SharePoint Permissions
• Who has access?
• What can they do with the access?
• What is the easiest way to manage the permissions?
• What structure of sites and lists/libraries makes the most sense for your workflow?

Authentication – establishes identity
• We use Active Directory as the authentication provider
• AD user accounts can represent individuals or groups of people
  • NPS\dsmith
  • NPS\domain users
• AD user accounts are added to SharePoint, either as individual users or as part of SharePoint groups

Authorization – permission to do certain tasks
• What can a user see? Apply permissions so users can get to the information they need, but cannot access restricted information
• What can a user do with the resource? Apply permissions so that the ability to modify resources is no greater than necessary

Permissions and Permission Levels
• Thirty-three distinct permissions
• Permission levels are groups of distinct permissions
• Permission levels are assigned to individual users or to SharePoint groups
• Default permission levels are Full Control, Design, Contribute and Read

Default permission levels
• Full Control (Owners group): All permissions.
• Design: Create lists and document libraries, edit pages and apply themes to the web site.
• Contribute (Members group): Add, edit, and delete items in existing lists and document libraries.
• Read (Visitors group): Read-only access. View and open items and documents.
• Limited Access: Automatically assigned, to give enough access so the user can navigate to the item that they do have permission for.

Planning
• Design a clear hierarchy of inheritance
• Separate sensitive data into its own lists, libraries, or even better, subsites
• Balance ease of administration with the control of granular permissions
• Decide what groups to use and what permission levels to give them

Who might be in these groups?
• Team Site Owners (Full Control)
  • Two or three individuals at the most
• Team Site Members (Contribute)
  • Might be individuals if a small workgroup
  • Might be an Active Directory group that includes everybody in an office or organizational group (e.g. NPS\inpnridg for NRPC)
  • Might be all NPS domain users
• Team Site Visitors
  • Often all NPS domain users if there is no sensitive information on the site

Fine Points
• In most cases, assign permission levels to SharePoint groups instead of individuals
• Look for existing Active Directory groups or ask that they be created
• All groups have an owner (can be a single person or a single group)
• Settings determine who can view or edit the membership of a group
• Restricted access sites should be lower in the hierarchy
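
Added example (not part of the original slides): a PowerShell audit of one site collection against the guidance above. It reports individual accounts that hold a permission level directly instead of through a group, and Owners groups with more than three members. It assumes an on-premises SharePoint Server with the Microsoft.SharePoint.PowerShell snap-in; the site URL is a placeholder and the function name is hypothetical.

```powershell
# Added example. $SiteUrl is a placeholder; Get-DirectAssignment is a hypothetical helper.
param([string]$SiteUrl = "http://sharepoint.example/sites/team")
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function New-Finding($Finding, $Scope, $Url, $Principal, $Detail) {
    New-Object PSObject -Property @{
        Finding = $Finding; Scope = $Scope; Url = $Url
        Principal = $Principal; Detail = $Detail
    }
}

function Get-DirectAssignment($Securable, $Scope, $Url) {
    foreach ($ra in $Securable.RoleAssignments) {
        # Limited Access is assigned automatically, so it is not a finding.
        $levels = @($ra.RoleDefinitionBindings |
            Where-Object { $_.Name -ne "Limited Access" } |
            ForEach-Object { $_.Name })
        if ($levels.Count -eq 0) { continue }
        $m = $ra.Member
        # An SPUser that is not a domain group is an individual account.
        # SharePoint groups (SPGroup) and AD groups are the preferred targets.
        if ($m -is [Microsoft.SharePoint.SPUser] -and -not $m.IsDomainGroup) {
            New-Finding "Individual assigned directly" $Scope $Url `
                $m.LoginName ($levels -join ", ")
        }
    }
}

$site = Get-SPSite $SiteUrl
try {
    foreach ($web in $site.AllWebs) {
        try {
            # Only objects that break inheritance carry their own assignments.
            if ($web.HasUniqueRoleAssignments) {
                Get-DirectAssignment $web "Site" $web.Url
                $owners = $web.AssociatedOwnerGroup
                # An AD group inside the Owners group counts as one member here.
                if ($owners -and $owners.Users.Count -gt 3) {
                    New-Finding "Owners group larger than three" "Site" $web.Url `
                        $owners.Name "$($owners.Users.Count) members"
                }
            }
            foreach ($list in $web.Lists) {
                if ($list.HasUniqueRoleAssignments -and -not $list.Hidden) {
                    $listUrl = $web.Url + "/" + $list.RootFolder.Url
                    Get-DirectAssignment $list "List" $listUrl
                }
            }
        } finally { $web.Dispose() }
    }
} finally { $site.Dispose() }
```

Each list or library that appears in the output has broken inheritance; those are the places to check against the planned hierarchy.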