SharePoint Security and Permission System Overview

September 1, 2010 | 192 comments

SharePoint Permission and Security Mechanisms

From time to time, our customers ask us how SharePoint security and permission features work and how they should be utilized. In this post we try to walk through the basic permission and security features of SharePoint. This post is not intended to be a complete description of every security and permission related feature in SharePoint, but we try to gather all the essential pieces here. We took many screenshots to illustrate what each setting or feature means in practice, so enjoy the ride ;-)

Additional Resources:

Farm Administrators

The Farm Administrators group is managed centrally via the SharePoint Central Administration web site:

By default, Farm Administrators include the SharePoint farm account, the SharePoint installation account and the BUILTIN\Administrators group. Farm Administrators have basically “all rights” in the SharePoint farm (or at least they have the ability to grant those rights to themselves).

You can give Farm Administration rights to AD groups and AD users:

Additional Resources:

Authentication Providers

With authentication providers you control how your users are authenticated in a web application. You can also enable or disable anonymous access and client integration, and control client object model permission requirements, among other things:

Additional Resources:

Web Application Level Permission Policies

With web application level permission policies you can control centrally, in Central Administration, what kind of permission policies apply to all site collections and sites under a specific web application. By default SharePoint gives us four predefined policies:

Our recommendation is that you should not edit the default policies, but instead create new policies if the out of the box policies are not what you are looking for. Policies by themselves do not grant any permissions unless you attach users or groups to them. A policy is just a definition of what a user who has been granted that policy can do in the entire web application. With web application policies you can either Grant or Deny a permission.

Here is an example of adding a new web application level permission policy:

Additional Resources:

Web Application Level User Policies

User Policy is the place where the magic happens at the web application level. A user policy is basically a mapping of an AD user or AD group to a certain Web Application Level Permission Policy. You can even define the Zone in which the policy is applied. For example, you can use one policy for users who use the SharePoint sites from your internal network (intranet zone) and a different policy for those who access the sites through the public internet (internet zone), or just apply the policy to “All Zones”. User policies are especially useful for service accounts, and in development/integration environments where you probably recreate site collections often (maybe with TFS autobuild scripts).

Here is a screenshot of applying the Manage Content policy to the Content Editors AD group:
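The two steps above (a permission policy as the definition, then a user policy binding an AD group to it in one zone) as an added example for the SharePoint 2010 Management Shell; this is not code from the original post. It assumes a placeholder web application URL and AD group name, and that the web application has been extended to the Intranet zone.

```powershell
# Added example (not from the original post): a web application permission policy
# (the definition) plus a user policy (the AD group to policy mapping), scoped to
# the Intranet zone, using the SharePoint 2010 server object model.
# The URL and the AD group name are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = "http://intranet.contoso.local"   # placeholder web application
$adGroup   = "CONTOSO\Content Editors"          # placeholder AD group
$webApp    = Get-SPWebApplication $webAppUrl

# 1. Permission policy: a named Grant mask and Deny mask. Deny always wins, so this
#    role can edit content but can never manage a site or its permissions, even if a
#    site owner grants that elsewhere. A new role is created instead of editing one of
#    the four default ones.
$grant = [Microsoft.SharePoint.SPBasePermissions] `
    "ViewListItems, AddListItems, EditListItems, DeleteListItems, OpenItems, ViewVersions, Open, ViewPages"
$deny  = [Microsoft.SharePoint.SPBasePermissions] "ManageWeb, ManagePermissions"

$roleName = "Manage Content (no site admin)"
$role = $webApp.PolicyRoles[$roleName]
if ($role -eq $null) {
    $role = $webApp.PolicyRoles.Add($roleName, "Edit content in every site, never administer it", $grant, $deny)
}

# 2. User policy: bind the AD group to the role for the Intranet zone only.
#    $webApp.Policies is the "All Zones" collection; ZonePolicies() is per zone.
$intranet     = [Microsoft.SharePoint.Administration.SPUrlZone]::Intranet
$zonePolicies = $webApp.ZonePolicies($intranet)
$policy = $zonePolicies | Where-Object { $_.UserName -eq $adGroup }
if ($policy -eq $null) {
    $policy = $zonePolicies.Add($adGroup, "Content Editors (intranet only)")
    $policy.PolicyRoleBindings.Add($role)
}
$webApp.Update()

# 3. Review: who holds a policy in which zone, and with which Grant/Deny masks.
#    Grants here apply in every site collection regardless of site level
#    permissions, so this list deserves a regular look.
$report = @()
foreach ($p in $webApp.Policies) {
    foreach ($b in $p.PolicyRoleBindings) {
        $report += New-Object PSObject -Property @{ Zone = "All"; User = $p.UserName;
            Role = $b.Name; Grant = $b.GrantRightsMask; Deny = $b.DenyRightsMask }
    }
}
foreach ($p in $zonePolicies) {
    foreach ($b in $p.PolicyRoleBindings) {
        $report += New-Object PSObject -Property @{ Zone = "Intranet"; User = $p.UserName;
            Role = $b.Name; Grant = $b.GrantRightsMask; Deny = $b.DenyRightsMask }
    }
}
$report | Format-Table Zone, User, Role, Grant, Deny -AutoSize
```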

Additional Resources:

Web Application Level Anonymous Policy

You can also define a web application level policy for anonymous users through the Central Administration site (but you can only choose from three predefined policies):

Additional Resources:

Web Application Level User Permissions

This is just a checkbox list from which you can manage what kind of permission levels can be used in a web application and its site collections (by default all check boxes are checked, and in general we rarely need to modify the selections):

Site Collection Administrators

Site Collection Administrators have full control of a specific SharePoint site collection. You can only use AD users (not AD groups, at least with the UI) as site collection administrators (we don’t actually know why it is like that, do you?). In the Central Administration site you can define two users as site collection administrators, but in the site collection settings you can add more. Here is a screenshot of the Central Administration site collection administrators settings page:

Additional Resources:

Anonymous Access Permissions

You can control which parts of your site anonymous users can access with the Anonymous Access setting:

Anonymous access can be restricted further by enabling the View Form Pages Lock Down feature. Our advice is to enable this feature on every public SharePoint site. For more about this feature and some other anonymous access suggestions, please consult the following article:

Site Collection Level Permission Levels

Like web application level permission policies, these are the actual permissions that SharePoint checks when a user accesses resources in a SharePoint site. This time we can only Grant (web application level permission policies allow both Grant and Deny). In themselves, permission levels are only definitions that group the more fine-grained permissions together into a more useful entity.

By default, SharePoint has these permission levels defined in site collections (the levels can differ a little depending on which features have been enabled in a site collection):

You can also define your own permission levels if the predefined levels do not match your requirements. As a general principle, it’s not a good idea to modify the predefined permission levels (it only causes confusion). Your own permission levels can be created in a similar fashion to web application level permission policies:

Additional Resources:

SharePoint Groups

SharePoint groups are a little like AD groups, but they are managed in SharePoint instead of Active Directory. SharePoint groups can be used to delegate rights management to the site owners instead of system administrators. Whether this is a good thing or not… well, it depends on what you want to achieve. SharePoint groups are global to the whole site collection: you cannot define a SharePoint group that exists only at the (sub-)site level, and SharePoint groups cannot be used across site collections. One thing SharePoint groups do support that AD groups do not is membership requests. You choose the SharePoint group’s permission level wherever you use that group. Basically a SharePoint group is just a collection of AD groups and AD users with attached permission level(s): while the permission level can differ from place to place, the members are defined globally (site collection wide).

Here is a small clipping of the group creation settings (not all settings are visible, but you get the idea):

SharePoint groups do not directly give any rights to AD users or AD groups (unless you use a predefined group that already has, for example, site level permissions attached to it). You have to use that group somewhere. Next we walk through all the places where you can use SharePoint groups, AD groups and AD users to actually grant permissions.

Additional Resources:

Site Permissions

Site permissions are where all permission management begins; more specifically, the root site permissions (the root site is the top site in a site collection). These are the permissions that all sub-items (sub-sites, libraries and lists, folders and document sets, documents and items) inherit. That’s why it is important to design the site permissions carefully, as the whole site uses them by default (unless the inheritance chain is broken). Our advice is to find general enough permissions so that you do not need to break the inheritance chain too often.

When you grant site permissions you can use AD groups, AD users and SharePoint groups. You can either add users to some of the SharePoint groups or grant the permissions directly (i.e. attach a permission level to the user or group). I’m not sure why Microsoft recommends granting permissions through SharePoint groups, because in many cases it makes little sense. Probably because of the in-built functionality that is attached to SharePoint groups, or because when using SharePoint groups you are able to move your site more easily to a different domain (for example from development to a cloud service, BPOS anyone?). Our advice is to go with SharePoint groups or grant directly, but try not to overuse SharePoint groups, as it only causes confusion in the end.

Here is a screenshot of the SharePoint site level permission granting screen (this exact same functionality is also used at the other levels described below):

Each sub-site can break the permission inheritance chain and specify its own permissions, just like you specify them in the root site.
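The three building blocks of the last sections (a custom permission level, a SharePoint group, and the grant on the root site) chained together as an added example for the SharePoint 2010 Management Shell; this is not code from the original post. The site collection URL, the AD group and the level/group names are placeholders.

```powershell
# Added example (not from the original post): a custom permission level, a SharePoint
# group that uses it, and the grant on the root site, via the SharePoint 2010 server
# object model. Site URL, AD group and the level/group names are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "http://intranet.contoso.local/sites/projects"   # placeholder site collection
$adGroup = "CONTOSO\Project Editors"                         # placeholder AD group

$site = Get-SPSite $siteUrl
$web  = $site.RootWeb
try {
    # 1. Permission level: a named bundle of fine-grained base permissions. This one
    #    is modelled on the out-of-the-box Contribute level with both delete rights
    #    left out; Contribute itself stays untouched, as the post advises.
    $levelName = "Contribute (no delete)"
    $level = $web.RoleDefinitions | Where-Object { $_.Name -eq $levelName }
    if ($level -eq $null) {
        $level = New-Object Microsoft.SharePoint.SPRoleDefinition
        $level.Name = $levelName
        $level.Description = "Add and edit items and documents, but never delete them"
        $level.BasePermissions = [Microsoft.SharePoint.SPBasePermissions] (
            "ViewListItems, AddListItems, EditListItems, OpenItems, ViewVersions, " +
            "CancelCheckout, ManagePersonalViews, ViewFormPages, Open, ViewPages, " +
            "BrowseDirectories, BrowseUserInfo, AddDelPrivateWebParts, UpdatePersonalWebParts, " +
            "UseClientIntegration, UseRemoteAPIs, CreateAlerts, EditMyUserInfo")
        $web.RoleDefinitions.Add($level)
        $level = $web.RoleDefinitions[$levelName]
    }

    # 2. SharePoint group: site collection wide membership, no rights of its own.
    #    The AD group is the member, so day-to-day membership stays in AD.
    $groupName = "Project Editors"
    $group = $web.SiteGroups | Where-Object { $_.Name -eq $groupName }
    if ($group -eq $null) {
        $web.SiteGroups.Add($groupName, $site.Owner, $site.Owner, "Editors who cannot delete")
        $group = $web.SiteGroups[$groupName]
        $group.AddUser($web.EnsureUser($adGroup))
    }

    # 3. Site permission: attach the permission level to the group on the root site.
    #    Every sub-site, list, folder and item inherits this until inheritance is broken.
    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment -ArgumentList $group
    $assignment.RoleDefinitionBindings.Add($level)
    $web.RoleAssignments.Add($assignment)
}
finally {
    $web.Dispose()
    $site.Dispose()
}
```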

Additional Resources:

Library or List Permissions

Library and list permissions can be managed through the list settings. Basically the management works exactly the same as with site permissions: first you break the inheritance chain, and then you start to manage the individual list’s or library’s permissions. You can grant rights to AD users, AD groups and SharePoint groups. By default, libraries and lists inherit their permissions from the parent site.

With lists and libraries you also have some other security related features.

For example you can control Draft Item Security:

You can also control item/document scheduling, enable audience targeting and content approval (with or without workflows):

Additional Resources:

Folder or Document Set Permissions

Like with library and site permissions, folders and document sets can be given their own permissions by breaking the permission inheritance chain.

Document set and folder permissions can be accessed from the drop-down menu:

Additional Resources:

  • Consult the links provided in Library or List Permissions

Document or Item Permissions

The last level in the SharePoint site structure hierarchy is the document or item. Document and item permissions can also be granted just like you did for the structures above them (folders, libraries, sites…).

You can access the document and item level permission settings page directly from the object you are interested in:
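Since every level from site to item can break inheritance, the check a site collection administrator wants is a list of where that has happened and who was granted what there. Here is that report as an added example for the SharePoint 2010 Management Shell (not code from the original post); the site collection URL is a placeholder, and it flags grants made directly to a person rather than through an AD or SharePoint group.

```powershell
# Added example (not from the original post): an audit of every web, list, folder,
# document set and item in a site collection that has unique (non-inherited)
# permissions, flagging grants made directly to users instead of through groups.
# Uses the SharePoint 2010 server object model; the site URL is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-ScopeRows($securable, [string] $kind, [string] $url) {
    # One row per role assignment on an object that has its own permissions.
    foreach ($ra in $securable.RoleAssignments) {
        $member = $ra.Member
        $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
        New-Object PSObject -Property @{
            Kind       = $kind
            Url        = $url
            Principal  = $member.Name
            # A direct grant to a person (not an AD group, not a SharePoint group):
            # exactly the kind of exception the post says not to create too often.
            DirectUser = ($member -is [Microsoft.SharePoint.SPUser]) -and -not $member.IsDomainGroup
            Levels     = $levels
        }
    }
}

function Get-UniquePermissionReport([string] $siteUrl) {
    $site = Get-SPSite $siteUrl
    try {
        foreach ($web in $site.AllWebs) {
            try {
                if ($web.HasUniqueRoleAssignments) {
                    Get-ScopeRows $web "Web" $web.Url
                }
                foreach ($list in $web.Lists) {
                    if ($list.Hidden) { continue }
                    if ($list.HasUniqueRoleAssignments) {
                        Get-ScopeRows $list "List" ($web.Url + "/" + $list.RootFolder.Url)
                    }
                    # Folders and document sets come from Folders, everything else from Items.
                    foreach ($item in @($list.Folders) + @($list.Items)) {
                        if ($item.HasUniqueRoleAssignments) {
                            Get-ScopeRows $item "Item" ($web.Url + "/" + $item.Url)
                        }
                    }
                }
            }
            finally { $web.Dispose() }
        }
    }
    finally { $site.Dispose() }
}

$siteUrl = "http://intranet.contoso.local/sites/projects"   # placeholder site collection
Get-UniquePermissionReport $siteUrl |
    Sort-Object Url |
    Format-Table Kind, Url, Principal, DirectUser, Levels -AutoSize
```

The item loop touches every item in every list, so on a large site collection run it off-hours or restrict it to the lists you care about.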

Additional Resources:

  • Consult the links provided in Library or List Permissions

Miscellaneous Security and Permission Features

Web Part security settings can be configured at web application level:

SharePoint Designer permissions can be controlled with web application level settings:

See also: Managing SharePoint Designer 2010

Browser File Handling and Web Page Security validation can be controlled at web application level:

See Also: Security Validation and Making Posts to Update Data

You can also control the blocked file types list (i.e. restrict the upload of certain file types):

See Also: Manage blocked file types (SharePoint Server 2010)

Self-Service Site Creation, which is basically used for My Sites, is a way to give users permission to create new site collections in certain URL namespaces. This can be controlled through the Central Administration web site, and the setting is per web application:

See Also: Turn on or turn off self-service site creation (SharePoint Server 2010)

With SharePoint auditing features you can gather logs and get reports on what users have been doing in the site collection:
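The settings of this section (blocked file types, browser file handling, SharePoint Designer, self-service site creation, auditing) together with the View Form Pages Lock Down feature from the anonymous access section, applied to one public-facing web application as an added example for the SharePoint 2010 Management Shell; this is not code from the original post. The URLs are placeholders, and the web application is assumed to already allow anonymous access under Authentication Providers.

```powershell
# Added example (not from the original post): web application hardening settings,
# the View Form Pages Lock Down feature and the auditing flags a permission review
# needs, for one public-facing web application. The URLs are placeholders; anonymous
# access is assumed to be enabled already under Authentication Providers.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = "http://www.contoso.com"    # placeholder public web application
$siteUrl   = "http://www.contoso.com/"   # placeholder root site collection
$webApp    = Get-SPWebApplication $webAppUrl

# Blocked file types: extensions without the dot; uploads of these are refused.
foreach ($ext in @("exe", "dll", "msi", "bat", "ps1", "vbs")) {
    if (-not $webApp.BlockedFileExtensions.Contains($ext)) {
        $webApp.BlockedFileExtensions.Add($ext)
    }
}

# Browser file handling: Strict sends files whose MIME type is not on the web
# application's allowed-inline list as a download instead of rendering them in
# the browser under the SharePoint host name.
$webApp.BrowserFileHandling = [Microsoft.SharePoint.SPBrowserFileHandling]::Strict

# Self-service site creation: only needed where My Sites are hosted; off here.
$webApp.SelfServiceSiteCreationEnabled = $false
$webApp.Update()

# SharePoint Designer: disabled entirely for this web application.
Set-SPDesignerSettings -WebApplication $webApp -AllowDesigner $false `
    -AllowRevertFromTemplate $false -AllowMasterPageEditing $false `
    -AllowManageSiteUrlStructure $false

$site = Get-SPSite $siteUrl
try {
    # View Form Pages Lock Down: anonymous users see published pages only, not the
    # list views and forms behind them. It is activated once per site collection.
    $active = Get-SPFeature -Site $site.Url | Where-Object { $_.DisplayName -eq "ViewFormPagesLockDown" }
    if ($active -eq $null) {
        Enable-SPFeature -Identity ViewFormPagesLockDown -Url $site.Url
    }

    # The lockdown is applied when anonymous access is (re)enabled on the site, so
    # if anonymous access was already on, switch it off and back on.
    $web = $site.RootWeb
    $disabled = [Microsoft.SharePoint.SPWeb+WebAnonymousState]::Disabled
    if ($web.AnonymousState -ne $disabled) {
        $state = $web.AnonymousState
        $web.AnonymousState = $disabled
        $web.Update()
        $web.AnonymousState = $state
        $web.Update()
    }
    $web.Dispose()

    # Auditing: record permission changes, deletions and updates in this site
    # collection. View events are left out because they are very noisy on a public site.
    $site.Audit.AuditFlags = [Microsoft.SharePoint.SPAuditMaskType] "SecurityChange, Delete, Update"
    $site.Audit.Update()
}
finally { $site.Dispose() }
```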

This is a little unrelated to security, but as a note, SharePoint also has a two-level recycle bin:

See also: Plan to protect content by using recycle bins and versioning (SharePoint Server 2010)

What Was Not Covered in This Article

There is also Windows Rights Management Services integration in SharePoint… let’s discuss that in a separate article, or give us a link to an article that discusses SharePoint/RMS integration! We could also talk a little about SharePoint managed accounts, but those are more on the infrastructure side. And what about the security settings that some SharePoint services contain? As you can see, SharePoint is a very flexible platform in these kinds of things, but this flexibility comes with a price. That price is complexity. Hopefully this article clears up some of that.

Other things we didn’t discuss that are somewhat related to security are, for example:

Whether to use AD Groups or SharePoint Groups as a Main Mechanism to Grant Rights?

Well, everything starts from Active Directory. If Active Directory is a mess, it should be fixed before designing how to manage rights in SharePoint. If Active Directory is well maintained, it also benefits the other applications that integrate with AD (for example normal file sharing and NTFS permissions, or systems like Microsoft CRM).

Use SharePoint groups sparingly. Try to utilize the predefined SharePoint groups that are created in SharePoint sites, if possible. Think twice before defining new Web Application policies or Site Collection Permission Levels, and create new ones only if there isn’t a better way around it.

Final Words

Please give us comments and feedback! We will probably come back and update this article in the future.
