SharePoint Security and Permission System Overview

September 1, 2010

SharePoint Permission and Security Mechanisms

From time to time, our customers ask us how SharePoint security and permission features work and how they should be used. In this post we walk through the basic permission and security features of SharePoint. This post is not intended to be a complete description of every security and permission related feature in SharePoint, but we try to gather all the essential pieces here. We took many screenshots to illustrate what each setting or feature means in practice. Enjoy the ride ;-)


Farm Administrators

The Farm Administrators group is managed centrally via the SharePoint Central Administration web site:

By default, Farm Administrators include the SharePoint Farm account, the SharePoint installation account and the BUILTIN\Administrators group. Farm Administrators basically have “all rights” in the SharePoint farm (or at least they have the ability to grant them to themselves).

You can give Farm Administration rights to AD groups and AD users:


Authentication Providers

With authentication providers you can control how you would like to have your users authenticated in a web application. You can also enable/disable anonymous access and client integration and control client object model permission requirements among others:


Web Application Level Permission Policies

With web application level permission policies you can control centrally, with Central Administration, what kind of permission policies you want to apply to all site collections and sites under a specific web application. By default SharePoint gives us four predefined policies:

Our recommendation is that you should not edit the default policies, but instead create new policies if the out of the box policies are not what you are looking for. Policies themselves do not grant any permissions unless you attach users or groups to them. A policy is just a definition of what a user who has been granted that policy can do in the entire web application. With web application policies you can either Grant or Deny a permission.

Here is an example of adding a new web application level permission policy:


Web Application Level User Policies

User Policy is the place where the magic happens at the web application level. A user policy is basically a mapping from an AD user or AD group to a certain Web Application Level Permission Policy. You can even define the Zone in which the policy is applied. For example, you can use one policy for users who use the SharePoint sites from your internal network (intranet zone) and a different policy for those who access the sites through the public internet (internet zone), or just apply it to “All Zones”. User policies are especially useful for service accounts and in development/integration environments where you probably recreate site collections often (maybe with TFS autobuild scripts).

Here is a screenshot of applying the Manage Content policy to the Content Editors AD group:
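As an added example (not code from the original post), the same two steps in the SharePoint 2010 Management Shell: a new permission policy with separate Grant and Deny masks, a user policy binding an AD group to it in the intranet zone only, and a per-zone listing of every policy for review. The web application URL and the CONTOSO\ContentEditors group are placeholders.

```powershell
# Added example, not from the original post. Placeholders: the web application
# URL and the AD group name. Run from the SharePoint 2010 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webApp = Get-SPWebApplication "http://intranet.contoso.local"   # placeholder
$zone   = [Microsoft.SharePoint.Administration.SPUrlZone]::Intranet
$perm   = [Microsoft.SharePoint.SPBasePermissions]

# 1. Permission policy: create a new policy role rather than editing a default
#    one. Grant and Deny are separate bit masks over the fine-grained rights;
#    a bit set in Deny overrides that right everywhere in the web application.
$roleName = "Manage Content (no delete)"
$role = $webApp.PolicyRoles | Where-Object { $_.Name -eq $roleName }
if ($role -eq $null) {
    $grant = $perm::ViewListItems -bor $perm::AddListItems -bor $perm::EditListItems -bor
             $perm::Open -bor $perm::ViewPages
    $deny  = $perm::DeleteListItems
    $role  = $webApp.PolicyRoles.Add($roleName, "Edit content, never delete it", $grant, $deny)
    $webApp.Update()
}

# 2. User policy: map an AD group to that role, in the intranet zone only.
$account = "CONTOSO\ContentEditors"   # placeholder AD group
$zonePolicies = $webApp.ZonePolicies($zone)
$policy = $zonePolicies | Where-Object { $_.UserName -eq $account }
if ($policy -eq $null) {
    $policy = $zonePolicies.Add($account, "Content Editors")
    $policy.PolicyRoleBindings.Add($role)
    $webApp.Update()
}

# 3. Review: policies apply to every site collection in the web application and
#    are invisible to site owners, so list them per zone for periodic review.
$all = @()
foreach ($z in [Enum]::GetValues([Microsoft.SharePoint.Administration.SPUrlZone])) {
    foreach ($p in $webApp.ZonePolicies($z)) {
        $all += "{0,-9} {1,-35} {2}" -f $z, $p.UserName,
                (($p.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ", ")
    }
}
foreach ($p in $webApp.Policies) {   # the "All Zones" policies
    $all += "{0,-9} {1,-35} {2}" -f "AllZones", $p.UserName,
            (($p.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ", ")
}
$all
```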


Web Application Level Anonymous Policy

You can also define a web application level policy for anonymous users through the Central Administration site (but you can only select the policy from three predefined policies):


Web Application Level User Permissions

This is just a checkbox list where you can manage what kinds of permissions can be used in the permission levels of a web application and its site collections (by default all check boxes are checked, and in general we rarely need to modify the selections):

Site Collection Administrators

Site Collection Administrators have full control of a specific SharePoint site collection. You can only use AD users (not AD groups, at least with the UI) as site collection administrators (We don’t actually know why it is like that, do you?). With Central Administration site, you can define two users as site collection administrators, but in site collection settings you can add more site collection administrators. Here is a screenshot of Central Administration site collection administrators settings page:


Anonymous Access Permissions

You can control what parts of your site the Anonymous users can access with Anonymous Access Setting:

Anonymous access can be restricted further by enabling the View Form Pages Lock Down feature. Our advice is to enable this feature on every public SharePoint site. For more about this feature and some other anonymous access suggestions, please consult the following article:

Site Collection Level Permission Levels

Like the web application level permission policies, these are the actual permissions that SharePoint checks when a user accesses resources in a SharePoint site. This time we only have Grant (in Web Application Level Permission Policies you could use Grant and Deny). In themselves, permission levels are only definitions that group the more fine-grained permissions together into a more useful entity.

By Default SharePoint has these permission levels defined in site collections (levels can be a little bit different depending on what features have been enabled in a site collection):

You can also define your own permission levels if the predefined levels do not match your requirements. As a general principle, it’s not a good idea to modify the predefined permission levels (it will only cause confusion). Your own permission levels can be created in a similar fashion to web application level permission policies:
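An added example (not code from the original post) of creating such a custom level without touching the predefined ones: a copy of Contribute with the two delete rights cleared, which shows that a permission level is just a mask over the fine-grained rights. The site collection URL is a placeholder.

```powershell
# Added example, not from the original post. Creates a new permission level in
# one site collection as "Contribute minus the delete rights", leaving the
# predefined levels untouched. The site collection URL is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$perm = [Microsoft.SharePoint.SPBasePermissions]
$site = Get-SPSite "http://intranet.contoso.local/sites/projects"   # placeholder
$root = $site.RootWeb            # permission levels are defined on the root web
$name = "Contribute (no delete)"

if ($root.RoleDefinitions | Where-Object { $_.Name -eq $name }) {
    "Permission level '$name' already exists"
} else {
    $base   = $root.RoleDefinitions["Contribute"]          # predefined level, left as is
    $delete = $perm::DeleteListItems -bor $perm::DeleteVersions
    $def = New-Object Microsoft.SharePoint.SPRoleDefinition
    $def.Name        = $name
    $def.Description = "Contribute without DeleteListItems and DeleteVersions"
    # A permission level is only a mask over the fine-grained rights: start from
    # the predefined mask and clear the two delete bits
    $def.BasePermissions = $base.BasePermissions -band ($perm::FullMask -bxor $delete)
    $root.RoleDefinitions.Add($def)
    "Created '$name'"
}

# Show every level with its underlying rights mask, for review
$root.RoleDefinitions | Format-Table Name, Type, BasePermissions -AutoSize
$site.Dispose()
```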


SharePoint Groups

SharePoint groups are a little bit like AD groups, but these groups are managed in SharePoint instead of Active Directory. SharePoint groups can be used to delegate rights management to site owners instead of system administrators. Whether this is a good thing or not… well, it depends on what you want to achieve. SharePoint groups are global to the whole site collection: you cannot define a SharePoint group that exists only at the (sub-)site level, and SharePoint groups cannot be used across site collections. One thing SharePoint groups support that AD groups do not is membership requests. You choose a SharePoint group’s permission level at each place where you use that group. Basically a SharePoint group is just a collection of AD groups and AD users with attached permission level(s). While the permission level can change per use, the members are defined globally (site collection wide).

Here is a small clipping of Group creation settings (not all settings are visible, but you get an idea):

SharePoint groups do not directly give any rights to AD users or AD groups (unless you use a predefined group that already has, for example, site level permissions attached to it). You have to use that group somewhere. Next we walk through all the places where you can use SharePoint groups, AD groups and AD users to actually grant the permissions.


Site Permissions

Site permissions are where all permission management begins. More specifically, the root site permissions (the root site is the top site in a site collection). These are the permissions that all sub-items (sub-sites, libraries and lists, folders and document sets, documents and items) will inherit. That’s why it is important to design the site permissions carefully, as the whole site will use them by default (unless the inheritance chain is broken). Our advice is to find general enough permissions so that you do not need to break the inheritance chain too often.

When you grant site permissions you can use AD groups, AD users and SharePoint groups. You can either add users to some of the SharePoint groups or grant the permissions directly (i.e. attach a permission level to a user or group). I’m not sure why Microsoft recommends granting permissions through SharePoint groups, because in many cases it makes little sense. Probably because of the built-in functionality that is attached to SharePoint groups, or because when using SharePoint groups you are able to move your site more easily to a different domain (for example from development to a cloud service, BPOS anyone?). Our advice is to go with SharePoint groups or grant directly, but try not to overuse SharePoint groups as it only causes confusion in the end.

Here is a screenshot of SharePoint site level permission granting screen (this exact same functionality is also used in other levels described below):

Each sub-site can break the permission inheritance chain and specify its own permissions, just like you specify them in the root site.


Library or List Permissions

Library and list permissions can be managed through the list settings. Basically the management works exactly the same as with site permissions. First you break the inheritance chain and then you start to manage the individual list’s or library’s permissions. You can grant rights to AD users, AD groups and SharePoint groups. By default libraries and lists inherit their permissions from the parent site.

With lists and libraries you also have some other security related features.

For example you can control Draft Item Security:

You can also control item/document scheduling, enable audience targeting and content approval (with or without workflows):


Folder or Document Set Permissions

As with library and site permissions, folders and document sets can be given their own permissions by breaking the permission inheritance chain.

Document Set and Folder permissions can be accessed from drop-down menu:

Additional Resources:

  • Consult the links provided in Library or List Permissions

Document or Item Permissions

The last level in the SharePoint site structure hierarchy is the document or item. Document and item permissions can also be granted just like you did with the structures above (folders, libraries, sites…).

You can access document and item level permission settings page directly from the object you are interested in:

Additional Resources:

  • Consult the links provided in Library or List Permissions
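Because every level from site down to item can break inheritance, the practical question is where that has actually happened. The following is an added example (not code from the original post) that inventories one site collection: its site collection administrators, every web, list, folder and item with unique permissions, and the principals granted there, flagging grants made directly to a single user instead of a group. The URL is a placeholder and the two helper function names are our own.

```powershell
# Added example, not from the original post. Inventories one site collection:
# who the site collection administrators are, and every web, list, folder and
# item whose inheritance chain is broken, with the principals granted there.
# The URL is a placeholder; the two helper functions are hypothetical names.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-PrincipalType([Microsoft.SharePoint.SPPrincipal]$member) {
    if ($member -is [Microsoft.SharePoint.SPGroup]) { return "SPGroup" }
    if ($member.IsDomainGroup) { return "ADGroup" }
    return "User"          # a direct grant to one account: the first thing to review
}

function Get-UniqueAssignments([Microsoft.SharePoint.SPSecurableObject]$obj,
                               [string]$kind, [string]$path) {
    # Only objects that stopped inheriting from their parent carry their own grants
    if (-not $obj.HasUniqueRoleAssignments) { return }
    foreach ($ra in $obj.RoleAssignments) {
        New-Object PSObject -Property @{
            Kind          = $kind
            Path          = $path
            PrincipalType = Get-PrincipalType $ra.Member
            Principal     = $ra.Member.Name
            Levels        = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ","
        }
    }
}

$site = Get-SPSite "http://intranet.contoso.local/sites/projects"   # placeholder

# Site collection administrators have full control of everything below this point
"Site collection administrators: " + (($site.RootWeb.SiteAdministrators |
    ForEach-Object { $_.LoginName }) -join ", ")

$report = foreach ($web in $site.AllWebs) {
    Get-UniqueAssignments $web "Web" $web.Url
    foreach ($list in $web.Lists) {
        if ($list.Hidden) { continue }
        Get-UniqueAssignments $list "List" ($web.Url + "/" + $list.RootFolder.Url)
        # Folders (document sets are folders) and items are enumerated one by one,
        # which is slow on big libraries but is the only way to see item-level grants
        foreach ($folder in $list.Folders) { Get-UniqueAssignments $folder "Folder" $folder.Url }
        foreach ($item in $list.Items)     { Get-UniqueAssignments $item "Item" $item.Url }
    }
    $web.Dispose()
}
$site.Dispose()

$report | Sort-Object Path | Format-Table Kind, Path, PrincipalType, Principal, Levels -AutoSize
$direct = @($report | Where-Object { $_.PrincipalType -eq "User" }).Count
"Objects with unique permissions: {0}; direct user grants: {1}" -f @($report).Count, $direct
```

A long list of Folder and Item rows, or many User rows, is the sign that inheritance is being broken too often or that rights are going to individuals instead of groups.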

Miscellaneous Security and Permission Features

Web Part security settings can be configured at web application level:

SharePoint Designer permissions can be controlled with web application level settings:

See also: Managing SharePoint Designer 2010

Browser File Handling and Web Page Security validation can be controlled at web application level:

See also: Security Validation and Making Posts to Update Data

You can also control the blocked file types list (that is, restrict uploading of certain file types):

See also: Manage blocked file types (SharePoint Server 2010)

Self-Service Site Creation, which is basically used for My Sites, is a way to give users permission to create new site collections in certain URL namespaces. This can be controlled through the Central Administration web site, and the setting is per web application:

See also: Turn on or turn off self-service site creation (SharePoint Server 2010)

With the SharePoint auditing features you can gather logs and get reports on what users have been doing in the site collection:

This is a little bit unrelated to security, but as a note, SharePoint also has a two-level recycle bin:

See also: Plan to protect content by using recycle bins and versioning (SharePoint Server 2010)

What Was Not Covered in This Article

There is also Windows Rights Management Services integration in SharePoint… let’s discuss that in a separate article, or give us a link to some article that discusses SharePoint/RMS integration! We could also talk a little bit about SharePoint managed accounts, but those are more on the infrastructure side. And what about the security settings that some SharePoint services contain? As you can see, SharePoint is a very flexible platform in these kinds of things, but this flexibility comes with a price. That price is complexity. Hopefully this article clears up some of it.

Other topics we did not discuss that are somewhat related to security are, for example:

Whether to use AD Groups or SharePoint Groups as a Main Mechanism to Grant Rights?

Well, everything starts from Active Directory. If Active Directory is a mess, it should be fixed before designing how to manage rights in SharePoint. If Active Directory is well maintained, it also benefits the other applications that integrate with AD (for example normal file sharing and NTFS permissions, or systems like Microsoft CRM).

Use SharePoint groups sparingly. Try to utilize the predefined SharePoint groups that are created in SharePoint sites, if possible. Think twice before defining new web application policies or site collection permission levels, and create new ones only if there isn’t a better way around it.

Final Words

Please give us comments and feedback! We will probably come back and update this article in the future.
