SharePoint 2010 Delegated Administration

I have been wanting to try this for a while now and just got some time to do it today. The Central Administration site is just a SharePoint site with libraries and links, so I was curious what would happen if you were added to the site as a simple reader. Here are the results:

As a reader or contributor, you do not gain access to Central Administration; you get the access denied error message. The real magic comes from being in a specifically named group. There are two such groups in the SCA:

  • Farm Administrators
  • Delegated Administrators

Full Control, Contributor and Read permission levels have no role to play in the links on the SCA. What does matter is what group you reside in. Being a Farm Administrator allows you to do anything in the SCA. Being a Delegated Administrator lets you do a subset of actions. One of the things you cannot do is create new Web Applications, but when it comes to the majority of other things, you can do them! The thing that I would be more interested in is how one would target the links in Quick Launch to specific people, i.e., something like the following:

  • Web Application manager
  • Service Account Manager
  • Service Application Manager (like a global service app manager role rather than manually apply to each one)
  • Backup Restore Manager
  • Content Deployment Manager

Service applications have a completely different architecture to them. Each service application can have an "Administrator" assigned to it. I found a great article that describes this process here:

http://www.sharepointanalysthq.com/2010/10/creating-a-delegated-administrator-for-a-service-application/

However, this also doesn't have much in terms of granular controls. It's all or nothing for most of them. These need more granular controls set up for them. Security seems to be an afterthought in SharePoint, has been, probably always will be.

Chris
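
Since access in Central Administration follows group membership and each service application carries its own "Administrator" list, an audit has to enumerate both. The script below is an added example, not part of the original post: it assumes it is run by a farm administrator in the SharePoint 2010 Management Shell on a farm server, and the report columns (Scope, Role, Principal) are names chosen here.

```powershell
# Added example: list who holds administrative rights through the two
# Central Administration groups named in the post and through the
# per-service-application "Administrators" list.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Locate the Central Administration web application and open its root web.
$caWebApp = Get-SPWebApplication -IncludeCentralAdministration |
    Where-Object { $_.IsAdministrationWebApplication }
$caWeb = Get-SPWeb $caWebApp.Url

$report = @()
try {
    foreach ($groupName in 'Farm Administrators', 'Delegated Administrators') {
        # Filter instead of indexing so a missing group does not throw.
        $group = $caWeb.SiteGroups | Where-Object { $_.Name -eq $groupName }
        if (-not $group) {
            Write-Warning "Group '$groupName' not found in Central Administration"
            continue
        }
        foreach ($user in $group.Users) {
            $report += New-Object PSObject -Property @{
                Scope     = 'Central Administration'
                Role      = $groupName
                Principal = $user.LoginName
            }
        }
    }
}
finally {
    $caWeb.Dispose()   # SPWeb objects from Get-SPWeb must be disposed
}

# Administrators assigned directly on each service application.
foreach ($sa in Get-SPServiceApplication) {
    $sec = Get-SPServiceApplicationSecurity -Identity $sa -Admin -ErrorAction SilentlyContinue
    if (-not $sec) { continue }
    foreach ($rule in $sec.AccessRules) {
        $report += New-Object PSObject -Property @{
            Scope     = "Service application: $($sa.DisplayName)"
            Role      = 'Administrator'
            Principal = $rule.Name
        }
    }
}

$report | Sort-Object Scope, Role, Principal |
    Format-Table Scope, Role, Principal -AutoSize
```

Saving the output on a schedule and diffing it against the previous run shows when someone is added to either group or to a service application's administrator list.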