In a sign that Social Computing is beginning to take off with SharePoint, I see an increased number of My Site type questions. One common question goes something like this:
"I am an administrator and I need to be able to access every My Site. How do I do that?"
The trick here is that each My Site is its own site collection. SharePoint security is normally administered at the site collection level and this trips up many a SharePoint administrator. Normally, she already has access to configure security in the "main" site collections and may not realize that this doesn’t automatically work for My Sites.
Site collections collectively live inside a larger container, which is the web application. Farm admins can configure security at the web app level and this is how admins can grant themselves access to any site collection in the web application. This blog entry describes one of my personal experiences with web application policies. I defined a web application policy by accident: http://paulgalvin.spaces.live.com/Blog/cns!1CC1EDB3DAA9B8AA!255.entry.
Web application policies can be dangerous and I suggest that they be used sparingly. If I were an admin (and thank goodness I am not), I would create a separate AD account named something like "SharePoint Web App Administrator" and give that one account the web application security role it needs. I would not configure this kind of thing for the regular farm admin or individual site collection admins. Doing so will tend to hide potential problems because the web app role overrides any lower-level security settings.
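Because a web application policy overrides site-collection permissions, it helps to review which accounts hold one. The following is an added example, not code from the original post: it lists every policy on every web application and flags entries held by anything other than the dedicated account. It assumes the SharePoint Management Shell (SharePoint 2010 or later), and the account name `CONTOSO\sp-webapp-admin` and the function name are placeholders.

```powershell
# Added example: audit web application policies across the farm.
# Run in the SharePoint Management Shell as a farm administrator.
# Assumption: only this (hypothetical) dedicated account should hold a policy.
$dedicatedAccount = 'CONTOSO\sp-webapp-admin'

function Get-WebAppPolicyReport {
    param([string]$AllowedAccount)

    foreach ($wa in Get-SPWebApplication) {
        foreach ($policy in $wa.Policies) {
            # A policy entry can be bound to several roles
            # (Full Control, Full Read, Deny Write, Deny All).
            $roleNames = @($policy.PolicyRoleBindings | ForEach-Object { $_.Name })
            $roleTypes = @($policy.PolicyRoleBindings | ForEach-Object { $_.Type })

            # Claims-mode user names carry a prefix such as "i:0#.w|",
            # so compare on the trailing DOMAIN\user part only.
            $isAllowed = $policy.UserName.EndsWith(
                $AllowedAccount, [StringComparison]::OrdinalIgnoreCase)

            New-Object PSObject -Property @{
                WebApplication = $wa.Url
                UserName       = $policy.UserName
                DisplayName    = $policy.DisplayName
                Roles          = ($roleNames -join ', ')
                FullControl    = ($roleTypes -contains
                    [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl)
                Unexpected     = (-not $isAllowed)
            }
        }
    }
}

# Show every policy entry, unexpected ones first. Service entries
# (for example a search crawl account with Full Read) will also be
# flagged; treat the output as a review list, not a removal list.
Get-WebAppPolicyReport -AllowedAccount $dedicatedAccount |
    Sort-Object Unexpected -Descending |
    Format-Table WebApplication, UserName, Roles, FullControl, Unexpected -AutoSize
```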