Documente Academic
Documente Profesional
Documente Cultură
SharePoint Permissions
Introduction to SharePoint Permissions
MATIJA HANI
About Matija
Page 1 of 18
Whitepaper SharePoint Permissions
Content
ABOUT MATIJA 1
CONTENT 2
SHAREPOINT PERMISSIONS 3
1. SharePoint Principals 4
Sample Demo 1 - Users and Groups 5
2. Securable Objects 7
3. SharePoint Permissions 8
Sample Demo 2 Manage Permission Levels 10
Role Assignments 12
Sample Demo 3 - Permission Management 14
Item-Level Permissions 16
CONCLUSION 17
Page 2 of 18
Whitepaper SharePoint Permissions
SharePoint Permissions
Introduction to permissions management
All enterprises need tools and procedures to keep content secure. SharePoint comes
with a powerful set of tools that help you control access to content. The following
white paper will cover some concepts related to content security in a SharePoint farm.
Regardless of the environment in which you are trying to secure your content, you face
the challenge of identifying the following elements:
2) Securable Objects: objects that users can access only with permission
Page 3 of 18
Whitepaper SharePoint Permissions
1. SharePoint Principals
In SharePoint, permissions
are assigned to principals.
A user in SharePoint is a person who has a user account from any authentication
provider supported by the Web application (Windows, ASP.NET membership provider,
etc.). Both AD users and AD groups are represented as SPUser objects.
A SharePoint user is defined at a site collection level, which means that if the same AD
user has permissions for multiple site collections, that user will have access to
multiple SPUser objects with different IDs for each site collection.
To access the list of users for a particular site, you should use the
following SPWeb properties:
SPWeb.SiteUsers
- a collection of all users in the site collection
SPWeb.AllUsers
- a collection of all users who are members of the current subsite
SPWeb.Users
- a collection of all users who have been directly given permissions for the
current subsite
Page 4 of 18
Whitepaper SharePoint Permissions
A SharePoint group is defined at a site collection level. It can only contain users (AD
users and AD groups). You cannot put SharePoint groups inside
other SharePoint groups.
The list of SharePoint groups can be accessed by using the following SPWeb properties:
SPWeb.SiteGroups
- a collection of all groups in the site collection
SPWeb.Groups
- a collection of all groups in the current subsite
Page 5 of 18
Whitepaper SharePoint Permissions
spGroup.Users.AddUser(newUsr);
context.ExecuteQuery();
Page 6 of 18
Whitepaper SharePoint Permissions
2. Securable Objects
You have the ability to stop inheriting permissions from any object. When you stop
inheriting permissions, all groups, users, and permission levels will be copied from the
parent object to the child object. After that, changes made to the parent object will no
longer affect the child object (and vice versa).
SPSecurableObject.HasUniqueRoleAssignments
- a flag indicating whether this object inherits permissions from the parent
object
SPSecurableObject.RoleAssignments
- a collection of all permissions assignments for the current object
SPSecurableObject.BreakRoleInheritance()
- a command to stop inheriting permissions from the parent object
SPSecurableObject.ResetRoleInheritance()
- a command to delete unique permissions for this object and restore
permission inheritance from the parent object
Breaking inheritance allows you to uniquely secure your content, but you should keep
in mind that every uniquely secured scope you create increases the number of places
where you need to perform updates when you need to change the permissions for a
user or group.
Page 7 of 18
Whitepaper SharePoint Permissions
3. SharePoint Permissions
SharePoint 2013 comes with 33 built-in permissions that help you define content
access levels. Permissions are categorized as list permissions, site permissions, and
personal permissions, depending on the objects to which they are applied:
o Create subsites: Create subsites such as team sites, meeting workspace sites, and
document workspace sites.
o Manage permissions: Create and change permission levels on the website and
assign permissions to users and groups.
o Add and customize pages: Add, change, or delete HTML pages or Web Part
pages, and edit the website.
o Manage lists: Create and delete lists, add or remove columns in a list, and add
or remove public views of a list.
o Add items: Add items to lists, and add documents to document libraries.
o Edit items: Edit items in lists, edit documents in document libraries, and
customize Web Part pages in document libraries.
o Delete items: Delete items from a list, and documents from a document library.
