SharePoint Security and Permission System Overview
SharePoint Permission and Security Mechanisms
From time to time, our customers ask us about how SharePoint security and permission features work, and how should they be utilized. In this post we try to walk through the basic permission and security features of SharePoint. This post is not intended to be a complete description of every security and permission related feature in SharePoint, but we try to gather all the essential pieces here. We took many screenshots to illustrate what each setting or feature means in practice, enjoy the ride, 
!
Additional Resources:
Farm Administrators
Farm Administrators group is a group that is managed centrally via SharePoint Central Administration web-site:
Farm Administrators include by default SharePoint Farm -account, SharePoint installation account and BUILTIN\Administrators group. Farm Administrators have basically “all rights” in SharePoint Farm (or at least they have the ability to get them).
You can give Farm Administration rights to AD groups and AD users:
Additional Resources:
Authentication Providers
With authentication providers you can control how you would like to have your users authenticated in a web application. You can also enable/disable anonymous access and client integration and control client object model permission requirements among others:
Additional Resources:
Web Application Level Permission Policies
With web application level permission policies you can control centrally, with Central Administration, what kind of permission policies you want to apply to all site collections and sites under specific web application. By default SharePoint gives us four predefined policies:
Our recommendation is that you should not edit the default policies, but instead go ahead and create a new policies, if the out of the box policies are not what you are looking for. Policies itself do not grant any permissions unless you attach users or groups to that policy. Policies are just a definitions what the user who has granted the policy can do in the entire web application. With web application policies you can either Grant or Deny the permission.
Here is an example of adding a new web application level permission policy:
Additional Resources:
Web Application Level User Policies
User Policy is the place where the magic happens in a web application level. User policy is basically a AD user or AD group mapping to certain Web Application Level Permission policy. You can even define a Zone in which the policy is applied. For example you can use different policy for users who use the SharePoint sites from your internal network (intranet zone), and different policy for those who access the sites through public internet (internet zone), or just apply to “All Zones”. User policies are especially useful for service accounts and in development/integration environments where you probably recreate site collections often (maybe with TFS autobuild scripts).
Here is a screenshot of applying Manage Content -policy to Content Editors AD group:
Additional Resources:
Web Application Level Anonymous Policy
You can also define web application level anonymous users’ policy through Central Administration -site (but you can only select the policy from a three predefined policies):
Additional Resources:
Web Application Level User Permissions
This is just a checkbox list from where you can manage what kind of permission levels can be used in a web application and site collections (by default all check boxes are checked, and in general we rarely need to modify the selections):
Site Collection Administrators
Site Collection Administrators have full control of a specific SharePoint site collection. You can only use AD users (not AD groups, at least with the UI) as site collection administrators (We don’t actually know why it is like that, do you?). With Central Administration site, you can define two users as site collection administrators, but in site collection settings you can add more site collection administrators. Here is a screenshot of Central Administration site collection administrators settings page:
Additional Resources:
- Add or remove site collection administrators (SharePoint Server 2010)
- Choose administrators and owners for the administration hierarchy (SharePoint Server 2010)
- Permissions for site collection administrators
Anonymous Access Permissions
You can control what parts of your site the Anonymous users can access with Anonymous Access Setting:
Anonymous access can further be restricted by enabling View Form Pages Lock Down -feature. Our advice is to enable this feature in every public SharePoint site. More about this feature and some other anonymous access suggestions, please consult the following article:
Site Collection Level Permission Levels
Like in Web Application level permission policies, these are the actual permissions that SharePoint will check when user accesses resources in a SharePoint site. This time we have Grant only abilities (in Web Application Level Permission Policies you could use Grant and Deny). In itself permission levels are only definitions that group the more fine grained permissions together in a more useful entity.
