SharePoint Security and Permission System Overview

September 1 2010 489 comments

SharePoint Permission and Security Mechanisms

From time to time, our customers ask us about how SharePoint security and permission features work, and how should they be utilized. In this post we try to walk through the basic permission and security features of SharePoint. This post is not intended to be a complete description of every security and permission related feature in SharePoint, but we try to gather all the essential pieces here. We took many screenshots to illustrate what each setting or feature means in practice, enjoy the ride, ;-) !

Additional Resources:

Farm Administrators

Farm Administrators group is a group that is managed centrally via SharePoint Central Administration web-site:

Farm Administrators include by default SharePoint Farm -account, SharePoint installation account and BUILTIN\Administrators group. Farm Administrators have basically “all rights” in SharePoint Farm (or at least they have the ability to get them).

You can give Farm Administration rights to AD groups and AD users:

Additional Resources:

Authentication Providers

With authentication providers you can control how you would like to have your users authenticated in a web application. You can also enable/disable anonymous access and client integration and control client object model permission requirements among others:

Additional Resources:

Web Application Level Permission Policies

With web application level permission policies you can control centrally, with Central Administration, what kind of permission policies you want to apply to all site collections and sites under specific web application. By default SharePoint gives us four predefined policies:

Our recommendation is that you should not edit the default policies, but instead go ahead and create a new policies, if the out of the box policies are not what you are looking for. Policies itself do not grant any permissions unless you attach users or groups to that policy. Policies are just a definitions what the user who has granted the policy can do in the entire web application. With web application policies you can either Grant or Deny the permission.

Here is an example of adding a new web application level permission policy:

Additional Resources:

Web Application Level User Policies

User Policy is the place where the magic happens in a web application level. User policy is basically a AD user or AD group mapping to certain Web Application Level Permission policy. You can even define a Zone in which the policy is applied. For example you can use different policy for users who use the SharePoint sites from your internal network (intranet zone), and different policy for those who access the sites through public internet (internet zone), or just apply to “All Zones”. User policies are especially useful for service accounts and in development/integration environments where you probably recreate site collections often (maybe with TFS autobuild scripts).

Here is a screenshot of applying Manage Content -policy to Content Editors AD group:

Additional Resources:

Web Application Level Anonymous Policy

You can also define web application level anonymous users’ policy through Central Administration -site (but you can only select the policy from a three predefined policies):

Additional Resources:

Web Application Level User Permissions

This is just a checkbox list from where you can manage what kind of permission levels can be used in a web application and site collections (by default all check boxes are checked, and in general we rarely need to modify the selections):

Site Collection Administrators

Site Collection Administrators have full control of a specific SharePoint site collection. You can only use AD users (not AD groups, at least with the UI) as site collection administrators (We don’t actually know why it is like that, do you?). With Central Administration site, you can define two users as site collection administrators, but in site collection settings you can add more site collection administrators. Here is a screenshot of Central Administration site collection administrators settings page:

Additional Resources:

Anonymous Access Permissions

You can control what parts of your site the Anonymous users can access with Anonymous Access Setting:

Anonymous access can further be restricted by enabling View Form Pages Lock Down -feature. Our advice is to enable this feature in every public SharePoint site. More about this feature and some other anonymous access suggestions, please consult the following article:

Site Collection Level Permission Levels

Like in Web Application level permission policies, these are the actual permissions that SharePoint will check when user accesses resources in a SharePoint site. This time we have Grant only abilities (in Web Application Level Permission Policies you could use Grant and Deny). In itself permission levels are only definitions that group the more fine grained permissions together in a more useful entity.

