It is common understanding that when you add a user into a Farm Administrator group via Central Admin, then it can access everything in the Central Admin and perform all operations. If you are thinking the same way then it is not correct. As a member of a Farm Administrator group, you can perform only certain operations which don’t require access on the SharePoint Server’s Infrastructure. You can view a lot of things but still not completely.
As an example, if you want to create the Web Application (this is required to create Site & App Pool in IIS, Create a Content Database, Update the Config Database, Create a Couple of Timer Jobs, and Reset IIS) with the Farm Administrator account then either you will get Access Denied or it will prompt you for the SharePoint Farm Admin Credential. There are many options which you can't perform.
In order to get full control on the Central Admin and PowerShell, your user account requires the following permissions.
- Part of Local Administrator group on all servers in the Farm
- Farm Administration SharePoint Group
- SharePoint_Shell_Access to run the SharePoint PowerShell.
Here is a table which will tell you what you can and can't do as a member of SharePoint Farm Administrator Group Only.