
SharePoint Security

SharePoint Server 2010 incorporates a new, more powerful and flexible authentication model that works with any corporate identity system, including Active Directory Domain Services, LDAP-based directories, application-specific databases, and user-centric identity providers such as Windows Live ID. This model uses claims-based authentication, built on the identity framework that Microsoft code-named Geneva (released as Windows Identity Foundation and AD FS 2.0). Claims-based authentication is built around the concept of an identity and is based on open standards (WS-Federation and WS-Trust) and token formats such as the Security Assertion Markup Language (SAML).

Introduction to Claims-based Security

Claims-based identity provides a common way for applications to acquire identity information about users inside their organization, in other organizations, and on the Internet. Identity information is carried in a security token, often simply called a token. A token contains one or more claims about the user (for example a user name, an e-mail address or a group membership) and is issued and signed by an identity provider that the application trusts. SharePoint accepts the claims because it trusts the issuer, not because it looked the user up itself, so the security of the whole model rests on which issuers are trusted and on the signature check. Think of the token as metadata about the user that stays with them throughout their session.

 

Default permission levels

Permission levels are collections of permissions that allow users to perform a set of related tasks. SharePoint Server 2010 includes five permission levels by default. You can customize the permissions available in these permission levels (except for the Limited Access and Full Control permission levels), or you can create customized permission levels that contain only the specific permissions you need. For more information about how to customize permission levels, see Configure custom permissions (SharePoint Server 2010).

Although you cannot directly edit the Limited Access and Full Control permission levels, you can make individual permissions unavailable for the entire Web application, which removes those permissions from the Limited Access and Full Control permission levels. For more information about how to manage permissions for a Web application, see Manage permissions for a Web application (SharePoint Server 2010).

The following table lists the default permission levels for team sites in SharePoint Server 2010.

 

Limited Access
Description: Allows access to shared resources in the Web site so that users can access an item within the site. Designed to be combined with fine-grained permissions to give users access to a specific list, document library, folder, list item, or document, without giving them access to the entire site. Cannot be customized or deleted.
Permissions included by default:
  • View Application Pages
  • Browse User Information
  • Use Remote Interfaces
  • Use Client Integration Features
  • Open

Read
Description: View pages and list items, and download documents.
Permissions included by default: Limited Access permissions, plus:
  • View Items
  • Open Items
  • View Versions
  • Create Alerts
  • Use Self-Service Site Creation
  • View Pages

Contribute
Description: View, add, update, and delete items in the existing lists and document libraries.
Permissions included by default: Read permissions, plus:
  • Add Items
  • Edit Items
  • Delete Items
  • Delete Versions
  • Browse Directories
  • Edit Personal User Information
  • Manage Personal Views
  • Add/Remove Personal Web Parts
  • Update Personal Web Parts

Design
Description: View, add, update, delete, approve, and customize items or pages in the Web site.
Permissions included by default: Approve permissions, plus:
  • Manage Lists
  • Add and Customize Pages
  • Apply Themes and Borders
  • Apply Style Sheets

Full Control
Description: Allows full control of the scope.
Permissions included by default: All permissions

Limited Access is never assigned by hand. SharePoint grants it automatically at the site (and list) level when a user or group is given permission to an item further down the hierarchy, so that the site can be opened to reach that item. Its appearance in a site's permission list is therefore a reliable sign that fine-grained permissions exist somewhere below, which is worth knowing when you audit who can reach what.

If you use a site template other than the team site template, you will see a different list of default permission levels. For example, the following table shows the additional permission levels provided with the publishing template.

Restricted Read
Description: View pages and documents. For publishing sites only.
Permissions included by default:
  • View Items
  • Open Items
  • View Pages
  • Open

Approve
Description: Edit and approve pages, list items, and documents. For publishing sites only.
Permissions included by default: Contribute permissions, plus:
  • Override Check Out
  • Approve Items

Manage Hierarchy
Description: Create sites; edit pages, list items, and documents. For publishing sites only.
Permissions included by default: Design permissions minus Approve Items, Apply Themes and Borders, and Apply Style Sheets, plus:
  • Manage Permissions
  • View Web Analytics Data
  • Create Subsites
  • Manage Alerts
  • Enumerate Permissions
  • Manage Web Site

User permissions

SharePoint Server 2010 includes 33 permissions, which are used in the five default permission levels. You can change which permissions are included in a particular permission level (except for the Limited Access and Full Control permission levels), or you can create a new permission level to contain specific permissions.

Permissions are categorized as list permissions, site permissions, and personal permissions, depending on the objects to which they can be applied. For example, site permissions apply to a particular site, list permissions apply only to lists and libraries, and personal permissions apply only to things such as personal views, private Web Parts, and more. The following tables describe what each permission is used for, the dependent permissions, and the permission levels in which it is included.

List permissions

Each entry gives the permission, what it allows, the permissions it depends on (which must also be granted), and the permission levels that include it by default.

  • Manage Lists: Create and delete lists, add or remove columns in a list, and add or remove public views of a list. Depends on: View Items, View Pages, Open, Manage Personal Views. Default levels: Design, Full Control.
  • Override Check Out: Discard or check in a document that is checked out to another user without saving the current changes. Depends on: View Items, View Pages, Open. Default levels: Design, Full Control.
  • Add Items: Add items to lists, and add documents to document libraries. Depends on: View Items, View Pages, Open. Default levels: Contribute, Design, Full Control.
  • Edit Items: Edit items in lists, edit documents in document libraries, and customize Web Part Pages in document libraries. Depends on: View Items, View Pages, Open. Default levels: Contribute, Design, Full Control.
  • Delete Items: Delete items from a list, and documents from a document library. Depends on: View Items, View Pages, Open. Default levels: Contribute, Design, Full Control.
  • View Items: View items in lists, and documents in document libraries. Depends on: View Pages, Open. Default levels: Read, Contribute, Design, Full Control.
  • Approve Items: Approve minor versions of list items or documents. Depends on: Edit Items, View Items, View Pages, Open. Default levels: Design, Full Control.
  • Open Items: View the source of documents with server-side file handlers. Depends on: View Items, View Pages, Open. Default levels: Read, Contribute, Design, Full Control.
  • View Versions: View past versions of list items or documents. Depends on: View Items, Open Items, View Pages, Open. Default levels: Read, Contribute, Design, Full Control.
  • Delete Versions: Delete past versions of list items or documents. Depends on: View Items, View Versions, View Pages, Open. Default levels: Contribute, Design, Full Control.
  • Create Alerts: Create e-mail alerts. Depends on: View Items, View Pages, Open. Default levels: Read, Contribute, Design, Full Control.
  • View Application Pages: View forms, views, and application pages. Enumerate lists. Depends on: Open. Default levels: All.

Site permissions

Each entry gives the permission, what it allows, the permissions it depends on, and the permission levels that include it by default.

  • Manage Permissions: Create and change permission levels on the Web site and assign permissions to users and groups. Depends on: View Items, Open Items, View Versions, Browse Directories, View Pages, Enumerate Permissions, Browse User Information, Open. Default levels: Full Control.
  • View Usage Data (labelled View Web Analytics Data in the SharePoint Server 2010 user interface): View reports on Web site usage. Depends on: View Pages, Open. Default levels: Full Control.
  • Create Subsites: Create subsites such as team sites, Meeting Workspace sites, and Document Workspace sites. Depends on: View Pages, Browse User Information, Open. Default levels: Full Control.
  • Manage Web Site: Perform all administration tasks for the Web site, and manage content. Depends on: View Items, Add and Customize Pages, Browse Directories, View Pages, Enumerate Permissions, Browse User Information, Open. Default levels: Full Control.
  • Add and Customize Pages: Add, change, or delete HTML pages or Web Part pages, and edit the Web site by using a Windows SharePoint Services-compatible editor. Depends on: View Items, Browse Directories, View Pages, Open. Default levels: Design, Full Control.
  • Apply Themes and Borders: Apply a theme or borders to the entire Web site. Depends on: View Pages, Open. Default levels: Design, Full Control.
  • Apply Style Sheets: Apply a style sheet (.css file) to the Web site. Depends on: View Pages, Open. Default levels: Design, Full Control.
  • Create Groups: Create a group of users that can be used anywhere within the site collection. Depends on: View Pages, Browse User Information, Open. Default levels: Full Control.
  • Browse Directories: Enumerate files and folders in a Web site by using Microsoft SharePoint Designer 2010 and WebDAV interfaces. Depends on: View Pages, Open. Default levels: Contribute, Design, Full Control.
  • Use Self-Service Site Creation: Create a Web site by using Self-Service Site Creation. Depends on: View Pages, Browse User Information, Open. Default levels: Read, Contribute, Design, Full Control.
  • View Pages: View pages in a Web site. Depends on: Open. Default levels: Read, Contribute, Design, Full Control.
  • Enumerate Permissions: Enumerate permissions on the Web site, list, folder, document, or list item. Depends on: Browse Directories, View Pages, Browse User Information, Open. Default levels: Full Control.
  • Browse User Information: View information about users of the Web site. Depends on: Open. Default levels: All.
  • Manage Alerts: Manage alerts for all users of the Web site. Depends on: View Items, View Pages, Open. Default levels: Full Control.
  • Use Remote Interfaces: Use SOAP, WebDAV, or SharePoint Designer 2010 interfaces to access the Web site. Depends on: Open. Default levels: All.
  • Use Client Integration Features: Use features that start client applications. Without this permission, users must work on documents locally and then upload their changes. Depends on: Use Remote Interfaces, Open. Default levels: All.
  • Open: Open a Web site, list, or folder to access items inside that container. Depends on: None. Default levels: All.
  • Edit Personal User Information: Users can change their own user information, such as adding a picture. Depends on: Browse User Information, Open. Default levels: Contribute, Design, Full Control.

Note that Use Remote Interfaces, Browse User Information and Open are part of every default level, including Limited Access, so anyone who can reach a single item can also reach it through the SOAP and WebDAV interfaces and can read the site's user list. If SharePoint Designer or WebDAV access must be blocked for a whole Web application, remove Use Remote Interfaces at the Web application level, as described under Default permission levels, rather than trying to remove it from individual permission levels.

Personal permissions

Each entry gives the permission, what it allows, the permissions it depends on, and the permission levels that include it by default.

  • Manage Personal Views: Create, change, and delete personal views of lists. Depends on: View Items, View Pages, Open. Default levels: Contribute, Design, Full Control.
  • Add/Remove Personal Web Parts: Add or remove personal Web Parts on a Web Part page. Depends on: View Items, View Pages, Open. Default levels: Contribute, Design, Full Control.
  • Update Personal Web Parts: Update Web Parts to display personalized information. Depends on: View Items, View Pages, Open. Default levels: Contribute, Design, Full Control.

To control the level of access to a site, site collection, or site content, you can define custom permission levels.

Customize an existing permission level

If the custom permission level that you want is nearly identical to an existing default permission level and you do not need to use the default permission level, you can customize the default permission level.

To customize an existing permission level

 

  1. Verify that you have one of the following administrative credentials:
    • You are a member of the Administrators group for the site collection.
    • You are a member of the Owners group for the site.
    • You have the Manage Permissions permission.
  2. On the Site Settings page, under Users and Permissions, click Site permissions.
  3. In the Manage section of the ribbon, click Permission Levels.
  4. In the list of permission levels, click the name of the permission level you want to customize.
  5. In the list of permissions, select or clear the check boxes to add permissions to or remove permissions from the permission level.
  6. Click Submit.

Copy an existing permission level

If the custom permission level that you want is similar to an existing default permission level, and you need to use both the default permission level and your custom permission level, you can copy the default permission level, and then modify the copy and save it as a new permission level.

To copy an existing permission level
1. Verify that you have one of the following administrative credentials:
• You are a member of the Administrators group for the site collection.
• You are a member of the Owners group for the site.
• You have the Manage Permissions permission.
2. On the Site Settings page, under Users and Permissions, click Site permissions.
3. In the Manage section of the ribbon, click Permission Levels.
4. In the list of permission levels, click the name of the permission level you want to copy.
5. At the bottom of the page, click Copy Permission Level.
6. On the Copy Permission Level page, in the Name field, type a name for the new permission level.
7. In the Description field, type a description for the new permission level.
8. In the list of permissions, select or clear the check boxes to add permissions to or remove permissions from the permission level.
9. Click Create.

 

Create a permission level

If there is no permission level similar to the one you need, you can create one.

To create a permission level

  1. Verify that you have one of the following administrative credentials:
    • You are a member of the Administrators group for the site collection.
    • You are a member of the Owners group for the site.
    • You have the Manage Permissions permission.
  2. On the Site Settings page, under Users and Permissions, click Site permissions.
  3. In the Manage section of the ribbon, click Permission Levels.
  4. On the toolbar, click Add a Permission Level.
  5. On the Add a Permission Level page, in the Name field, type a name for the new permission level.
  6. In the Description field, type a description of the new permission level.
  7. In the list of permissions, select the check boxes to add permissions to the permission level.
  8. Click Create.
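All three procedures above end in the same place: a permission level holding a particular set of rights. The following PowerShell, added here as an example and not part of the original page, does the "copy Contribute and trim it" variant with the SharePoint 2010 object model, and checks the dependency rules from the list permissions table before saving, because the Add a Permission Level page selects dependent permissions for you but the object model does not. The site URL http://myserver/site1, the level name, and the fact that only the list-permission dependencies are encoded are assumptions made for the example.

```powershell
# Added example, not from the original page. Creates a custom permission level
# with the SharePoint 2010 object model and checks the page's dependency rules first.
# Assumes: SharePoint 2010 Management Shell on a farm server; http://myserver/site1
# is a hypothetical site you administer.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Dependency rules for the list permissions, transcribed from the table above and
# keyed by the SPBasePermissions flag name behind each right.
$Dependencies = @{
    ManageLists         = 'ViewListItems','ViewPages','Open','ManagePersonalViews'
    CancelCheckout      = 'ViewListItems','ViewPages','Open'   # Override Check Out
    AddListItems        = 'ViewListItems','ViewPages','Open'
    EditListItems       = 'ViewListItems','ViewPages','Open'
    DeleteListItems     = 'ViewListItems','ViewPages','Open'
    ViewListItems       = 'ViewPages','Open'
    ApproveItems        = 'EditListItems','ViewListItems','ViewPages','Open'
    OpenItems           = 'ViewListItems','ViewPages','Open'
    ViewVersions        = 'ViewListItems','OpenItems','ViewPages','Open'
    DeleteVersions      = 'ViewListItems','ViewVersions','ViewPages','Open'
    CreateAlerts        = 'ViewListItems','ViewPages','Open'
    ViewFormPages       = 'Open'                                 # View Application Pages
    ManagePersonalViews = 'ViewListItems','ViewPages','Open'
    ViewPages           = 'Open'
    Open                = @()
}

# Returns one "X requires Y" string for every granted right whose dependency is missing.
function Get-MissingDependencies {
    param([Microsoft.SharePoint.SPBasePermissions]$Mask)
    $missing = @()
    $bits = [long]$Mask
    foreach ($flag in $Dependencies.Keys) {
        $flagBit = [long][Microsoft.SharePoint.SPBasePermissions]$flag
        if (($bits -band $flagBit) -eq 0) { continue }      # right not granted, nothing to check
        foreach ($dep in $Dependencies[$flag]) {
            $depBit = [long][Microsoft.SharePoint.SPBasePermissions]$dep
            if (($bits -band $depBit) -eq 0) { $missing += "$flag requires $dep" }
        }
    }
    return $missing
}

$web = Get-SPWeb http://myserver/site1
try {
    # Start from Contribute (the "copy an existing permission level" procedure), then
    # clear Delete Items and Delete Versions so these users can add and edit but not destroy.
    $bits = [long]$web.RoleDefinitions["Contribute"].BasePermissions
    $bits = $bits -band (-bnot ([long][Microsoft.SharePoint.SPBasePermissions]::DeleteListItems))
    $bits = $bits -band (-bnot ([long][Microsoft.SharePoint.SPBasePermissions]::DeleteVersions))
    $newMask = [Microsoft.SharePoint.SPBasePermissions]$bits

    # The UI selects dependent permissions for you; the object model does not, so check.
    $problems = @(Get-MissingDependencies -Mask $newMask)
    if ($problems.Count -gt 0) { throw ("Refusing to create level: " + ($problems -join '; ')) }

    $level = New-Object Microsoft.SharePoint.SPRoleDefinition
    $level.Name = "Contribute (no delete)"
    $level.Description = "Contribute permissions without Delete Items or Delete Versions"
    $level.BasePermissions = $newMask
    $web.RoleDefinitions.Add($level)
    "Created '$($level.Name)' on $($web.Url) with: $newMask"
}
finally { $web.Dispose() }
```

The dependency check is the part worth keeping even if you never script level creation: a level that grants Delete Versions without View Versions, or Approve Items without Edit Items, is accepted by the object model and then behaves inconsistently in the UI. Extending `$Dependencies` with the site and personal permission rows from the tables above makes the check complete.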

The procedures that follow describe the site-group model of the earlier Windows SharePoint Services 2.0, in which a site group combined a set of rights with a membership list. In SharePoint Server 2010 the rights side of a site group corresponds to a permission level and the membership side to a SharePoint group, and the same operations are carried out from the Site Permissions page described above. You can manage site groups from the Site Administration page for your Web site. To manage site groups, follow the Manage site groups link on the Site Administration page to the Manage Site Groups page. On this page, you can view a list of site groups, change which rights are included in a site group, add a new site group, or delete a site group.

View a list of site groups

  1. On the Site Settings page for your Web site, under Administration, click Go to Site Administration.
  2. On the Site Administration page, under Users and Permissions, click Manage site groups.

The site groups available for the Web site are displayed on the Manage Site Groups page.

You can add new site groups for use on your site from the Manage Site Groups page.

Add a new site group

  1. On the Manage Site Groups page, click Add a Site Group.
  2. In the Site Group Name and Description area, type the name and description for your new site group.
  3. In the Rights area, select the rights you want to include in the new site group.
  4. Click Create Site Group.

You can create a new site group based on an existing site group, and even copy the members of the existing site group into your new site group.

 

Copy an existing site group

  1. On the Manage Site Groups page, click the site group you want to copy.
  2. On the Members of “Site group name” page, click Edit Site Group Permissions.
  3. On the Edit Site Group “Site group name” page, click Copy Site Group.
  4. On the Copy the Site Group “Site group name” page, in the Site Group Name and Description area, type the name and description for your new site group.
  5. If you want to copy the users from the existing site group into your new site group, select the Copy users from “site group name” check box.
  6. In the Rights area, select any additional rights that you want the site group to contain, and clear any rights that you do not want the site group to contain.
  7. Click Create Site Group.

You can also edit an existing site group to change the rights assigned to that site group.


Edit an existing site group

  1. On the Manage Site Groups page, click the site group you want to change.
  2. On the Members of “Site group name” page, click Edit Site Group Permissions.
  3. On the Edit Site Group “Site group name” page, select the rights you want to include and clear any rights that you do not want.
  4. Click OK.

If you find that a site group is not used, you can delete the site group.

Delete an existing site group

  1. On the Manage Site Groups page, select the check box next to the site group you want to delete.
  2. Click Delete Selected Site Groups.

Using the Command Line to View Site Groups

You can view the list of site groups from the command line in Windows SharePoint Services by using the enumroles operation. This operation takes the -url parameter, and then simply lists the names of the site groups for that Uniform Resource Locator (URL), so you can use the correct site group name when assigning permissions to users. For example, to view the list of site groups for a site at http://myserver/site1, you would type the following command:

stsadm -o enumroles -url http://myserver/site1
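SharePoint 2010 replaces most stsadm operations with PowerShell. The following script, an added example rather than the page's own, is the 2010 counterpart of enumroles: it lists the permission levels defined on a Web site, and goes further to show which users and groups hold each level on the site and on every list that has stopped inheriting permissions. It assumes the SharePoint 2010 Management Shell on a farm server and the hypothetical URL http://myserver/site1.

```powershell
# Added example, not from the original page: PowerShell counterpart of
# "stsadm -o enumroles -url <site>" for SharePoint 2010, extended with who holds
# each level. Assumes the SharePoint 2010 Management Shell on a farm server;
# http://myserver/site1 is a hypothetical site URL.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-PermissionReport {
    param([string]$Url)
    $web = Get-SPWeb $Url
    try {
        # Permission levels ("roles") defined on the web: the enumroles output
        foreach ($rd in $web.RoleDefinitions) {
            New-Object PSObject -Property @{
                Scope = $web.Url; Kind = 'PermissionLevel'; Name = $rd.Name
                Detail = [string]$rd.BasePermissions
            }
        }
        # Who holds which level on the web itself
        foreach ($ra in $web.RoleAssignments) {
            New-Object PSObject -Property @{
                Scope = $web.Url; Kind = 'Assignment'; Name = $ra.Member.Name
                Detail = (($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ', ')
            }
        }
        # Lists that stopped inheriting: this is where per-list permissions live
        foreach ($list in $web.Lists) {
            if (-not $list.HasUniqueRoleAssignments) { continue }
            foreach ($ra in $list.RoleAssignments) {
                New-Object PSObject -Property @{
                    Scope = $list.RootFolder.ServerRelativeUrl; Kind = 'ListAssignment'
                    Name = $ra.Member.Name
                    Detail = (($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ', ')
                }
            }
        }
    }
    finally { $web.Dispose() }
}

Get-PermissionReport -Url http://myserver/site1 |
    Format-Table Scope, Kind, Name, Detail -AutoSize
```

When reading the output, rows whose Detail is Limited Access are the ones to follow up: they mark principals who were granted something on an item deeper in the site, and the list rows show where.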

Assigning Per-List Permissions

Windows SharePoint Services provides the ability to control permissions on a per-list basis. If you have sensitive information stored in a list, and you do not want to expose the information to all members of your site, you can set permissions for just that list to control which users can view, edit, or add items to that list. You can grant permissions to a list or document library to individual users, to groups of users, or to a site group. Per-list permissions work for any list or document library in a Web site based on Windows SharePoint Services (for example, Announcements, Tasks, Shared Documents, and so on).

List permissions can be changed by any user who has the Manage List Permissions right (by default, included in the Administrator site group) or Full Control permissions for that list. By default, all members of a Web site (all users assigned to a site group, except for the Guest site group) have access to all lists and document libraries on that Web site. Each site group has a predefined level of permissions for all lists and document libraries. The default list permissions are:

  • View items (given to the Reader site group by default)
  • View, insert, edit, delete items (given to the Contributor site group by default)
  • View, insert, edit, delete items; change list settings (given to the Web Designer site group by default)
  • View, insert, edit, delete items; change list settings; change list security

In addition, you can set advanced permissions, which allows you to grant any of the following rights for a user or site group:

  • Manage Lists (given to the Web Designer site group by default)
  • Manage List Permissions
  • Manage Personal Views (given to the Contributor site group by default)
  • Cancel Check-Out (applies only to document libraries; given to the Web Designer site group by default)
  • Add List Items, Edit List Items, and Delete List Items (given to the Contributor site group by default)
  • View List Items (given to the Reader site group by default)
Members of the Administrator site group always have the highest level of permissions for all lists and document libraries; you cannot change list or document library permissions for the Administrator site group. Also, a site group that has the View List Items right at the site level (such as Reader) can still see the list name, description, number of items, and time when the list was last modified on the site's pages, even after its per-list permissions have been removed so that its members cannot view the list contents. Treat list names and descriptions as visible to every site member, and do not put sensitive information in them.

To control permissions for a list, go to the list itself or to the Customize “List name” page for the list.

View permissions for a list

  1. Navigate to the list, and then in the left pane, click Modify settings and columns.
  2. On the Customize “Listname” page, in the General Settings section, click Change permissions for this <list/document library>.
  3. The Change Permissions: “Listname” page displays the users and groups that have access to the list, and shows the permission level each user or group is assigned.

You can change the list permissions for all members of a particular site group by modifying that site group’s permissions.

Change list permissions for a particular site group

  1. Navigate to the list, and then in the left pane, click Modify settings and columns.
  2. On the Customize “Listname” page, in the General Settings section, click Change permissions for this <list/document library>.
  3. Select the check box next to the site group you want to change. For example, select the check box next to Web Designer to change the permissions for all members of the Web Designer site group.
  4. Click Edit Permissions of Selected Users.
  5. In the Choose Permissions section, select the level of permissions to allow, and then click OK.

You can also grant permissions to individual users, or to user groups, instead of to all members of a site group. Remember that when you grant a user or group permissions to a specific list in your site, they are added to the Guest site group if they are not already members of the site. Note that members of the Guest site group cannot navigate to a page within the site unless you give them the exact page URL.

Assign list permissions to a specific user or group

  1. Navigate to the list, and then in the left pane, click Modify settings and columns.
  2. On the Customize “Listname” page, in the General Settings section, click Change permissions for this <list/document library>.
  3. On the list toolbar, click Add Users.
  4. In the Step 1: Choose Users section, in the Users area, in the text box, type the network domain name or e-mail address for the user or group you want to assign permissions.
  5. In the Step 2: Choose Permissions section, under Permissions, select the level of permissions for the user or group, and then click Next.
  6. In the Step 3: Confirm Users section, verify that the e-mail address, user name, and display name for the user or group are correct.
  7. If you want to notify the user or group of their permissions with an e-mail message, in the Step 4: Send E-Mail section, select the Send the following e-mail to let these users know they’ve been added check box, and fill in the text you want to send.
  8. Click Finish.

If you want to restrict your list to a specific set of users, you must both grant access to the individual users and remove access from other site members.

Remove list permissions for a user, group, or site group

  1. Navigate to the list, and then in the left pane, click Modify settings and columns.
  2. On the Customize “Listname” page, in the General Settings section, click Change permissions for this <list/document library>.
  3. Select the check box next to the site group, user, or group you want to remove permissions for, and then click Remove Selected Users.

If you no longer want to use unique permissions for a particular list, you can reset the permissions to use the Web site’s general permissions.

Reset permissions to the default state

  1. Navigate to the list, and then in the left pane, click Modify settings and columns.
  2. On the Customize “Listname” page, in the General Settings section, click Change permissions for this <list/document library>.
  3. Click Inherit permissions from the parent Web site.
  4. Click OK to change to inherited permissions.

The Inherit permissions from the parent Web site link does not appear unless the list permissions have already been customized.
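The per-list procedures above (stop inheriting, remove a site group, add a user, view the result, reset) map directly onto the SharePoint 2010 object model. The following PowerShell function, added here as an example and not part of the original page, performs them together for one list. Everything specific to it is assumed for illustration: the URL, the list title "Salary Review", the account CONTOSO\alice, the level name and the group names.

```powershell
# Added example, not from the original page: the per-list permission procedures
# above (stop inheriting, remove a site group, add a user, show the result) done
# with the SharePoint 2010 object model. Assumes the SharePoint 2010 Management
# Shell; the URL, list title, account and group names are hypothetical.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Set-RestrictedListAccess {
    param(
        [string]$WebUrl,
        [string]$ListTitle,
        [string]$Account,        # the user to keep, e.g. CONTOSO\alice
        [string]$LevelName,      # permission level to give that user, e.g. Read
        [string[]]$RemoveGroups  # site groups that must lose access to this list
    )
    $web = Get-SPWeb $WebUrl
    try {
        $list = $web.Lists[$ListTitle]

        # "Change permissions for this list": stop inheriting from the site. Passing $true
        # copies the parent's assignments so they can be pruned deliberately below.
        if (-not $list.HasUniqueRoleAssignments) { $list.BreakRoleInheritance($true) }

        # "Remove Selected Users": drop the site groups that must not see the list.
        foreach ($name in $RemoveGroups) {
            $group = $web.SiteGroups | Where-Object { $_.Name -eq $name }
            if ($group -ne $null) { $list.RoleAssignments.Remove($group) }
        }

        # "Add Users": EnsureUser resolves the account (on a claims web application, its
        # encoded claim) and adds it to the site's user list, the 2010 counterpart of the
        # Guest site group membership the text describes.
        $user = $web.EnsureUser($Account)
        $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($user)
        $assignment.RoleDefinitionBindings.Add($web.RoleDefinitions[$LevelName])
        $list.RoleAssignments.Add($assignment)

        # "View permissions for a list": who is left, and with which level.
        foreach ($ra in $list.RoleAssignments) {
            "{0,-40} {1}" -f $ra.Member.Name, (($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ', ')
        }
        # To undo everything above ("Reset permissions to the default state"):
        # $list.ResetRoleInheritance()
    }
    finally { $web.Dispose() }
}

Set-RestrictedListAccess -WebUrl http://myserver/site1 -ListTitle "Salary Review" `
    -Account "CONTOSO\alice" -LevelName "Read" -RemoveGroups "Site1 Members","Site1 Visitors"
```

Passing `$true` to BreakRoleInheritance and then removing groups by name is deliberate: copying the parent's assignments and pruning leaves the site Owners group (Full Control) in place, whereas starting from an empty assignment list and forgetting the owners locks everyone but site collection administrators out of the list.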

Controlling Access for All Authenticated Users

If you want all authenticated users of your intranet to be able to access your Web site, rather than adding each user individually or in groups, you can configure your site to grant rights to every user who can authenticate to your network. You can also specify which site group (either Reader or Contributor) to assign to all authenticated users. Note that this covers every account the Web server can authenticate, including service accounts and accounts from trusted domains, so it is rarely the right choice for a site that holds sensitive information.

Allow all authenticated users rights to a top-level Web site

  1. On your site, click Site Settings.
  2. Under Administration, click Go to Site Administration.
  3. On the Site Administration page, under Users and Permissions, click Manage anonymous access.
  4. In the All Authenticated Users section, under Allow all authenticated users to access site, select Yes.
  5. Under Assign these users to the following site group, select a site group.
  6. Click OK.

Controlling Anonymous Access to a Web Site

If you want users to be able to contribute to your site anonymously, you can configure your site to allow anonymous access. Anonymous access is used to allow users to browse sites without authenticating (a standard Internet scenario), respond anonymously to surveys, or even contribute to a list or document library anonymously.

Anonymous access relies on the anonymous user account on your Web server. This account is created and maintained by your Web server (Internet Information Services (IIS)), not by Windows SharePoint Services. On IIS, the anonymous user account is usually IUSR_ComputerName. When you enable anonymous access in Windows SharePoint Services, you are enabling that user account for your Web site.

Enabling Anonymous Access

Anonymous access is disabled by default, and is controlled at the site level. If you want to allow anonymous access (such as for an Internet site, where you want visitors to be able to browse without authenticating), you must enable anonymous access by assigning rights to the anonymous user. To enable anonymous access, you must first be sure that IIS is configured to allow anonymous access, and then on the Site Administration pages for your Web site, you can enable anonymous access.

Allow anonymous access for a virtual server in Internet Information Services

  1. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
  2. Right-click the virtual server you want to enable anonymous access for, and then click Properties.
  3. Click the Directory Security tab.
  4. In the Authentication and access control section, click Edit. The Authentication Methods dialog box appears.
  5. Select the Enable anonymous access check box.
  6. Click OK to close the Authentication Methods dialog box.
  7. Click OK to close the Properties dialog box.

These steps describe the IIS 6.0 Manager on Windows Server 2003; in IIS 7 and later the same setting is the Anonymous Authentication entry under Authentication for the Web site. You may need to restart IIS for this change to take effect. After anonymous access has been turned on for the virtual server in IIS, you can enable anonymous access for a specific top-level Web site.

Enable anonymous access for a top-level Web site

  1. On your site, click Site Settings.
  2. Under Administration, click Go to Site Administration.
  3. On the Site Administration page, under Users and Permissions, click Manage anonymous access.
  4. In the Anonymous Access section, select a level of access to allow:
    • Entire Web site
    • Lists and libraries
    • Nothing
  5. Click OK.

Per-List Permissions and Anonymous Access

You can control anonymous access for your entire site by using the Manage Anonymous Access page, or you can control anonymous access for specific lists by using the per-list permissions feature. If anonymous access is disabled for your site, it cannot be enabled for a particular list in the site.

Enable anonymous access for a list

  1. Verify that anonymous access is enabled for your site.
  2. Navigate to the list, and then in the left pane, click Modify settings and columns.
  3. On the Customize “Listname” page, in the General Settings section, click Change permissions for this <list/document library>.
  4. In the Action pane, click Change anonymous access.
  5. On the Change Anonymous Access Settings page, select the check box for the level of permissions that you want to grant to anonymous users. If Internet Information Services (IIS) is not configured to allow anonymous access, these check boxes are unavailable.
  6. Click OK.

Rights granted here apply to anyone who can reach the server and cannot be traced to a person, so give anonymous users add or edit rights only on lists that are designed for untrusted input, such as a survey, and never on libraries whose contents other people or processes act on.
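Because anonymous access is decided at three layers (the IIS setting on the Web application, the site's anonymous state, and the per-list rights), and each lower layer can only grant what the layer above allows, an audit has to read all three. The following PowerShell, added as an example and not part of the original page, walks every Web application in the farm and reports the IIS-level setting for each zone, each site's anonymous state, and every list that grants anonymous rights. It assumes the SharePoint 2010 Management Shell on a farm server, reads settings only, and changes nothing.

```powershell
# Added example, not from the original page: report every place in the farm where
# anonymous access is allowed, at the three layers the text describes (IIS/web
# application zone, site, list). Assumes the SharePoint 2010 Management Shell on a
# farm server. Read-only: it changes nothing.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-AnonymousExposure {
    foreach ($webApp in Get-SPWebApplication) {
        # Layer 1: the IIS setting ("Enable anonymous access"), one per zone
        $anyZoneAnonymous = $false
        foreach ($zone in $webApp.IisSettings.Keys) {
            $allow = $webApp.IisSettings[$zone].AllowAnonymous
            if ($allow) { $anyZoneAnonymous = $true }
            New-Object PSObject -Property @{
                Layer = 'WebApplication'; Target = "$($webApp.DisplayName) [$zone]"
                Anonymous = $allow; Detail = ''
            }
        }
        if (-not $anyZoneAnonymous) { continue }   # nothing below can be anonymous

        foreach ($site in $webApp.Sites) {
            try {
                foreach ($web in $site.AllWebs) {
                    # Layer 2: the site setting (Nothing / Lists and libraries / Entire Web site)
                    $state = $web.AnonymousState     # Disabled, Enabled or On respectively
                    New-Object PSObject -Property @{
                        Layer = 'Web'; Target = $web.Url
                        Anonymous = ($state -ne 'Disabled'); Detail = [string]$state
                    }
                    if ($state -eq 'Disabled') { $web.Dispose(); continue }

                    # Layer 3: per-list anonymous rights ("Change anonymous access")
                    foreach ($list in $web.Lists) {
                        $mask = $list.AnonymousPermMask64
                        if ($mask -ne [Microsoft.SharePoint.SPBasePermissions]::EmptyMask) {
                            New-Object PSObject -Property @{
                                Layer = 'List'; Target = $list.RootFolder.ServerRelativeUrl
                                Anonymous = $true; Detail = [string]$mask
                            }
                        }
                    }
                    $web.Dispose()
                }
            }
            finally { $site.Dispose() }
        }
    }
}

Get-AnonymousExposure | Format-Table Layer, Target, Anonymous, Detail -AutoSize
```

The Detail column for list rows is the anonymous permission mask spelled out as flag names, so a list showing AddListItems or EditListItems is one that accepts anonymous contributions, which is what the text means by contributing "anonymously to a list or document library" and the first thing to question on an Internet-facing site.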