By Default SharePoint has these permission levels defined in site collections (levels can be a little bit different depending on what features have been enabled in a site collection):

You can also define your own permission levels, if predefined levels do not match the requirements. As a general principle, it’s not a good idea to modify predefined permission levels (it will only cause confusion). Own permission levels can be created in similar fashion as web application level permission policies:

Additional Resources:

SharePoint Groups

SharePoint groups are a little bit like AD groups, but these groups are managed in SharePoint instead of Active Directory. SharePoint groups can be used to delegate rights management for the site owners instead of system administrators. Whether this is a good thing or not… well it depends on what you want to archive. SharePoint groups are global to the whole site collection. You cannot specify SharePoint group that exists only in a (sub-)site level. SharePoint groups cannot be used over the site collections. One thing SharePoint groups do support that AD groups do not, is membership requests. You can control SharePoint groups’ permission levels whenever you want to use that group. Basically SharePoint group is just a collection of AD groups and AD users with attached permission level(s). While permission level can change for the group the members are globally defined (site collection wide).

Here is a small clipping of Group creation settings (not all settings are visible, but you get an idea):

SharePoint Groups do no directly give any rights to ad users or ad groups (unless you use some predefined group that already has for example site level permissions attached to it). You have to use that group somewhere. Next we walk through all the places where you can use SharePoint Groups, AD Groups and AD users to actually give the permissions.

Additional Resources:

Site Permissions

Site permissions is where all the permission management begins. More specifically the root site permissions (root site is the top site in a site collection). These are the permissions that all sub-items (sub-sites, libraries and lists, folders and document sets, documents and items) will inherit. That’s why it is important to carefully design the site permissions as the whole site will use these by default (unless the inheritance chain is broken). Our advice is to try to find some general permissions so that you do no need to break inheritance chain too often.

When you grant site permissions you can use AD groups, AD users and SharePoint groups. You can either add users to some of SharePoint groups or grant the permissions directly (aka attach permission level to user or group). I’m not sure why Microsoft recommends granting permissions though SharePoint Groups, because in many cases it makes a little sense. Probably because of in-built functionality that is attached to SharePoint groups or that when using SharePoint groups, you are able to move your site more easily to different domain (for example from development to cloud service, BPOS anyone?). Our advice is that go with SharePoint groups or grant directly, but try not to overuse SharePoint Groups as it only causes confusion in the end.

Here is a screenshot of SharePoint site level permission granting screen (this exact same functionality is also used in other levels described below):

Each sub site can break the permissions inheritance chain and specify their own permissions, just like you specify them in a root site.

Additional Resources:

Library or List Permissions

Library and List permissions can be managed though list settings. Basically the management works exactly the same as with Site permissions. First you break the inheritance chain and then you start to manage individual list’s or library’s permissions. You can grant rights for AD users, AD groups and SharePoint Groups. By default libraries and lists inherit their permissions from parent site.

With lists and libraries you have also some other security related features.

For example you can control Draft Item Security:

You can also control item/document scheduling, enable audience targeting and content approval (with or without workflows):

Additional Resources:

Folder or Document Set Permissions

Like with library and site permissions, folders and document sets can be granted with their own permissions by breaking the permissions inheritance chain.

Document Set and Folder permissions can be accessed from drop-down menu:

Additinal Resources:

  • Consult the links provided in Library or List Permissions

Document or Item Permissions

Last level in SharePoint site structure hierarchy is document or item. Document and item permissions can also be granted just like you did with structures above that (folders, libraries, sites…).

You can access document and item level permission settings page directly from the object you are interested in:

Additinal Resources:

  • Consult the links provided in Library or List Permissions

Miscellaneous Security and Permission Features

Web Part security settings can be configured at web application level:

SharePoint Designer permissions can be controlled with web application level settings:

See also: Managing SharePoint Designer 2010

Browser File Handling and Web Page Security validation can be controlled at web application level:

See Also: Security Validation and Making Posts to Update Data

You can also control blocked file types list (aka restrict of uploading certain file types):

See Also: Manage blocked file types (SharePoint Server 2010)

Self-Service Site Creation that is basically used for my sites is a way to give users a permission to create a new site collections in certain URL namespaces. This can be controlled through Central Administration -web site and the setting is for a web application:

See Also: Turn on or turn off self-service site creation (SharePoint Server 2010)

With SharePoint auditing features you can gather logs and get reports on what the users have been doing on the site collection:

This is a little bit unrelated to security, but as a note, SharePoint has also a two level recycle bin:

See also: Plan to protect content by using recycle bins and versioning (SharePoint Server 2010)

What Was Not Covered in This Article

There is also Windows Rights Managements Services integration in SharePoint… let’s discuss about that in a separate article, or give us a link to some article that discusses SharePoint/RMS integration! We could also talk a little bit about SharePoint managed accounts, but those are more of a infrastructure side. And what about security settings that some of SharePoint services contain? As you can see, SharePoint is a very flexible platform in these kind of things, but this flexibility comes with a price. That price is complexity. Hopefully this article clears some of that.