By Default SharePoint has these permission levels defined in site collections (levels can be a little bit different depending on what features have been enabled in a site collection):
You can also define your own permission levels, if predefined levels do not match the requirements. As a general principle, it’s not a good idea to modify predefined permission levels (it will only cause confusion). Own permission levels can be created in similar fashion as web application level permission policies:
Additional Resources:
- User permissions and permission levels (SharePoint Server 2010)
- Determine permission levels and groups (SharePoint Server 2010)
- Edit, create, and delete permission levels
- Download a chart of default groups and permission levels
SharePoint Groups
SharePoint groups are a little bit like AD groups, but these groups are managed in SharePoint instead of Active Directory. SharePoint groups can be used to delegate rights management for the site owners instead of system administrators. Whether this is a good thing or not… well it depends on what you want to archive. SharePoint groups are global to the whole site collection. You cannot specify SharePoint group that exists only in a (sub-)site level. SharePoint groups cannot be used over the site collections. One thing SharePoint groups do support that AD groups do not, is membership requests. You can control SharePoint groups’ permission levels whenever you want to use that group. Basically SharePoint group is just a collection of AD groups and AD users with attached permission level(s). While permission level can change for the group the members are globally defined (site collection wide).
Here is a small clipping of Group creation settings (not all settings are visible, but you get an idea):
SharePoint Groups do no directly give any rights to ad users or ad groups (unless you use some predefined group that already has for example site level permissions attached to it). You have to use that group somewhere. Next we walk through all the places where you can use SharePoint Groups, AD Groups and AD users to actually give the permissions.
Additional Resources:
- Determine permission levels and groups (SharePoint Server 2010)
- Manage membership of security group
- About security groups
- Download a chart of default groups and permission levels
Site Permissions
Site permissions is where all the permission management begins. More specifically the root site permissions (root site is the top site in a site collection). These are the permissions that all sub-items (sub-sites, libraries and lists, folders and document sets, documents and items) will inherit. That’s why it is important to carefully design the site permissions as the whole site will use these by default (unless the inheritance chain is broken). Our advice is to try to find some general permissions so that you do no need to break inheritance chain too often.
When you grant site permissions you can use AD groups, AD users and SharePoint groups. You can either add users to some of SharePoint groups or grant the permissions directly (aka attach permission level to user or group). I’m not sure why Microsoft recommends granting permissions though SharePoint Groups, because in many cases it makes a little sense. Probably because of in-built functionality that is attached to SharePoint groups or that when using SharePoint groups, you are able to move your site more easily to different domain (for example from development to cloud service, BPOS anyone?). Our advice is that go with SharePoint groups or grant directly, but try not to overuse SharePoint Groups as it only causes confusion in the end.
Here is a screenshot of SharePoint site level permission granting screen (this exact same functionality is also used in other levels described below):
Each sub site can break the permissions inheritance chain and specify their own permissions, just like you specify them in a root site.
Additional Resources:
- Plan site permissions (SharePoint Server 2010)
- Roadmap: Grant permissions for a site
- About permissions inheritance
Library or List Permissions
Library and List permissions can be managed though list settings. Basically the management works exactly the same as with Site permissions. First you break the inheritance chain and then you start to manage individual list’s or library’s permissions. You can grant rights for AD users, AD groups and SharePoint Groups. By default libraries and lists inherit their permissions from parent site.
With lists and libraries you have also some other security related features.
For example you can control Draft Item Security:
You can also control item/document scheduling, enable audience targeting and content approval (with or without workflows):
Additional Resources:
- Control access for a specific piece of content
- What is uniquely secured content?
- Plan content approval and scheduling
Folder or Document Set Permissions
Like with library and site permissions, folders and document sets can be granted with their own permissions by breaking the permissions inheritance chain.
Document Set and Folder permissions can be accessed from drop-down menu:
Additinal Resources:
- Consult the links provided in Library or List Permissions
Document or Item Permissions
Last level in SharePoint site structure hierarchy is document or item. Document and item permissions can also be granted just like you did with structures above that (folders, libraries, sites…).
You can access document and item level permission settings page directly from the object you are interested in:
Additinal Resources:
- Consult the links provided in Library or List Permissions
Miscellaneous Security and Permission Features
Web Part security settings can be configured at web application level:
SharePoint Designer permissions can be controlled with web application level settings:
See also: Managing SharePoint Designer 2010
Browser File Handling and Web Page Security validation can be controlled at web application level:
See Also: Security Validation and Making Posts to Update Data
You can also control blocked file types list (aka restrict of uploading certain file types):
See Also: Manage blocked file types (SharePoint Server 2010)
Self-Service Site Creation that is basically used for my sites is a way to give users a permission to create a new site collections in certain URL namespaces. This can be controlled through Central Administration -web site and the setting is for a web application:
See Also: Turn on or turn off self-service site creation (SharePoint Server 2010)
With SharePoint auditing features you can gather logs and get reports on what the users have been doing on the site collection:
This is a little bit unrelated to security, but as a note, SharePoint has also a two level recycle bin:
See also: Plan to protect content by using recycle bins and versioning (SharePoint Server 2010)
What Was Not Covered in This Article
There is also Windows Rights Managements Services integration in SharePoint… let’s discuss about that in a separate article, or give us a link to some article that discusses SharePoint/RMS integration! We could also talk a little bit about SharePoint managed accounts, but those are more of a infrastructure side. And what about security settings that some of SharePoint services contain? As you can see, SharePoint is a very flexible platform in these kind of things, but this flexibility comes with a price. That price is complexity. Hopefully this article clears some of that.
