Managing Site Security
Management of the security for a site is the responsibility of the site owner. The site owner is responsible for assigning rights to users within their site. Rights can be assigned directly to an Active Directory user or group, or they can be assigned through a SharePoint group containing Active Directory users or groups.
Security must be configured for all top-level sites. By default, when a new top-level site is created, the user who created it is the only person who has access to the site. If security for a subsite is configured to be inherited from the parent site, security is not managed for the subsite; instead, the security is based on the rights assigned in the parent site. If security for the subsite is defined to be unique, the user will be required to assign the appropriate rights to individuals needing access to the site.
When creating your sites, it is important to understand the security needs of the individuals who will be using the sites and to assign users the appropriate security to allow them to work with the materials within the site.
Managing SharePoint Groups
SharePoint groups contain Active Directory user and group accounts and are used to assign rights within SharePoint. SharePoint groups can be used throughout a site hierarchy to assign rights to sites, lists, and libraries as needed. By default, when a new top-level site is created, three default site groups are also created. Permission levels are a set of permissions granted to a SharePoint group or Active Directory user or group that provide a specific class or level of access within a site.
SharePoint site groups can be created and customized to meet the security needs within the SharePoint environment.
Creating SharePoint Groups
Create a new SharePoint group as follows:
1. Navigate to a site where the group will be used.
2. On the site’s home page, click the Site Permissions option from the Site Actions menu.
3. On the Permissions page, select the Create Group command from the Permission Tools—Edit ribbon.
4. On the New Group page, enter the following:
   a. In the “Name and About Me Description” section, enter the name for the new SharePoint group. You can also enter an optional About Me description. The About Me information is presented next to the name when the SharePoint group is presented.
   b. In the Owner section, you can update the SharePoint group owner information. The owner has the right to update the site’s group information. By default, the owner is listed as the user creating the SharePoint group.
   c. In the Group Settings section, you can specify if only group members or if everyone has the ability to view group membership information. You can also define if only the group owner or if all group members have the ability to edit the group membership.
   d. In the Membership Requests section, you can specify if requests can be made by users to join or leave the group and if requests should be automatically accepted. The e-mail address that requests should be sent to is also listed. By default, the e-mail address will be set to the e-mail address of the user creating the group.
   e. If the current site does not inherit permissions from its parent, then in the Give Group Permission to this Site section, optionally select the permission level to grant the group within the current site.
   f. Once all of the necessary information has been entered, click the Create button.
The new SharePoint group is created, and you are taken to the People and Groups page.
Editing SharePoint Groups
To edit an existing SharePoint group, use the following steps:
1. On a site’s home page, click the Site Settings option from the Site Actions menu.
2. On the Site Settings page, in the Users and Permissions section, click the People and Groups link.
3. On the People and Groups page, do one of the following:
   a. Click the name of the group to edit in the Groups list located in the right-hand navigation area, click the Settings link, and select the Group Settings option.
   b. Alternatively, on this page, click the Groups header in the Groups list to present all groups, and click the Edit link next to the desired group name.
4. On the Change Group Settings page, you can update the following:
   a. In the Name and About Me Description section, you can update the group name or About Me details.
   b. In the Owner section, you can update the group owner.
   c. In the Group Settings section, you can update who can view the membership of the group, so that either group members or everyone has the right to view the group membership information. You can also update who can edit the membership of the group, so that either only the group owner or all group members have the ability to update the group membership.
   d. In the Membership Requests section, you can update if people can request to join or leave the group and if the requests should be automatically accepted. You can also update the e-mail address that requests are sent to.
   e. Once all information has been appropriately updated, click the OK button.
The SharePoint group is appropriately updated, and you are taken to the People and Groups page.
Deleting SharePoint Groups
Follow these steps to delete an existing SharePoint group:
1. Navigate to a site.
2. On the site’s home page, click the Site Settings option from the Site Actions menu.
3. On the Site Settings page, in the Users and Permissions section, click the People and Groups link.
4. On the People and Groups page, do one of the following:
   a. Click the name of the group to edit in the Groups list located in the right-hand navigation area, click the Settings link, and select the Group Settings option.
   b. Alternatively, on this page, click the Groups header in the Groups list to present all groups, and click the Edit link next to the desired group name.
5. On the Change Group Settings page, click the Delete button.
6. On the deletion confirmation screen, click the OK button.
The SharePoint group is deleted, and you are taken to the People and Groups page.
Adding Users to SharePoint Groups
Add users to a SharePoint group as follows:
1. Navigate to a site where the group is used.
2. On the site’s home page, click the Site Settings option from the Site Actions menu.
3. On the Site Settings page, in the Users and Permissions section, click the People and Groups link.
4. On the People and Groups page, do one of the following: click the name of the group from the Groups list, or click the Groups header and then the name of the group.
5. On the People and Groups page, the group membership will be displayed for the selected group. You can click the arrow next to the New link to present the New menu.
6. Select the Add Users option from the New menu.
7. On the Grant Permissions screen, enter the following:
   a. In the Select Users section, enter the Active Directory users and groups to be added to the SharePoint group. You can then click the check name icon next to the entry field to confirm that the entered information corresponds to a valid user or group account. Alternatively, you can click the address book icon to select the users from the Active Directory address book search window.
   b. Once all users have been selected, click the OK button.
The users and groups are added to the SharePoint group, and you are returned to the People and Groups page.
Removing Users from a SharePoint Group
Use these steps to remove users from a SharePoint group:
1. Navigate to a site where the group is used.
2. On the site’s home page, click the Site Settings option from the Site Actions menu.
3. On the Site Settings page, in the Users and Permissions section, click the People and Groups link.
4. On the People and Groups page, do one of the following: click the name of the group from the Groups list, or click the Groups header and then the name of the group.
5. On the People and Groups page, the group membership will be displayed for the selected group. You can check the boxes in front of the users you wish to remove from the group and click the Actions link to present the Actions menu.
6. Select the Remove Users from Group option from the Actions menu.
7. Confirm the removal of the users from the SharePoint group by clicking the OK button.
The users are removed from the SharePoint group, and the People and Groups page is updated to reflect the change.
Viewing SharePoint Group Permissions
Since SharePoint groups can be used across sites, having the ability to see all sites where a group has been assigned permissions can be very valuable. To view a group’s permissions assignments, use the following procedure:
1. Navigate to a site.
2. On the site’s home page, click the Site Settings option from the Site Actions menu.
3. On the Site Settings page, in the Users and Permissions section, click the People and Groups link.
4. On the People and Groups page, click the name of the group in the Groups list located in the right-hand navigation.
5. On the People and Groups page, the group membership will be displayed for the selected group. Select the Settings link to view the Settings menu options.
6. Select the View Group Permissions option from the Settings menu.
The View Site Collection Permissions window is presented; it displays the sites, lists, and libraries where the group has been assigned permissions and the permission levels assigned. You can click any of the listed object names to go to the default page of an item.
Changing Permission Inheritance for a Site
As we have discussed, when you create a subsite, you have the ability to identify whether the subsite should have its own unique permissions defined or whether it should inherit permissions from its parent site. After the site has been created, you have the ability to change this setting if security requirements for the subsite change. Change the permission inheritance settings for a subsite as follows:
1. Navigate to the site in which you need to change permission inheritance.
2. On the site’s home page, click the Site Settings option from the Site Actions menu.
3. On the Site Settings page, in the Users and Permissions section, click the Site Permissions link.
4. On the Permissions page, directly below the ribbon options is a message stating the current inheritance status of the site.
5. Update the permission inheritance:
   a. If the site is currently inheriting permissions, the inheritance status will state “This web site inherits permissions from its parent.” To stop inheriting permissions, select the Stop Inheriting Permissions command from the Permission Tools—Edit ribbon, and click OK on the confirmation message box.
   b. If the site currently has unique permissions, the inheritance status will state “This web site has unique permissions.” To establish inheritance for the site, click the Inherit Permissions command from the Permission Tools—Edit ribbon and click OK on the confirmation message box.
The site permission inheritance settings are updated, and the Permissions screen is refreshed to reflect the change.
Managing Permission Levels
As we discussed previously, SharePoint groups and individual users can be assigned permissions within SharePoint sites. When users are added, they are either assigned to a SharePoint group or granted rights through direct permission level assignments. We discussed how to manage permission level assignments to SharePoint groups as part of the “Managing SharePoint Groups” section.
Permission levels are sets of permissions that are grouped together to provide a specific level or class of rights within a site. There are six default permission levels available within SharePoint Foundation:
Full control: This permission level includes all available permissions and grants the assigned users administrative-level access to the site and all of the site’s resources. This permission level cannot be changed or deleted from SharePoint.
Design: The Design permission level provides the ability to manage lists, libraries, and pages within a SharePoint site and approve content.
Contribute: This permission level provides the ability to manage content in a site’s lists and libraries.
Read: The Read permission level provides read-only access to site resources.
Limited Access: This permission level is designed to be combined with list or library permissions to provide access to only specific lists or libraries within a site without granting rights to any other resources within the site. This permission level cannot be changed or deleted from SharePoint. This permission level cannot be manually set. This right is only assigned by SharePoint based on other rights configurations.
Permission levels can be assigned to an Active Directory user or group as follows:
1. Navigate to the site where the permissions need to be assigned. This should be a site where permissions are not being inherited from the site’s parent.
2. On the site’s home page, click the Site Permissions option from the Site Actions menu.
3. On the Permissions page, click the Grant Permissions command on the Permission Tools—Edit tab of the ribbon.
4. In the Grant Permissions window, enter the following:
   a. In the Select Users section, enter the Active Directory users and groups to be added to the permission level, and click the check name icon to confirm that the entered information corresponds to valid users or groups. Alternatively, you can click the address book icon to select users from the Active Directory address book search.
   b. In the Grant Permission section, select the Grant Users Permissions Directly option, and select the permission levels to assign to the user.
   c. Once the information has been entered, click the OK button.
The users are assigned the selected permission levels in the site, and you are returned to the Permissions page.
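To review the outcome of the inheritance and direct-grant procedures above across a whole site collection, the following PowerShell script is an added example (not from the original article and not a Microsoft-supplied tool). It assumes the SharePoint 2010 Management Shell on a farm server; the function name Get-SitePermissionAudit, the site collection URL, and the CSV path are placeholders chosen here.

```powershell
# Added example: read-only audit, SharePoint 2010 server object model.
# Assumes the SharePoint Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-SitePermissionAudit {
    param(
        [Parameter(Mandatory = $true)]
        [string]$SiteCollectionUrl
    )
    $fullMask = [Microsoft.SharePoint.SPBasePermissions]::FullMask
    $site = Get-SPSite -Identity $SiteCollectionUrl
    try {
        foreach ($web in $site.AllWebs) {
            try {
                if (-not $web.HasUniqueRoleAssignments) {
                    # Inheriting subsite: rights are managed on the parent site.
                    New-Object PSObject -Property @{
                        Web = $web.ServerRelativeUrl; Inheritance = 'Inherited'
                        Principal = ''; PrincipalType = ''; PermissionLevels = ''; Flags = ''
                    }
                }
                else {
                    foreach ($assignment in $web.RoleAssignments) {
                        $member = $assignment.Member
                        $bindings = @($assignment.RoleDefinitionBindings)
                        if ($member -is [Microsoft.SharePoint.SPGroup]) { $type = 'SharePoint group' }
                        elseif ($member.IsDomainGroup) { $type = 'AD group (direct)' }
                        else { $type = 'AD user (direct)' }
                        $flags = @()
                        if ($type -eq 'AD user (direct)') { $flags += 'direct user grant' }
                        # Compare the permission mask, not the name, so a renamed
                        # copy of the Full control level is still reported.
                        if (@($bindings | Where-Object { $_.BasePermissions -eq $fullMask }).Count -gt 0) {
                            $flags += 'all permissions'
                        }
                        New-Object PSObject -Property @{
                            Web = $web.ServerRelativeUrl; Inheritance = 'Unique'
                            Principal = $member.Name; PrincipalType = $type
                            PermissionLevels = (($bindings | ForEach-Object { $_.Name }) -join ', ')
                            Flags = ($flags -join '; ')
                        }
                    }
                }
            }
            finally { $web.Dispose() }
        }
    }
    finally { $site.Dispose() }
}

# Placeholder URL (constructed); replace with a site collection you administer.
Get-SitePermissionAudit -SiteCollectionUrl 'http://sharepoint.example.local/sites/team' |
    Select-Object Web, Inheritance, Principal, PrincipalType, PermissionLevels, Flags |
    Export-Csv -Path .\site-permission-audit.csv -NoTypeInformation
```

Rows marked Inherited carry no assignments of their own; rows with a non-empty Flags column are the ones to check against the intended use of SharePoint groups and permission levels.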
Adding Permission Levels
To create your own combination of permissions to meet specific site management needs, you can create your own permission level sets as follows:
1. Navigate to a site having unique permissions where you are the administrator.
2. From the site’s home page, click the Site Permissions option from the Site Actions menu.
3. On the Permissions page, click the Permission Levels command on the Permission Tools—Edit ribbon.
4. If the current site is not the topmost site, a link will be available under See Also in the left navigation area called Manage Permission Levels on Parent Web Site. Click this link.
5. On the Permission Levels page, click the Add a Permission Level link.
6. On the Add a Permission Level page, enter the following:
   a. In the Name and Description section, enter the name for the new permission level. You can also enter an optional description. The description is presented next to the name when the permission level is listed for selection.
   b. In the Permissions section, check the check boxes in front of all permissions that the permission level should include.
   c. Once all of the necessary information has been entered, click the Create button.
The new permission level is created, and you are returned to the Permission Levels page.
Creating a New Permission Level as a Copy of an Existing Permission Level
When there is the need for a new permission level that closely mirrors an existing permission level, you can make a copy of the existing item to use as a starting point when creating the new permission level. Create a new permission level as a copy of an existing permission level as follows:
1. Navigate to a site having unique permissions where you are the administrator.
2. From the site’s home page, click the Site Permissions option from the Site Actions menu.
3. On the Permissions page, click the Permission Levels command on the Permission Tools—Edit ribbon.
4. If the current site is not the topmost site, a link will be available under See Also in the left navigation area called Manage Permission Levels on Parent Web Site. Click this link.
5. On the Permission Levels page, click the name of the permission level to copy.
6. On the Edit Permission Level page, click the Copy Permission Level button.
7. On the Copy Permission Level page, enter the following:
   a. In the Name and Description section, enter the name for the new permission level. You can also enter an optional description.
   b. In the Permissions section, update the permissions set for the permission level as appropriate.
   c. Once all of the necessary information has been entered and updated, click the Create button.
The new permission level is created, and you are returned to the Permission Level page.
Editing Existing Permission Levels
You can also edit an existing permission level as follows:
1. Navigate to a site having unique permissions where you are the administrator.
2. From the site’s home page, click the Site Permissions option from the Site Actions menu.
3. On the Permissions page, click the Permission Levels command on the Permission Tools—Edit ribbon.
4. If the current site is not the topmost site, a link will be available under See Also in the left navigation area called Manage Permission Levels on Parent Web Site. Click this link.
5. On the Permission Levels page, click the name of the permission level to update.
6. On the Edit Permission Level page, update the following:
   a. In the Name and Description section, you can edit the permission level name and optional description text.
   b. In the Permissions section, update the permissions set for the permission level as appropriate.
   c. Once all of the necessary updates have been made, click the Submit button.
The permission level is updated, and you are returned to the Permission Level page.
Deleting Existing Permission Levels
To delete an existing permission level, use these steps:
1. Navigate to a site having unique permissions where you are the administrator.
2. From the site’s home page, click the Site Permissions option from the Site Actions menu.
3. On the Permissions page, click the Permission Levels command on the Permission Tools—Edit ribbon.
4. If the current site is not the topmost site, a link will be available under See Also in the left navigation area called Manage Permission Levels on Parent Web Site. Click this link.
5. On the Permission Level page, check the check box in front of the permission levels you want to delete, and click the Delete Selected Permission Levels link.
6. On the delete confirmation screen, click the OK button.