What we also didn’t discuss that are somewhat related to security are for example:

Whether to use AD Groups or SharePoint Groups as a Main Mechanism to Grant Rights?

Well, Everything starts from Active Directory. If Active Directory is a mess, it should be fixed before designing how to manage rights in SharePoint. If Active Directory is well maintained it also benefits the other applications that integrate to AD (for example normal file sharing and NTFS permissions, or systems like Microsoft CRM).

Use SharePoint groups sparingly. Try to utilize the predefined SharePoint groups that are created in SharePoint sites, if possible. Think twice before defining new Web Application policies or Site Collection Permission Levels, and create new ones only if there isn’t better way around it.

Final Words

Please give us comments and feedback! We will probably come back and update this article in the future.

Popularity: 34% [?]

489 comments to “SharePoint Security and Permission System Overview”

  1. Aw, this was a very nice post. In thought I wish to put in writing like this moreover – taking time and actual effort to make an excellent article… but what can I say… I procrastinate alot and on no account appear to get one thing done.

  2. Thanks for your blog post. What I would like to add is that personal computer memory needs to be purchased but if your computer still can’t cope with whatever you do along with it. One can set up two good old ram boards with 1GB each, for instance, but not one of 1GB and one with 2GB. One should check the car maker’s documentation for one’s PC to be certain what type of memory space it can take.

  3. FirstJackson says:

    I see you don’t monetize your website, don’t waste your traffic, you can earn additional cash every month because you’ve got high quality content.
    If you want to know how to make extra $$$, search for: Mrdalekjd methods for $$$

  4. Tremendous issues here. I’m very satisfied to look your
    article. Thanks a lot and I’m looking forward to touch you.
    Will you kindly drop me a e-mail?

  5. It’s amazing to pay a visit this web site and reading the views of all mates regarding this piece of writing, while I am also keen of getting familiarity.

  6. Since the admin of this site is working, no hesitation very rapidly it will be renowned,
    due to its feature contents.

  7. I pay a visit every day some sites and information
    sites to read articles or reviews, except this blog presents quality based posts.

  8. If you take your trade present exhibits to another country, you is likely to be considered
    as participating in enterprise in that nation’s
    borders, and would possibly thus require a particular visa.

    Visas are usually obtained by visiting the other country’s embassy
    or a particular Consulate Common, depending on your location. Pointers
    for obtaining a visa are typically out there on the vacation spot country’s web site, but you
    may additionally be capable of be taught extra by contacting your Department of State.
    Remember the fact that visas can take a very long time to be accepted and should price money.
    You will likely want one for each employees member you are taking with you for your
    commerce present exhibits, and you will have to pay separately for
    each. As well as, some countries might require you to acquire a
    visa it doesn’t matter what the explanation for your journey.

    What info we might gather about you

    Insurance coverage services

    Local Movers

    20 Lawrence Transportation Techniques Inc. 264 Roanoke, VA

    Skilled driver and crew at both origin and destination

    Register to pay council tax in your new house

    Monique P

    Do you have a piano or some other gadgets that want special consideration? We have now
    the expertise and the equipment to ensure these belongings are moved with care.
    Ask our representatives about the special conditions and handling that will
    apply. Even if you’ve never finished this form of thing before, don’t worry.
    We know what it takes and will likely be completely happy to information you thru the method.
    With the assistance of some quality moving guys (if they’re wanted), you have
    to be well on your approach in no time. This is the very last thing you might have
    to complete your trip, and it means more than you
    may think. Some companies have very unpleasant
    and inefficient movers, and these guys will do nothing greater than add
    to complication. There are high quality shifting businesses
    although, and the movers hold to their title.

