SharePoint Security and Permission System Overview

September 1, 2010

SharePoint Permission and Security Mechanisms

From time to time, our customers ask us how SharePoint security and permission features work and how they should be used. In this post we walk through the basic permission and security features of SharePoint. This post is not intended to be a complete description of every security and permission related feature in SharePoint, but we try to gather all the essential pieces here. We took many screenshots to illustrate what each setting or feature means in practice. Enjoy the ride ;-)


Farm Administrators

The Farm Administrators group is managed centrally through the SharePoint Central Administration web site:

By default, Farm Administrators include the SharePoint farm account, the SharePoint installation account and the BUILTIN\Administrators group. Farm Administrators effectively have all rights in the SharePoint farm (or at least the ability to grant those rights to themselves).

You can give Farm Administrator rights to AD groups and AD users:


Authentication Providers

With authentication providers you control how the users of a web application are authenticated. You can also enable or disable anonymous access and client integration, and control the client object model permission requirements, among other things:


Web Application Level Permission Policies

With web application level permission policies you control centrally, in Central Administration, which permission policies apply to all site collections and sites under a specific web application. By default SharePoint gives us four predefined policies:

Our recommendation is not to edit the default policies but to create new ones if the out-of-the-box policies are not what you are looking for. A policy itself does not grant any permissions until you attach users or groups to it; it is only a definition of what a user who has been granted the policy can do in the entire web application. With web application policies you can either Grant or Deny permissions.

Here is an example of adding a new web application level permission policy:


Web Application Level User Policies

User policies are where the magic happens at the web application level. A user policy is basically a mapping of an AD user or AD group to a certain web application level permission policy. You can even define the zone in which the policy applies. For example, you can use one policy for users who access the SharePoint sites from your internal network (intranet zone) and another for those who access the sites through the public internet (internet zone), or apply the policy to “All Zones”. User policies are especially useful for service accounts and in development/integration environments where you probably recreate site collections often (maybe with TFS autobuild scripts).

Here is a screenshot of applying the Manage Content policy to the Content Editors AD group:
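The two steps above, a new permission policy with both Grant and Deny masks and a zone-specific user policy binding an AD group to it, scripted against the SharePoint 2010 server object model. This is an added example, not code from the original post; the web application URL, the AD group name and the policy names are placeholders, and classic-mode Windows authentication is assumed for the login name format.

```powershell
# Added example: define a web application permission policy with Grant and
# Deny masks, then bind an AD group to it for the Intranet zone only.
# Placeholders: http://intranet.contoso.local and CONTOSO\Content Editors.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webApp = Get-SPWebApplication "http://intranet.contoso.local"

# Rights the policy grants: enough to create, edit and read content.
$grant = [Microsoft.SharePoint.SPBasePermissions]::ViewListItems -bor
         [Microsoft.SharePoint.SPBasePermissions]::AddListItems  -bor
         [Microsoft.SharePoint.SPBasePermissions]::EditListItems -bor
         [Microsoft.SharePoint.SPBasePermissions]::OpenItems     -bor
         [Microsoft.SharePoint.SPBasePermissions]::ViewVersions  -bor
         [Microsoft.SharePoint.SPBasePermissions]::ViewFormPages -bor
         [Microsoft.SharePoint.SPBasePermissions]::ViewPages     -bor
         [Microsoft.SharePoint.SPBasePermissions]::Open

# Rights the policy denies: a Deny at web application level overrides any
# Grant given lower down, so members can never obtain these in any site.
$deny  = [Microsoft.SharePoint.SPBasePermissions]::ManagePermissions    -bor
         [Microsoft.SharePoint.SPBasePermissions]::ManageWeb            -bor
         [Microsoft.SharePoint.SPBasePermissions]::AddAndCustomizePages -bor
         [Microsoft.SharePoint.SPBasePermissions]::DeleteListItems

# Create the policy role once; leave the four built-in policies untouched.
$roleName = "Manage Content (no security changes)"
$role = $webApp.PolicyRoles | Where-Object { $_.Name -eq $roleName }
if ($role -eq $null) {
    $role = $webApp.PolicyRoles.Add($roleName,
        "Create and edit content; may never manage permissions or pages",
        $grant, $deny)
}

# Bind an AD group to the role for one zone only. Users reaching the same
# sites through the Internet zone get nothing from this binding.
$zone     = [Microsoft.SharePoint.Administration.SPUrlZone]::Intranet
$policies = $webApp.ZonePolicies($zone)
$login    = "CONTOSO\Content Editors"
$policy   = $policies | Where-Object { $_.UserName -eq $login }
if ($policy -eq $null) {
    $policy = $policies.Add($login, "Content Editors (intranet)")
    $policy.PolicyRoleBindings.Add($role)
    $webApp.Update()
} else {
    Write-Warning "A user policy for $login already exists in zone $zone; not changed."
}

# Review what is in effect: the "All zones" policies plus the zone just edited.
foreach ($p in @($webApp.Policies) + @($webApp.ZonePolicies($zone))) {
    $roles = ($p.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ", "
    "{0,-30} {1}" -f $p.UserName, $roles
}
```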


Web Application Level Anonymous Policy

You can also define the web application level policy for anonymous users through the Central Administration site (but you can only choose from three predefined policies):


Web Application Level User Permissions

This is just a checkbox list where you manage what permission levels can be used in the web application and its site collections (by default all check boxes are checked, and in general we rarely need to modify the selections):

Site Collection Administrators

Site Collection Administrators have full control of a specific SharePoint site collection. You can only use AD users (not AD groups, at least through the UI) as site collection administrators (we don’t actually know why it is like that, do you?). In Central Administration you can define two users as site collection administrators, but in the site collection settings you can add more. Here is a screenshot of the Central Administration site collection administrators settings page:


Anonymous Access Permissions

You can control which parts of your site anonymous users can access with the Anonymous Access setting:

Anonymous access can be restricted further by enabling the View Form Pages Lock Down feature. Our advice is to enable this feature on every public SharePoint site. For more about this feature and some other anonymous access suggestions, please consult the following article:

Site Collection Level Permission Levels

As with web application level permission policies, these are the actual permissions that SharePoint checks when a user accesses resources in a SharePoint site. This time there is only Grant (web application level permission policies offer both Grant and Deny). In themselves, permission levels are only definitions that group the more fine-grained permissions into a more useful entity.

By default SharePoint has these permission levels defined in site collections (the levels can differ a little depending on which features have been enabled in the site collection):

You can also define your own permission levels if the predefined levels do not match your requirements. As a general principle, it is not a good idea to modify the predefined permission levels (it will only cause confusion). Your own permission levels are created in a similar fashion to web application level permission policies:


SharePoint Groups

SharePoint groups are a little like AD groups, but they are managed in SharePoint instead of Active Directory. SharePoint groups can be used to delegate rights management to site owners instead of system administrators. Whether this is a good thing or not… well, it depends on what you want to achieve. SharePoint groups are global to the whole site collection: you cannot create a SharePoint group that exists only at a (sub-)site level, and SharePoint groups cannot be used across site collections. One thing SharePoint groups support that AD groups do not is membership requests. You choose the SharePoint group's permission level at each place where you use the group. Basically a SharePoint group is just a collection of AD groups and AD users with attached permission level(s): the permission level can change from place to place, but the membership is defined globally (site collection wide).

Here is a small clipping of the group creation settings (not all settings are visible, but you get the idea):

SharePoint groups do not directly give any rights to AD users or AD groups (unless you use a predefined group that already has, for example, site level permissions attached to it). You have to use the group somewhere. Next we walk through all the places where you can use SharePoint groups, AD groups and AD users to actually grant permissions.


Site Permissions

Site permissions are where all permission management begins, more specifically the root site permissions (the root site is the top site in a site collection). These are the permissions that all sub-items (sub-sites, libraries and lists, folders and document sets, documents and items) inherit. That is why it is important to design the site permissions carefully, as the whole site will use them by default (unless the inheritance chain is broken). Our advice is to find general enough permissions so that you do not need to break the inheritance chain too often.

When you grant site permissions you can use AD groups, AD users and SharePoint groups. You can either add users to one of the SharePoint groups or grant the permissions directly (i.e. attach a permission level to the user or group). I’m not sure why Microsoft recommends granting permissions through SharePoint groups, because in many cases it makes little sense. Probably because of the built-in functionality attached to SharePoint groups, or because with SharePoint groups you can move your site more easily to a different domain (for example from development to a cloud service, BPOS anyone?). Our advice is to go with SharePoint groups or grant directly, but try not to overuse SharePoint groups, as that only causes confusion in the end.

Here is a screenshot of the SharePoint site level permission granting screen (this exact same functionality is also used at the other levels described below):

Each sub-site can break the permission inheritance chain and specify its own permissions, just as you specify them in the root site.
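The site collection side of the same procedure (a custom permission level derived from Contribute, a SharePoint group containing an AD group, and the level attached to the group on the root site so everything below inherits it), as an added example that is not the post's own code. The site URL, the AD group CONTOSO\Project Team and the level and group names are placeholders.

```powershell
# Added example: custom permission level + SharePoint group + root site grant.
# Placeholders: the site URL, "CONTOSO\Project Team" and the names below.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$site = Get-SPSite "http://intranet.contoso.local/sites/projects"
$web  = $site.RootWeb   # permission levels and groups live on the root web

# 1. New permission level: Contribute minus the delete rights. Copy the
#    built-in mask instead of editing Contribute itself.
$levelName = "Contribute without Delete"
$level = $web.RoleDefinitions | Where-Object { $_.Name -eq $levelName }
if ($level -eq $null) {
    $contribute = $web.RoleDefinitions["Contribute"]
    # SPBasePermissions is a [Flags] enum, so ToString() lists the flag names;
    # drop the two delete flags and let PowerShell parse the rest back.
    $keep = $contribute.BasePermissions.ToString().Split(",") |
            ForEach-Object { $_.Trim() } |
            Where-Object { @("DeleteListItems", "DeleteVersions") -notcontains $_ }
    $level = New-Object Microsoft.SharePoint.SPRoleDefinition
    $level.Name            = $levelName
    $level.Description     = "Contribute, but cannot delete items or versions"
    $level.BasePermissions = [string]::Join(", ", [string[]]$keep)
    $web.RoleDefinitions.Add($level)
    $level = $web.RoleDefinitions[$levelName]
}

# 2. SharePoint group (site collection wide) with an AD group as its member.
#    Membership is global; the permission level is chosen per place of use.
$groupName = "Project Contributors"
$group = $web.SiteGroups | Where-Object { $_.Name -eq $groupName }
if ($group -eq $null) {
    $web.SiteGroups.Add($groupName, $site.Owner, $site.Owner,
                        "Project team members who may edit but not delete")
    $group = $web.SiteGroups[$groupName]
}
$adGroup = $web.EnsureUser("CONTOSO\Project Team")   # AD group as an SPUser
$group.AddUser($adGroup)

# 3. Grant the level to the group on the root site. Every sub-site, list,
#    folder and item inherits this until its inheritance chain is broken.
$assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
$assignment.RoleDefinitionBindings.Add($level)
$web.RoleAssignments.Add($assignment)
$web.Update()

# Verify what the group ends up with on the root site.
$web.RoleAssignments | Where-Object { $_.Member.Name -eq $groupName } |
    ForEach-Object { ($_.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", " }

$site.Dispose()
```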


Library or List Permissions

Library and list permissions can be managed through the list settings. The management works exactly the same as with site permissions: first you break the inheritance chain, and then you manage the individual list's or library's permissions. You can grant rights to AD users, AD groups and SharePoint groups. By default, libraries and lists inherit their permissions from the parent site.

With lists and libraries you have also some other security related features.

For example you can control Draft Item Security:

You can also control item/document scheduling, enable audience targeting and content approval (with or without workflows):


Folder or Document Set Permissions

As with library and site permissions, folders and document sets can be given their own permissions by breaking the permission inheritance chain.

Document set and folder permissions can be accessed from the drop-down menu:

Additional Resources:

  • Consult the links provided in Library or List Permissions

Document or Item Permissions

The last level in the SharePoint site structure hierarchy is the document or item. Document and item permissions can also be granted, just as with the structures above them (folders, libraries, sites…).

You can open the document or item level permission settings page directly from the object you are interested in:

Additional Resources:

  • Consult the links provided in Library or List Permissions
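Every level from sub-site down to item can break inheritance, which is exactly where permission sprawl hides. The script below, an added example rather than anything from the original post, walks one site collection and lists every web, list, folder, document set and item with unique permissions together with who holds what there. The site URL is a placeholder.

```powershell
# Added example: report every securable object in a site collection whose
# inheritance chain has been broken. Placeholder URL; run from the
# SharePoint 2010 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# One entry per role assignment on a securable object: "principal [levels]".
function Format-RoleAssignments($securable) {
    ($securable.RoleAssignments | ForEach-Object {
        $levels = ($_.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
        "{0} [{1}]" -f $_.Member.Name, $levels
    }) -join "; "
}

function New-ReportRow($scope, $url, $securable) {
    New-Object PSObject -Property @{
        Scope       = $scope
        Url         = $url
        Assignments = Format-RoleAssignments $securable
    }
}

function Get-UniquePermissionReport([string]$SiteUrl) {
    $site = Get-SPSite $SiteUrl
    try {
        foreach ($web in $site.AllWebs) {
            try {
                # The root web is always unique; only report sub-sites.
                if (-not $web.IsRootWeb -and $web.HasUniqueRoleAssignments) {
                    New-ReportRow "Web" $web.Url $web
                }
                foreach ($list in $web.Lists) {
                    if ($list.Hidden) { continue }
                    if ($list.HasUniqueRoleAssignments) {
                        New-ReportRow "List" ($web.Url + "/" + $list.RootFolder.Url) $list
                    }
                    # RecursiveAll returns folders, document sets and items at
                    # every depth of the list in one query.
                    $query = New-Object Microsoft.SharePoint.SPQuery
                    $query.ViewAttributes = "Scope='RecursiveAll'"
                    foreach ($item in $list.GetItems($query)) {
                        if ($item.HasUniqueRoleAssignments) {
                            $kind = if ($item.Folder -ne $null) { "Folder" } else { "Item" }
                            New-ReportRow $kind ($web.Url + "/" + $item.Url) $item
                        }
                    }
                }
            } finally { $web.Dispose() }
        }
    } finally { $site.Dispose() }
}

# Usage: rows are objects, so they can be filtered or exported with Export-Csv.
Get-UniquePermissionReport "http://intranet.contoso.local/sites/projects" |
    Format-Table Scope, Url, Assignments -AutoSize
```

The item loop touches every item in every visible list, so on large site collections run it off-hours or restrict it to the lists you care about.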

Miscellaneous Security and Permission Features

Web Part security settings can be configured at the web application level:

SharePoint Designer permissions can be controlled with web application level settings:

See also: Managing SharePoint Designer 2010

Browser File Handling and Web Page Security Validation can be controlled at the web application level:

See Also: Security Validation and Making Posts to Update Data

You can also control the blocked file types list (i.e. restrict the upload of certain file types):

See Also: Manage blocked file types (SharePoint Server 2010)

Self-Service Site Creation, which is basically used for My Sites, is a way to give users permission to create new site collections in certain URL namespaces. It is controlled through the Central Administration web site, and the setting is per web application:

See Also: Turn on or turn off self-service site creation (SharePoint Server 2010)

With the SharePoint auditing features you can gather logs and get reports on what users have been doing in the site collection:

This is a little unrelated to security, but as a side note, SharePoint also has a two-level recycle bin:

See also: Plan to protect content by using recycle bins and versioning (SharePoint Server 2010)
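The settings in this section, plus the Farm Administrators membership from the start of the article, read back from the object model as a quick posture check. This is an added example, not code from the original post; the web application URL is a placeholder, and which values are reported as findings is this example's own assumption, not a SharePoint default.

```powershell
# Added example: read the web application settings described above and
# report the ones usually tightened on a public-facing farm. Placeholder URL.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-FarmAdministrators {
    # The Farm Administrators group lives in the Central Administration site.
    $ca = Get-SPWebApplication -IncludeCentralAdministration |
          Where-Object { $_.IsAdministrationWebApplication }
    $ca.Sites[0].RootWeb.SiteGroups["Farm Administrators"].Users |
        ForEach-Object { $_.LoginName }
}

function Get-WebAppSecurityPosture([string]$Url) {
    $webApp   = Get-SPWebApplication $Url
    $findings = @()

    # Blocked file types only help while the executable extensions stay listed.
    $blocked = @($webApp.BlockedFileExtensions)
    foreach ($ext in "exe", "dll", "bat", "cmd", "ps1", "vbs", "hta") {
        if ($blocked -notcontains $ext) { $findings += "Blocked file types: '$ext' is missing" }
    }

    # Self-service site creation lets authenticated users create site collections.
    if ($webApp.SelfServiceSiteCreationEnabled) { $findings += "Self-service site creation enabled" }

    # SharePoint Designer settings: each one widens what site owners can change.
    if ($webApp.AllowDesigner)           { $findings += "SharePoint Designer allowed" }
    if ($webApp.AllowMasterPageEditing)  { $findings += "Master page editing allowed" }
    if ($webApp.AllowRevertFromTemplate) { $findings += "Revert from site template allowed" }
    if ($webApp.ShowURLStructure)        { $findings += "URL structure browsing allowed" }

    # Browser file handling: Permissive lets uploaded HTML render in the browser.
    if ($webApp.BrowserFileHandling.ToString() -eq "Permissive") {
        $findings += "Browser file handling is Permissive"
    }

    # Web page security validation (form digest) guards POSTs against request forgery.
    if (-not $webApp.FormDigestSettings.Enabled) { $findings += "Web page security validation disabled" }

    # Anonymous access is switched on per zone in the authentication provider settings.
    foreach ($zone in $webApp.IisSettings.Keys) {
        if ($webApp.IisSettings[$zone].AllowAnonymous) { $findings += "Anonymous access enabled on zone $zone" }
    }

    # Site collection auditing: without it there is no record of who did what.
    foreach ($site in $webApp.Sites) {
        try {
            if ($site.Audit.AuditFlags.ToString() -eq "None") { $findings += "Auditing off: " + $site.Url }
        } finally { $site.Dispose() }
    }

    New-Object PSObject -Property @{
        WebApplication = $webApp.DisplayName
        FarmAdmins     = @(Get-FarmAdministrators)
        Findings       = $findings
    }
}

# Usage: one object per web application; Findings holds the detail.
Get-WebAppSecurityPosture "http://intranet.contoso.local" | Format-List
```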

What Was Not Covered in This Article

There is also Windows Rights Management Services integration in SharePoint… let’s discuss that in a separate article, or give us a link to an article that discusses SharePoint/RMS integration! We could also talk a little about SharePoint managed accounts, but those belong more to the infrastructure side. And what about the security settings that some of the SharePoint services contain? As you can see, SharePoint is a very flexible platform in these kinds of things, but the flexibility comes at a price. That price is complexity. Hopefully this article clears up some of it.

Other topics we did not discuss that are somewhat related to security include, for example:

Whether to use AD Groups or SharePoint Groups as the Main Mechanism to Grant Rights?

Well, everything starts from Active Directory. If Active Directory is a mess, it should be fixed before designing how to manage rights in SharePoint. If Active Directory is well maintained, it also benefits the other applications that integrate with AD (for example normal file sharing and NTFS permissions, or systems like Microsoft CRM).

Use SharePoint groups sparingly. Try to utilize the predefined SharePoint groups that are created in SharePoint sites, if possible. Think twice before defining new web application policies or site collection permission levels, and create new ones only if there isn’t a better way around it.

Final Words

Please give us comments and feedback! We will probably come back and update this article in the future.
