George Khalil, Contributor
Published: 22 Aug 2011
To securely manage and maintain the content residing in your SharePoint sites, you have to invest some time into designing an effective security hierarchy. It’s all about ensuring that users can view only the content they have been granted access to.
SharePoint gives systems administrators the necessary security methodology to implement both broad and fine-grained permissions. And, happily, security in SharePoint 2010 is managed similarly to how it’s done in SharePoint 2007.
Let’s begin by analyzing the security hierarchy provided in SharePoint 2010.
Farm administrators: At the top of the hierarchy are the SharePoint farm administrators. They are in charge of managing and maintaining the SharePoint farm and its servers, including new server installations as the farm grows.
To manage farm administrators, launch Central Administration, then do the following:
- Navigate to Security/Manage the Farm Administrator Group.
- Click on New/Add Users.
- Under Select Users, browse for either users or groups to add as farm administrators.
- Click OK.
We can also remove a user by clicking on the checkbox beside the user name and selecting Actions/Remove Users from Group.
In SharePoint 2010, systems administrators have the ability to specify a “farm pass phrase” during the installation phase. The pass phrase secures the farm, and systems administrators must enter it when installing additional servers to the existing farm. This alleviates the issue in previous releases where potential rogue SharePoint servers would be added to an existing farm.
Site collection administrators: Next in the hierarchy are SharePoint site collection administrators. Systems administrators are also usually designated in SharePoint as site collection administrators. Members of this group have full control over all the sites sitting under a site collection.
Here are the two ways of managing site collection administrators:
1. Launch Central Administration and navigate to Application Management/Site Collections/Change Site Collection Administrators.
2. Launch the top-level site in your site collection and navigate to Site Actions/Site Permissions/Site Collection Administrators where you can add additional administrator names (See Figures 1 and 2).
Site user permissions and SharePoint security groups
When you provision a site, SharePoint 2010 automatically creates three SharePoint security groups: Owners, Members and Visitors-- in which you can then assign users or Active Directory groups. Each group contains a default set of permission levels.
Permission levels in SharePoint are a grouping of individual permissions, and each grouping represents a different task within a SharePoint site (see Figure 3). For example, the permission-level Contribute that is usually assigned to the SharePoint security group Members allows users to view, add, update and delete items and documents.
Each level of SharePoint can serve as a parent to everything below it. Each permission set at the parent level will be replicated to all child-securable objects, including subsites, lists and libraries as well as items within a list or library by default. This is referred to as permission inheritance, and it can easily be broken down into unique permissions, which are then granted to the child items. You can also revert back and resume inheriting permissions from a parent just as easily.
When creating a new site within an existing site collection, you have the ability to configure permissions during site creation (Figure 4). Here’s how to do that:
- Navigate to Site Actions/New Site
- Select your Template
- Click on More Options
- Enter Title and URL Name
- User Permissions will be set to “Use same permissions as parent site” by default. In this example, we will select “Use unique permissions”
- Click Create
- The next screen prompts you to configure the three new SharePoint security groups outlined earlier, in which you can add users and/or Active Directory groups to your SharePoint Groups
Creating custom permissions and custom user security groups
Working with out-of-the-box SharePoint security groups and permission levels may not necessarily work in every scenario. Luckily, you can create your own custom groups in SharePoint as well as your own permission levels.
For example, a common request in many SharePoint implementations is that the Contribute permission level not only allows users to add items, but also grants them the ability to delete items -- which can be problematic. Here we can create a custom permission level and name it “Contribute but cannot delete.” That way, users can view, add and update items, but they cannot delete them (Figure 5).
- Navigate to your top level site and click on Site Actions/Site Permissions
- Click on Permission Levels, located in the Ribbon UI
- Click Add a Permission Level
- Enter a name and description and then select the necessary permissions that will form part of this newly created permission level. In this example, we will not select the Delete Items or Delete Versions permissions
- Click Create
Now that we have our newly created permission level, let’s create a custom SharePoint security group and assign our newly created custom permission level to that group. (See Figure 6.)
- Navigate to the top level site and click on Site Actions/Site Permissions
- Click on Create Group located in the Ribbon
- Enter a name and description for the group. Also in this screen, specify the Group owner, Group Settings and Membership Requests
- Finally, select the newly created Permission Level Contribute but cannot delete
- Click Create
We can now add users to the newly created SharePoint security group.
- Navigate to Site Actions/Site Settings/Users and Permissions and click on People and Groups
- Click on the group that we have just created. It is listed in the Quick Launch Bar
- Click on New/Add Users
- Browse or enter a user’s name or Active Directory Security group
- Click OK
The last area is Web Application Policies. This is a method of creating a very broad set of permissions to an entire Web application, which includes all site collections and the sites below it.
These policies can be created only within Central Administration and cannot be overridden by any other security settings within the SharePoint sites.
Let’s create a policy that will deny a user access to a specific Web application.
- Navigate to Central Administration and click on Security/Users/Specify Web application user policy
- Click on Add Users
- Select your Web Application and Zone. Click Next
- Enter or browse for your users or groups
- Choose your permission level
- Click Finish
Implementing a strong security model in any SharePoint setup is imperative from the word “go,” but permission management in SharePoint is very flexible and granular. Adhering to the concepts covered here will help keep your organization’s critical data safe.
ABOUT THE AUTHOR
George Khalil has 12 years of experience as manager of the information technology team at William Buck, an Australian national business advisory firm and is now an independent enterprise systems consultant specializing in Microsoft Technologies. Khalil is a Microsoft Certified IT Professional, Technology Specialist, Systems Engineer and Systems Administrator. Read his blog at http://sharepointgeorge.com/.