    If you fascinated by Relocation, for some time you will get stuck because change will not be a straightforward
    task ,for that motive you should all the time choose Home Shifting in Dubai for your protected relocation. We, The AMWAJ
    House Shifting in Dubai is main Movers Firm in Dubai, UAE.
    The AMWAJ Movers in Dubai isn’t just the name of packers and movers; moderately it’s counted in widespread National Moving Companies.

    The motto of our company is belief and dedication to each of
    our buyer. Firewalls are used to dam unauthorised site visitors to the servers and the precise
    servers are positioned in a secure location which might solely be accessed by authorized personnel.
    We also keep your data confidential. Our inside procedures
    cowl the storage, access and disclosure of your info.
    This Site could include hyperlinks or references to different Web sites over which we have no
    management. Once you hire movers from Atlantic Relocation Techniques, your belongings might be
    safe and in the arms of pros. Our movers should complete our training
    program, in addition to drug screenings and background checks, before
    working for us, and they’re going to put their information, expertise, and professionalism to use so that you can quickly and safely relocate your objects.
    These things might be portable at a large portion of the times
    yet a few of the time they could look immobile. In this viewpoint,
    we fall into an utter mayhem neither we can abandon them nor take them close by.

    At that time it involves be actually tough to take
    out a powerful answer for this specific kind of difficulty.

    There are such a lot of small pieces that must be packed and plenty of objects are thought-about
    fragile. Pack things into the box that go together in the cabinet.
    This will make it simple to unpack and put issues right again into a cabinet when you get to the situation. Take your
    time and label with the moving date rapidly approaching, it’s essential to get the house packed up and able to go.

    By deciding on us for full-service hourly moving, we will arrive to
    your location with a shifting automobile and the requested variety of movers.
    We’ll prepare your gadgets to be moved. We will transfer
    your gadgets out of your residence/ enterprise/ storage area
    to a the unloading vacation spot of your choosing inside 30
    miles. We will moreover assemble and disassemble objects as well.
    Pianos, Safes, Pool Tables, and different massive gadgets would require a further payment.
    You may have to reclaim some further area in your own home.
    Possibly your new home just isn’t ready for transfer in.
    Maybe you’re downsizing or upgrading on your next move. Otherwise you simply need to keep
    some objects out of the way for use at a later date.

    Whatever the case, Budget Shifting and Storage desires to accommodate your
    needs. BBB has decided that Price range Shifting and Storage
    meets BBB accreditation requirements necessary to develop into
    a member, which includes a dedication to make a great religion effort
    to resolve any consumer complaints. BBB Accredited Businesses pay a charge for accreditation assessment/monitoring and for support of
    BBB providers to the general public.

  9. Hi every one, here every person is sharing such knowledge, therefore it’s nice to read
    this weblog, and I used to visit this weblog every day.

  10. I’m not certain where you’re getting your information, but good topic.
    I needs to spend a while finding out more or understanding more.
    Thank you for wonderful information I was on the lookout
    for this information for my mission.

  11. Very shortly this web site will be famous among all blog visitors,
    due to it’s good articles or reviews

  12. says:

    All this automatically helps you cut back weight by eliminating excess and unwanted fats in your body.
    Overeating never helps in solving the problems.
    Many people have related emotions and frustrations
    with the “Battle of the Bulge.” As a psychotherapist, I counseled many
    people with a wide range of problems. So, prior to purchasing
    something, make sure you won’t come throughout any compatibility issues with
    the product. It would make you feel higher and can go away a optimistic mark on your well being and determine.

    Each slimmer who has struggled with dropping physique
    fat or even as little as a variety of lbs is in a position to speak that
    a critical diet and coaching plan is each exhausting plus is ready to go away folks being disadvantaged.

    InstaSlim capsules are appropriate for individuals of any age group
    together with both women and men, being the perfect herbal based remedy.

    Most virtual keyboard devices are small and lightweight, typically times being
    no larger than a pack of chewing gum.

