How to Configure Complex SharePoint Security


3 Nov 2013





Security is the number one concern for a lot of managers and site owners. It is important that the team understands this topic completely, in a way they can explain to users.

The Big Picture

SharePoint security is most maintainable when applied hierarchically, where access narrows as you move lower in the hierarchy:


There are at least eight places you can set security in SharePoint:

1) Farm Administrators are set in Central Admin>Operations
2) Application Policy settings can grant or deny access to an entire web application in Central Admin>Applications
3) Site Collection Administrators are set in Central Admin>Applications and in Site Settings of the top-level site
4) SharePoint Groups and Individual Permissions are set on the permissions pages of each site
5) List-level permissions can be set on List Settings>Permissions
6) Draft item security can be set for lists/libraries on List Settings>Versioning Settings
7) Item-level permissions can be set from List Settings>Advanced Settings (lists only)
8) Unique item-level permissions can be set for individual folders/items/documents





Anatomy of a SharePoint Group

90% of our security is set through SharePoint Groups set on sites (item 4). Creating, maintaining, and fixing SharePoint Groups is the #1 tier 2 support issue in production.

SharePoint Group: _Members
Permission Level: Contribute
Permissions: Add, Edit, Delete, View, Open, Delete, Alerts, User Info, Browse

The permissions pages are not intuitive! They depend on what site you are on and change based on whether or not the site is inheriting permissions. Everyone gets lost.

When you create a new group, the Group Owner controls the membership of that group. The Site Owner should be the owner of most SharePoint groups, and their email address should be listed as the contact for requests to join/leave the group.

Sites have a special relationship with three SharePoint Groups set when you create a site with unique permissions or when you break inheritance and choose People and Groups>Settings>Set Up Groups: Visitors, Members, Owners. See Figure 1.

Figure 1. Setting up SharePoint Groups for a site


To switch a site from inherited permissions to unique permissions:

1) Go to Site Actions>Site Settings>Advanced Permissions>Actions>Edit Permissions.
2) Remove the groups that aren’t needed.
3) Click Groups>Set Up Groups and associate the three main groups (Figure 1). You can use existing groups or create new ones if needed.
4) Click Settings>Edit Group Quick Launch and remove spurious groups (this helps the site owner maintain their own security).
5) On the Home page add a Site Users web part tied to the site’s Members group (this also helps the site owner a lot). See Figure 2.

Figure 2. A Site Users web part wired to the Members group of a site will save you support calls


To check a SharePoint Group’s permissions within a site collection:

1) Navigate to the top-level site in the site collection.
2) Go to the People and Groups page and click on the group.
3) Click Settings>View Group Permissions. SharePoint displays a list of where the group has access, as shown in Figure 3.

Figure 3. Viewing where a group has access


FAQ

What does Limited Access mean when you see it in Figure 3, and should I worry about it?

Limited Access means the user or group has access to specific lists, document libraries, list items, folders, or documents within a site, but not the entire site. This usually appears when a list or library has unique permissions.

Who has unlimited access to all sub sites that can’t be blocked?

The Farm Administrator (farm scope), users set in Web Application Policy settings as Full Read or Full Control (web application scope), and the site collection administrators (site collection scope).



The customer needs users to be able to add but not edit or delete documents. What do you do?

Create an Add Only permission level and add that permission level to the Visitors group for the site. Then Visitors can add but not change items. To do that:

1) Navigate to the top-level site in the site collection.
2) Click Site Actions>Site Settings>Advanced Permissions>Settings>Permission Levels.
3) Click Add a Permission Level.
4) Name the permission level Add Only, select Add in List Permissions, and click OK. See Figure 4.
5) On the Permissions page, click Groups and then click on the edit box of the site’s Visitors group.
6) Scroll down and select Add Only as shown in Figure 5, then click OK.

Figure 4. Creating a new permission level

Figure 5. Adding the Permission Level to the group
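The same six steps scripted against the SharePoint server object model, as an added example that is not part of the original document. It assumes it runs on a farm server as a site collection administrator; the site collection URL, the site URL and the "Add Only" dependencies noted in the comments are assumptions.

```powershell
# Added example (not from the original document): create the "Add Only"
# permission level on the top-level site and grant it to a site's Visitors
# group. Assumes a farm server and a site collection administrator account;
# $siteUrl and $webUrl are placeholders.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

$siteUrl   = "http://intranet.example/sites/team"   # placeholder site collection
$webUrl    = "/sites/team/projects"                 # placeholder site (server-relative)
$levelName = "Add Only"

$site = New-Object Microsoft.SharePoint.SPSite($siteUrl)
try {
    # Permission levels are defined on the top-level site (step 1).
    $rootWeb = $site.RootWeb
    $level = $rootWeb.RoleDefinitions | Where-Object { $_.Name -eq $levelName }
    if ($level -eq $null) {
        $level = New-Object Microsoft.SharePoint.SPRoleDefinition
        $level.Name = $levelName
        $level.Description = "Can add items but not edit or delete them"
        # Selecting "Add Items" in the UI also selects the permissions it depends
        # on (View Items, View Pages, Open); the script sets the same four.
        $p = [Microsoft.SharePoint.SPBasePermissions]
        $level.BasePermissions = $p::AddListItems -bor $p::ViewListItems -bor $p::ViewPages -bor $p::Open
        $rootWeb.RoleDefinitions.Add($level)                        # step 4
        $level = $rootWeb.RoleDefinitions[$levelName]
    }

    $web = $site.OpenWeb($webUrl)
    try {
        # A site that inherits permissions has no role assignments of its own to edit.
        if (-not $web.HasUniqueRoleAssignments) { throw "$webUrl inherits permissions; break inheritance first." }
        $visitors = $web.AssociatedVisitorGroup
        if ($visitors -eq $null) { throw "$webUrl has no Visitors group; run Set Up Groups first." }

        # Add the level to the Visitors group's existing assignment, or create one (steps 5-6).
        $assignment = $web.RoleAssignments | Where-Object { $_.Member.ID -eq $visitors.ID }
        if ($assignment -eq $null) {
            $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($visitors)
            $assignment.RoleDefinitionBindings.Add($level)
            $web.RoleAssignments.Add($assignment)
        } else {
            $assignment.RoleDefinitionBindings.Add($level)
            $assignment.Update()
        }
    } finally { $web.Dispose() }
} finally { $site.Dispose() }
```

If the Visitors group already holds Read on the site, the group keeps both levels; remove Read from the same assignment if "add but not change" is meant literally.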




The customer needs users to be able to view, add, edit, and delete their own list items, but no one else’s. What do you do?

Since it’s a list, you can use item-level permissions. To set up item-level permissions for a list:

1) Navigate to the list.
2) Click Settings>List Settings>Advanced List Settings and choose Item Level Permissions as shown in Figure 6, then click OK.
3) Contributors to the list can then view/edit only their own items. Site Owners can view/edit all of the items.
4) It’s important to explain this to the contributors and site owner. A customer walk-through is a good idea when you do this.

Figure 6. Setting item-level permissions




The customer needs users to be able to view, add, edit, and delete their own documents, but no one else’s, within a shared document library. What do you do?

There is no built-in way to do this automatically in a shared document library. You have a couple of options though:

1) Politely question the requirement. Versioning, auditing, and the recycle bin can often assuage user concerns about this type of change control.
2) Use a list with attachments instead of a library (allows item-level permissions).
3) Create filtered views that only show the current user’s documents (low security, but easy).
4) Create folders for each user to use, where the folder has special permissions (secure, but must be set up and maintained manually with one folder per user).
5) Create a SPD workflow that copies documents into a secured library (drop-box).
6) Create a VS workflow that sets item-level permissions (custom development or add-on).

The customer wants to maintain their own security, but they are new to SharePoint. What do you do?

1) Carefully configure three main security groups for them: Visitors, Members, and Owners, as described earlier.
2) Add a Site Users web part to their Home page and verify that Add User adds the user to the Members group.
3) Edit the Groups Quick Launch so that only the three groups you created appear there.
4) Walk the customer through how to maintain their groups.

The customer wants to make sure a top-level site owner can’t access a particular sub-site. What do you do?

This may or may not be a good idea; however, it can be done, provided the top-level site owner is not also a site collection administrator (that access can’t be blocked, as noted in the FAQ above):

1) Create the sub site using unique permissions and create unique Visitors, Members, and Owners groups for the site.
2) Make the requestor (the customer) the site owner.
3) Make sure someone on your team or an IT-owned group is the owner of the new Owners group; you will get support calls on this one when the user breaks permissions!

Tips:

Avoid list-level permissions and unique item-level permissions (items 5 and 8) unless programmatically maintained.

Avoid “All Authenticated” in collaboration sites; use an All Employees AD group if you have one. “All Authenticated” is OK in publishing sites since they are public by definition.

“Any user who can read items” or “Only users who can edit items” can ONLY be set if “Create major and minor (draft) versions” is selected. “Only users who can approve items (and the author of the item)” can only be selected if “Require content approval for submitted items?” is set to “Yes”.

Be careful about editing/clearing out/cleaning up the Groups Quick Launch: some people get confused about how to do it and delete the actual groups, and some of those groups, if deleted, will cause issues when trying to view other elements (i.e. Style Library). Proper way: click on any group presently within the Quick Launch, then under Settings select “Edit Group Quick Launch” and either add or delete items from within this list.
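An added example, not part of the original document, that extends the View Group Permissions check described earlier to a whole site collection: it reports every site, list and item that does not inherit permissions and who has what there (the list-level and unique item-level permissions the first tip warns about), plus lists with item-level security turned on. It assumes the server object model is available (run on a farm server as a site collection administrator); the URL is a placeholder and Format-Assignments is a helper written here.

```powershell
# Added example (not from the original document): find every object in a site
# collection with unique permissions and list its role assignments. Assumes a
# farm server and a site collection administrator; the URL is a placeholder.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

function Format-Assignments([string]$Kind, [string]$Url, $RoleAssignments) {
    foreach ($ra in $RoleAssignments) {
        # "Limited Access" on a parent only means a child object grants real access.
        $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
        "$Kind $Url : $($ra.Member.Name) -> $levels"
    }
}

function Get-UniquePermissionReport([string]$SiteUrl, [int]$MaxItemsPerList = 5000) {
    $report = @()
    $site = New-Object Microsoft.SharePoint.SPSite($SiteUrl)
    try {
        foreach ($web in $site.AllWebs) {
            try {
                if ($web.HasUniqueRoleAssignments) {                          # item 4
                    $report += Format-Assignments "Site" $web.ServerRelativeUrl $web.RoleAssignments
                }
                foreach ($list in $web.Lists) {
                    $url = $list.RootFolder.ServerRelativeUrl
                    if ($list.HasUniqueRoleAssignments) {                     # item 5
                        $report += Format-Assignments "List" $url $list.RoleAssignments
                    }
                    # ReadSecurity/WriteSecurity of 2 means "only their own" (item 7)
                    if ($list.ReadSecurity -eq 2 -or $list.WriteSecurity -eq 2) {
                        $report += "List $url : item-level security read=$($list.ReadSecurity) write=$($list.WriteSecurity)"
                    }
                    if ($list.ItemCount -gt $MaxItemsPerList) {               # avoid huge scans
                        $report += "List $url : $($list.ItemCount) items, item scan skipped"
                        continue
                    }
                    foreach ($item in $list.Items) {                           # item 8
                        if ($item.HasUniqueRoleAssignments) {
                            $report += Format-Assignments "Item" $item.Url $item.RoleAssignments
                        }
                    }
                }
            } finally { $web.Dispose() }
        }
    } finally { $site.Dispose() }
    return ($report | Where-Object { $_ -ne $null })
}

Get-UniquePermissionReport "http://intranet.example/sites/team"   # placeholder URL
```

Folders are not part of $list.Items; scan $list.Folders the same way if per-user folders (option 4 above) are in use.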
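The dependency in the draft item security tip above, enforced when the setting is scripted, as an added example that is not from the original document. It assumes a farm server, a site collection administrator account and a document library (minor versions are not available on lists); the site URL and library name are placeholders and Set-DraftItemSecurity is a helper written here.

```powershell
# Added example (not from the original document): set Draft Item Security only
# when the versioning/approval settings it depends on are already in place.
# Assumes a farm server and a document library; URL and name are placeholders.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

function Set-DraftItemSecurity([Microsoft.SharePoint.SPList]$List, [string]$Visibility) {
    # Reader   = "Any user who can read items"
    # Author   = "Only users who can edit items"
    # Approver = "Only users who can approve items (and the author of the item)"
    $wanted = [Microsoft.SharePoint.DraftVisibilityType]$Visibility
    $reader   = [Microsoft.SharePoint.DraftVisibilityType]::Reader
    $approver = [Microsoft.SharePoint.DraftVisibilityType]::Approver

    # Author and Approver need "Create major and minor (draft) versions".
    if ($wanted -ne $reader -and -not $List.EnableMinorVersions) {
        throw "Enable 'Create major and minor (draft) versions' on '$($List.Title)' first."
    }
    # Approver additionally needs "Require content approval for submitted items?" = Yes.
    if ($wanted -eq $approver -and -not $List.EnableModeration) {
        throw "Set 'Require content approval for submitted items?' to Yes on '$($List.Title)' first."
    }
    $List.DraftVersionVisibility = $wanted
    $List.Update()
    return $List.DraftVersionVisibility
}

$site = New-Object Microsoft.SharePoint.SPSite("http://intranet.example/sites/team")  # placeholder
try {
    $library = $site.RootWeb.Lists["Shared Documents"]   # placeholder library name
    Set-DraftItemSecurity $library "Author"
} finally { $site.Dispose() }
```

Failing loudly mirrors the UI, which greys the options out; silently enabling versioning or approval from a security script would change the library's behaviour without the site owner knowing.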