Chapter 8 – Securing and Managing Site Content

Wrox – Professional SP 2010 Admin: page 195

Permission levels – are made up of sets of permissions. SP ships with a fixed list of permissions; they can’t be added, edited or deleted.

Securable objects – are levels within SP 2010 that can be locked down, or secured, by setting specific user access. Sites, lists, libraries and items are all securable objects.

Server farm level access:

(1) Local administrators: Also members of the server farm administrators group; can do all the duties of a farm admin, plus other non-SharePoint tasks such as installing patches, service packs and IIS, starting/stopping services, SQL Server maintenance, etc. By default they do not have access to SP sites.

(2) Farm administrators: Can perform any task in Central Admin. By default they do not have access to SP sites.

To manage server farm administrators, from the Central Admin website go to Site Actions -> Site Settings -> People and Groups. It’s not a function in any of the 8 major Central Admin categories!

Service Application Administrators, two groups:

(1) Service administrators: Delegated by a Farm Admin; can manage settings for a specific service application. Central Admin -> Manage Service Applications.

(2) Feature administrators: Delegated by a Farm Admin; are associated with a specific feature within a service application.

Site Collection Administrators —

Have full permission/access to all sites under the site collection.


Site Administration —

Site Owners group – users have full control over content on this site. Can be customized on a child site or lower level. When you create a site, a [site name] Owners group is created, and its members have full access to the new site.

Administration beneath the site level —

Doesn’t always require group membership.

- Document library or list – no specific group manages content at this level, but permissions can be configured. Useful when you only want a portion of your content to have restricted access.
- Individual items – similar to the above.

Understanding permissions —

Permission levels –

Tips —

(1) It’s not a good idea to modify the default permission levels. Make a copy and edit that instead.
(2) It’s not a good idea to delete a default permission level.

6 default levels –

(1) Full Control – has access to everything on the site and can perform site admin tasks. Not to be confused with site collection administrators.
(2) Design – view/add/update/delete/approve/customize. Can approve content too. Can do anything on the securable objects except admin tasks.
(3) Contribute – view/add/update/delete list items and documents. The standard permission level for granting users access to content and containers.
(4) Read – View pages and list items and download documents. The standard permission for users who need to read, but not add/edit, items.
(5) Limited Access – Can view specific items, lists, documents, folders. This level cannot be assigned directly; instead, it is a customized set of permissions.
(6) View Only – Can view pages, list items, documents. Users can’t download documents that have server-side file handlers.


(1) Restricted Read – For publishing sites only. Similar to Read, but cannot create alerts, browse user info or use client integration.
(2) View Only
(3) Approve – Edit/approve pages, list items, documents. For publishing sites only.
(4) Manage Hierarchy – create sites; edit pages/list items/documents. For publishing sites only.

Creating a New Permission Level Based on Existing Permission Level
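Added example (not from the book or this post) of the copy-then-edit approach from tip (1): clone the default Contribute level into a new level without delete rights, using the SharePoint 2010 object model from PowerShell. The site URL and the new level’s name are placeholders.

```powershell
# Run in the SharePoint 2010 Management Shell (or load the snap-in as below).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "http://intranet.example.com"        # placeholder site collection URL
$newName = "Contribute Without Delete"          # placeholder name for the copy
$drop    = @("DeleteListItems", "DeleteVersions")  # rights to strip from the copy

# Role definitions are added at the root web, which always owns its own set.
$site = Get-SPSite $siteUrl
try {
    $web = $site.RootWeb

    # Look up by name with Where-Object; the indexer throws when a name is missing.
    $source = $web.RoleDefinitions | Where-Object { $_.Name -eq "Contribute" }
    if ($source -eq $null) { throw "Default 'Contribute' level not found on $siteUrl" }
    if ($web.RoleDefinitions | Where-Object { $_.Name -eq $newName }) {
        throw "A permission level named '$newName' already exists"
    }

    # BasePermissions is a [Flags] enum; ToString() gives "ViewListItems, AddListItems, ...".
    # Filtering the names avoids 64-bit bitwise operators, which older PowerShell rejects.
    $keep = $source.BasePermissions.ToString() -split ",\s*" |
            Where-Object { $drop -notcontains $_ }

    # SPRoleDefinition has a copy constructor; the default level itself is left untouched.
    $copy = New-Object Microsoft.SharePoint.SPRoleDefinition($source)
    $copy.Name            = $newName
    $copy.Description     = "Copy of Contribute without the right to delete items or versions"
    $copy.BasePermissions = [Microsoft.SharePoint.SPBasePermissions]($keep -join ",")

    $web.RoleDefinitions.Add($copy)
    Write-Host "Created '$newName' with: $($copy.BasePermissions)"
}
finally {
    $site.Dispose()   # disposing the site also releases RootWeb
}
```

After it runs, the new level appears under Site Settings > Site permissions > Permission Levels beside the untouched default.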

SharePoint Security Groups: Created within the browser and usable within a given site collection. By default, SP creates security groups (site groups) when a new site collection is created. The groups created vary according to the template that is used.

(1) Site Collection Administrators: have Full Control permission and can do anything in the site collection. Can’t be overridden.

Owners/Members/Visitors – By default these groups are created for all new site collections.

Configuring Permission during site creation —

When you create a new [site], the default is to use the same permissions as the parent site collection. If you choose to use unique permissions, you will be prompted to configure three new access groups: [new site name] Owners/Members/Visitors.

When you add a new SP security group (at the site collection level), it applies to the current securable object and all child securable objects.

Active Directory Groups –

You can also use AD groups. For security, you must use AD email-enabled security groups. Distribution lists cannot be used. The group must have a SID (security ID) in AD.

When to use a SharePoint security group, and when an AD security group:

If a SharePoint security group would need to match an AD group closely, use the AD security group instead. But with an AD security group, the site administrator will not be able to add/update users, because membership is managed in AD.

NT Authority\Authenticated users is an AD group.

You cannot nest SharePoint security groups. You can only add an AD user or AD group to a SharePoint group.

Sites inherit permissions from their parent site/site collection; you can break the inheritance by browsing to the securable object/site and breaking the inherited permissions.
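Added example (not from the book or this post) of restricting one library, as described under "Administration beneath the site level" and here: break inheritance on a document library, keep the existing assignments as a starting point, drop the site’s Members group and grant Read to a dedicated SharePoint group. The URL, library name and group name are placeholders.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl   = "http://intranet.example.com"   # placeholder
$listTitle = "Contracts"                     # placeholder library title
$groupName = "Contracts Reviewers"           # placeholder SharePoint group, created beforehand

$web = Get-SPWeb $siteUrl
try {
    $list = $web.Lists[$listTitle]
    if ($list -eq $null) { throw "Library '$listTitle' not found" }

    # Break inheritance once; $true copies the parent's assignments so nobody is
    # locked out mid-change, and we trim from there.
    if (-not $list.HasUniqueRoleAssignments) {
        $list.BreakRoleInheritance($true)
    }

    # Remove the site's default Members group from this library only.
    $members = $web.AssociatedMemberGroup
    if ($members -ne $null) { $list.RoleAssignments.Remove($members) }

    # Grant the reviewers group the default Read level on the library.
    $group   = $web.SiteGroups[$groupName]
    $readDef = $web.RoleDefinitions["Read"]
    $ra = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
    $ra.RoleDefinitionBindings.Add($readDef)
    $list.RoleAssignments.Add($ra)

    # Show the resulting assignments so the change can be reviewed.
    $list.RoleAssignments | ForEach-Object {
        "{0,-35} {1}" -f $_.Member.Name, (($_.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", ")
    }
}
finally {
    $web.Dispose()
}
```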

Web Application Policy – Grant a user or group access to the whole web application.

Good thing – this policy cannot be overridden by security settings in the sites.
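Because a web application policy overrides everything set inside the sites, it is worth reviewing regularly. Added example (not from the book or this post): list every policy on every web application in the farm and warn about the ones granting Full Control; no names are assumed, the accounts come from your own farm.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$fullControl = [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl

# One row per (web application, policy account), with the bound policy roles.
$report = foreach ($webApp in Get-SPWebApplication) {
    foreach ($policy in $webApp.Policies) {
        $bindings = @($policy.PolicyRoleBindings)
        New-Object PSObject -Property @{
            WebApplication = $webApp.DisplayName
            Url            = $webApp.Url
            Account        = $policy.UserName
            Roles          = ($bindings | ForEach-Object { $_.Name }) -join "; "
            FullControl    = @($bindings | Where-Object { $_.Type -eq $fullControl }).Count -gt 0
            SystemAccount  = $policy.IsSystemUser
        }
    }
}

$report | Sort-Object WebApplication, Account |
    Format-Table WebApplication, Account, Roles, FullControl, SystemAccount -AutoSize

# Full Control here applies to every site collection in the web application and
# cannot be removed by any site owner, so each entry should be justified.
$report | Where-Object { $_.FullControl } | ForEach-Object {
    Write-Warning ("Full Control policy for {0} on {1} ({2})" -f $_.Account, $_.WebApplication, $_.Url)
}
```

Only the default zone’s policies are read via `$webApp.Policies`; other zones are available through `$webApp.ZonePolicies($zone)`.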