  13. Hi! I’m at work browsing your blog from my new iphone! Just wanted to say
    I love reading your blog and look forward to all your
    posts! Keep up the fantastic work!

  14. Greta says:

    That is essential as despite the fact that the embedding
    strategies have been regulated, the precise encoding strategies are nonetheless to be standardized.
    The advantages of working a digital desktop have all the time been apparent for SMEs on a limited funds.

    The large advantage of cloud internet hosting is that SMEs get all the computing power they want
    at a fraction of the associated fee and entry to a range of specialist data
    that might otherwise be prohibitive in a standard workplace.
    There’s little question that we face a relentless
    battle to maintain our information safe and most
    SMEs are now conscious that they can be the target of
    malicious assaults. There’s no doubt that our on-line safety has become more advanced through the years and getting access to the right kind
    of experience is increasingly important for businesses whether or not they are giant companies or small start-ups.
    That leads to greater collaboration, more productive working practices and exposure to the up-to-date know-how
    that is usually missing in additional conventional, small business set ups.

  15. Fine way of telling, and good article to get facts regarding my presentation subject,
    which i am going to present in college.

  16. Everything posted made a great deal of sense. However, think on this,
    suppose you added a little information? I am not saying your
    content is not good, however suppose you added something that grabbed a person’s attention? I mean SharePoint
    Security and Permission System Overview | SharePoint Blues is kinda plain. You should peek at
    Yahoo’s home page and see how they create post headlines to get viewers interested.

    You might try adding a video or a related picture or two
    to get people interested about everything’ve got to say.
    In my opinion, it could make your blog a little bit more interesting.

  17. Ruben Perdew says:

    I really appreciate your help. This exta little bit of information will likely be implemented.

  18. pings says:

    I besides believe hence, perfectly pent post!

  19. I believe what you typed made a bunch of sense. However, what about this?

    suppose you were to write a killer title? I ain’t saying your
    information isn’t good., however suppose you added
    a post title that grabbed people’s attention? I mean SharePoint Security and Permission System
    Overview | SharePoint Blues is kinda plain. You could look at Yahoo’s front page and note how they create news
    titles to grab viewers to open the links. You might try adding a video or
    a pic or two to get people excited about what you’ve written. In my opinion, it could make your
    posts a little livelier.

  20. Good post! We will be linking to this great content on our site.
    Keep up the great writing.

  21. I was excited to uncover this website. I need to to thank you for ones
    time for this particularly wonderful read!! I definitely enjoyed every part of it and
    I have you saved to fav to check out new information in your web site.

  22. Cassandra D. Everhart says:

    Many thanks conducive towards the great data. carpet cleaner

  23. 2:30 Wow, you found a can. You can get a dime for that in Oregon…

    I’m out.

  24. An outstanding share! I’ve just forwarded thiss onto a friend
    who was conducting a little research oon this. And he in fact bought me breakfast simply because I stumbled upon it
    for him… lol. So allow me to reword this…. Thank YOU for the
    meal!! But yeah, thanx ffor spending some time to discuss this topic
    here on your web page.

    my web site free onlinee meeting people sites (

  25. Hi , you are amazing ! we did it in our project that call خیانت and got a very good result .
    all was because your article .
    thank u so so so much :) :) :)

  26. ao huren says:

    Visit ao huren for your own free sexy chat experience!

  27. sua enfagrow says:

    Hi to every one, for the reason that I am genuinely keen of reading this blog’s post to be
    updated regularly. It contains nice information.

  28. sharepoint says:

    really good site in شرکت حسابداری world .

  29. click here says:

    Great post! We will be linking to this particularly great content on our site.
    Keep up the good writing.

  30. Abilene Buick, Cadillac & Chevrolet drivers know that the perfect deals
    on new and used fashions might be discovered att Holm pioneer automotive Center.
    The drivers pushing auto manufacturers tto make use of FFC are decreased weight, less connectors, bundle effectivity, improved EMI/RFI performance, the transfer towards
    multiplexing and the develpment toward infotainment systems
    in vehicles. Multiplexing of electrical
    inricators in automobiles is starting for usee as automobiles are continually being designed with extra electronics and choices.
    The components listed in the report are on-premiseand cloud-based mostly.

