SharePoint Security and Permission System Overview

September 1, 2010 | 426 comments

SharePoint Permission and Security Mechanisms

From time to time our customers ask us how SharePoint security and permission features work and how they should be used. In this post we walk through the basic permission and security features of SharePoint. It is not intended to be a complete description of every security and permission related feature in SharePoint, but we try to gather all the essential pieces here. We took many screenshots to illustrate what each setting or feature means in practice. Enjoy the ride ;-)

Farm Administrators

The Farm Administrators group is managed centrally via the SharePoint Central Administration web site:

By default the Farm Administrators group contains the SharePoint farm account, the SharePoint installation account and the BUILTIN\Administrators group. Farm Administrators have basically “all rights” in the SharePoint farm (or at least the ability to get them).

You can give Farm Administration rights to AD groups and AD users:
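Because Farm Administrators can obtain any right in the farm, the membership of that group is the first thing to review. The script below is an added example, not code from the original post: it lists the members of the Farm Administrators group (which lives in the Central Administration site collection) and the shell administrators, using the SharePoint 2010 Management Shell on a farm server. The distinction between AD users and AD groups in the output is read from each member's `IsDomainGroup` flag.

```powershell
# Added example (not from the original post). Assumes the SharePoint 2010
# Management Shell (Microsoft.SharePoint.PowerShell snap-in) on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Central Administration is itself a web application with one site collection;
# the Farm Administrators group is a SharePoint group in its root web.
$caWebApp = Get-SPWebApplication -IncludeCentralAdministration |
    Where-Object { $_.IsAdministrationWebApplication }
$caWeb = Get-SPWeb $caWebApp.Url
try {
    $farmAdmins = $caWeb.SiteGroups["Farm Administrators"]
    "Farm Administrators ({0} members):" -f $farmAdmins.Users.Count
    foreach ($member in $farmAdmins.Users) {
        # AD groups appear as a single member; their real membership is in AD.
        $kind = if ($member.IsDomainGroup) { "AD group" } else { "AD user" }
        "  {0,-9} {1}" -f $kind, $member.LoginName
    }
} finally {
    $caWeb.Dispose()
}

# Shell administrators can run these cmdlets (and reach the databases directly),
# so they belong in the same review even though they are a separate list.
"Shell administrators:"
Get-SPShellAdmin | ForEach-Object { "  {0}" -f $_.UserName }
```

When an AD group shows up in the output, the people who can actually act as farm administrators are whoever Active Directory puts in that group, so the AD side has to be reviewed as well.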

Authentication Providers

With authentication providers you control how your users are authenticated to a web application. You can also enable or disable anonymous access and client integration, and control the client object model permission requirements, among other things:

Web Application Level Permission Policies

With web application level permission policies you can control centrally, in Central Administration, which permission policies apply to all site collections and sites under a specific web application. By default SharePoint gives us four predefined policies:

Our recommendation is not to edit the default policies but to create new ones if the out-of-the-box policies are not what you are looking for. A policy itself does not grant any permissions until you attach users or groups to it: a policy is just a definition of what a user who has been granted it can do in the entire web application. With web application policies you can either Grant or Deny permissions.

Here is an example of adding a new web application level permission policy:

Web Application Level User Policies

User Policy is the place where the magic happens at the web application level. A user policy is basically a mapping of an AD user or AD group to a certain Web Application Level Permission policy. You can also define the Zone in which the policy is applied. For example, you can use one policy for users who access the SharePoint sites from your internal network (intranet zone), a different policy for those who access the sites through the public internet (internet zone), or apply the policy to “All Zones”. User policies are especially useful for service accounts and in development/integration environments where you probably recreate site collections often (maybe with TFS autobuild scripts).

Here is a screenshot of applying the Manage Content policy to the Content Editors AD group:
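The two previous sections (permission policies and user policies) are the same operation done in the object model. The script below is an added example, not code from the original post: it creates a new policy definition instead of editing the four built-in ones, binds an AD group to it for the Intranet zone only, and then prints every user policy in every zone, which is the report an auditor asks for first. It assumes the SharePoint 2010 Management Shell on a farm server; the web application URL, the policy name and the AD group name are placeholders.

```powershell
# Added example (not from the original post). Assumes the SharePoint 2010
# Management Shell on a farm server; URL, policy name and AD group are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webApp = Get-SPWebApplication "http://intranet.contoso.local"

# 1. Define a new policy role rather than editing the out-of-the-box ones.
#    Grant and deny masks are separate; a deny bit in a web application policy
#    overrides anything granted lower down in the site collections.
$roleName = "Manage Content"
$role = $webApp.PolicyRoles | Where-Object { $_.Name -eq $roleName }
if ($role -eq $null) {
    $grant = [Microsoft.SharePoint.SPBasePermissions]::ViewListItems `
        -bor [Microsoft.SharePoint.SPBasePermissions]::AddListItems `
        -bor [Microsoft.SharePoint.SPBasePermissions]::EditListItems `
        -bor [Microsoft.SharePoint.SPBasePermissions]::DeleteListItems `
        -bor [Microsoft.SharePoint.SPBasePermissions]::ViewPages `
        -bor [Microsoft.SharePoint.SPBasePermissions]::Open
    $deny = [Microsoft.SharePoint.SPBasePermissions]::ManageWeb `
        -bor [Microsoft.SharePoint.SPBasePermissions]::ManagePermissions
    $role = $webApp.PolicyRoles.Add($roleName,
        "Add, edit and delete items; never manage sites or permissions", $grant, $deny)
}

# 2. User policy: bind an AD group to the role for the Intranet zone only.
#    $webApp.Policies (instead of ZonePolicies) is the "All Zones" collection.
$zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Intranet
$policies = $webApp.ZonePolicies($zone)
$login = "CONTOSO\Content Editors"
$policy = $policies | Where-Object { $_.UserName -eq $login }
if ($policy -eq $null) {
    $policy = $policies.Add($login, "Content Editors")
    $policy.PolicyRoleBindings.Add($role)
    $webApp.Update()
}

# 3. Review every user policy in every zone.
foreach ($z in [Enum]::GetValues([Microsoft.SharePoint.Administration.SPUrlZone])) {
    foreach ($p in $webApp.ZonePolicies($z)) {
        $bindings = ($p.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ", "
        "{0,-9} {1,-35} {2}" -f $z, $p.UserName, $bindings
    }
}
```

Step 3 is worth running on its own periodically: a user policy applies to every site collection in the web application, including ones created after the policy, so an account bound to Full Control here is effectively an administrator of all of them without appearing in any site's permission page.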

Web Application Level Anonymous Policy

You can also define a web application level policy for anonymous users through the Central Administration site (but you can only choose from three predefined policies):

Web Application Level User Permissions

This is just a checkbox list in which you manage what kind of permission levels can be used in a web application and its site collections (by default all check boxes are checked, and in general we rarely need to modify the selections):

Site Collection Administrators

Site Collection Administrators have full control of a specific SharePoint site collection. You can only use AD users (not AD groups, at least with the UI) as site collection administrators (we don’t actually know why it is like that, do you?). In Central Administration you can define two users as site collection administrators, but in the site collection settings you can add more. Here is a screenshot of the Central Administration site collection administrators settings page:
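The two Central Administration slots and the longer list in site collection settings are two different things in the object model: the primary and secondary owner of the site collection, and site users with the `IsSiteAdmin` flag set. The script below is an added example, not code from the original post: it sets both, then produces an inventory of who administers every site collection in a web application. It assumes the SharePoint 2010 Management Shell on a farm server; the URLs and account names are placeholders.

```powershell
# Added example (not from the original post). Assumes the SharePoint 2010
# Management Shell on a farm server; URLs and account names are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "http://intranet.contoso.local/sites/projects"

# 1. The two Central Administration slots are the primary and secondary owner.
Set-SPSite -Identity $siteUrl -OwnerAlias "CONTOSO\jdoe" -SecondaryOwnerAlias "CONTOSO\msmith"

# 2. Any further administrator is an ordinary site user with IsSiteAdmin set.
$web = Get-SPWeb $siteUrl
try {
    $extra = $web.EnsureUser("CONTOSO\akumar")
    $extra.IsSiteAdmin = $true
    $extra.Update()
} finally {
    $web.Dispose()
}

# 3. Inventory: every site collection in the web application with all of its
#    administrators, so unexpected entries stand out.
function Get-SiteCollectionAdminReport([string]$WebAppUrl) {
    $webApp = Get-SPWebApplication $WebAppUrl
    foreach ($site in $webApp.Sites) {
        try {
            $admins = @($site.RootWeb.SiteAdministrators | ForEach-Object { $_.LoginName })
            New-Object PSObject -Property @{
                Url        = $site.Url
                Owner      = $site.Owner.LoginName
                AdminCount = $admins.Count
                Admins     = ($admins -join "; ")
            }
        } finally {
            $site.Dispose()
        }
    }
}

Get-SiteCollectionAdminReport "http://intranet.contoso.local" |
    Sort-Object AdminCount -Descending |
    Format-Table Url, Owner, AdminCount, Admins -AutoSize -Wrap
```

Site collection administrators bypass the permission checks described in the rest of this article inside their site collection, so a site with many of them has, in practice, many owners; sorting by `AdminCount` brings those to the top.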

Anonymous Access Permissions

You can control which parts of your site anonymous users can access with the Anonymous Access setting:

Anonymous access can be further restricted by enabling the View Form Pages Lock Down feature. Our advice is to enable this feature on every public SharePoint site. For more about this feature and some other anonymous access suggestions, please consult the following article:
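The lock down feature is a hidden site collection feature, so it is activated from the command line rather than the UI. The script below is an added example, not code from the original post: it activates the feature if it is not already active and then reports, site by site and list by list, what anonymous users can reach. It assumes the SharePoint 2010 Management Shell on a farm server; the site URL is a placeholder.

```powershell
# Added example (not from the original post). Assumes the SharePoint 2010
# Management Shell on a farm server; the site URL is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "http://www.contoso.com"

# 1. ViewFormPagesLockDown removes "View Application Pages" and "Use Remote
#    Interfaces" from the Limited Access level, so anonymous visitors can read
#    published pages but cannot open list forms such as AllItems.aspx.
$active = Get-SPFeature -Site $siteUrl | Where-Object { $_.DisplayName -eq "ViewFormPagesLockDown" }
if ($active -eq $null) {
    Enable-SPFeature -Identity ViewFormPagesLockDown -Url $siteUrl
}

# 2. Report the anonymous state and effective anonymous rights of every web,
#    plus any list that manages its own permissions and still grants anonymous rights.
$site = Get-SPSite $siteUrl
try {
    foreach ($web in $site.AllWebs) {
        try {
            "{0,-45} anonymous: {1,-8} rights: {2}" -f $web.Url, $web.AnonymousState, $web.AnonymousPermMask64
            foreach ($list in $web.Lists) {
                if ($list.HasUniqueRoleAssignments -and
                    $list.AnonymousPermMask64 -ne [Microsoft.SharePoint.SPBasePermissions]::EmptyMask) {
                    "    {0,-41} rights: {1}" -f $list.Title, $list.AnonymousPermMask64
                }
            }
        } finally {
            $web.Dispose()
        }
    }
} finally {
    $site.Dispose()
}
```

One caveat with the feature: its change to the Limited Access level is applied when anonymous access is switched on for a site, so on a site where anonymous access was already enabled before the feature was activated, turn anonymous access off and on again and then re-run the report to confirm the rights actually changed.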

Site Collection Level Permission Levels

As with web application level permission policies, these are the actual permissions that SharePoint checks when a user accesses resources in a SharePoint site. This time we only have Grant abilities (in Web Application Level Permission Policies you could use Grant and Deny). In themselves permission levels are only definitions that group the more fine-grained permissions together into a more useful entity.

By default SharePoint has these permission levels defined in site collections (the levels can differ a little depending on which features have been enabled in the site collection):

You can also define your own permission levels if the predefined levels do not match your requirements. As a general principle, it’s not a good idea to modify the predefined permission levels (it only causes confusion). Your own permission levels can be created in a similar fashion to web application level permission policies:

SharePoint Groups

SharePoint groups are a little bit like AD groups, but they are managed in SharePoint instead of Active Directory. SharePoint groups can be used to delegate rights management to the site owners instead of system administrators. Whether this is a good thing or not… well, it depends on what you want to achieve. SharePoint groups are global to the whole site collection: you cannot create a SharePoint group that exists only at a (sub-)site level, and SharePoint groups cannot be used across site collections. One thing SharePoint groups support that AD groups do not is membership requests. You choose a SharePoint group’s permission level at each place where you use that group. Basically a SharePoint group is just a collection of AD groups and AD users with attached permission level(s): while the permission level can differ from place to place, the members are defined globally (site collection wide).

Here is a small clipping of the group creation settings (not all settings are visible, but you get the idea):

SharePoint groups do not directly give any rights to AD users or AD groups (unless you use a predefined group that already has, for example, site level permissions attached to it). You have to use that group somewhere. Next we walk through all the places where you can use SharePoint groups, AD groups and AD users to actually grant permissions.

Site Permissions

Site permissions are where all permission management begins; more specifically, the root site permissions (the root site is the top site in a site collection). These are the permissions that all sub-items (sub-sites, libraries and lists, folders and document sets, documents and items) inherit. That’s why it is important to design the site permissions carefully, as the whole site uses them by default (unless the inheritance chain is broken). Our advice is to try to find general enough permissions so that you do not need to break the inheritance chain too often.

When you grant site permissions you can use AD groups, AD users and SharePoint groups. You can either add users to one of the SharePoint groups or grant the permissions directly (i.e. attach a permission level to the user or group). I’m not sure why Microsoft recommends granting permissions through SharePoint groups, because in many cases it makes little sense. Probably because of the in-built functionality attached to SharePoint groups, or because with SharePoint groups you are able to move your site more easily to a different domain (for example from development to a cloud service; BPOS anyone?). Our advice is to go with SharePoint groups or grant directly, but try not to overuse SharePoint groups as it only causes confusion in the end.

Here is a screenshot of the SharePoint site level permission granting screen (this exact same functionality is also used at the other levels described below):

Each sub-site can break the permission inheritance chain and specify its own permissions, just like you specify them in the root site.
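The three preceding sections (permission levels, SharePoint groups and site permissions) fit together as one procedure: define the level, create the group, bind the two at the root site so that everything below inherits it. The script below is an added example, not code from the original post, that does exactly that, creating a "Contribute Without Delete" level as a copy of Contribute minus the delete rights rather than modifying the built-in level. It assumes the SharePoint 2010 Management Shell on a farm server and a root web whose role definitions are not inherited; the URL, level name, group name and AD group are placeholders.

```powershell
# Added example (not from the original post). Assumes the SharePoint 2010
# Management Shell on a farm server; URL, names and the AD group are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$web = Get-SPWeb "http://intranet.contoso.local/sites/projects"   # root web
try {
    # 1. Permission level: copy Contribute, strip the delete rights, save as new.
    $levelName = "Contribute Without Delete"
    $level = $web.RoleDefinitions | Where-Object { $_.Name -eq $levelName }
    if ($level -eq $null) {
        $contribute = $web.RoleDefinitions["Contribute"]
        $level = New-Object Microsoft.SharePoint.SPRoleDefinition
        $level.Name = $levelName
        $level.Description = "Contribute minus DeleteListItems and DeleteVersions"
        $level.BasePermissions = $contribute.BasePermissions -band (-bnot (
            [Microsoft.SharePoint.SPBasePermissions]::DeleteListItems -bor
            [Microsoft.SharePoint.SPBasePermissions]::DeleteVersions))
        $web.RoleDefinitions.Add($level)          # works on the root web only
        $level = $web.RoleDefinitions[$levelName]
    }

    # 2. SharePoint group: site-collection scoped; the members are AD principals.
    $groupName = "Project Contributors"
    $group = $web.SiteGroups | Where-Object { $_.Name -eq $groupName }
    if ($group -eq $null) {
        $web.SiteGroups.Add($groupName, $web.AssociatedOwnerGroup, $web.Site.Owner,
            "Contributors who must not delete")
        $group = $web.SiteGroups[$groupName]
    }
    $group.AddUser($web.EnsureUser("CONTOSO\Project Team"))   # an AD group as member

    # 3. Site permissions: bind group and level at the root web. Every sub-site,
    #    list, folder and item that still inherits picks this up automatically.
    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
    $assignment.RoleDefinitionBindings.Add($level)
    $web.RoleAssignments.Add($assignment)

    # 4. Read back what is now granted at the root web.
    foreach ($ra in $web.RoleAssignments) {
        $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
        "{0,-40} {1}" -f $ra.Member.Name, $levels
    }
} finally {
    $web.Dispose()
}
```

Rights in SharePoint are additive: a user who is in this group and also in a group holding Contribute gets the union of both levels, delete included, so a "no delete" level only works when the same people are not also granted the broader level elsewhere on the same object.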

Library or List Permissions

Library and list permissions can be managed through the list settings. The management works exactly the same as with site permissions: first you break the inheritance chain, then you start to manage the individual list’s or library’s permissions. You can grant rights to AD users, AD groups and SharePoint groups. By default libraries and lists inherit their permissions from the parent site.

Lists and libraries also have some other security related features.

For example you can control Draft Item Security:

You can also control item/document scheduling, and enable audience targeting and content approval (with or without workflows):
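Breaking inheritance on a list and tightening draft item security are two settings that are easy to get subtly wrong from the UI, because breaking inheritance copies the parent's assignments as a starting point. The script below is an added example, not code from the original post: it breaks inheritance on one library, removes every copied assignment except two named groups, turns on content approval and restricts drafts to approvers, then reads the result back. It assumes the SharePoint 2010 Management Shell on a farm server; the URL, library name and group names are placeholders.

```powershell
# Added example (not from the original post). Assumes the SharePoint 2010
# Management Shell on a farm server; URL, library and group names are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$web = Get-SPWeb "http://intranet.contoso.local/sites/hr"
try {
    $list = $web.Lists["Salary Reviews"]

    # 1. Stop inheriting from the site. $true copies the site's assignments as a
    #    starting point; $false would leave the list with no assignments at all.
    if (-not $list.HasUniqueRoleAssignments) {
        $list.BreakRoleInheritance($true)
    }

    # 2. Trim the copied assignments down to the groups that actually need access.
    #    @(...) snapshots the collection because Remove() modifies it.
    $keep = @("HR Managers", "HR Owners")
    foreach ($ra in @($list.RoleAssignments)) {
        if ($keep -notcontains $ra.Member.Name) {
            $list.RoleAssignments.Remove($ra.Member)
        }
    }

    # 3. Draft item security: require approval before readers see an item, and
    #    show unapproved drafts only to approvers (and the item's author).
    $list.EnableModeration = $true
    $list.DraftVersionVisibility = [Microsoft.SharePoint.DraftVisibilityType]::Approver
    $list.Update()

    # 4. Read back.
    "Unique permissions: {0}; moderation: {1}; drafts visible to: {2}" -f `
        $list.HasUniqueRoleAssignments, $list.EnableModeration, $list.DraftVersionVisibility
    foreach ($ra in $list.RoleAssignments) {
        $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
        "{0,-30} {1}" -f $ra.Member.Name, $levels
    }
} finally {
    $web.Dispose()
}
```

Step 2 is the part the UI makes easy to forget: after "Stop Inheriting Permissions" every group from the site is still on the list until it is removed, so a library that was meant to be restricted is not restricted until that trimming has happened.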

Folder or Document Set Permissions

As with library and site permissions, folders and document sets can be given their own permissions by breaking the permission inheritance chain.

Document set and folder permissions can be accessed from the drop-down menu:

Additional Resources:

  • Consult the links provided in Library or List Permissions

Document or Item Permissions

The last level in the SharePoint site structure hierarchy is the document or item. Document and item permissions can also be granted just like you did with the structures above it (folders, libraries, sites…).

You can access the document and item level permission settings page directly from the object you are interested in:
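Because inheritance can be broken at every level described above (sub-site, list, folder or document set, item), the practical question on an existing site is where it has already been broken. The script below is an added example, not code from the original post: it walks one site collection and emits a row for every securable object with unique permissions, listing who holds which level there. It assumes the SharePoint 2010 Management Shell on a farm server; the site URL is a placeholder, and the function names are mine.

```powershell
# Added example (not from the original post). Assumes the SharePoint 2010
# Management Shell on a farm server; the site URL is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Describe one securable object (web, list, folder or item) as a report row.
function New-PermissionRow([string]$Kind, [string]$Url, $Securable) {
    $assignments = @($Securable.RoleAssignments | ForEach-Object {
        $levels = ($_.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join "/"
        "{0}=[{1}]" -f $_.Member.Name, $levels
    })
    New-Object PSObject -Property @{
        Kind = $Kind; Url = $Url; Assignments = ($assignments -join "; ")
    }
}

# Walk a site collection and report every object that broke inheritance.
function Get-BrokenInheritanceReport([string]$SiteUrl) {
    $site = Get-SPSite $SiteUrl
    try {
        foreach ($web in $site.AllWebs) {
            try {
                if ($web.HasUniqueRoleAssignments) { New-PermissionRow "Web" $web.Url $web }
                foreach ($list in $web.Lists) {
                    if ($list.Hidden) { continue }
                    if ($list.HasUniqueRoleAssignments) {
                        New-PermissionRow "List" $list.RootFolder.ServerRelativeUrl $list
                    }
                    # Folders (document sets included) are folder items; SPList.Items
                    # returns the non-folder items from every folder.
                    foreach ($folder in $list.Folders) {
                        if ($folder.HasUniqueRoleAssignments) { New-PermissionRow "Folder" $folder.Url $folder }
                    }
                    foreach ($item in $list.Items) {
                        if ($item.HasUniqueRoleAssignments) { New-PermissionRow "Item" $item.Url $item }
                    }
                }
            } finally {
                $web.Dispose()
            }
        }
    } finally {
        $site.Dispose()
    }
}

Get-BrokenInheritanceReport "http://intranet.contoso.local/sites/projects" |
    Format-Table Kind, Url, Assignments -AutoSize -Wrap
```

Two things to keep in mind when reading the output: checking every item of a large list is slow, so run it outside business hours or scope it to one web; and a principal that appears only with "Limited Access" on a web or list is SharePoint's own bookkeeping for someone granted rights on a child object further down, not a grant made by an administrator.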

Additional Resources:

  • Consult the links provided in Library or List Permissions

Miscellaneous Security and Permission Features

Web Part security settings can be configured at the web application level:

SharePoint Designer permissions can be controlled with web application level settings:

See also: Managing SharePoint Designer 2010

Browser File Handling and Web Page Security Validation can be controlled at the web application level:

See Also: Security Validation and Making Posts to Update Data

You can also control the blocked file types list (i.e. restrict uploading of certain file types):

See Also: Manage blocked file types (SharePoint Server 2010)

Self-Service Site Creation, which is basically used for My Sites, is a way to give users permission to create new site collections under certain URL namespaces. It is controlled through the Central Administration web site, and the setting is per web application:

See Also: Turn on or turn off self-service site creation (SharePoint Server 2010)

With SharePoint auditing features you can gather logs and get reports on what users have been doing in the site collection:
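Blocked file types and auditing are the two settings in this list that a defender most often wants to script, so that they are applied consistently and the audit log is actually read. The script below is an added example, not code from the original post: it adds extensions to a web application's blocked list, enables security-change and delete auditing on one site collection, and pulls the last seven days of permission-related audit events into a table. It assumes the SharePoint 2010 Management Shell on a farm server; the URLs are placeholders and the extensions are constructed examples rather than a recommended list.

```powershell
# Added example (not from the original post). Assumes the SharePoint 2010
# Management Shell on a farm server; URLs and the extension list are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webApp = Get-SPWebApplication "http://intranet.contoso.local"

# 1. Blocked file types are per web application and matched on the extension.
foreach ($ext in @("hta", "scr", "ps1")) {
    if (-not $webApp.BlockedFileExtensions.Contains($ext)) {
        $webApp.BlockedFileExtensions.Add($ext)
    }
}
$webApp.Update()
"Blocked: {0}" -f (($webApp.BlockedFileExtensions | Sort-Object) -join ", ")

# 2. Turn on auditing of security changes and deletions for one site collection.
$site = Get-SPSite "http://intranet.contoso.local/sites/hr"
try {
    $site.Audit.AuditFlags = [Microsoft.SharePoint.SPAuditMaskType]::SecurityChange `
        -bor [Microsoft.SharePoint.SPAuditMaskType]::Delete
    $site.Audit.Update()

    # 3. Read the last 7 days of permission-related events out of the audit log.
    $query = New-Object Microsoft.SharePoint.SPAuditQuery($site)
    $query.SetRangeStart((Get-Date).AddDays(-7))
    $securityEvents = @("SecurityGroupMemberAdd", "SecurityGroupMemberDel",
                        "SecurityRoleBindUpdate", "SecurityRoleBindBreakInherit",
                        "SecurityRoleDefModify", "AuditMaskChange")
    $site.Audit.GetEntries($query) |
        Where-Object { $securityEvents -contains $_.Event.ToString() } |
        ForEach-Object {
            # The entry stores only the user id; resolve it, falling back to the id
            # when the account has since been removed from the site collection.
            $who = try { $site.RootWeb.SiteUsers.GetByID($_.UserId).LoginName } catch { "user #$($_.UserId)" }
            New-Object PSObject -Property @{
                When = $_.Occurred; Who = $who; Event = $_.Event; Where = $_.DocLocation
            }
        } |
        Sort-Object When |
        Format-Table When, Who, Event, Where -AutoSize
} finally {
    $site.Dispose()
}
```

`AuditMaskChange` is included on purpose: someone turning auditing off is itself an event worth seeing, and it is the last one that will be recorded if the flags are cleared.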

This is a little bit unrelated to security, but as a note, SharePoint also has a two-level recycle bin:

See also: Plan to protect content by using recycle bins and versioning (SharePoint Server 2010)

What Was Not Covered in This Article

There is also Windows Rights Management Services integration in SharePoint… let’s discuss that in a separate article, or give us a link to some article that discusses SharePoint/RMS integration! We could also talk a little about SharePoint managed accounts, but those are more of an infrastructure matter. And what about the security settings that some SharePoint services contain? As you can see, SharePoint is a very flexible platform in these kinds of things, but this flexibility comes with a price. That price is complexity. Hopefully this article clears up some of it.

Other things we didn’t discuss that are somewhat related to security include, for example:

Whether to use AD Groups or SharePoint Groups as a Main Mechanism to Grant Rights?

Well, everything starts from Active Directory. If Active Directory is a mess, it should be fixed before designing how to manage rights in SharePoint. A well maintained Active Directory also benefits the other applications that integrate with AD (for example normal file sharing and NTFS permissions, or systems like Microsoft CRM).

Use SharePoint groups sparingly. Try to utilize the predefined SharePoint groups that are created in SharePoint sites, if possible. Think twice before defining new web application policies or site collection permission levels, and create new ones only if there isn’t a better way around it.

Final Words

Please give us comments and feedback! We will probably come back and update this article in the future.

426 comments to “SharePoint Security and Permission System Overview”

  1. Andy G says:

    Great overview. This is something even my clients will find easy to understand!

  2. Deb says:

    In SharePoint 2007, if someone did not have access to a library it would not even show in the list on the quick launch bar. I am not finding this to be the case in SharePoint 2010. Is there a way to make it not show to those that do not have access so it is not even a choice?
    Thank you in advance.

  3. Nuno Aragão says:

    Good Overview. Can you cover how to configure, and what permission level is required to access “system pages” located at _vti_bin, and access to WebServices ?

  4. Dave Sampson says:

    You rock! This was exactly what I was looking for! Thanks so much!

  5. jigar patel says:

    We are developing a public facing site on SharePoint where people will come and register themselves. So what will be used for user registration and authentication in that case, as AD won’t work?

  6. Cris says:

    Is there any good way to view all site permissions by user and groups? I’m new to this site and this job and there are a lot of broken inheritances and explicitly assigned permissions on this site. Before it gets out of control, I would like to see what is out there on a macro basis. So far I haven’t been able to determine a way to do this. I am not the server admin, but if the ‘option’ is in MOSS I can ask them to export (if that is a solution) for me.

  7. This is awesome. Very complete, clear and concise. It is the best summary and most comprehensive explanation of permissions I’ve ever read. I have referred many SharePoint folks to this article and site. Many thanks!

  8. Sai says:

    Great article.
    Good job.

  9. Osama Hamdan says:

    Very good overview. This is exactly what I was hoping to find: simple, complete and concise.
    Many thanks.

  10. Junwei Lv says:

    Great article, I read it and took action! I am new to SharePoint 2010, thanks for sharing.

  11. Most of this seems to be tied to allowing access to sites and documents by team members or valid users who are part of the organization. How do you let someone, like a client, who is not a user have access to documents, etc. on SharePoint?

  12. para kazanma says:

    ” I’ve ever read. I have referred many SharePoint folks to this article and site. Many thanks!”

  13. Patrick says:

    Well documented article.
    Thanks you for the good work

  14. Hala says:

    Thank you for your effort

  15. Christin says:

    Amazing, exactly what I was looking for. Thank you guys, this will help me a lot.

  16. Mitch says:

    What about Calendar groups? I used Domain Users, thinking everybody would see it, and it turns out nobody can. I’ve also tried adding groups (security groups in AD), no luck; distribution lists (in AD), no luck. Any ideas how to get a group calendar to show up on everybody’s calendars?

  17. Tanuj Kumar says:

    This is one of the best articles so far I have read online. No crap, just useful information. Very well presented. It’s really helpful for beginners as well as developers. This link is also helpful, check it out..

    It also helped me a lot in completing my task.


  18. Seema says:


    I have created a claims based SharePoint application using this link

    every thing goes fine i mean if we assign all the users coming from the ACS tokenissuer rights as a whole,

    but i dont want to do so

    i want to assign the users permission in sharepoint 2010 on role basis to users coming from ADFS.

    Can you please help me how to do so

  19. what are the things which a cad software lacks? taking in view a textile designer

  20. SEO Pledge, the marketing wing of Canrock Ventures, is looking for web businesses interested in improving their organic traffic. We specialize in traffic generation with the use of SEO, SEM, and social media. Please contact us at our contact form on our site.

  21. Harry says:

    Good overview. Will you add a paragraph that speaks to conflicting group security? (or just send me an email please). What permissions win when a user is in two groups, “contribute no delete” and “Contribute”, and both groups are applied to a library, list or folder? Likewise, if a user is in a “view” group and is then added as full access at the user group, will they be able to delete and/or modify a document in a library or folder?

  22. My partner and I absolutely love your blog and find many
    of your posts to be exactly what I’m looking for.
    Can you offer guest writers to write content for you?
    I wouldn’t mind composing a post or elaborating on most of the subjects you write related to here. Again, awesome weblog!

    My web site … single speed road bikes

  23. I got this web page from my pal who informed
    me regarding this web page and at the moment this time I am visiting
    this web page and reading very informative content at this time.

  24. Felipe says:

    I’ve read several just right stuff here. Definitely price bookmarking for revisiting. I wonder how a lot effort you set to create this type of wonderful informative site.

  25. Link exchange is nothing else however it is just placing
    the other person’s website link on your page at suitable place and other person will also do same in support of you.

  26. php, which is not a template) and replace it with the URL for your new image.
    Another benefit of purchasing the domain and hosting together is the support from your
    web hosting company. A lot of people write them for free, and they even let you see the programming code if you know how to read it and want
    to tweak them.

    Stop by my web blog: jarida wordpress free download

  27. cars says:

    Struggling to get your car paid off? Are you mad about the last deal you got?
    Perhaps you’re looking for an automobile now, and you’re not sure what to do differently.
    You’re in the same boat with many other people. Keep reading to find out information regarding what to do next time you enter a dealership.

  28. This software helps you customize nutrition dependant on your real age,
    weight, height, and metabolism. Except this is exactly what does happen, frequently in badly considered build muscle
    strategies. Then opt for ones cheapest way to help you feed those guns while using the Egg White peptids.

    my blog … Muscle Maximizer Review

  29. We do look at every one of the concepts you’ve provided in the post. There’re really effective and may undoubtedly get the job done. Nevertheless, a threads are too quick for beginners. May just you want stretch all of them a bit by next time period? Appreciate the particular write-up.

  30. Bin says:

    How can Enable Anonymous Access to Doc Library Sub Folders?

  31. Good post. I certainly appreciate this site. Stick with it!

  32. If some one wants expert view on the topic of blogging and site-building then i advise him/her to pay a visit this webpage, Keep up the nice work.

  33. It’s an remarkable paragraph in favor of all the online users; they will get benefit from it I am sure.

    Have a look at my website;

  34. says:

    Human growth hormone or HGH supplements are proposed for many
    who are having problems making use of their growth hormonal generation.
    Beside cardio, walking, and swimming, goes additionally to the health club to do lifting exercise.
    This increased oil production by the skin can
    lead to acne breakouts.

  35. Ahaa, its nice discussion regarding this
    article here at this blog, I have read all that, so now me also commenting at this place.

    Here is my web page: minecraft server

  36. Gerard says:

    wonderful put up, very informative. I ponder why the other
    specialists of this sector do not understand
    this. You should proceed your writing. I’m sure, you’ve a great readers’ base already!

  37. Hello! I just wanted to ask if you ever have any problems with hackers?
    My last blog (wordpress) was hacked and I ended up losing months of hard work due to no backup.
    Do you have any solutions to stop hackers?

  38. std exam says:

    Previous to the more important sections of her trunk.
    The use of teeth is definitely a NO – You can make something so great flip so bad
    in just seconds. Men have become tormented by ladies who are cruel.

    Feel free to visit my page std exam

  39. At this time I am ready to do my breakfast, later than having my breakfast coming again to read additional

    Check out my web site; GénéRateur de Clé Steam

  40. I love what you guys are up too. This sort of clever work
    and coverage! Keep up the fantastic works guys I’ve included you guys to our blogroll.

  41. Woah! I’m really enjoying the template/theme of this blog.
    It’s simple, yet effective. A lot of times it’s challenging to get that “perfect balance” between usability and visual appearance.
    I must say you’ve done a very good job with this.
    Additionally, the blog loads very quick for me on Safari.

    Outstanding Blog!

    Here is my web-site – does spanish fly work

  42. You really make it seem really easy with your presentation however
    I to find this matter to be really something that I believe
    I’d by no means understand. It sort of feels too complicated and very wide for me.

    I am looking forward on your subsequent put up, I
    will try to get the cling of it!

  43. Google says:

    I think the admin of this web page is really working hard for
    his website, for the reason that here every data is quality based data.

    My weblog; Google

  44. I’m no longer sure where you’re getting your info, however
    good topic. I needs to spend some time studying more or working out
    more. Thanks for excellent info I was in search of this info for my mission.

    Feel free to surf to my blog post – Cheap Coworking Space San Francisco

  45. It’s genuinely very complex in this busy life to listen news on TV, therefore
    I only use the web for that purpose, and take the hottest news.

  46. There are some normal mixtures like hamburger with sauce, horseradish sauce and mustard, presented with Yorkshire pudding – a
    dish produced out of prepared batter, broil – pork
    with “crackling” (fresh cooked pork skin). I’d give “Bollywood” only one of two
    possible points here, since although “-ollywood” can evoke only “Hollywood,” what the “B” stands for has to be learned.
    After deciding on menu, make three lists; one for the menu broken down into recipes for each dish; one for the grocery staples that can be
    bought ahead and one for the fresh items you need only a day or two before.

  47. esmd222x2sfa says:

    Hi there friends, its fantastic post regarding tutoringand entirely
    explained, keep it up all the time.

  48. If some one wishes to be updated with most recent technologies
    then he must be visit this web site and be up to date daily.