Page 8 of 18
Whitepaper SharePoint Permissions
o Manage personal views: Create, change, and delete personal views of lists.
o Add/remove personal Web Parts: Add or remove personal Web Parts on a Web
Part page.
o Update personal Web Parts: Update Web Parts to display personalized
information.
Page 9 of 18
Whitepaper SharePoint Permissions
Example 2 List all details for a single permission level using CSOM
//detailed view of all base permission for the Contribute permission level
Page 10 of 18
Whitepaper SharePoint Permissions
Page 11 of 18
Whitepaper SharePoint Permissions
Role Assignments
SPPrincipal (who)
SPSecurableObject (where)
SPRoleDefinition (what)
Another consideration, before you grant permissions to a user, is whether to grant the
permissions directly to the desired user or to use a SharePoint or AD group.
In most cases, you should rely on granting permissions to groups and managing the
groups memberships. Tracking permissions for individual users on a number of
uniquely secured objects is time-consuming and error prone.
Using AD groups allows AD DS to manage the users for you, so you can centralize
security with other enterprise applications that also rely on AD DS. For ease of
administration, it is still preferable not to grant permission to AD groups directly, but
to instead add them as members of SharePoint groups. You should also avoid using
AD groups that contain nested groups.
Page 12 of 18
Whitepaper SharePoint Permissions
Using AD security groups also has a downside: security groups in SharePoint sites do
not provide full visibility for everything that occurs on the site.
For example, when a security group is added to a SharePoint group for a specific site,
the site will not appear in the users My Sites. The User Information List will not show
activity to individual users until they have contributed to the site. In addition, security
groups that have a deep nested structure might break SharePoint sites.
Based on these advantages and disadvantages, you should use the following
guidelines:
Page 13 of 18
Whitepaper SharePoint Permissions
Page 14 of 18
Whitepaper SharePoint Permissions
Certain users in SharePoint have access to administrative task and can access all the
content on the site collection or even entire farm. These users are called farm
administrators and site collection administrators.
Farm Administrators
Members of the farm administrator groups perform administrative tasks in the
SharePoint central administration. They have the permissions to change web
application policies and site collection administrators. Therefore, they can grant
permissions to themselves to access any site, list, or document on your farm. You can
add individual users or AD groups to the farm administrators group.
To manage site collection administrators, you need to change the following properties:
SPSite.Owner
- primary administrator of the site collection
SPSite.SecondaryContact
- secondary administrator of the site collection
SPWeb.SiteAdministrators
- site collection administrators group
Page 15 of 18
Whitepaper SharePoint Permissions
Item-Level Permissions
A common requirement for a list is that a user should be able to read and edit items
for which he or she is the author. This can be accomplished by using the Item-Level
Permissions found under the Advanced Settings for a list.
You can also limit the items a user is allowed to create or edit:
Page 16 of 18
Whitepaper SharePoint Permissions
Conclusion
The out of the box tools that SharePoint provides can help you secure your content
but are also limiting when it comes down to tracking certain permissions for a user or
managing permissions over time. Preparing an overview of the necessary permissions
is time-consuming. You need to be able to ask and answer questions such as the
following:
Who can access the document Executive Salaries? (Your answer to this question
should be a report of all users who can access the document, including group
members of the groups that have access.)
How can a user access this document? (Your answer will depend on whether
permissions have been directly assigned to the user or whether the user must be
a member of a SharePoint group or AD group to receive those permissions.)
Where does user X have permissions? (Your answer will be a list of all the
documents a user can access through both unique and inherited permissions on
a site collection level, or even a farm level.)
To answer these questions, you would either have to take a lot of time to track down
the answers through the SharePoint UI or develop a custom solution. Lets take a look
at some common situations when it comes to permissions management:
Page 17 of 18
Whitepaper SharePoint Permissions
What is SPDocKit?
Why SPDocKit?
Try it!
Take SPDocKit for a spin: download it now. A 30-day free trial and
more info is available at www.spdockit.com.
Page 18 of 18