SharePoint Security and Permission System Overview

September 1, 2010

SharePoint Permission and Security Mechanisms

From time to time our customers ask us how SharePoint security and permission features work and how they should be used. In this post we walk through the basic permission and security features of SharePoint. It is not intended to be a complete description of every security and permission related feature in SharePoint, but we try to gather all the essential pieces here. We took many screenshots to illustrate what each setting or feature means in practice. Enjoy the ride! ;-)

Additional Resources:

Farm Administrators

The Farm Administrators group is managed centrally through the SharePoint Central Administration web site:

By default, Farm Administrators include the SharePoint farm account, the SharePoint installation account and the BUILTIN\Administrators group. Farm Administrators effectively have “all rights” in the SharePoint farm (or at least the ability to grant them to themselves).

You can give Farm Administration rights to AD groups and AD users:

Additional Resources:

Authentication Providers

Authentication providers control how users are authenticated in a web application. Here you can also enable or disable anonymous access and client integration, and control the client object model permission requirements, among other settings:

Additional Resources:

Web Application Level Permission Policies

With web application level permission policies you control centrally, in Central Administration, which permission policies apply to all site collections and sites under a specific web application. By default SharePoint provides four predefined policies:

Our recommendation is not to edit the default policies but to create new ones if the out-of-the-box policies are not what you are looking for. A policy by itself does not grant any permissions until you attach users or groups to it; it is only a definition of what a user who has been granted the policy can do in the entire web application. With web application policies you can either Grant or Deny a permission.

Here is an example of adding a new web application level permission policy:

Additional Resources:

Web Application Level User Policies

User policy is where the magic happens at the web application level. A user policy is basically a mapping of an AD user or AD group to a certain web application level permission policy. You can even define the zone in which the policy applies. For example, you can use one policy for users who access the SharePoint sites from your internal network (intranet zone) and a different policy for those who access them through the public internet (internet zone), or just apply the policy to “All Zones”. User policies are especially useful for service accounts and in development/integration environments where site collections are recreated often (maybe with TFS autobuild scripts).

Here is a screenshot of applying the Manage Content policy to the Content Editors AD group:
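The two steps above (a Grant/Deny permission policy and a user policy that maps an AD group to it on one zone) done in the SharePoint 2010 Management Shell instead of Central Administration. This is an added example, not code from the original post; the web application URL, the AD group and the policy name are placeholders.

```powershell
# Added example, not from the original post. Run in the SharePoint 2010 Management
# Shell on a farm server. URL, group and policy names are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl  = "http://intranet.contoso.local"   # placeholder web application
$adGroup    = "CONTOSO\Content Editors"         # placeholder AD group
$policyName = "Manage Content (custom)"         # new policy; the default policies stay untouched

$webApp = Get-SPWebApplication $webAppUrl

# 1. Permission policy: a named set of Grant and Deny rights with no principal attached yet.
$role = $webApp.PolicyRoles | Where-Object { $_.Name -eq $policyName }
if ($role -eq $null) {
    $role = $webApp.PolicyRoles.Add($policyName, "Edit content, never manage permissions")
    $role.GrantRightsMask = [Microsoft.SharePoint.SPBasePermissions]"ViewListItems, AddListItems, EditListItems, DeleteListItems, OpenItems, ViewVersions, ViewPages, Open"
    # A Deny in a web application policy overrides every Grant made at site, list or item level.
    $role.DenyRightsMask  = [Microsoft.SharePoint.SPBasePermissions]"ManagePermissions, ManageWeb"
    $role.Update()
}

# 2. User policy: bind the AD group to that policy on the Intranet zone only.
$zone         = [Microsoft.SharePoint.Administration.SPUrlZone]::Intranet
$zonePolicies = $webApp.ZonePolicies($zone)
$existing     = $zonePolicies | Where-Object { $_.UserName -eq $adGroup }
if ($existing -eq $null) {
    $policy = $zonePolicies.Add($adGroup, "Content Editors (intranet zone)")
    $policy.PolicyRoleBindings.Add($role)
    $webApp.Update()
}

# 3. Review: user policies are easy to forget, so list what is bound where.
function Show-Policies($label, $policies) {
    foreach ($p in $policies) {
        $bound = ($p.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ", "
        "{0,-12} {1,-30} {2}" -f $label, $p.UserName, $bound
    }
}
Show-Policies "All zones" $webApp.Policies
Show-Policies "Intranet"  $webApp.ZonePolicies($zone)
```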

Additional Resources:

Web Application Level Anonymous Policy

You can also define the web application level policy for anonymous users through the Central Administration site (but you can only choose from three predefined policies):

Additional Resources:

Web Application Level User Permissions

This is just a checkbox list where you manage which permissions can be used in permission levels within the web application and its site collections (by default all check boxes are checked, and in practice we rarely need to change the selection):

Site Collection Administrators

Site Collection Administrators have full control over a specific SharePoint site collection. You can only use AD users (not AD groups, at least via the UI) as site collection administrators (we don’t actually know why it is like that, do you?). In Central Administration you can define two users as site collection administrators, but in the site collection settings you can add more. Here is a screenshot of the Central Administration site collection administrators settings page:

Additional Resources:

Anonymous Access Permissions

You can control which parts of your site anonymous users can access with the Anonymous Access setting:

Anonymous access can be restricted further by enabling the View Form Pages Lock Down feature. Our advice is to enable this feature on every public SharePoint site. For more about this feature and some other anonymous access suggestions, please consult the following article:

Site Collection Level Permission Levels

As with web application level permission policies, these are the actual permissions that SharePoint checks when a user accesses resources in a SharePoint site. This time there is only Grant (web application level permission policies support both Grant and Deny). In themselves permission levels are only definitions that group the fine-grained permissions into a more useful unit.

By default SharePoint defines these permission levels in site collections (the set can differ slightly depending on which features are enabled in a site collection):

You can also define your own permission levels if the predefined levels do not match your requirements. As a general principle, it is not a good idea to modify the predefined permission levels (it only causes confusion). Custom permission levels are created in a similar fashion to web application level permission policies:

Additional Resources:

SharePoint Groups

SharePoint groups are a little like AD groups, but they are managed in SharePoint instead of Active Directory. SharePoint groups can be used to delegate rights management to site owners instead of system administrators. Whether this is a good thing or not… well, it depends on what you want to achieve. SharePoint groups are global to the whole site collection: you cannot create a SharePoint group that exists only at (sub-)site level, and SharePoint groups cannot be used across site collections. One thing SharePoint groups support that AD groups do not is membership requests. You choose the SharePoint group’s permission level wherever you use that group. Basically a SharePoint group is just a collection of AD groups and AD users with attached permission level(s): while the permission level can differ from place to place, the membership is defined globally (site collection wide).

Here is a small clipping of the group creation settings (not all settings are visible, but you get the idea):

SharePoint groups do not directly give any rights to AD users or AD groups (unless you use a predefined group that already has, for example, site level permissions attached to it). You have to use the group somewhere. Next we walk through all the places where SharePoint groups, AD groups and AD users can be used to actually grant permissions.

Additional Resources:

Site Permissions

Site permissions are where all permission management begins, more specifically the root site’s permissions (the root site is the top site in a site collection). These are the permissions that all sub-items (sub-sites, libraries and lists, folders and document sets, documents and items) inherit. That is why it is important to design the site permissions carefully, as the whole site uses them by default (unless the inheritance chain is broken). Our advice is to find general enough permissions so that you do not need to break the inheritance chain too often.

When you grant site permissions you can use AD groups, AD users and SharePoint groups. You can either add users to one of the SharePoint groups or grant the permissions directly (i.e. attach a permission level to the user or group). I’m not sure why Microsoft recommends granting permissions through SharePoint groups, because in many cases it makes little sense. Probably because of the built-in functionality attached to SharePoint groups, or because with SharePoint groups you can move your site more easily to a different domain (for example from development to a cloud service, BPOS anyone?). Our advice is to go with SharePoint groups or grant directly, but try not to overuse SharePoint groups as it only causes confusion in the end.

Here is a screenshot of the SharePoint site level permission granting screen (this exact same functionality is also used at the other levels described below):

Each sub-site can break the permission inheritance chain and specify its own permissions, just as you specify them in the root site.
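The custom permission level, SharePoint group and site permission grants from the three sections above (Site Collection Level Permission Levels, SharePoint Groups and Site Permissions) as one SharePoint 2010 Management Shell script. This is an added example, not the post’s own code; the site URLs, the AD group, the owner account and the level and group names are placeholders.

```powershell
# Added example, not from the original post. URLs, accounts and names are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl   = "http://intranet.contoso.local/sites/projects"   # placeholder site collection
$subWebUrl = "$siteUrl/legal"                                 # placeholder sub-site
$adGroup   = "CONTOSO\Legal Reviewers"                        # placeholder AD group
$ownerAcct = "CONTOSO\sp-projects-owner"                      # placeholder group owner
$levelName = "Review Only"
$groupName = "Legal Reviewers"

$site = Get-SPSite $siteUrl
$root = $site.RootWeb   # permission levels and SharePoint groups live in the root web

# 1. Custom permission level: a named bundle of fine-grained base permissions.
#    The predefined levels (Full Control, Contribute, Read, ...) are left as they are.
$level = $root.RoleDefinitions | Where-Object { $_.Name -eq $levelName }
if ($level -eq $null) {
    $def = New-Object Microsoft.SharePoint.SPRoleDefinition
    $def.Name = $levelName
    $def.Description = "Read items and version history, no editing"
    $def.BasePermissions = [Microsoft.SharePoint.SPBasePermissions]"ViewListItems, OpenItems, ViewVersions, ViewPages, Open, BrowseDirectories, UseClientIntegration"
    $root.RoleDefinitions.Add($def)
    $level = $root.RoleDefinitions | Where-Object { $_.Name -eq $levelName }
}

# 2. SharePoint group: membership is site collection wide; the level is chosen where the group is used.
$group = $root.SiteGroups | Where-Object { $_.Name -eq $groupName }
if ($group -eq $null) {
    $owner = $root.EnsureUser($ownerAcct)
    $root.SiteGroups.Add($groupName, $owner, $null, "Reviewers of legal documents")
    $group = $root.SiteGroups | Where-Object { $_.Name -eq $groupName }
    $group.AddUser($root.EnsureUser($adGroup))    # an AD group as the only member
    $group.AllowRequestToJoinLeave = $true        # membership requests, which AD groups lack
    $group.Update()
}

# 3. Role assignment = principal (AD user, AD group or SharePoint group) + permission level(s).
function Grant-Level($web, $principal, $roleDef) {
    $ra = New-Object Microsoft.SharePoint.SPRoleAssignment($principal)
    $ra.RoleDefinitionBindings.Add($roleDef)
    $web.RoleAssignments.Add($ra)
}
Grant-Level $root $group $level   # root web: inherited by every sub-site, list and item by default

# 4. Sub-site with its own permissions: break the chain (copying the parent's assignments),
#    then grant the AD group directly with a predefined level.
$sub = Get-SPWeb $subWebUrl
if (-not $sub.HasUniqueRoleAssignments) { $sub.BreakRoleInheritance($true) }
$contribute = $sub.RoleDefinitions | Where-Object { $_.Name -eq "Contribute" }
$adPrincipal = $root.EnsureUser($adGroup)
Grant-Level $sub $adPrincipal $contribute

$sub.Dispose()
$site.Dispose()
```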

Additional Resources:

Library or List Permissions

Library and list permissions are managed through list settings. The management works exactly the same as with site permissions: first you break the inheritance chain, then you manage the individual list’s or library’s permissions. You can grant rights to AD users, AD groups and SharePoint groups. By default libraries and lists inherit their permissions from the parent site.

Lists and libraries also have some other security related features.

For example you can control Draft Item Security:

You can also control item/document scheduling, enable audience targeting and content approval (with or without workflows):

Additional Resources:

Folder or Document Set Permissions

As with library and site permissions, folders and document sets can be given their own permissions by breaking the permission inheritance chain.

Document set and folder permissions can be accessed from the drop-down menu:

Additional Resources:

  • Consult the links provided in Library or List Permissions

Document or Item Permissions

The last level in the SharePoint site structure hierarchy is the document or item. Document and item permissions are granted just like for the structures above them (folders, libraries, sites…).

You can access the document and item level permission settings page directly from the object you are interested in:

Additional Resources:

  • Consult the links provided in Library or List Permissions
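A check that goes with the advice above not to break the inheritance chain too often: a Management Shell report of every sub-site, list, folder, document set and item in a site collection that has its own permissions, and who is granted what there. This is an added example, not the post’s own code; the site collection URL is a placeholder.

```powershell
# Added example, not from the original post. The site collection URL is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Summarise who has which permission levels on one securable object (web, list, folder or item).
function Format-Principals($securable) {
    ($securable.RoleAssignments | ForEach-Object {
        $levels = ($_.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join "|"
        "{0} = {1}" -f $_.Member.Name, $levels
    }) -join "; "
}

function New-Record($scope, $url, $securable) {
    New-Object PSObject -Property @{
        Scope      = $scope
        Url        = $url
        Principals = Format-Principals $securable
    }
}

# Walk the hierarchy and emit one record per object whose inheritance chain is broken.
function Get-UniquePermissionReport($siteUrl) {
    $site = Get-SPSite $siteUrl
    try {
        foreach ($web in $site.AllWebs) {
            try {
                if ($web.HasUniqueRoleAssignments -and -not $web.IsRootWeb) {
                    New-Record "Web" $web.Url $web
                }
                foreach ($list in $web.Lists) {
                    if ($list.Hidden) { continue }
                    if ($list.HasUniqueRoleAssignments) {
                        New-Record "List" $list.RootFolder.ServerRelativeUrl $list
                    }
                    foreach ($folder in $list.Folders) {   # folders and document sets
                        if ($folder.HasUniqueRoleAssignments) { New-Record "Folder" $folder.Url $folder }
                    }
                    foreach ($item in $list.Items) {       # documents and list items
                        if ($item.HasUniqueRoleAssignments) { New-Record "Item" $item.Url $item }
                    }
                }
            } finally { $web.Dispose() }
        }
    } finally { $site.Dispose() }
}

Get-UniquePermissionReport "http://intranet.contoso.local/sites/projects" |
    Sort-Object Scope, Url |
    Format-Table Scope, Url, Principals -AutoSize
```

The report walks every item in every visible list, so on large site collections run it outside business hours.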

Miscellaneous Security and Permission Features

Web Part security settings can be configured at web application level:

SharePoint Designer permissions can be controlled with web application level settings:

See also: Managing SharePoint Designer 2010

Browser File Handling and Web Page Security validation can be controlled at web application level:

See Also: Security Validation and Making Posts to Update Data

You can also control the blocked file types list (i.e. restrict uploading of certain file types):

See Also: Manage blocked file types (SharePoint Server 2010)

Self-Service Site Creation, which is basically used for My Sites, is a way to give users permission to create new site collections in certain URL namespaces. It is controlled through the Central Administration web site, and the setting is per web application:

See Also: Turn on or turn off self-service site creation (SharePoint Server 2010)

With SharePoint auditing features you can gather logs and get reports on what users have been doing in the site collection:

This is a little unrelated to security, but as a note, SharePoint also has a two-level recycle bin:

See also: Plan to protect content by using recycle bins and versioning (SharePoint Server 2010)
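A Management Shell review of the web application level settings in this section (browser file handling, web page security validation, SharePoint Designer, self-service site creation, blocked file types) and of site collection auditing, together with the View Form Pages Lock Down check from the Anonymous Access Permissions section above. This is an added example, not the post’s own code; the web application URL is a placeholder, and the extensions it adds to the blocked list are an assumption about what a public-facing web application should refuse.

```powershell
# Added example, not from the original post. The web application URL is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webApp = Get-SPWebApplication "http://www.contoso.local"   # placeholder (public-facing)

# --- Web application level settings ---
"Browser file handling       : {0}" -f $webApp.BrowserFileHandling   # Strict = unknown types are downloaded, not rendered inline
"Web page security validation: {0}, timeout {1}" -f $webApp.FormDigestSettings.Enabled, $webApp.FormDigestSettings.Timeout
"SharePoint Designer allowed : {0}" -f $webApp.AllowDesigner
"Self-service site creation  : {0}" -f $webApp.SelfServiceSiteCreationEnabled
"Blocked file types          : {0}" -f (($webApp.BlockedFileExtensions | Sort-Object) -join ", ")

# Make sure a few script-capable extensions are on the blocked list (stored lowercase, without the dot).
$changed = $false
foreach ($ext in @("ps1", "vbs", "hta")) {
    if (-not $webApp.BlockedFileExtensions.Contains($ext)) {
        $webApp.BlockedFileExtensions.Add($ext)
        $changed = $true
    }
}
if ($changed) { $webApp.Update() }

# --- Per site collection: anonymous access without the lockdown feature, and auditing ---
$lockdownName = "ViewFormPagesLockDown"
foreach ($site in $webApp.Sites) {
    try {
        $anonymousOn = $site.RootWeb.AnonymousState -ne [Microsoft.SharePoint.SPWeb+WebAnonymousState]::Disabled
        $lockdownOn  = (Get-SPFeature -Site $site -ErrorAction SilentlyContinue |
                        Where-Object { $_.DisplayName -eq $lockdownName }) -ne $null
        if ($anonymousOn -and -not $lockdownOn) {
            Write-Warning ("{0}: anonymous access is on but {1} is not enabled" -f $site.Url, $lockdownName)
            Enable-SPFeature -Identity $lockdownName -Url $site.Url
        }
        # Turn on auditing where nothing is recorded yet, so the audit reports can show
        # who viewed, changed, deleted or re-permissioned what.
        if ($site.Audit.AuditFlags -eq [Microsoft.SharePoint.SPAuditMaskType]::None) {
            $site.Audit.AuditFlags = [Microsoft.SharePoint.SPAuditMaskType]"View, Update, Delete, SecurityChange"
            $site.Audit.Update()
        }
        "{0,-50} anonymous={1,-5} lockdown={2,-5} audit={3}" -f $site.Url, $anonymousOn, $lockdownOn, $site.Audit.AuditFlags
    } finally { $site.Dispose() }
}
```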

What Was Not Covered in This Article

There is also Windows Rights Management Services integration in SharePoint… let’s discuss that in a separate article, or give us a link to an article that discusses SharePoint/RMS integration! We could also talk a little about SharePoint managed accounts, but those are more on the infrastructure side. And what about the security settings that some SharePoint services contain? As you can see, SharePoint is a very flexible platform in these kinds of things, but this flexibility comes with a price. That price is complexity. Hopefully this article clears up some of that.

Other topics we did not discuss that are somewhat related to security include, for example:

Whether to use AD Groups or SharePoint Groups as a Main Mechanism to Grant Rights?

Well, everything starts from Active Directory. If Active Directory is a mess, it should be fixed before designing how to manage rights in SharePoint. If Active Directory is well maintained, it also benefits the other applications that integrate with AD (for example normal file sharing and NTFS permissions, or systems like Microsoft CRM).

Use SharePoint groups sparingly. Try to use the predefined SharePoint groups that are created in SharePoint sites, if possible. Think twice before defining new web application policies or site collection permission levels, and create new ones only if there isn’t a better way around it.

Final Words

Please give us comments and feedback! We will probably come back and update this article in the future.
