach a source code here? I would be glad if you took a few glances at the new source code.