SharePoint Security and Permission System Overview

September 1 2010 424 comments

SharePoint Permission and Security Mechanisms

From time to time our customers ask us how SharePoint security and permission features work and how they should be used. In this post we walk through the basic permission and security features of SharePoint 2010. It is not intended to be a complete description of every security- and permission-related feature, but we try to gather the essential pieces here. We took many screenshots to illustrate what each setting or feature means in practice; enjoy the ride ;-)

Additional Resources:

Farm Administrators

The Farm Administrators group is managed centrally via the SharePoint Central Administration web site:

By default Farm Administrators includes the SharePoint farm account, the SharePoint installation (setup) account and the local BUILTIN\Administrators group, which means that every local administrator on any farm server is also a farm administrator. Farm Administrators have basically "all rights" in the SharePoint farm, or at least the ability to get them: a farm administrator does not automatically see site content, but can add a web application user policy or make themselves site collection administrator from Central Administration, so membership of this group should be kept small and reviewed regularly.

You can give Farm Administration rights to AD groups and AD users:
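As an added example (not from the original post), the following script lists the current Farm Administrators and points out the entries that widen the group beyond named people. It assumes the SharePoint 2010 Management Shell on a farm server; the Farm Administrators group is an ordinary SharePoint group in the Central Administration site collection, which is why it can be read through the SPGroup object model.

```powershell
# Added example: enumerate Farm Administrators and flag the entries that
# are not individual AD users. Run in the SharePoint 2010 Management Shell.
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# The Farm Administrators group lives in the Central Administration site
# collection, so it is read like any other SharePoint group.
$caWebApp = Get-SPWebApplication -IncludeCentralAdministration |
    Where-Object { $_.IsAdministrationWebApplication }
$caSite = $caWebApp.Sites[0]
try {
    $farmAdmins = $caSite.RootWeb.SiteGroups["Farm Administrators"]

    $farmAdmins.Users | ForEach-Object {
        $note = ""
        if ($_.LoginName -ieq "BUILTIN\Administrators") {
            # Default entry: every local admin on every farm server is a farm admin.
            $note = "local administrators on ALL farm servers"
        } elseif ($_.IsDomainGroup) {
            # Membership is controlled in AD; SharePoint cannot show who is inside.
            $note = "AD group: members managed in Active Directory"
        }
        [PSCustomObject]@{
            Login   = $_.LoginName
            IsGroup = $_.IsDomainGroup
            Note    = $note
        }
    } | Format-Table -AutoSize
} finally {
    $caSite.Dispose()
}
```

Run it after every farm change; an unexpected AD group here is the quickest way to end up with far more farm administrators than anyone intended.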

Additional Resources:

Authentication Providers

Authentication providers control how the users of a web application are authenticated, per zone. Here you can also enable or disable anonymous access and client integration, and control the client object model permission requirements, among other things:

Additional Resources:

Web Application Level Permission Policies

With web application level permission policies you can control centrally, in Central Administration, which permission policies apply to all site collections and sites under a specific web application. By default SharePoint gives us four predefined policies: Full Control, Full Read, Deny Write and Deny All.

Our recommendation is not to edit the default policies but to create new ones if the out-of-the-box policies are not what you are looking for. A policy by itself does not grant anything; it is only a definition of what a user or group attached to it can do in the entire web application. A web application policy can both Grant and Deny permissions, and a Deny overrides every Grant made lower down (site, list or item level). That makes it the right tool for "this account must never write here" rules, and it also means that a misplaced Deny All locks a principal out of a whole web application regardless of what site owners have granted.

Here is an example of adding a new web application level permission policy:

Additional Resources:

Web Application Level User Policies

User policy is where the magic happens at the web application level. A user policy maps an AD user or AD group to a web application level permission policy. You can also define the zone in which the policy applies: for example one policy for users who reach the sites from your internal network (Intranet zone) and another for those who come in through the public internet (Internet zone), or apply it to "All Zones". User policies are especially useful for service accounts (the search crawl account, for example, gets its Full Read through a user policy) and in development/integration environments where site collections are recreated often (perhaps with TFS autobuild scripts). Keep in mind that a user policy does not appear on any site's Site Permissions page, so a site owner can neither see nor revoke it; review the policies in Central Administration regularly.

Here is a screenshot of applying Manage Content -policy to Content Editors AD group:
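The following script is an added example, not code from the original post, covering both the permission policy and the user policy sections above. It creates a custom permission policy instead of editing a built-in one, binds it to principals for all zones and for the Internet zone only, and then lists every policy so that the "silent" grants and denies can be reviewed. The web application URL, the policy name "Read and Enumerate Only" and the CONTOSO principals are assumptions; the object model calls (SPWebApplication.PolicyRoles, Policies, ZonePolicies) are the real SharePoint 2010 API.

```powershell
# Added example: custom web application permission policy plus user policies per zone.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$wa = Get-SPWebApplication "http://intranet.contoso.local"   # assumed URL
$bp = [Microsoft.SharePoint.SPBasePermissions]

# 1. Define a new permission policy rather than editing the four built-in ones.
$roleName = "Read and Enumerate Only"                           # assumed name
$role = $wa.PolicyRoles | Where-Object { $_.Name -eq $roleName }
if (-not $role) {
    $role = $wa.PolicyRoles.Add($roleName, "Read everything, never write (custom policy)")
    $role.GrantRightsMask = $bp::ViewListItems -bor $bp::ViewPages -bor
                            $bp::Open -bor $bp::EnumeratePermissions
    # A Deny here beats any Grant made at site, list or item level.
    $role.DenyRightsMask  = $bp::AddListItems -bor $bp::EditListItems -bor
                            $bp::DeleteListItems
}

# 2. Attach principals. "All zones" policies live in $wa.Policies; a zone-specific
#    policy only applies to requests that arrive through that zone's URL.
$allZones = $wa.Policies
$internet = $wa.ZonePolicies([Microsoft.SharePoint.Administration.SPUrlZone]::Internet)

if (-not ($allZones | Where-Object { $_.UserName -ieq "CONTOSO\svc-audit" })) {
    $p = $allZones.Add("CONTOSO\svc-audit", "Audit service account")   # assumed account
    $p.PolicyRoleBindings.Add($role)
}
if (-not ($internet | Where-Object { $_.UserName -ieq "CONTOSO\Partners" })) {
    $p = $internet.Add("CONTOSO\Partners", "External partners, Internet zone only")
    $p.PolicyRoleBindings.Add($role)
}
$wa.Update()

# 3. Review: these bindings never show up in Site Permissions, so list them here.
function Show-Policy($zoneLabel, $policy) {
    $bindings = ($policy.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ", "
    "{0,-10} {1,-30} {2}" -f $zoneLabel, $policy.UserName, $bindings
}
foreach ($p in $wa.Policies) { Show-Policy "All zones" $p }
foreach ($zone in [Enum]::GetValues([Microsoft.SharePoint.Administration.SPUrlZone])) {
    foreach ($p in $wa.ZonePolicies($zone)) { Show-Policy $zone $p }
}
```

The review loop at the end is the part worth scheduling: a Full Control user policy added "temporarily" for a deployment account is invisible to every site owner until someone looks here.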

Additional Resources:

Web Application Level Anonymous Policy

You can also define a web application level anonymous users' policy in Central Administration, but only by choosing one of three predefined policies (None, Deny Write or Deny All):

Additional Resources:

Web Application Level User Permissions

This is just a checkbox list where you manage which individual permissions can be used in the permission levels of a web application and its site collections. By default all checkboxes are checked, and in general we rarely need to modify the selection; unchecking a permission removes it from every permission level in the web application, including the custom ones:

Site Collection Administrators

Site Collection Administrators have full control over a specific SharePoint site collection. You can only use AD users (not AD groups, at least through the UI) as site collection administrators (we don't actually know why it is like that; do you?). In Central Administration you can define two users (primary and secondary) as site collection administrators, while in Site Settings you can add more. Here is a screenshot of the Central Administration site collection administrators settings page:

Additional Resources:

Anonymous Access Permissions

You can control which parts of your site anonymous users can access with the Anonymous Access setting (entire web site, lists and libraries only, or nothing):

Anonymous access can be further restricted by enabling the View Form Pages Lock Down feature. It is a hidden site collection feature (ViewFormPagesLockDown) that is activated from the command line, and it removes the rights to view form pages and to use the remote APIs from the Limited Access permission level, so that anonymous users cannot browse list forms such as AllItems.aspx or enumerate content through the web services. If anonymous access was already enabled on the site when the feature is activated, turn anonymous access off and on again for the change to take effect. Our advice is to enable this feature on every public SharePoint site. For more about this feature and some other anonymous access suggestions, please consult the following article:
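As an added example (not part of the original post), this script activates the lock-down feature on a public site collection and then verifies, per site, what anonymous users get and whether Limited Access still carries the two rights the feature is supposed to strip. The site collection URL is an assumption; the feature name and the SPRoleType.Guest mapping to Limited Access are real.

```powershell
# Added example: enable ViewFormPagesLockDown and verify the Limited Access level.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$siteUrl = "http://www.contoso.com"          # assumed public site collection
$bp = [Microsoft.SharePoint.SPBasePermissions]

# The feature is hidden, so it is activated from the shell, not from Site Settings.
Enable-SPFeature -Identity ViewFormPagesLockDown -Url $siteUrl -ErrorAction SilentlyContinue

$site = Get-SPSite $siteUrl
try {
    foreach ($web in $site.AllWebs) {
        # Limited Access is the SPRoleType.Guest definition. After lock-down it must
        # no longer contain ViewFormPages or UseRemoteAPIs.
        $limited = $web.RoleDefinitions.GetByType([Microsoft.SharePoint.SPRoleType]::Guest)
        $viewForms = ($limited.BasePermissions -band $bp::ViewFormPages) -ne 0
        $remoteApi = ($limited.BasePermissions -band $bp::UseRemoteAPIs) -ne 0

        [PSCustomObject]@{
            Web                    = $web.Url
            # Disabled = none, Enabled = lists and libraries only, On = entire web site
            AnonymousAccess        = $web.AnonymousState
            LimitedCanViewForms    = $viewForms
            LimitedCanUseRemoteApi = $remoteApi
            LockedDown             = (-not $viewForms) -and (-not $remoteApi)
        }
        $web.Dispose()
    }
} finally {
    $site.Dispose()
}
```

If LockedDown comes back False on a site where anonymous access is already On, disable and re-enable anonymous access on that site and run the check again.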

Site Collection Level Permission Levels

Like web application level permission policies, these are the actual permissions SharePoint checks when a user accesses resources in a SharePoint site. At this level there is Grant only (in web application level permission policies you could use both Grant and Deny). In themselves permission levels are just definitions that group the fine-grained base permissions into more useful units.

By default SharePoint has these permission levels defined in site collections (the set can differ a little depending on which features have been enabled in a site collection; a team site has Full Control, Design, Contribute, Read and the hidden Limited Access, and the publishing features add Approve, Manage Hierarchy, Restricted Read and View Only):

You can also define your own permission levels if the predefined levels do not match the requirements. As a general principle it is not a good idea to modify the predefined permission levels (it only causes confusion); copy an existing level and adjust the copy instead. Custom permission levels are created in a similar fashion to web application level permission policies:
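The following is an added example (not from the original post) of the "copy, don't modify" advice: it creates a custom permission level from the built-in Contribute level with the delete rights removed, and then prints what every level in the site collection actually grants. The site URL and the level name "Contribute without Delete" are assumptions; note that permission levels belong to the root web of the site collection.

```powershell
# Added example: create a custom permission level by copying Contribute.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$bp = [Microsoft.SharePoint.SPBasePermissions]
# Role definitions live on the root web; a sub-site that inherits permissions has none of its own.
$web = Get-SPWeb "http://intranet.contoso.local"              # assumed root web URL
try {
    $name = "Contribute without Delete"                        # assumed level name
    if (-not ($web.RoleDefinitions | Where-Object { $_.Name -eq $name })) {
        $contribute = $web.RoleDefinitions.GetByType([Microsoft.SharePoint.SPRoleType]::Contributor)

        # Start from Contribute's mask and clear only the two delete bits.
        $remove = [long]$bp::DeleteListItems -bor [long]$bp::DeleteVersions
        $mask   = [long]$contribute.BasePermissions -band (-bnot $remove)

        $def = New-Object Microsoft.SharePoint.SPRoleDefinition
        $def.Name            = $name
        $def.Description     = "Contribute, but items and versions cannot be deleted"
        $def.BasePermissions = [Microsoft.SharePoint.SPBasePermissions]$mask
        $web.RoleDefinitions.Add($def)
    }

    # Show every level, built-in and custom, with the rights it really contains.
    foreach ($rd in $web.RoleDefinitions) {
        [PSCustomObject]@{
            Level  = $rd.Name
            Hidden = $rd.Hidden         # Limited Access is hidden from the UI
            Rights = $rd.BasePermissions
        }
    }
} finally {
    $web.Dispose()
}
```

The listing at the end is the check to run before and after any change: if a built-in level such as Contribute ever shows a different mask than on a fresh site collection, somebody edited it in place.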

Additional Resources:

SharePoint Groups

SharePoint groups are a little like AD groups, but they are managed in SharePoint instead of Active Directory. SharePoint groups can be used to delegate rights management to the site owners instead of the system administrators; whether this is a good thing or not depends on what you want to achieve. SharePoint groups are global to the whole site collection: you cannot create a SharePoint group that exists only at (sub-)site level, and a group cannot be used across site collections. One thing SharePoint groups support that AD groups do not is membership requests. The permission level attached to a group is chosen wherever the group is used, so basically a SharePoint group is just a collection of AD groups and AD users to which permission level(s) are attached. While the permission level can differ from place to place, the members are defined globally (site collection wide).

Here is a small clipping of Group creation settings (not all settings are visible, but you get an idea):

SharePoint groups do not directly give any rights to AD users or AD groups (unless you use a predefined group that already has, for example, site-level permissions attached to it). You have to use the group somewhere. Next we walk through all the places where you can use SharePoint groups, AD groups and AD users to actually grant permissions.

Additional Resources:

Site Permissions

Site permissions are where all the permission management begins, more specifically the root site permissions (the root site is the top-level site in a site collection). These are the permissions that all sub-items (sub-sites, libraries and lists, folders and document sets, documents and items) inherit. That is why it is important to design the site permissions carefully, as the whole site collection uses them by default (unless the inheritance chain is broken). Our advice is to find general enough permissions so that you do not need to break the inheritance chain too often: every broken chain is one more place that has to be reviewed.

When you grant site permissions you can use AD groups, AD users and SharePoint groups: either add users to one of the SharePoint groups, or grant the permissions directly (i.e. attach a permission level to the user or group). We are not sure why Microsoft recommends granting permissions through SharePoint groups, because in many cases it makes little sense. Probably because of the built-in functionality attached to SharePoint groups, or because a site that uses SharePoint groups is easier to move to a different domain (for example from development to a cloud service; BPOS, anyone?). Our advice is to go with SharePoint groups or grant directly, but not to overuse SharePoint groups, as that only causes confusion in the end.

Here is a screenshot of SharePoint site level permission granting screen (this exact same functionality is also used in other levels described below):

Each sub-site can break the permission inheritance chain and specify its own permissions, just as you specify them in the root site. Note that breaking inheritance copies the parent's current permissions as a starting point; anything granted at the parent afterwards no longer flows down to that sub-site.
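As an added example (not from the original post), the script below does on a sub-site what the screenshots in this section show in the UI: it breaks inheritance, grants Contribute through a SharePoint group and Read directly to an AD group, and then asks SharePoint for the effective rights of two accounts. The sub-site URL, the group name "Project Editors" and all CONTOSO principals are assumptions.

```powershell
# Added example: grant site permissions via a SharePoint group and directly, then verify.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$web = Get-SPWeb "http://intranet.contoso.local/projects"     # assumed sub-site URL
try {
    # 1. Stop inheriting. $true copies the parent's assignments as a starting point.
    if (-not $web.HasUniqueRoleAssignments) { $web.BreakRoleInheritance($true) }

    $read    = $web.RoleDefinitions.GetByType([Microsoft.SharePoint.SPRoleType]::Reader)
    $contrib = $web.RoleDefinitions.GetByType([Microsoft.SharePoint.SPRoleType]::Contributor)

    # 2a. Through a SharePoint group. The group is site-collection wide; the level
    #     attached to it here applies to this web only.
    $owner = $web.EnsureUser("CONTOSO\alice")                   # assumed group owner
    $group = $web.SiteGroups | Where-Object { $_.Name -eq "Project Editors" }
    if (-not $group) {
        $web.SiteGroups.Add("Project Editors", $owner, $owner, "Edits project content")
        $group = $web.SiteGroups["Project Editors"]
    }
    $group.AddUser($web.EnsureUser("CONTOSO\bob"))              # an AD user
    $group.AddUser($web.EnsureUser("CONTOSO\Engineering"))      # an AD group works too

    $ra = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
    $ra.RoleDefinitionBindings.Add($contrib)
    $web.RoleAssignments.Add($ra)

    # 2b. Directly to an AD group, with no SharePoint group in between.
    $ra2 = New-Object Microsoft.SharePoint.SPRoleAssignment($web.EnsureUser("CONTOSO\Sales"))
    $ra2.RoleDefinitionBindings.Add($read)
    $web.RoleAssignments.Add($ra2)
    $web.Update()

    # 3. Verify effective rights the way SharePoint evaluates them: through every
    #    group, AD group and policy the account reaches the web by.
    foreach ($login in "CONTOSO\bob", "CONTOSO\carol") {
        $canEdit = $web.DoesUserHavePermissions($login, [Microsoft.SharePoint.SPBasePermissions]::EditListItems)
        $canRead = $web.DoesUserHavePermissions($login, [Microsoft.SharePoint.SPBasePermissions]::ViewListItems)
        "{0,-16} read={1,-5} edit={2}" -f $login, $canRead, $canEdit
    }
} finally {
    $web.Dispose()
}
```

DoesUserHavePermissions is the honest check: it includes rights arriving through web application policies and nested AD groups, which the Site Permissions page alone does not reveal.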

Additional Resources:

Library or List Permissions

Library and list permissions are managed through the list settings. The management works exactly like site permissions: first you break the inheritance chain and then you manage the individual list's or library's permissions. You can grant rights to AD users, AD groups and SharePoint groups. By default libraries and lists inherit their permissions from the parent site.

Lists and libraries also have some other security-related features.

For example you can control Draft Item Security, that is, who can see minor versions and items waiting for approval (any user who can read, only users who can edit, or only approvers and the author):

You can also control item/document scheduling, enable audience targeting and content approval (with or without workflows). Note that audience targeting only filters what is shown in web parts and navigation; it is not a security boundary, and a user outside the audience can still open an item if they have permissions on it:

Additional Resources:

Folder or Document Set Permissions

Like libraries and sites, folders and document sets can be given their own permissions by breaking the permission inheritance chain.

Document set and folder permissions can be accessed from the drop-down menu:

Additional Resources:

  • Consult the links provided in Library or List Permissions

Document or Item Permissions

The last level in the SharePoint site structure hierarchy is the document or item. Document and item permissions are granted just as with the structures above them (folders, libraries, sites...). Item-level permissions are the most expensive to maintain and the easiest to forget, so use them sparingly.

You can access the document and item level permission settings page directly from the object you are interested in:

Additional Resources:

  • Consult the links provided in Library or List Permissions
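The sections on library, folder and item permissions all end in the same advice: break inheritance only when you must. The following added example (not from the original post) is the audit a practitioner wants for that: it walks one site collection and reports every sub-site, list, folder, document set and item that has unique permissions, together with the draft item security of each versioned or moderated list. The site collection URL is an assumption.

```powershell
# Added example: find every broken inheritance chain in a site collection.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$site = Get-SPSite "http://intranet.contoso.local"            # assumed site collection
$report = @()

function Add-Row($scope, $url, $detail) {
    $script:report += [PSCustomObject]@{ Scope = $scope; Url = $url; Detail = $detail }
}

try {
    foreach ($web in $site.AllWebs) {
        if ($web.HasUniqueRoleAssignments -and -not $web.IsRootWeb) {
            Add-Row "Web" $web.Url ""
        }
        foreach ($list in $web.Lists) {
            if ($list.Hidden) { continue }                     # skip system lists
            $listUrl = $list.RootFolder.ServerRelativeUrl

            if ($list.HasUniqueRoleAssignments) { Add-Row "List" $listUrl "" }

            # Draft item security only matters where drafts exist (minor versions or approval).
            if ($list.EnableMinorVersions -or $list.EnableModeration) {
                Add-Row "Drafts" $listUrl ("DraftVersionVisibility=" + $list.DraftVersionVisibility)
            }

            # Folders and document sets are folder items; documents and list items are Items.
            # Both loops load the whole list; on very large lists use an SPQuery instead.
            foreach ($folder in $list.Folders) {
                if ($folder.HasUniqueRoleAssignments) { Add-Row "Folder" $folder.Url $folder.ContentType.Name }
            }
            foreach ($item in $list.Items) {
                if ($item.HasUniqueRoleAssignments) { Add-Row "Item" $item.Url $item.ContentType.Name }
            }
        }
        $web.Dispose()
    }
} finally {
    $site.Dispose()
}

$report | Sort-Object Scope, Url | Format-Table -AutoSize
```

A long "Item" section in this report is the symptom the post warns about: permissions granted document by document that nobody will remember to revoke.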

Miscellaneous Security and Permission Features

Web Part security settings can be configured at web application level:

SharePoint Designer permissions can be controlled with web application level settings:

See also: Managing SharePoint Designer 2010

Browser file handling and web page security validation are controlled at web application level. With browser file handling set to "Strict", files of types SharePoint does not recognise as safe are sent to the browser as downloads instead of being rendered inline, which keeps an uploaded HTML file from running script in the site's own origin; web page security validation is the form digest that protects state-changing POSTs against cross-site request forgery, so leave it enabled:

See Also: Security Validation and Making Posts to Update Data

You can also control the blocked file types list (i.e. restrict uploading of certain file types). The list matches on file extension only, so it is a hygiene measure rather than a guarantee against hostile content:

See Also: Manage blocked file types (SharePoint Server 2010)

Self-Service Site Creation, which is mostly used for My Sites, lets users create new site collections under certain URL namespaces. It is controlled through Central Administration, per web application:

See Also: Turn on or turn off self-service site creation (SharePoint Server 2010)

With the SharePoint auditing features you can gather logs and get reports on what users have been doing in a site collection. Nothing is audited by default; the events to record are chosen per site collection, and the log is stored in the content database:

This is a little unrelated to security, but as a note, SharePoint also has a two-stage recycle bin (the site recycle bin and the site collection recycle bin):

See also: Plan to protect content by using recycle bins and versioning (SharePoint Server 2010)
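The miscellaneous settings above are the ones most often left at their defaults on a public-facing web application. The following added example (not code from the original post) applies a tightened baseline to one web application and turns on security-change auditing for one site collection. The URLs and the extra blocked extensions are assumptions; the defaults already block executables such as exe, bat and ps1, so the additions here target script-bearing document types.

```powershell
# Added example: harden a public web application and enable auditing.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$wa = Get-SPWebApplication "http://www.contoso.com"           # assumed public web application

# Blocked file types: extensions without the dot; matched on upload only.
foreach ($ext in "htm", "html", "svg") {
    if ($wa.BlockedFileExtensions -notcontains $ext) { $wa.BlockedFileExtensions.Add($ext) }
}

# Strict: unknown file types are served as downloads, not rendered in the site's origin.
$wa.BrowserFileHandling = [Microsoft.SharePoint.SPBrowserFileHandling]::Strict

# Security validation (form digest) protects state-changing POSTs; keep it on.
$wa.FormDigestSettings.Enabled = $true

# SharePoint Designer: nobody customises a public site from the client tool.
$wa.AllowDesigner            = $false
$wa.AllowRevertFromTemplate  = $false
$wa.AllowMasterPageEditing   = $false
$wa.ShowURLStructure         = $false

# Public site: no self-service site collections.
$wa.SelfServiceSiteCreationEnabled = $false
$wa.Update()

# Site collection auditing: record permission changes and content updates/deletes.
$site = Get-SPSite "http://www.contoso.com"                   # assumed site collection
try {
    $mask = [Microsoft.SharePoint.SPAuditMaskType]
    $site.Audit.AuditFlags = $mask::SecurityChange -bor $mask::Update -bor $mask::Delete
    $site.Audit.Update()
} finally {
    $site.Dispose()
}

# Read the settings back so the change can be verified and compared later.
[PSCustomObject]@{
    WebApplication    = $wa.Url
    BrowserHandling   = $wa.BrowserFileHandling
    FormDigest        = $wa.FormDigestSettings.Enabled
    Designer          = $wa.AllowDesigner
    SelfServiceSites  = $wa.SelfServiceSiteCreationEnabled
    BlockedExtensions = $wa.BlockedFileExtensions.Count
}
```

Run the read-back part alone on a schedule: these are exactly the settings that get relaxed "for a moment" during a deployment and never put back.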

What Was Not Covered in This Article

There is also the Windows Rights Management Services (RMS) integration in SharePoint; let's discuss that in a separate article, or send us a link to an article that covers SharePoint/RMS integration! We could also talk a little about SharePoint managed accounts, but those belong more to the infrastructure side. And what about the security settings that some of the SharePoint services contain? As you can see, SharePoint is a very flexible platform in these matters, but the flexibility comes at a price, and that price is complexity. Hopefully this article clears up some of it.

Other topics somewhat related to security that we also did not discuss include, for example:

Whether to use AD Groups or SharePoint Groups as a Main Mechanism to Grant Rights?

Well, everything starts from Active Directory. If Active Directory is a mess, fix it before designing how to manage rights in SharePoint. A well-maintained Active Directory also benefits the other applications that integrate with AD (for example ordinary file sharing and NTFS permissions, or systems like Microsoft CRM).

Use SharePoint groups sparingly. Try to utilize the predefined SharePoint groups that are created in SharePoint sites, if possible. Think twice before defining new web application policies or site collection permission levels, and create new ones only if there is no better way around it.

Final Words

Please give us comments and feedback! We will probably come back and update this article in the future.


424 comments to “SharePoint Security and Permission System Overview”

  1. Admission is a great deal at only $4 per person ages 1 and up.
    One of the ways in which it is unique is how it handles deck building.
    The remains of more than 100,000 cave bears have been found in caves throughout
    Europe, most notably in Austria.

  2. www.test3.eu says:

    Hello my loved one! I want to say that this post is awesome, nicely written and comes with approximately all important infos.
    I'd like to peer extra posts like this.

  3. Hello to all, how is everything, I think every one is getting more from
    this web site, and your views are pleasant designed for new people.

    Good day, I am so thrilled I found your website, I really found you by accident, while I was browsing on Bing for something else. Anyhow I am here now and would just
    like to say thanks for an incredible post and an all round entertaining blog (I also love the theme/design), I don't have time to read through it all at the minute but I have book-marked it and also
    added in your RSS feeds, so when I have time I will be back to read
    much more, Please do keep up the awesome work.

  5. Pretty component of content. I simply stumbled upon your weblog and in accession capital to say that I acquire
    actually loved account your weblog posts. Any way I will be subscribing in your feeds and even I achievement you get entry to
    constantly quickly.

  6. You have to get onto the flatbed car on the train before it
    pulls away. Besides my wife, Susan, I hired other employees to work in the store.

    The stem cell transplant I was scheduled for in 1995 at the University of Connecticut’s
    Heath Center was far more intense than the one I endured at Beth Israel Hospital in Boston in 1993.

    my web-site six guns hack

  7. This design is great! You obviously know how to keep a reader amused.
    Between your wit and your videos, I was almost moved
    to start my own blog (well, almost…HaHa!)
    Excellent job. I really enjoyed what you had to say, and more than that, how you presented it.
    Too cool!

  8. I do agree with all of the ideas you’ve offered to your post.

    They are really convincing and can certainly work. Nonetheless, the posts are very short for beginners.
    May you please extend them a bit from subsequent time?
    Thanks for the post.

  9. Candice says:

    Hey! I could have sworn I’ve been to this website before but after checking through some of the post I realized it’s new to me.

    Anyhow, I’m definitely delighted I found it and I’ll be book-marking and checking back often!

    Here is my homepage Fifa 15 coin generator (Candice)

    This apps game is a toy that lets you play kitchen with your child.
    Analysts and pundits were off the mark with that prediction, as instead Apple chose
    to release the iPhone 5C as a replacement for the iPhone 5, which in the past the company would have
    continued to sell at a $99 price point on contract. Your total 2 year cost for the family plan is $6,316.

    my weblog – Total Conquest Hack

  11. This apps game is a toy that lets you play kitchen with your child.

    Web pages render much quicker as well and there is no lag
    or slowdown when loading apps and navigating menus. Instead, you
    can simply switch the SIM card in the phone and use the local GSM services, just like the way you have been using on any previous
    unlocked phone.

    Feel free to surf to my site: Jurassic Park Builder Cheats

    Hello my friend! I wish to say that this article is
    awesome, greatly written and includes approximately all significant infos.
    I would like to peer more posts like this.

  13. ibcbet says:

    Hello there, I discovered your blog site by way of while looking for a similar
    topic; your site
    came up here and it seemed to
    appear good. I have
    bookmarked it in my Google bookmarks.
    Hello there, just became
    alerted to your blog through, and found that it is really
    informative. I am careful
    Brussels. I will you should
    continue this in the future.
    Many people will from your writing. Cheers!

    Except for the iPhone 4, which will probably continue to be sold
    as a low-end handset. It will be available in silver, gold and space gray.
    Instead, you can simply switch the SIM card in the phone and use the local GSM services, just like the way you have been using on any previous unlocked phone.

    My blog – Pixel Gun 3D Hack

  15. An custom-made information, along with bringing on a sport with the help of fresh information over the endless
    reason, even be responsible for both equally A good quality
    immunity together with the Ancients together with Class
    connected to Figures. While this type of behavior is not
    condoned in the internet gaming world, it is highly
    effective if you want maximum profit in minimum time.

    Whoever you’re, no matter whether you have got just started out
    enjoying fb poker chips, have currently been taking part
    in for your although or are presently achieving
    some being successful actively playing facebook poker chips, I understand that you simply, like me,
    will love this Texas facebook poker chips method piece of writing given that I am
    likely to easily and easily lay out practically
    almost everything it is advisable to end up effective at zynga
    poker chips.

  16. This paragraph will help the internet visitors for creating new weblog or
    even a blog from start to end.

  17. Honestly, you have really made my day by sending a mail to
    me,so please tell me things about your last date ok. Once the young man gives in,
    he starts exhibiting strange behavior that worries his chaste girlfriend.
    Although it’s true some friendship could start with a coffee or dinner and dating but life’s got a way of getting the best of out of us.

    Here is my web site; download 8 ball pool hack tool

  18. ” – Cole Sear played by Haley Joel Osment, The Sixth Sense. ” So they sent the word out: toys for tunes and, according to Jordan, they got a lot of trades. I had heard over time because some of her players also became coaches.

  19. This is really interesting, You are a very skilled blogger.

    I’ve joined your feed and look forward to seeking more of your wonderful post.
    Also, I have shared your website in my social networks!

    my page; home Improvement companies savannah ga

  20. Spot on with this write-up, I honestly believe that this amazing site
    needs a great deal more attention. I’ll probably be returning to read more, thanks
    for the information!

  21. Thank you for every other magnificent article. Where else
    may anybody get that type of information in such a perfect means of writing?
    I’ve a presentation next week, and I’m at the search for such info.

  22. It’s not my first time to go to see this web site, i am browsing this website dailly and
    obtain good information from here everyday.

  23. Bernard says:

    Hi there! Would you mind if I share your blog with
    my twitter group? There’s a lot of people that I think would really
    enjoy your content. Please let me know. Many thanks

  24. Memory Booster automatically watches and cleans up
    your Android’s system memory when it reaches a critical point.
    This Orange deal is priced higher than the other deals at.
    The best news is that the smartphone will be available at Sprint, Verizon, and AT&T retail locations later today.

  25. Hallie says:

    What’s up colleagues, nice article and good arguments commented here, I
    am in fact enjoying by these.

  26. Do you have a spam issue on this site; I also am a blogger, and I was curious about your situation; we
    have created some nice procedures and we are looking to exchange methods with
    others, please shoot me an e-mail if interested.

  27. Fastidious response in return of this matter with genuine arguments and describing the whole thing concerning that.

    We must make chants for aim-line stands, for closers looking for a single more out, for opposing gamers shooting
    cost-free throws. A good and professional football betting agent will certainly
    prioritise security and peace of mind for the bettors who gamble there.

    Will this new-generation tablet keep the previous BlackBerry price
    standard after so much pessimistic
    feedback for RIM?

  29. Simply want to say your article is as surprising. The clearness to your put up is just nice and that i
    could assume you are knowledgeable on this subject.
    Well together with your permission allow me to seize
    your feed to keep up to date with drawing close post. Thanks one
    million and please continue the gratifying work.

    My website; cellulite natural news

  30. lovely says:

    What i do not understood is in truth how you’re now not really much
    more neatly-appreciated than you may be right now. You’re
    very intelligent. You recognize therefore significantly on the subject of this subject,
    produced me for my part consider it from so many numerous angles.
    Its like men and women don’t seem to be involved until it is
    one thing to accomplish with Girl gaga! Your individual stuffs great.
    At all times handle it up!

  31. I think what you posted made a lot of sense. But, what about this?
    what if you added a little information? I am not saying your
    information isn’t good, but what if you added a
    headline that makes people desire more? I mean SharePoint Security and Permission System Overview | SharePoint Blues is
    kinda vanilla. You should glance at Yahoo’s front page and
    note how they create post titles to get people interested.
    You might try adding a video or a related pic or two to
    get people excited about everything’ve written. In my opinion, it might make your posts a little livelier.

  32. I got this web site from my buddy who shared
    with me about this website and now this time I am visiting this web page and reading
    very informative articles at this time.

  33. Pretty component of content. I just stumbled upon your blog and
    in accession capital to assert that I get actually enjoyed
    account your weblog posts. Any way I’ll be
    subscribing for your feeds and even I achievement you access persistently rapidly.

  34. It’s actually a great and helpful piece of info.
    I’m happy that you shared this helpful information with us.
    Please keep us up to date like this. Thank you for sharing.

    my website … Providence RI dui defense lawyers

  35. Admiring the time and effort you put into your blog and detailed
    information you offer. It’s great to come across a blog every once
    in a while that isn’t the same old rehashed material.

    Wonderful read! I’ve bookmarked your site and I’m including your RSS feeds to my Google account.

    Look at my weblog – after effects tutorial

  36. Hi, its good post on the topic of media print, we all
    be aware of media is a fantastic source of facts.

    Truly, when someone doesn't understand, then it's up to other viewers
    that they will assist, so here it occurs.

  38. cheap NFL wholesale jerseys jerseys factory. cheap jerseys at wholesale price and 100% quality guarantee.
    womens Warriors jersey http://excelfitnessandtanning.com/images/Contact1.htm

    An outstanding share! I have just forwarded this onto a friend who had been doing a little homework on this.
    And he actually bought me dinner due to the fact that I stumbled upon it for him…
    lol. So let me reword this…. Thank YOU for the meal!!
    But yeah, thanks for spending some time to talk about this
    issue here on your web page.

  40. Life Estates and Life Leases: These are both traditional estate – planning strategies that
    allow your parents to transfer the home to you or other person and live
    there without interruption, for as long as they want.
    They do not however have a tight seal and allow moisture to
    easily enter the container. It is a vicious circle that can only truly be stopped
    once we manage to break our dependence on fossil fuels,
    despite all the lobbying, the major auto companies and the oil producing nations – namely
    OPEC nations – who rely on oil as their main revenue, all of whom are opposed to reducing our dependence on oil.

  41. Ryder says:

    .com, which offers today's football predictions in Asia and provides many well-known games with large and attractive bonuses.
    Jeff Gutt moves on to the next stage of what he hopes
    will be a fight to the final prize. Most of them
    end up in the trash if there is nothing unique about the pitch.

  42. Wow that was strange. I just wrote an really long comment but after I clicked submit
    my comment didn’t show up. Grrrr… well I’m not
    writing all that over again. Anyway, just wanted to say excellent blog!

  43. Today, while I was at work, my sister stole my iphone and tested
    to see if it can survive a 40 foot drop, just so she can be a youtube sensation. My iPad is
    now broken and she has 83 views. I know this is completely off topic but I had to
    share it with someone!

  44. You cannot find any ergonomically designed
    business office chair that can force the body around the correct position it should be in. 99, this
    item is a reliable office equipment which has a shredding capacity of 15 sheets for each
    pass. These servers run an embedded os, and something or higher disks or
    drives could be mounted on many NAS systems to boost the
    entire capacity. This is when the great time saving technology of medical
    document scanning enters play. Plus, once you arrive
    at any office inside the morning, you might be greeted which has a clean workspace.

    Seeing the good and bad and which way the market industry is headed can be very helpful when decided if they should add long or short term investments to a portfolio or when to get free
    from certain commodities and head elsewhere.

    Petracek furthered his doctorate training on the University of Texas
    Health Science Center in San Antonio, General Practice Residency Program.

    Check out my web-site :: office 2013 activator youtube

  45. Hallie says:

    This can be very useful in reducing the severity of an allergic reaction, but is not necessarily fitting for everyone.
    when choosing the correct recipes to your cavy read the ingredients carefully.

    ‘ Pretty soon, you’ll find the critical thoughts start dropping
    away, and in their place you are affirming a more positive
    reality.

    Look at my webpage … hay day cheats (Hallie)

  46. From fire-engine reds and hot pinks to deeper wine
    and rose colors, hues in the red family can,
    no-doubt, inject DTP projects with an added sense of
    power. So remember the best way to get it right is to do your home work first.
    The apparel industry in Australia is doing well internationally and the
    Aussie made fashion attire is now getting popular among international
    fashion freaks.

    Here is my blog: If you have not hear

  47. This website was… how do I say it? Relevant!!

    Finally I have found something which helped me.
    Cheers!

  48. I believe that is among the so much significant info for me.
    And i’m satisfied studying your article. However wanna observation on some common issues, The web site taste
    is perfect, the articles is actually great : D. Good process, cheers

    Excellent blog you have got here.. It's difficult to find quality writing like
    yours these days. I truly appreciate individuals like you!
    Take care!!

    Feel free to surf to my web site; prolong erection cream

  50. This is really a direct mention of the Lord Krishna by Tagore.
    Modern people can recall past ruined good Aztec
    society thanks to the historical documents and discoveries.

    Music played an important role within the lives of ancient
    Egyptians. Labs Missions, that were originally offered as DLC.
    Much with the time it will spring into your consciousness unabated
    when you go through revisions, being a linebacker who from the fourth quarter has found his
    shot for the quarterback. The sermon that attracted the IRS' attention was delivered within the
    same church that heard sermons that opposed the Vietnam War and sermons that supported women clergy and gays and lesbians inside church.
    In turn, it's going to lead to a more peaceful existence in our relationships with each other, and also the universe.

    my page; injustice gods among us hack ios ifunbox
