Tuesday, August 24, 2010

Cannot activate Document Sets feature in SharePoint 2010

A coworker attempted to activate the Document Sets feature within a SharePoint 2010 site collection. This action resulted in a blank page with the feature still inactive. Hmm… Permissions? But she is a site collection admin!

Having both site collection admin permissions and beyond, I tried it myself and got the same results. Diving into the log files (anyone else find that more informative in SP2010, or is that just me?) I found these lines:

  • Feature Activation: Activating Feature 'DocumentSet'
  • Calling 'FeatureActivated' method of SPFeatureReceiver for Feature 'DocumentSet'
  • DocumentSet FeatureActivating: start
  • DocumentSetTemplate ProvisionLists for 0x999990 on https://site : throws exception: Only a site collection administrator can add a work item.. Stacktrace:    at Microsoft.SharePoint.SPSite.AddWorkItem(Guid gWorkItemId, DateTime schdDateTime, Guid gWorkItemType, Guid gWebId, Guid gParentId, Int32 nItemId, Boolean fSetWebId, Guid gItemGuid, Guid gBatchId, Int32 nUserId, Byte[] rgbBinaryPayload, String strTextPayload, Guid gProcessingId, Boolean useExponentialRetryBackOff)     at Microsoft.SharePoint.SPSite.AddWorkItem(Guid gWorkItemId, DateTime schdDateTime, Guid gWorkItemType, Guid gWebId, Guid gParentId, Int32 nItemId, Boolean fSetWebId, Guid gItemGuid, Guid gBatchId, Int32 nUserId, Byte[] rgbBinaryPayload, String strTextPayload, Guid gProcessingId)     at Microsoft.O...   

Score one for the error handling – an error that was actually caught. But there was nothing really interesting about the information above, aside from the fact that it thought I was not a site collection admin – which I verified. Never know – someone else might have booted me from the group!

It was the next line of the log file, which continued the call stack output, that I found the answer:

  • ...ffice.DocumentManagement.DocumentSets.DocumentSetTemplate.<ProvisionLists>b__0()     at Microsoft.SharePoint.SPSecurity.<>c__DisplayClass4.<RunWithElevatedPrivileges>b__2()     at Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)     at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(WaitCallback secureCode, Object param)     at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(CodeToRunElevated secureCode)     at Microsoft.Office.DocumentManagement.DocumentSets.DocumentSetTemplate.ProvisionLists().


So the code that was failing was running in the context of the app pool user… interesting.


Resolution

Ensured the app pool identity account was a site collection admin. Document Sets feature then activated without a problem.

So my remaining questions are:

  1. Is it necessary to have the app pool identity be a site collection admin? Is that a best practice? Had this been a production system, I probably would have elevated to site collection admin, activated the feature, then removed the account from the site collection admin group.
  2. Why the heck is RunElevated needed in the activation code of a Site Collection feature?? Isn’t that a security risk – or at least a good extra validation that the current user has permissions to do what they are attempting to do?
 
© I caught you a delicious bass.
Back to top