SharePoint Security and Permission System Overview

September 1 2010 426 comments

SharePoint Permission and Security Mechanisms

From time to time our customers ask us how SharePoint security and permission features work and how they should be used. In this post we walk through the basic permission and security features of SharePoint. It is not intended to be a complete description of every security and permission related feature in SharePoint, but we try to gather all the essential pieces here. We took many screenshots to illustrate what each setting or feature means in practice; enjoy the ride ;-)

Farm Administrators

The Farm Administrators group is managed centrally via the SharePoint Central Administration web site:

By default, Farm Administrators include the SharePoint farm account, the SharePoint installation account and the BUILTIN\Administrators group. Farm Administrators have essentially “all rights” in the SharePoint farm (or at least the ability to grant those rights to themselves).

You can give Farm Administration rights to AD groups and AD users:

Authentication Providers

With authentication providers you control how users are authenticated in a web application. Here you can also enable or disable anonymous access and client integration, and control the client object model permission requirements, among other things:

Web Application Level Permission Policies

With web application level permission policies you control centrally, in Central Administration, what kind of permission policies apply to all site collections and sites under a specific web application. By default SharePoint gives us four predefined policies:

Our recommendation is not to edit the default policies but to create new ones if the out-of-the-box policies are not what you are looking for. A policy by itself does not grant any permissions unless you attach users or groups to it. Policies are only definitions of what a user who has been granted the policy can do in the entire web application. With web application policies you can either Grant or Deny a permission.

Here is an example of adding a new web application level permission policy:

Web Application Level User Policies

User Policy is where the magic happens at the web application level. A user policy is basically a mapping of an AD user or AD group to a certain Web Application Level Permission Policy. You can even define the Zone in which the policy is applied: for example, one policy for users who use the SharePoint sites from your internal network (intranet zone), another policy for those who access the sites through the public internet (internet zone), or simply apply it to “All Zones”. User policies are especially useful for service accounts, and in development/integration environments where you probably recreate site collections often (maybe with TFS autobuild scripts).

Here is a screenshot of applying the Manage Content policy to the Content Editors AD group:
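The two steps described above (a permission policy as the definition, a user policy as the mapping of an AD principal and zone to it) can be scripted instead of clicked through. The following is an added example, not code from the original post; it assumes the SharePoint 2010 Management Shell, classic (Windows) authentication, and placeholder values for the web application URL and the account names.

```powershell
# Added example (not from the original post). Run in the SharePoint 2010
# Management Shell on a farm server; URL and account names are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webApp = Get-SPWebApplication "http://intranet.contoso.local"   # placeholder

# 1. Permission policy (the definition): read-type rights granted, write-type
#    rights explicitly denied. A Deny in a policy wins over any Grant made
#    lower down (site, list, item), which is what makes policies useful for
#    fencing in accounts that must never change content.
$roleName = "Read Only Auditors"
$role = $webApp.PolicyRoles | Where-Object { $_.Name -eq $roleName }
if ($role -eq $null) {
    $role = $webApp.PolicyRoles.Add($roleName, "Custom policy: read everything, write nothing")
    $role.GrantRightsMask = [Microsoft.SharePoint.SPBasePermissions]::ViewListItems -bor
                            [Microsoft.SharePoint.SPBasePermissions]::ViewPages -bor
                            [Microsoft.SharePoint.SPBasePermissions]::Open
    $role.DenyRightsMask  = [Microsoft.SharePoint.SPBasePermissions]::AddListItems -bor
                            [Microsoft.SharePoint.SPBasePermissions]::EditListItems -bor
                            [Microsoft.SharePoint.SPBasePermissions]::DeleteListItems
    $role.Update()
}

# 2. User policy (the mapping): bind an AD group to the policy for the
#    Intranet zone only. "DOMAIN\group" is the classic-auth login form.
$intranetPolicies = $webApp.ZonePolicies([Microsoft.SharePoint.Administration.SPUrlZone]::Intranet)
$auditors = $intranetPolicies.Add("CONTOSO\SP-Auditors", "SharePoint auditors (AD group)")
$auditors.PolicyRoleBindings.Add($role)

# 3. The built-in Full Read policy for a service account, in all zones.
#    $webApp.Policies is the "All Zones" collection.
$fullRead = $webApp.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead)
$crawl = $webApp.Policies.Add("CONTOSO\svc-search-crawl", "Search crawl account")
$crawl.PolicyRoleBindings.Add($fullRead)

$webApp.Update()

# 4. Review: every user policy and the roles bound to it, zone by zone.
#    Worth running periodically, since policies override everything below them.
foreach ($zone in [Enum]::GetValues([Microsoft.SharePoint.Administration.SPUrlZone])) {
    foreach ($p in $webApp.ZonePolicies($zone)) {
        $bound = ($p.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ", "
        "{0,-9} {1,-35} {2}" -f $zone, $p.UserName, $bound
    }
}
```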

Web Application Level Anonymous Policy

You can also define a web application level policy for anonymous users through the Central Administration site (but here you can only choose from three predefined policies):

Web Application Level User Permissions

This is simply a checkbox list where you manage which permissions can be used in permission levels within the web application and its site collections (by default all boxes are checked, and in general we rarely need to modify the selection):

Site Collection Administrators

Site Collection Administrators have full control of a specific SharePoint site collection. You can only use AD users (not AD groups, at least through the UI) as site collection administrators (we don’t actually know why it is like that, do you?). In Central Administration you can define two users as site collection administrators, but in the site collection settings you can add more. Here is a screenshot of the Central Administration site collection administrators settings page:

Anonymous Access Permissions

You control which parts of your site anonymous users can access with the Anonymous Access setting:

Anonymous access can be restricted further by enabling the View Form Pages Lock Down feature. Our advice is to enable this feature on every public SharePoint site. For more about this feature and some other anonymous access suggestions, consult the following article:

Site Collection Level Permission Levels

Like the Web Application level permission policies, these are the actual permissions that SharePoint checks when a user accesses resources in a SharePoint site. This time only Grant is available (with Web Application Level Permission Policies you could use both Grant and Deny). Permission levels themselves are only definitions that group the more fine-grained permissions together into a more useful entity.

By default SharePoint has these permission levels defined in site collections (the levels can differ slightly depending on which features have been enabled in the site collection):

You can also define your own permission levels if the predefined levels do not match your requirements. As a general principle, it’s not a good idea to modify the predefined permission levels (it will only cause confusion). Custom permission levels are created in a similar fashion to web application level permission policies:

SharePoint Groups

SharePoint groups are a little like AD groups, but they are managed in SharePoint instead of Active Directory. SharePoint groups can be used to delegate rights management to the site owners instead of the system administrators. Whether this is a good thing or not… well, it depends on what you want to achieve. SharePoint groups are global to the whole site collection: you cannot create a SharePoint group that exists only at the (sub-)site level, and SharePoint groups cannot be used across site collections. One thing SharePoint groups support that AD groups do not is membership requests. You choose the group’s permission level at each place where you use the group. Basically a SharePoint group is just a collection of AD groups and AD users with attached permission level(s): while the permission level can differ from place to place, the membership is defined globally (site collection wide).

Here is a small clip of the group creation settings (not all settings are visible, but you get the idea):

SharePoint groups do not directly give any rights to AD users or AD groups (unless you use a predefined group that already has, for example, site level permissions attached to it). You have to use that group somewhere. Next we walk through all the places where you can use SharePoint groups, AD groups and AD users to actually grant permissions.

Site Permissions

Site permissions are where all permission management begins, more specifically the root site permissions (the root site is the top site in a site collection). These are the permissions that all sub-items (sub-sites, libraries and lists, folders and document sets, documents and items) inherit. That’s why it is important to design the site permissions carefully, as the whole site will use them by default (unless the inheritance chain is broken). Our advice is to try to find general enough permissions so that you do not need to break the inheritance chain too often.

When you grant site permissions you can use AD groups, AD users and SharePoint groups. You can either add users to one of the SharePoint groups or grant the permissions directly (i.e. attach a permission level to the user or group). I’m not sure why Microsoft recommends granting permissions through SharePoint groups, because in many cases it makes little sense. Probably because of the built-in functionality attached to SharePoint groups, or because with SharePoint groups you can move your site more easily to a different domain (for example from development to a cloud service, BPOS anyone?). Our advice: either go with SharePoint groups or grant directly, but try not to overuse SharePoint groups, as that only causes confusion in the end.

Here is a screenshot of the SharePoint site level permission granting screen (this exact same functionality is also used at the other levels described below):

Each sub-site can break the permission inheritance chain and specify its own permissions, just like you specify them in the root site.

Library or List Permissions

Library and list permissions are managed through the list settings. The management works exactly the same as with site permissions: first you break the inheritance chain, then you start managing the individual list’s or library’s permissions. You can grant rights to AD users, AD groups and SharePoint groups. By default, libraries and lists inherit their permissions from the parent site.

Lists and libraries also have some other security related features.

For example you can control Draft Item Security:

You can also control item/document scheduling, enable audience targeting and content approval (with or without workflows):

Folder or Document Set Permissions

As with library and site permissions, folders and document sets can be given their own permissions by breaking the permission inheritance chain.

Document set and folder permissions can be accessed from the drop-down menu:

Additional Resources:

  • Consult the links provided in Library or List Permissions

Document or Item Permissions

The last level in the SharePoint site structure hierarchy is the document or item. Document and item permissions can be granted just like for the structures above them (folders, libraries, sites…).

You can access document and item level permission settings page directly from the object you are interested in:

Additional Resources:

  • Consult the links provided in Library or List Permissions
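Because every level from site down to item can break inheritance, the practical question for the Site, Library/List, Folder and Item sections above is: where has it actually been broken, and who holds what there? The script below is an added example, not code from the original post; it assumes the SharePoint 2010 Management Shell and a placeholder site collection URL, and it also lists the site collection’s SharePoint groups with the delegation settings from the SharePoint Groups section.

```powershell
# Added example (not from the original post). Read-only: it reports, it
# does not change anything. Run in the SharePoint 2010 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# "principal -> permission level(s)" for any securable object; SPWeb,
# SPList and SPListItem all expose RoleAssignments the same way.
function Format-RoleAssignments($securable) {
    $securable.RoleAssignments | ForEach-Object {
        $levels = ($_.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join "/"
        $kind = if ($_.Member -is [Microsoft.SharePoint.SPGroup]) { "SPGroup" } else { "AD" }
        "{0}:{1} -> {2}" -f $kind, $_.Member.Name, $levels
    }
}

function New-Scope($type, $url, $securable) {
    New-Object PSObject -Property @{
        Type        = $type
        Url         = $url
        Assignments = @(Format-RoleAssignments $securable) -join "; "
    }
}

# Walk webs -> lists -> folders/document sets -> items and emit one record
# for every object whose inheritance chain has been broken.
function Get-UniquePermissionScopes([string]$siteUrl) {
    $site = Get-SPSite $siteUrl
    try {
        foreach ($web in $site.AllWebs) {
            # The root web always has unique assignments; sub-webs only if broken.
            if ($web.HasUniqueRoleAssignments) { New-Scope "Web" $web.Url $web }
            foreach ($list in $web.Lists) {
                if ($list.Hidden) { continue }          # skip hidden/system lists
                if ($list.HasUniqueRoleAssignments) {
                    New-Scope "List" $list.RootFolder.ServerRelativeUrl $list
                }
                # Document sets are folders, so they show up under Folders.
                # This enumerates every item; on very large lists prefer an
                # SPQuery with a row limit instead of $list.Items.
                foreach ($f in $list.Folders) {
                    if ($f.HasUniqueRoleAssignments) { New-Scope "Folder" $f.Url $f }
                }
                foreach ($i in $list.Items) {
                    if ($i.HasUniqueRoleAssignments) { New-Scope "Item" $i.Url $i }
                }
            }
            $web.Dispose()
        }
    } finally { $site.Dispose() }
}

# SharePoint groups are site-collection wide, so read them once from the
# root web, with the settings that matter for delegation: who may edit the
# membership and whether join/leave requests are accepted automatically.
function Get-SiteCollectionGroups([string]$siteUrl) {
    $site = Get-SPSite $siteUrl
    try {
        $site.RootWeb.SiteGroups | ForEach-Object {
            New-Object PSObject -Property @{
                Group       = $_.Name
                Members     = $_.Users.Count
                Owner       = $_.Owner.Name
                MembersEdit = $_.AllowMembersEditMembership
                AutoAccept  = $_.AutoAcceptRequestToJoinLeave
            }
        }
    } finally { $site.Dispose() }
}

$url = "http://intranet.contoso.local/sites/projects"    # placeholder URL
Get-UniquePermissionScopes $url | Format-Table Type, Url, Assignments -AutoSize -Wrap
Get-SiteCollectionGroups $url | Format-Table Group, Members, Owner, MembersEdit, AutoAccept -AutoSize
```

A long list of Folder and Item rows is the signal the text warns about: inheritance broken so often that the root site permissions no longer describe who can see what.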

Miscellaneous Security and Permission Features

Web Part security settings can be configured at web application level:

SharePoint Designer permissions can be controlled with web application level settings:

See also: Managing SharePoint Designer 2010

Browser File Handling and Web Page Security validation can be controlled at web application level:

See Also: Security Validation and Making Posts to Update Data

You can also control the blocked file types list (that is, restrict the upload of certain file types):

See Also: Manage blocked file types (SharePoint Server 2010)

Self-Service Site Creation, which is mainly used for My Sites, is a way to give users permission to create new site collections in certain URL namespaces. It is controlled through the Central Administration web site, and the setting is per web application:

See Also: Turn on or turn off self-service site creation (SharePoint Server 2010)

With the SharePoint auditing features you can gather logs and get reports on what users have been doing in the site collection:

This is a little unrelated to security, but as a note, SharePoint also has a two-level recycle bin:

See also: Plan to protect content by using recycle bins and versioning (SharePoint Server 2010)
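The web application settings in this section, plus the anonymous access lockdown advised earlier, are easy to drift away from a baseline once several administrators have access. The following is an added example, not code from the original post: a read-only check that reports deviations. It assumes the SharePoint 2010 Management Shell, a placeholder web application URL, and a constructed list of blocked extensions that you would replace with your own policy.

```powershell
# Added example (not from the original post). Reports only; nothing is changed.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-WebApplicationHardening([string]$webAppUrl) {
    $webApp = Get-SPWebApplication $webAppUrl
    $findings = @()

    # Browser File Handling: Permissive lets the browser render uploaded
    # HTML inline in the SharePoint origin; Strict forces a download instead.
    if ($webApp.BrowserFileHandling -ne [Microsoft.SharePoint.SPBrowserFileHandling]::Strict) {
        $findings += "BrowserFileHandling is $($webApp.BrowserFileHandling); expected Strict"
    }

    # Blocked file types: constructed baseline, replace with your own policy.
    $expected = "exe", "dll", "vbs", "bat", "cmd", "ps1", "hta"
    $missing = $expected | Where-Object { -not $webApp.BlockedFileExtensions.Contains($_) }
    if ($missing) { $findings += "BlockedFileExtensions missing: " + ($missing -join ",") }

    # Self-Service Site Creation hands out whole site collections; flag when on.
    if ($webApp.SelfServiceSiteCreationEnabled) { $findings += "SelfServiceSiteCreation is enabled" }

    # The two-level recycle bin is what keeps deleted content recoverable.
    if (-not $webApp.RecycleBinEnabled) { $findings += "Recycle bin is disabled" }

    foreach ($site in $webApp.Sites) {
        try {
            # Anonymous access without the View Form Pages Lock Down feature
            # leaves list views and forms browsable by anonymous users.
            $anonOn = $site.RootWeb.AnonymousState -ne [Microsoft.SharePoint.SPWeb+WebAnonymousState]::Disabled
            if ($anonOn) {
                $lockdown = Get-SPFeature -Site $site -Identity ViewFormPagesLockDown -ErrorAction SilentlyContinue
                if ($lockdown -eq $null) {
                    # Remediation (not run here):
                    #   Enable-SPFeature -Identity ViewFormPagesLockDown -Url $site.Url
                    $findings += "$($site.Url): anonymous access enabled without ViewFormPagesLockDown"
                }
            }
            # No audit flags means no trail of what users did in the site collection.
            if ($site.Audit.AuditFlags -eq [Microsoft.SharePoint.SPAuditMaskType]::None) {
                $findings += "$($site.Url): auditing is off"
            }
        } finally { $site.Dispose() }
    }
    $findings
}

Test-WebApplicationHardening "http://www.contoso.local"    # placeholder URL
```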

What Was Not Covered in This Article

There is also Windows Rights Management Services integration in SharePoint… let’s discuss that in a separate article, or give us a link to an article that discusses SharePoint/RMS integration! We could also talk a little about SharePoint managed accounts, but those are more on the infrastructure side. And what about the security settings that some SharePoint services contain? As you can see, SharePoint is a very flexible platform in these kinds of things, but that flexibility comes at a price, and that price is complexity. Hopefully this article clears up some of it.

Other things we did not discuss that are somewhat related to security include, for example:

Whether to use AD Groups or SharePoint Groups as a Main Mechanism to Grant Rights?

Well, everything starts with Active Directory. If Active Directory is a mess, it should be fixed before designing how rights are managed in SharePoint. If Active Directory is well maintained, it also benefits the other applications that integrate with AD (for example normal file sharing and NTFS permissions, or systems like Microsoft CRM).

Use SharePoint groups sparingly. Try to use the predefined SharePoint groups that are created in SharePoint sites, if possible. Think twice before defining new web application policies or site collection permission levels, and create new ones only if there isn’t a better way around it.

Final Words

Please give us comments and feedback! We will probably come back and update this article in the future.
