PERMISSION LEVELS
Permission levels are the sets of permissions that administrators use to grant users access to site content. Depending upon the access a user or group of users requires, an administrator can use the out-of-the-box permission levels or create one that will fulfill the user access requirements.
Unlike permissions, permission levels are manageable from the site where they are being used. From the Site Permissions page, you can access the current permission levels available for your site.
It is here you can create your own permission levels, delete existing permission levels, and modify existing permission levels.
There are a few “best practices” when it comes to managing permission levels:
➤ It is not a good idea to modify a default permission level. If a default permission level is not configured the way you like, you can create a new permission level.
➤ When you create a new permission level, you are often only changing one or more permissions assigned to a default permission level. To ensure that you keep all the desired permissions, make a copy of the default permission level and then edit the permissions for the copied permission level.
➤ It is not recommended to delete a default permission level. If you don’t think you need it, there is no harm in keeping it. If you need it down the road, you won’t have to create it from scratch and risk not configuring it the same way it was originally.
By default, a set of permission levels is available when a new site is created. This set of permissions will depend upon the site template that was used to create the site. For team sites there are six default permission levels:
➤ Full Control — Users and groups with this permission level will have access to everything on the site and can perform any site administrative tasks. This shouldn’t be confused with site collection administrators. Users and groups with Full Control permissions cannot perform site collection administrative tasks.
➤ Design — Can view, add, update, delete, approve, and customize. A step up from Contribute, this permission also allows users to customize the site and its pages. Additionally, this group can approve items that are in containers with Content Approval enabled. For the most part, users and groups with this permission level can do anything on the securable object except for administrative tasks.
➤ Contribute — Can view, add, update, and delete list items and documents. This is the standard permission level used to grant users access to content and containers when they need to add, edit, and delete content.
➤ Read — Can view pages and list items and download documents. This is the standard permission level for users and groups you want to access content, but not have the permissions to add, edit, or delete content.
➤ Limited Access — Can view specific lists, document libraries, list items, folders, or documents when given permissions. This permission level cannot be assigned. Instead, it is the result of customizing permissions for a securable object. In essence, when you see this permission level for a user or group, the users have access to a securable object in the current container, but not to all the securable objects in the container.
➤ View Only — Can view pages, list items, and documents. Document types with server-side file handlers can be viewed in the browser but not downloaded. The key concept here is that users and groups with this permission level can’t download copies of documents with server-side file handlers.
Figure 8-5 shows the permission levels for team sites.
FIGURE 8-5
To see all of the default permission levels, you have to create a site based on a Publishing site template. Only the Publishing site template deploys the total set of permission levels. These include the permission levels available with the team site as well as those in the following list:
➤ Restricted Read — View pages and documents. For Publishing sites only. This permission level is similar to the Read permission level, but it only has four of the eleven Read permission level permissions. Key distinctions are that users with this permission level will not be able to create alerts, browse user information, or use client integration.
➤ View Only — View pages, list items, and documents. If the document has a server-side file handler available, users can only view the document by using that file handler. Again, this permission level is based on the Read permission, but it doesn’t have all the same permissions. A few key distinctions are that users with this permission level will not be able to open list and document library items, browse user information, or use client integration.
➤ Approve — Edit and approve pages, list items, and documents. For Publishing sites only. This permission level is designed to work with the Publishing Approval workflow template. Users and groups with this permission level will be able to edit and approve items submitted, and leverage the Publishing Approval workflow. They will also be able to approve items in lists and document libraries that have Content Approval enabled.
➤ Manage Hierarchy — Create sites; edit pages, list items, and documents. For Publishing sites only. Similar to the Design permission, this permission level allows users to edit the design and components that make up the site. This permission level does not include all the permissions that users with the Design permission level have. A key difference is that users with the Manage Hierarchy permission level cannot approve items leveraging the Publishing Approval workflow or Content Approval features.
Figure 8-6 shows the default Publishing permission levels when using the Publishing template.
FIGURE 8-6
An important thing to remember when working with these permission levels is that, for the most part, moving down the hierarchy of permission levels, levels will contain all the permissions of the permission levels that precede them. Therefore, Full Control contains all the permissions of all the permission levels combined. The Contribute permission will have all the permissions of Read, Restricted Read, View Only, and Limited Access.
Creating a New Permission Level Based on an Existing Permission Level
Depending on your environment, you might find that the default permission levels aren’t adequate for the user access needs of your organization. One of the most common issues is that the Contribute permission level allows users to have Delete Items permission. To remedy this problem, you can create a new Contribute Without Delete permission level and base this new permission level on the default Contribute permission level. Rather than build a new permission from scratch, you can start with the Contribute permissions and then deselect the Delete Items permission and you will be good to go. The following procedure will walk you through this process:
1. Navigate to your top-level site.
2. Click on Site Actions and select Site Permissions (or Site Actions and select Site Settings for the Publishing site options). Under Users and Permissions, click on Site Permissions.
3. In the Ribbon, click on Permission Levels (see Figure 8-7).
FIGURE 8-7
4. Select the permission level that you want to use as a reference for your new permission level. For this example, the Contribute permission level will be selected.
5. Scroll down to the bottom of the page and click Copy Permission Level (see Figure 8-8).
6. You will be prompted to give the copied permission level a name, a description, and the desired permissions. Since all that is needed is to remove the Delete Items permission, simply scroll down to that permission and deselect it.
7. Scroll down to the bottom of the page and click Create. This will create your new permission level. Note that the permissions list in Figure 8-9 now includes Contribute Without Delete.
FIGURE 8-8
FIGURE 8-9
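The Contribute Without Delete procedure above can also be scripted, which makes the result repeatable and easy to verify. The following is an added example, not part of the original text; it assumes the SharePoint 2010 Management Shell on a farm server, and the site URL is a placeholder.

```powershell
# Added example; run in the SharePoint 2010 Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl  = "http://sharepoint.example.com"   # placeholder: your top-level site
$baseName = "Contribute"
$newName  = "Contribute Without Delete"
$removed  = "DeleteListItems"                 # the "Delete Items" permission

$web = Get-SPWeb $siteUrl
try {
    $existing = $web.RoleDefinitions | Where-Object { $_.Name -eq $newName }
    if ($existing) {
        Write-Host "'$newName' already exists; leaving it unchanged."
    }
    else {
        # Read the default level without modifying it.
        $base = $web.RoleDefinitions[$baseName]

        # SPBasePermissions is a flags enum; ToString() lists the set flags.
        # Filtering names avoids bitwise math on 64-bit values in PowerShell 2.0.
        $kept = ($base.BasePermissions.ToString() -split ',\s*') |
                Where-Object { $_ -ne $removed }

        $level = New-Object Microsoft.SharePoint.SPRoleDefinition
        $level.Name            = $newName
        $level.Description     = "Copy of $baseName without Delete Items."
        $level.BasePermissions = ($kept -join ', ')   # parsed back into the enum
        $web.RoleDefinitions.Add($level)
    }

    # Verify: the new level must not carry the delete permission.
    $check = $web.RoleDefinitions[$newName].BasePermissions.ToString() -split ',\s*'
    if ($check -contains $removed) {
        Write-Warning "'$newName' still includes $removed."
    }
    else {
        Write-Host "'$newName' has $($check.Count) permissions; $removed is not one of them."
    }
}
finally {
    $web.Dispose()
}
```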
Creating a Permission Level from Scratch
If the default permission levels don’t provide a good starting point for a permission level your environment requires, you have the option to create a permission level from scratch. You start with a blank slate and select the desired permissions that will be needed.
1. Follow steps 1-3 in the preceding set of instructions to navigate to the Permissions Level page.
2. Click Add a Permission Level.
3. Enter a name and description for your new permission level. For this example, the name will be Custom Permission Level 1, with no description.
4. Select the permissions you want to be associated with the permission level and click Create. You should now see your newly created permission level in the Permission Levels page, as shown in Figure 8-10.
FIGURE 8-10
In step 4 of this procedure, you may notice that when you click on a permission, others are automatically selected. Some of the permissions in SharePoint are dependent upon others — selecting one automatically selects the others. For example, several other permissions are dependent on the View Items permission. Because many other permissions are related to performing actions on items, it is prudent to first be able to view the item. Therefore, if you select the Edit Items or Delete Items permissions, for example, SharePoint will automatically select the View Items permission.
Editing an Existing Permission Level
As previously mentioned, sometimes the permissions that exist on your sites are not exactly what you are looking for. Fortunately, you can edit these permission levels by selecting and deselecting the individual permissions that make up the permission level.
Following Microsoft “Best Practices,” editing default permission levels is not advised. Instead, edit custom permission levels.
The following procedure will walk you through editing a permission level that exists on a site based on the Team site template:
1. Follow the steps in the earlier instructions to navigate to the Permissions Level page.
2. Click the permission level you want to edit. If you select the Full Control or Limited Access permission levels, you will notice that all of the permissions are grayed out. You will not be able to edit these permission levels. If you select a permission level other than these two, you can deselect current permissions and/or add permissions.
3. When finished, click Submit. This will save the changes you have made. Note that this change will affect this entire site collection.
Deleting a Permission Level
In the event that you no longer wish a permission level to be available, you can remove it from the Permission Levels page:
1. Follow the steps in the earlier instructions to navigate to the Permissions Level page.
2. Select the permission level you want to delete. For this example, the Custom Permission Level 1 will be deleted. Select this permission level and click Delete Selected Permission Levels. As the option states, you can delete more than one permission level at a time if you so choose.
3. Once you click Delete Selected Permission Levels, a pop-up window will appear asking you to confirm the deletion of the selected permission level (see Figure 8-11). Click OK.
4. The selected permission level will be deleted and will no longer be available from the Permission Levels page.
When you delete a permission level it will no longer be available. When the permission level is removed, any users or groups that are leveraging this permission level for access will be removed from the Site Permissions page. In order for these users or groups to have access again, you must grant them one of the available permission levels.
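Because deleting a permission level removes access for every user or group that relies on it, it helps to list those assignments before deleting. The following is an added example, not part of the original text; it assumes the SharePoint 2010 Management Shell on a farm server, the site URL is a placeholder, and `Get-LevelUsage` is a helper name introduced here.

```powershell
# Added example: report where a permission level is in use before deleting it.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl   = "http://sharepoint.example.com"   # placeholder: your site collection
$levelName = "Custom Permission Level 1"

# Helper introduced for this example: emits one record per principal that
# holds $levelName on the given securable object (site or list).
function Get-LevelUsage($securable, $scope, $url) {
    foreach ($assignment in $securable.RoleAssignments) {
        foreach ($binding in $assignment.RoleDefinitionBindings) {
            if ($binding.Name -eq $levelName) {
                New-Object PSObject -Property @{
                    Scope     = $scope
                    Url       = $url
                    Principal = $assignment.Member.Name
                }
            }
        }
    }
}

$site = Get-SPSite $siteUrl
try {
    $usage = foreach ($web in $site.AllWebs) {
        try {
            # Only objects with broken inheritance hold their own assignments.
            if ($web.HasUniqueRoleAssignments) {
                Get-LevelUsage $web "Site" $web.Url
            }
            foreach ($list in $web.Lists) {
                if ($list.HasUniqueRoleAssignments) {
                    Get-LevelUsage $list "List" ($web.Url + "/" + $list.RootFolder.Url)
                }
            }
        }
        finally { $web.Dispose() }
    }
}
finally { $site.Dispose() }

if ($usage) {
    $usage | Sort-Object Url, Principal | Format-Table Scope, Url, Principal -AutoSize
}
else {
    Write-Host "No site or list assignments use '$levelName'."
}
```

This report covers sites and lists only; folders and items with unique permissions are not enumerated.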
SECURITY GROUPS
So far this chapter has covered the individual permissions that make up permission levels and how these permission levels are used to grant users and groups access to SharePoint content. Now it is time to discuss the users and groups that will be assigned the previously stated permission levels.
FIGURE 8-11