The following procedure will walk you through editing a permission level that exists on a site based on the Team site template:
1. Follow the steps in the earlier instructions to navigate to the Permissions Level page.
2. Click the permission level you want to edit. If you select the Full Control or Limited Access permission levels, you will notice that all of the permissions are grayed out. You will not be able to edit these permission levels. If you select a permission level other than these two, you can deselect current permissions and/or add permissions.
3. When finished, click Submit. This will save the changes you have made. Note that this change will affect this entire site collection.
Deleting a Permission Level
In the event that you no longer wish a permission level to be available, you can remove it from the Permission Levels page:
1. Follow the steps in the earlier instructions to navigate to the Permissions Level page.
2. Select the permission level you want to delete. For this example, the Custom Permission Level 1 will be deleted. Select this permission level and click Delete Selected Permission Levels. As the option states, you can delete more than one permission level at a time if you so choose.
3. Once you click Delete Selected Permission Levels, a pop-up window will appear asking you to confirm the deletion of the selected permission level (see Figure 8-11). Click OK.
4. The selected permission level will be deleted and will no longer be available from the Permission Levels page.
When you delete a permission level it will no longer be available. When the permission level is removed, any users or groups that are leveraging this permission level for access will be removed from the Site Permissions page. In order for these users or groups to have access again, you must grant them one of the available permission levels.
SECURITY GROUPS
So far this chapter has covered the individual permissions that make up permission levels and how these permission levels are used to grant users and groups access to SharePoint content. Now it is time to discuss the users and groups that will be assigned the previously stated permission levels.
FIGURE 8-11
CHAPTER 8 SECURING AND MANAGING SITE CONTENT
SharePoint Security Groups
SharePoint security groups are groups of users that are created from within the browser and can be used within a given site collection. By default, SharePoint creates security groups (site groups) when a new site collection is created. The groups that are created vary according to the template that is used. The following are the site groups that may be created:
➤ Site Collection Administrators — This group is created for all site collection templates. It has Full Control permissions and can do anything on this site collection. These permissions cannot be overridden. When a new site collection is created, the creator has to specify a value for the primary site collection administrator, and he/she will have the option to enter a user for the secondary site collection administrator. These specified users are added to the Site Collection Administrators group and will be able to perform the administrative tasks associated with the site collection. These options are available from the Site Settings menu on the top-level site collection (see Figure 8-12). These users will also be the only users who can view the members of the Site Collection Administrators group. The Site Collection Administrators group is also accessible from the Site Permissions page of the top-level site, as shown in Figure 8-13.
FIGURE 8-12
FIGURE 8-13
➤ [Site collection name] Owners — This group is created for all site collection templates; by default, members of this group will have Full Control.
➤ [Site collection name] Members — This group is created for all site collection templates; by default, members of this group will have Contribute access.
➤ [Site collection name] Visitors — This group is created for all site collection templates; by default, members of this group will have Read access.
➤ Viewers — This group has View Only access, and is created for Collaboration and Meeting site templates.
➤ Approvers — This group has Approval access, and is created for Enterprise site templates and Publishing site templates.
➤ Designers — This group has Design access, and is created for Enterprise site templates and Publishing site templates.
➤ Hierarchy Managers — This group has Manage Hierarchy access, and is created for Enterprise site templates and Publishing site templates.
➤ Restricted Readers — This group has Restricted Read access, and is created for Enterprise site templates and Publishing site templates.
Configuring Permissions During Site Creation
When you create a new site within an existing site collection, you select your template and then you enter a name, URL, and description for your site. To configure permissions during site creation, from the Create screen click the More Options button. The Permissions options will appear, as shown in Figure 8-14. The default value is to Use same permissions as parent site — that is, inherit permissions from the parent site. This means that access to the new site is the same as that used on the parent one. No new groups will be created.
If you select Use unique permissions (as shown in Figure 8-14) and click Create, you will be prompted to configure three new user access groups: [New site name] Owners, [New site name] Members, and [New site name] Visitors (see Figure 8-15). This creates a customized security structure, and only users who are members of these groups will have access to the site.
FIGURE 8-14
FIGURE 8-15
The available default permissions will vary with the version of SharePoint 2010 you are running. SharePoint Foundation 2010 does not have all the same permissions that SharePoint Server 2010 has.
Adding a SharePoint Security Group
In addition to site groups and groups that are created when a new site is created using unique permissions, you can create your own SharePoint security groups, assuming you have sufficient permissions. This group will be usable within the entire site collection, not just within the site in which it was created. When you assign a permission level to the group, that access applies to the current securable object and all child securable objects.
This is an area where people are easily confused. When you create a SharePoint group, you can specify the group’s permission level or you can leave it blank. If you leave it blank, you can always configure the group’s access to another securable object. If you configure the group’s access, the access will only be for that securable object and any securable objects that inherit permissions from the parent. Once the SharePoint security group is created, you can navigate to any securable object’s permission settings page and add access for the group.
To add a SharePoint security group, follow these steps:
1. Navigate to the People and Groups page in any site within your site collection by clicking Site Actions ➪ Site Settings.
2. Under the Users and Permission header, click People and Groups. By default, the page will display the first SharePoint group that is listed in the Current Navigation under Groups. To see all groups within the site collection, click on the link for Groups (see Figure 8-16) to open the All Groups page.
FIGURE 8-16
3. Click the New drop-down menu and select New Group, as shown in Figure 8-17.
FIGURE 8-17
4. Enter a name and description for the new group. For this example the name will be New Group 1, with no description. Specify the Group Owner (only one user can be the group owner). Typically, the only people who can view the membership of the group are the members of that group. Additionally, only the Group Owner can edit the membership of the group. For obvious reasons, it is not a good idea to give several users this capability. You can also configure if and how you want to receive membership requests.
5. Click Create. Your group will now be created.
Deleting a SharePoint Security Group
Deleting a SharePoint security group is simple:
1. Navigate to the All Groups page (see steps 1 and 2 of the preceding “Adding a SharePoint Security Group” procedure).
2. When viewing the available groups, click the Edit icon for the desired security group.
3. Scroll down and click Delete.
Managing SharePoint Security Groups in Current Navigation
To manage SharePoint security groups, follow these steps:
1. Navigate to the People and Groups page (follow steps 1 and 2 of the “Adding a SharePoint Security Group” procedure). This procedure describes how to edit the groups displayed here.
2. Select Settings ➪ Edit Group Quick Launch, as shown in Figure 8-18.
FIGURE 8-18
3. Enter or remove one or more security groups from the displayed groups.
Adding Users to SharePoint Security Groups
To add users to SharePoint security groups, follow these steps:
1. Navigate to the All Groups page (follow steps 1 and 2 of the “Adding a SharePoint Security Group” procedure).
2. Select a group by clicking on the name of the group.
3. Click the New drop-down menu and select Add Users.
4. Enter the user’s name and validate.
5. Select whether or not you want to have an e-mail sent to the user informing them of their new access.
6. Click OK.
Deleting Users from SharePoint Security Groups
To delete users from SharePoint security groups, follow these steps:
1. Navigate to the All Groups page (follow steps 1 and 2 of the “Adding a SharePoint Security Group” procedure).
2. Select a group by clicking on the name of the group.
3. Select the users you want to remove.
4. Click Remove Users From Group.
The two preceding procedures are for adding and deleting users, but you can
follow the same steps to add an Active Directory group to a SharePoint group
In the people picker, specify the Active Directory group, rather than the name
of a user, and then validate the name You can search for an Active Directory
group the same way you search for a user.
Active Directory Groups
In addition to using SharePoint security groups, you can also use Active Directory (AD) groups. For security, you must use AD e-mail-enabled security groups. Distribution lists cannot be used. In order for an object to be used in security it must have a Security ID (SID) in Active Directory. User accounts have SIDs, so they can be used. Distribution lists do not have SIDs, which is why they cannot be used as security objects in SharePoint. AD groups and individual users are granted permissions in similar fashion. As such, their use is covered later in this chapter.
SharePoint Security Groups versus Active Directory Groups
Because you can use either SharePoint security groups or Active Directory groups, let’s discuss the benefits and downsides to using either option. In most cases, it really depends on the environment and the governance policy in place.
In most environments, the AD structure is much older than the SharePoint implementation and already set up. If your SharePoint security structure needs match those of the current AD setup, then it will be much easier to deploy AD groups, rather than recreate the same structure and add users to SharePoint security groups. If this is not the case, and your SharePoint site structure has completely different user access configuration needs, this is a picture-perfect example of when to choose SharePoint security groups over AD groups.
Another thing to consider is the user who will be managing the security structure and user access. With AD, it is almost always an information technology specialist, who may or may not have SharePoint access. With SharePoint, the site collection administrator or site owner may be an IT professional, but there is a good chance that it will be a manager or power user, who will not have AD access. Most organizations avoid turning control of IT application security over to a non-IT professional. In situations where the site collection administrator and/or site owners are non-IT members, a combined approach is common. One significant drawback to AD groups is discoverability. There is no way in SharePoint to see the members of an AD group, making it difficult or impossible to know who has access to something if AD groups are used.
Special Groups and Authentication Options
There might not always be a user or group that exactly fits the bill when you want to add permissions at a large level. If you need to provide access to a large group of people that is dynamic, you may need to employ some special tactics to open your content to everyone that needs access.
➤ All Authenticated Users — One AD group that can be very useful is the NT AUTHORITY\Authenticated Users group. This group represents any and all users who authenticate to your AD domain. The advantage to using this group is that for environments that will be accessible by all your domain users, this guarantees access for all your users and is easy to manage. The downside is that this group represents all your users, granting them all access. Imagine if this group were given access to secure content. As such, this option should be used with caution. This also includes trusted domains, not just the domain your SharePoint servers are in. If you are using a trusted domain for extranet users, for instance, they will all also have access to any content secured with NT AUTHORITY\Authenticated Users.
NT AUTHORITY\Authenticated Users is an Active Directory group. Use of this group requires Windows Integrated Security.
➤ Anonymous Access — This authentication method allows any user(s) to access your SharePoint sites. Primarily seen with Internet sites, this option is useful when the users who will be accessing your content do not have corresponding user accounts in your domain. Anonymous Access can only be enabled at the web application level. Once enabled, it can be available for all site collections and sites within the web application. Since this is configurable at the site level, it is up to the site collection and site administrators whether they want this enabled in their environments. Similar to using the NT AUTHORITY\Authenticated Users group, this option should be used with caution. Anonymous access can be configured from the Site Permissions page, as shown in Figures 8-19 and 8-20.
Anonymous Access can only be configured at the site level once it is enabled in Central Administration in the authentication settings.
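An audit for the two broad-access options above and for the AD-group discoverability gap noted earlier, as an added PowerShell example that is not from the book: it lists every site in a site collection where anonymous access is enabled and every permission that lands on an AD group, flagging NT AUTHORITY\Authenticated Users. It assumes the SharePoint 2010 Management Shell on a farm server and classic-mode Windows authentication; the site URL and the New-Finding helper are placeholders of this example.

```powershell
# Added example, not from the book. Assumes the SharePoint 2010 Management Shell
# on a farm server and classic-mode Windows authentication.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl   = 'http://sharepoint.example.local/sites/team'  # placeholder URL
$broadName = 'NT AUTHORITY\Authenticated Users'

# Hypothetical helper: one report row per finding
function New-Finding($web, $kind, $principal, $via, $levels) {
    New-Object PSObject -Property @{
        Web = $web.Url; Kind = $kind; Principal = $principal; Via = $via; Levels = $levels
    }
}

$site = Get-SPSite -Identity $siteUrl
try {
    $findings = foreach ($web in $site.AllWebs) {
        try {
            # Site-level anonymous setting: Disabled, Enabled (lists and libraries) or On (entire site)
            if ($web.AnonymousState -ne 'Disabled') {
                New-Finding $web 'Anonymous' 'Anonymous users' "AnonymousState=$($web.AnonymousState)" ''
            }
            # Sites that inherit permissions are covered by the parent that owns the assignments
            if ($web.HasUniqueRoleAssignments) {
                foreach ($ra in $web.RoleAssignments) {
                    $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ', '
                    if ($ra.Member -is [Microsoft.SharePoint.SPGroup]) {
                        # Access granted through a SharePoint group: inspect its members
                        $principals = @($ra.Member.Users)
                        $via = "SharePoint group '$($ra.Member.Name)'"
                    } else {
                        $principals = @($ra.Member)
                        $via = 'direct grant'
                    }
                    # AD groups are opaque inside SharePoint; Authenticated Users is the broadest one
                    foreach ($p in $principals | Where-Object { $_.IsDomainGroup }) {
                        $kind = if ($p.LoginName -ieq $broadName) { 'AllAuthenticated' } else { 'ADGroup' }
                        New-Finding $web $kind $p.LoginName $via $levels
                    }
                }
            }
        } finally { $web.Dispose() }
    }
} finally { $site.Dispose() }

$findings | Sort-Object Kind, Web | Format-Table Web, Kind, Principal, Via, Levels -AutoSize
```

Rows of kind ADGroup give the list of groups whose membership has to be resolved in Active Directory to know who actually has access. The script checks site-level permissions only, not lists or items with their own unique permissions.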
FIGURE 8-19
FIGURE 8-20
GRANTING PERMISSIONS
Giving users access can be achieved in three ways: You can grant access to SharePoint security groups, to AD groups, or directly to users. Fortunately, the same procedure is used for each option. As previously stated, you must grant access to the specific securable object. For many environments, users will have different access for the various sites in the SharePoint environment.
For the following procedures, you will follow the first two steps to start:
1. Navigate to the securable object. In this example, the securable object will be a site.
2. Select Site Actions ➪ Site Permissions.
Granting Access to a Top-Level Site
To grant access to a top-level site, continue with the following steps:
1. Because this is at the top-level site, you do not have to worry about inheritance. Select Site Actions ➪ Site Permissions.
2. Click Grant Access.
3. Enter the user name(s), AD group name, or SharePoint group name and validate.
4. When granting permissions, you can add the desired user or AD group to an existing SharePoint group or you can give permission directly. The drop-down menu of existing SharePoint groups also shows the corresponding permission level for each group. Adding a new entry to this group gives that user the listed permission level. If you select Grant users permission directly, the permission levels options will be displayed and you can select the desired access (see Figure 8-21).