Best Practices for managing SharePoint permission Levels
SharePoint 2010
Tony Rockwell

Who?
Tony Rockwell
About me:
• 20+ years in IT
• 5 years focused on SharePoint
• MCTS SharePoint 2010 Configuration
• SharePoint Administration
• Installation; Configuration; Upgrades
• Enable OOTB features
• Implement 3rd party tools
• Founding Board Member of SANSPUG
• SPSSAN organizer
Solution Specialist at EPM Live
EPM Live is the global leader in SharePoint-based project, portfolio & work management solutions that help organizations increase productivity by improving visibility, execution and collaboration on all types of work.
• PortfolioEngine
• WorkEngine
• ProjectEngine

House Keeping
• Thank our Sponsors!
• This is an Interactive Session
• Save questions – you choose
Twitter hashtags: #PermissionLevels

Agenda
• SharePoint Security
• Why Create custom permission levels?
• Inheritance & Scopes
• Best Practices
• Permission Level Scenario
• How-To using the SharePoint interface
• How-To using PowerShell
• References

SharePoint Security
• Why create custom permission levels?
  • Because security matters to you
  • Ease security administration
  • Enable refined security
• Terminology
  • Permission Levels
  • Users
  • Groups
  • Securable Objects
  • Inheritance & Scopes
Farm Administrator
Service Application Administrator
Feature Administrator
Site Collection Administrator

Inheritance & Scopes
Site Collection
• Web Object
• Web Object
• Document Library Object
Scope 1
• Folder
• Item
• Item
• Item
Scope 2

Best Practices: SharePoint Permissions
• Use fine-grained permissions only when the business case requires it
• Break permission inheritance as infrequently as possible
• Use domain groups to assign permissions to sites when possible
• Assign permissions at the highest level possible
• Make use of appropriate SP roles

Best Practices: SharePoint Permission Levels & Scopes
• Don’t modify or delete a default permission level
• Copy a default permission level & modify it
• The maximum # of unique security scopes set for a list should not exceed 1,000
• Use group membership rather than individual membership in your scopes

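A read-only audit for the practices on the two slides above, added here as an example and not taken from the original deck. It reports accounts granted permissions directly instead of through a group, lists that break inheritance, and lists whose count of uniquely secured items and folders passes the 1,000 figure; the site URL and the finding names are assumptions.

```powershell
# Added example: read-only audit. $siteUrl is an assumed value.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl    = "http://sharepoint.contoso.com"
$scopeLimit = 1000   # per-list ceiling for unique security scopes, from the slide

# Hypothetical helper: one output row per finding
function New-Finding($type, $url, $detail) {
    New-Object PSObject -Property @{ Finding = $type; Url = $url; Detail = $detail }
}

$site = Get-SPSite $siteUrl
try {
    $findings = foreach ($web in $site.AllWebs) {
        try {
            # Permissions granted to a single account instead of a group
            if ($web.HasUniqueRoleAssignments) {
                foreach ($ra in $web.RoleAssignments) {
                    $m = $ra.Member
                    if ($m -is [Microsoft.SharePoint.SPUser] -and -not $m.IsDomainGroup) {
                        New-Finding "DirectUserAssignment" $web.Url $m.LoginName
                    }
                }
            }
            foreach ($list in $web.Lists) {
                $listUrl = $web.Url + "/" + $list.RootFolder.Url
                if ($list.HasUniqueRoleAssignments) {
                    New-Finding "ListBreaksInheritance" $listUrl $list.Title
                }
                # Each item or folder with its own permissions adds a scope.
                # Enumerating Items is slow on large lists; run off-hours.
                $unique  = @($list.Items   | Where-Object { $_.HasUniqueRoleAssignments }).Count
                $unique += @($list.Folders | Where-Object { $_.HasUniqueRoleAssignments }).Count
                if ($unique -gt 0) {
                    $type = if ($unique -gt $scopeLimit) { "ScopeLimitExceeded" } else { "UniqueItemScopes" }
                    New-Finding $type $listUrl "$unique items/folders with unique permissions"
                }
            }
        }
        finally { $web.Dispose() }
    }
    $findings | Sort-Object Finding, Url | Format-Table Finding, Url, Detail -AutoSize
}
finally { $site.Dispose() }
```

Run it from the SharePoint 2010 Management Shell with an account that is a site collection administrator; it changes nothing on the farm.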
Scenario
• The Company
• Each department owns a site
• Department site owner to manage site… but delegates permissions to someone else
• Delegate should not modify site, pages, etc.; only add/remove (manage) users
• Delegate should also have standard “Contribute” access to site

Required Administrative Credentials
• You are a member of the Administrators group for the site collection
• You are a member of the Owners group for the site
• You have the Manage Permissions permission
If you use PowerShell you also need the SharePoint_Shell_Access role in the SQL db

How-to: SharePoint interface
• Navigate to top-level site
• Site Actions > Site Permissions (or Site Settings for Publishing)
• Click on Permission Levels in the Ribbon
• Select the permission level to copy – Contribute
• Scroll down & select Copy Permission Level

How-to: SharePoint interface
• Name the new permission level (User Manager) & enter a description (e.g. “Use this permission to Manage Users”)
• Select desired permissions
• Check Enumerate Permissions (Manage will auto-select; deselect it)
• Scroll down & click Create
The custom permission level is ready to use!
• Create a SharePoint group for each department, e.g. “Accounting User Managers”
• Give the group the “User Manager” permission level
• Make the owner of this SP Group the Site Owner or SCA
• Change the owner of the Member & Visitor groups

How-to: PowerShell
PS > $spWeb = Get-SPWeb http://sharepoint.contoso.com
Create a new object
PS > $plevel = New-Object Microsoft.SharePoint.SPRoleDefinition
Add name and description
PS > $plevel.Name = "Custom: User Manager"
PS > $plevel.Description = "Enumerate Permissions"
Set the base permissions
PS > $plevel.BasePermissions = "EnumeratePermissions"

How-to: PowerShell
Add the permission level to your site
PS > $spWeb.RoleDefinitions.Add($plevel)
Clean up
PS > $spWeb.Dispose()
See base permissions that are available
PS > [system.enum]::GetNames("Microsoft.SharePoint.SPBasePermissions")
EmptyMask
ViewListItems
AddListItems
EditListItems
DeleteListItems
ApproveItems
OpenItems
ViewVersions
DeleteVersions
CancelCheckout
ManagePersonalViews
ManageLists
ViewFormPages
Open
ViewPages
AddAndCustomizePages
ApplyThemeAndBorder
ApplyStyleSheets
ViewUsageData
CreateSSCSite
ManageSubwebs
CreateGroups
ManagePermissions
BrowseDirectories
BrowseUserInfo
AddDelPrivateWebParts
UpdatePersonalWebParts
ManageWeb
UseClientIntegration
UseRemoteAPIs
ManageAlerts
CreateAlerts
EditMyUserInfo
EnumeratePermissions
FullMask

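The scenario end to end, as an added example that is not part of the original deck: it scripts the interface steps (copy Contribute, add Enumerate Permissions, create the department group, bind the level to it) and can be re-run safely. The site URL, the group name and its description are assumptions, and "Contribute" assumes an English-language site.

```powershell
# Added example, not from the original slides. URL and group name are assumed.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl   = "http://sharepoint.contoso.com"   # top-level site
$levelName = "User Manager"
$groupName = "Accounting User Managers"

$web = Get-SPWeb $siteUrl
try {
    # Start from the default Contribute level; the default itself is never edited.
    $contribute = $web.RoleDefinitions | Where-Object { $_.Name -eq "Contribute" }
    if (-not $contribute) { throw "Contribute permission level not found on $siteUrl" }

    # Create the custom level only if it is not already there
    $level = $web.RoleDefinitions | Where-Object { $_.Name -eq $levelName }
    if (-not $level) {
        $level = New-Object Microsoft.SharePoint.SPRoleDefinition
        $level.Name        = $levelName
        $level.Description = "Use this permission to Manage Users"
        # The flags enum converts from a comma-separated list of names, so this
        # is Contribute's rights plus EnumeratePermissions.
        $level.BasePermissions = "$($contribute.BasePermissions), EnumeratePermissions"
        $web.RoleDefinitions.Add($level)
        $level = $web.RoleDefinitions | Where-Object { $_.Name -eq $levelName }
    }

    # Department group, owned by the site collection owner
    if (-not ($web.SiteGroups | Where-Object { $_.Name -eq $groupName })) {
        $web.SiteGroups.Add($groupName, $web.Site.Owner, $null, "Manages users for Accounting")
    }
    $group = $web.SiteGroups | Where-Object { $_.Name -eq $groupName }

    # Bind the custom level to the group on this site
    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
    $assignment.RoleDefinitionBindings.Add($level)
    $web.RoleAssignments.Add($assignment)

    # Show what the new level actually grants, for review
    $level.BasePermissions
}
finally { $web.Dispose() }
```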
Session wrap-up
• Questions
• Please complete a Session Survey
• Help me improve
• Help the organizers improve future events
• Win prizes!

Contact me @
Email: trockwell@epmlive.com
Twitter: @sharepoinTony
Blog: http://sharepoinTony.info/blog
LinkedIn: http://www.linkedin.com/in/ajrockwell
San Diego SharePoint Users Group: www.sanspug.org
slideshare: http://www.slideshare.net/trock2010/
REFERENCE:
• Technet - User Permissions and Permission Levels
  http://technet.microsoft.com/en-us/library/cc721640.aspx
• Spbasepermissions - definitions
  http://technet.microsoft.com/en-us/library/microsoft.sharepoint.spbasepermissions(v=office.12).aspx
• SP Permission Inheritance
  http://technet.microsoft.com/en-us/library/cc287792(v=office.12).aspx
• Best Practices for Fine-grained Permissions (White Paper)
  http://technet.microsoft.com/en-us/library/gg130816(v=office.12).aspx
• Best Practices Center for SharePoint 2010
  http://technet.microsoft.com/en-us/sharepoint/hh189420

The After-Party: SharePint
Karl Strauss Brewing Company
1157 Columbia Street, San Diego, CA 92101
Phone: 619-234-2739
Immediately following event closing & prize drawings (@6:30 pm)
Directions (.9 miles):
1. Head northeast on 1st Ave
2. Turn left onto W. B St
3. Turn left onto Columbia St
Karl Strauss will be on the left

Thank our Sponsors
Please be sure to fill out your session evaluation!