What we also didn’t discuss that are somewhat related to security are for example:
- Quotas and Locks
- Service Application specific security settings
- Code Access Security
- Zones
- Personalized Web Part Zones
- Claim Based Authentication
- SharePoint User Profile Service
- Microsoft Forefront Thread Management Gateway 2010
- Microsoft Forefront Unified Access Gateway 2010
- SharePoint Secure Store Service
- Trust Relationships between farms
- Sandboxed Solutions
- Anything else? Give us feedback?
Whether to use AD Groups or SharePoint Groups as a Main Mechanism to Grant Rights?
Well, Everything starts from Active Directory. If Active Directory is a mess, it should be fixed before designing how to manage rights in SharePoint. If Active Directory is well maintained it also benefits the other applications that integrate to AD (for example normal file sharing and NTFS permissions, or systems like Microsoft CRM).
Use SharePoint groups sparingly. Try to utilize the predefined SharePoint groups that are created in SharePoint sites, if possible. Think twice before defining new Web Application policies or Site Collection Permission Levels, and create new ones only if there isn’t better way around it.
Final Words
Please give us comments and feedback! We will probably come back and update this article in the future.
Popularity: 34% [?]
Ηi there tⲟ every ᧐ne, tһe contentѕ existing
at tһiѕ wweb pɑge aгe actualⅼy awesome for people knowledge, ᴡell, keеρ up tһe good work fellows.
Я больше 3-х часов искал в интернете сегодня и не мог найти ни
одной познавательной статьи, как
ваша. На мой взгляд, если бы все копирайтеры так замечательно
писали статьи, как вы интернет стал бы интереснее.
of course like your webb site but you need to take a look
at the spelling on quite a few of your posts.
Many of them are rife with spelling problems and
I to find it very bothersome to inform the reality nevertheless I’ll definitely come back again.
Internetowe kasyno naa prawdziwe pieniądze site kasyno bonus za rejestrację
معنای مطلب ی این یادداشت از نظر هنگفت از افراد مناسب و کامل نیست ولی فداکار از محتواها کارخانه ها
و بلاگ ها پیرامون این مطلب در وب وجود دارند که می
توان از آنها استفاده بهتری داشت
این یادداشت مشاوره و پیشنهاد مناسب از باب کسانی است که
می خواهند جوانب مطالب متماثل بوسیله این مطلب مطالعه بیشتری داشته
باشند
It’s impгеssive that you are getting thoughts from
tһis piece of writіng as well as from our dialogue made at this
place.
Ϝeel free to ѕᥙrf to my homepаɡe … article source
Strive to not lose more than 1- 2lbs every week,
in any other case you are extra prone to puut the burden again on.
Feel free to surf tto my website; micro investment
I believe you have observed some very interesting points,
appreciate it for the post.
Thanks for some other wonderful article. The place else could anybody get that kind
of info in such a perfect manner of writing? I have a presentation next week, and I am on the look for such info.
I in addition to my pals came going through the excellent recommendations on your web blog and suddenly I got a terrible suspicion I had not expressed respect to the
site owner for those tips. These young boys were definitely so warmed to read
through them and have undoubtedly been making the
most of those things. Many thanks for indeed being quite helpful and then for selecting variety of decent
subjects millions of individuals are really eager to
understand about. My honest regret for not expressing
gratitude to sooner.
Воу, этот пост клевая, моя младшая сестра
любит такие вещи, из-за этого я
собираюсь сказать ей.
Is that really a good thing to override?
https://www.paintingsantabarbara.com/
I view something really special in this website.