    Such a tie-up may assist resolve a few of the sooner problems Applke
    faced with parts. With our handy online scheduling and truthful pricing, we’re right here to assist.
    By shopping on-line, you get rid of all of this frustration and you
    may get right down to what yoou are attempting to perform.
    So the corporate entity can get the maximum benefit from the
    machne for tthe lowest price, and they will deal with the
    market cokmpetitors without any problem. This can be left at folks’s properties or
    businesses to get the word out about your enterprise.
    You should select which options are best for you and slium your used Audi cars down from there.
    So is thewre a restrict to how far we can reduce the cd worth?

  31. This is something unexpected, really. power washing

  32. Hi there! This is my first comment here so I just wanted to give a quick shout out and say I genuinely
    enjoy reading your articles. Can you suggest any other blogs/websites/forums that deal with the same subjects?

    Thanks for your time!

  33. Using SharePoint Enterprise Search API | SharePoint Blues is kinda vanilla.
    You might peek at Yahoo’s home page

  34. With our handy online scheduling and truthful pricing, we’re right here to assist.
    By shopping on-line, you get rid of all of this frustration

  35. this is among the so much important information for
    me. And i’m glad studying your article. But should statement
    on some common issues

  36. It make take several minutes for the service to move from the starting stated to started state. The system service starts two Windows services with the farm account: first the ForeFront Identity Manager Synchronization Service and then the ForeFront Identity Manager service.

  37. я немедленно запишу ваш rss
    адрес, поскольку я бессилен отыскать ваш
    e-mail link или e-newsletter. Можно ли попросить ваши контакты?
    Будьте добры, разрешите мне переговорить с вами для того, чтобы я мог
    бы подписаться.

  38. you get rid of all of this frustration and you
    may get right down to what yoou are attempting to perform.
    So the corporate entity can get the maximum benefit from the
    machne for tthe lowest price, and th

  39. But should statement
    on some common issues, The web site style is wonderful

  40. steemfilter says:

    I was able to look for word ‘Example’ in the Title field. FullTextSqlQuery uses managed properties in its queries and in the example query Title is an managed property. You can also easily create cus

  41. SharePoint site structure hierarchy is document or item. Document and item permissions can also be granted just like you did with structures above that

  42. сейчас же кину в закладки ваш rss, поскольку я бессилен найти ваш e-mail hyperlink или newsletter.
    Можно ли попросить ваши контакты?
    Пожалуйста, разрешите мне общаться с вами для того, чтобы я
    мог бы подписаться. Б

  43. click here says:

    These states have legalized sports betting, but not all have yet begun accepting wagers.

  44. visit here says:

    I think that everything said made a lot of sense.
    But, consider this, suppose you added a little information? I am
    not suggesting your content is not solid, but suppose you
    added a post title to maybe get people’s attention? I mean SharePoint Security and Permission System
    Overview | SharePoint Blues is kinda vanilla.
    You might glance at Yahoo’s home page and see how they
    create news titles to get viewers interested. You might add a video or a
    related picture or two to get people excited about everything’ve written. Just
    my opinion, it would bring your posts a little livelier.

  45. idn poker88 says:

    I read this paragraph completely regarding the comparison of most recent and previous technologies,
    it’s amazing article.

  46. چنل ید says:

    مضمون ی این نبا از نظر چقدر از افراد نازل و کامل نیست ولی فدایی از مطالب کارگاه ساختمانی ها و بلاگ
    ها پیرامون این مطلب در وب وجود دارند که می
    توان از آنها استفاده بهتری داشت

    موضوع کلام ی این یادداشت از نظر وافر از افراد مناسب و
    کامل نیست ولی ازجان گذشته از مطالب مرکز مجازی
    در اینترنت ها و بلاگ ها پیرامون این مطلب در وب وجود دارند که می توان از آنها استفاده بهتری

Leave a Reply