Der Teilnehmer muss den Block nun solange verändern, bis er einen gültigen Block erstellt hat,
dessen Hashwert unter dem Grenzwert liegt.
However, the asset has taken on extra of a store-of-value role, similar to the public’s view of
gold.
As of Aug. 2021, there have been over 18.eight million bitcoins in circulation with a complete market cap of round $858.9 billion,
with the figure updating frequently.
Each of our coin information pages has a graph that shows each the current
and historic price info for the coin or token.
This includes the know-how and network itself, the integrity of the
cryptographic code and the decentralized network.
Here is a listing of our partners and here is how we make money.
The company acts as a intermediary between shoppers and writers, taking a reduce from every bit sold.
Merely a smiling visitant here to share the love (:, btw outstanding
design.
Whoah this blog is excellent i love reading your posts.
Stay up the good work! You realize, a lot of people are hunting round for
this information, you could help them greatly.
Another go-to online marketplace for used stuff
has been Craigslist.
This site truly has all the information and facts I wanted concerning
this subject and didn?t know who to ask.
Les investisseurs envoient des fonds au projet – généralement sous forme de Bitcoins
- et reçoivent des monnaies ou des jetons en échange.
Speeddaten Learnalanguage
Erfahrene Damen ist das größte Milf/Cougar- und Reife-Netzwerk für reife Mitglieder und Menschen, die Sex mit jemandem mit mehr Erfahrung bevorzugen.
TS Ladies Learnalanguage
By ‘teensy bit’ I clearly mean ‘massively’.
I went into the right place & I am still sober.
I met lifelong friends there. They gave me the foundation for
sobriety. I highly recommend them.
I recommend this program to anyone who is battling substance abuse.
The staff goes above and beyond for their patients. They are
caring and very welcoming. Never did I ever feel judged
or uncomfortable talking to the staff. They do care and are there to help
you. I can honestly say nowhere else has helped me out as much and in a way as this program.
Thank you, guys.
This is really great information… Thanks.
home remodeling near me
Really nice article and helpful me Lone Star Home Remodeling Pros Lake Worth Texas
Greetings! Quick question that’s completely
off topic. Do you know how to make your site mobile friendly?
My weblog looks weird when browsing from my iphone.
I’m trying to find a theme or plugin that might be able to correct this issue.
If you have any recommendations, please share.
Many thanks!
I’m glad i introduced this to https://www.drywallproscleveland. It’s a big help!
I loved it!!! Good Luck with the upcoming update. This article is really very interesting and effective. Water Hauling Services
User policies are especially useful for service accounts, Atlanta Drywall Contractors, and in development/integration environments where you probably recreate site collections often.
Paint adhesion refers to how well the paint adheres to the surface. It reduces the need for future repainting and repairs, more info..
If your house is large, we will need to purchase necessary equipment, remove wall decorations, tape the boundaries of the walls, and move furniture. Know more about us!
New Slot Automotive Modellers. Carrera is a slot automobile
model introduced within the early 1960s by Josef Neuhierl GmbH & Co.
KG primarily based within the Franconian city of Fürth, Germany.
Carrera dominated the German markets within the
1960s and 1970s, as a result of utilizing an additional third wire, and effective advertising
and marketing, also on the nearby Nuremberg Worldwide Toy
Truthful. In higher-speed switches, the restrict from T may be halved by using a dearer,
much less dependable two-port RAM. Some trendy electronic controllers dispense with the rheostat altogether, and can be utilized for all courses
and kinds of car. As an alternative of simply releasing or
easing off of the set off to gradual the automotive down, some
controllers include braking techniques that, on the push of a button, send adverse voltage to the
automobile’s electric motor. Within the model automobile interest, an inline
automotive is a kind of slot automotive or other
motorized mannequin automobile wherein the motor shaft runs lengthwise down the chassis, perpendicular to the pushed axle (often the rear).
First of all I want to say excellent blog! I had a quick question in which I’d like to ask if you
do not mind. I was curious to find out how you center yourself and clear
your mind prior to writing. I have had a tough time clearing my mind in getting my ideas out.
I do take pleasure in writing but it just seems like the first 10 to 15
minutes tend to be wasted just trying to figure out how to begin. Any recommendations or hints?
Thank you!
Our advice is for http://www.pasadenaconcretepros.com is to enable this feature in every public SharePoint site.