SharePoint Security: Permissions, Identities, and Objects - PowerPoint PPT Presentation

Presentation Transcript
SESSION CODE: OSP214

SharePoint Security: Permissions, Identities, and Objects

Dan Holme

Director of Training & Consulting

Intelliem

Dan Holme
  • MVP: SharePoint Server
  • Consultant & Trainer at Intelliem
    • www.intelliem.com
    • Fortune-caliber business, academic & government
    • Microsoft Technologies Consultant, NBC Olympics
  • Community Lead, www.SharePointProConnections.com
  • Contributing Editor, Windows IT Pro and SharePoint Pro Connections magazines
  • Author: Microsoft Press
    • SharePoint 2010 Training Kit, Technical Specialist Exam 70-667
  • @danholme
  • danh@intelliem.com
SharePoint Security in a Nutshell
  • Authentication
  • Users and groups
  • Web application policy
  • Securable object
  • Roles (permission levels)
  • Role assignments (“assigning permissions”)
  • Record policies
  • Auditing

[Diagram labels: Policy; Identity/Claim; Group; Role (permission level); Securable Object; Record; Authentication; Authorization]

SharePoint Security in a Nutshell
  • Authentication

[Diagram labels: Identity/Claim; Authentication; Authorization]

Authentication
  • Authentication providers
    • Defined at the web application
      • Claims-based identity allows a web application to utilize multiple authentication providers (e.g. Windows and Forms) without extending the web app
    • Verify identity of user
  • Role providers
    • Identify the roles (groups) of user
SharePoint Security in a Nutshell
  • Authentication
  • Securable object

[Diagram labels: Identity/Claim; Securable Object; Authentication]

SharePoint Logical Structure

[Diagram: Web Application → Site Collection (Top-Level Site) → Site → List / Library → [Folder] → Item / Document]

SharePoint Security in a Nutshell
  • Authentication
  • Users and groups
  • Securable object
  • Roles (permission levels)
  • Role assignments (“assigning permissions”)

[Diagram labels: Identity/Claim; Group; Role (permission level); Securable Object; Authentication; Authorization]

Default Groups
  • Owners: Full Control
  • Visitors: Read
  • Members: Contribute
  • Features add more groups (Designers, etc.)
  • The Members group is the “default members group”
Site Security
  • Groups are defined at the site collection
    • Can be given permission at the site level
    • Permission inherits down from there
    • When you create a group you do not have to assign a permission
    • A group without a permission at the site can still be assigned permissions to another securable object
  • Create a sub-site
    • Inherited or unique permissions

[Diagram: Site Collection → Top-Level Site → Site → Library/List → [Folder] → Document/Item]

List or Library Security
  • Change permissions on a library
    • Library (or List) Settings → Permissions for this document library (or list)
    • Stop Inheriting Permissions
      • Copies inherited permissions as initial explicit permissions
      • Can reset with Inherit Permissions button
    • Ribbon actions for selected group(s)/user(s)
      • Grant Permissions
      • Remove User (or group) Permissions
      • Edit User (or group) Permissions
      • Check Permissions: Resultant set of permissions
      • Anonymous Access
Folder and Item Security
  • Change permissions on a folder or item
    • Point at item → arrow → Manage Permissions
    • If you are viewing the item properties in SharePoint, Edit Permissions
  • Item level permissions on pages in a page library
    • Problem: A web part displays items
      • Users don’t see items they don’t have access to
      • The crawler sees all items in the web part and indexes them
    • Web Part content on ASPX pages is not indexed by default
    • Site Settings → Search and Offline Availability → Indexing ASPX Page Content

[Diagram: Site Collection → Top-Level Site → Site → Library/List → [Folder] → Document/Item]

Inheritance
  • Permissions (role assignments) are inherited from the parent object
  • Inheritance can be broken
    • All permissions are explicit
    • Any changes to parent do not affect the object
  • Inheritance can be reinstated
    • All customizations (explicit permissions) are lost
  • Use inheritance wherever possible
  • No “traverse” permissions are necessary
    • All that matters is the permission on the item specified by the URI

[Diagram: Site Collection → Top-Level Site → Site → Library/List → [Folder] → Document/Item]
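The inheritance rules on this slide, together with the Stop Inheriting Permissions, Inherit Permissions and Check Permissions actions from the List or Library Security slide, as a small Python model added here (not SharePoint's object model; the class, method and permission names are assumptions made for the example):

```python
# Added illustration, not SharePoint's own object model: a small model of the
# role-assignment and inheritance rules on the slides; names are assumptions.
from typing import Dict, Set

# Permission levels: named bundles of permissions, defined at the site collection.
PERMISSION_LEVELS: Dict[str, Set[str]] = {
    "Read": {"ViewPages", "ViewListItems", "OpenItems"},
    "Contribute": {"ViewPages", "ViewListItems", "OpenItems",
                   "AddListItems", "EditListItems", "DeleteListItems"},
    "Full Control": {"ViewPages", "ViewListItems", "OpenItems", "AddListItems",
                     "EditListItems", "DeleteListItems", "ManagePermissions",
                     "OverrideCheckOut"},
    "Override Check-Out": {"OverrideCheckOut"},  # custom level from the deck
}

class SecurableObject:
    """Site, list/library, folder or item: principal -> permission levels held."""

    def __init__(self, name: str, parent: "SecurableObject" = None):
        self.name, self.parent = name, parent
        self.inherits = parent is not None        # children inherit by default
        self.explicit: Dict[str, Set[str]] = {}   # used only when not inheriting

    def role_assignments(self) -> Dict[str, Set[str]]:
        return self.parent.role_assignments() if self.inherits else self.explicit

    def break_inheritance(self) -> None:
        # "Stop Inheriting Permissions": the inherited assignments are copied as the
        # initial explicit set; later changes to the parent no longer reach here.
        if self.inherits:
            self.explicit = {p: set(l) for p, l in self.parent.role_assignments().items()}
            self.inherits = False

    def reinstate_inheritance(self) -> None:
        # "Inherit Permissions": every explicit customization is discarded.
        if self.parent is not None:
            self.inherits, self.explicit = True, {}

    def grant(self, principal: str, level: str) -> None:
        if self.inherits:
            raise ValueError(f"{self.name} inherits permissions; stop inheriting first")
        self.explicit.setdefault(principal, set()).add(level)

    def remove(self, principal: str) -> None:
        if self.inherits:
            raise ValueError(f"{self.name} inherits permissions; stop inheriting first")
        self.explicit.pop(principal, None)

    def check_permissions(self, user: str, groups: Set[str]) -> Set[str]:
        # "Check Permissions": the resultant set comes only from this object's own
        # assignments (directly or via a group); no traverse right on ancestors.
        return set().union(*(PERMISSION_LEVELS[lvl]
                             for p, lvls in self.role_assignments().items()
                             if p == user or p in groups for lvl in lvls))
```

Granting on an object that still inherits is rejected, matching the UI flow of stopping inheritance first; a document with its own explicit assignment is reachable by URI even when its site and library grant the user nothing.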

Permission Levels
  • Permission levels are collections of permissions
  • Defined at the site collection
  • How To
    • Customize an existing permission level
    • Copy an existing permission level and edit the copy
    • Create a new permission level “from scratch”
Permission Levels
  • Permission levels are collections of permissions
    • Default
      • Read
      • Contribute
      • Design
      • Full Control
      • Limited Access
    • Publishing feature
      • Manage hierarchy
      • Approve
      • Restricted read
Permission Levels
  • Permission levels are collections of permissions
  • Defined at the site collection
  • How To
    • Customize an existing permission level
    • Copy an existing permission level and edit the copy
    • Create a new permission level “from scratch”
Override Check-Out Permission
  • Allows
    • Check-in a document checked out by another user
    • Discard check-out
  • A SharePoint permission
    • Included in Full Control
  • Create a permission level ("role")
    • Perhaps with only Override Check Out
  • Create a role assignment
    • Assign the permission level to a SharePoint or Active Directory group
SharePoint Groups
  • Members group has two roles
    • Contribute
    • Exposes site in SharePoint and Office interfaces
      • My Site: Memberships (2010) or My SharePoint Sites (2007)
      • Office 2010: Save to SharePoint interface
      • Office 2007: Open/Save dialog → My SharePoint Sites
  • Tip: Split up these two roles with a custom group
    • One group is the “contribute” permission: Members
    • One group is the “default group”: Site Visibility
      • No permissions given to this group
      • Choose the “Make Default Group” command (2010) or assign as the Members group (2007)
SharePoint Groups
  • Enable hierarchical membership management
    • Site Managers. Membership managed by site collection administrators
    • Site Members. Owned by Site Managers. Membership managed by owner.
  • Enable access requests
    • Optionally enable auto-accept of requests
  • Control membership visibility
Group Management Comparison
  • Active Directory
    • Technical user interface (AD Users & Computers)
    • No provisioning (requests, workflows)
    • Difficult delegation of membership management
    • Centralized security (group membership) management
  • SharePoint
    • Non-technical user interface (compared to ADUC)
    • Easy delegation of group membership management
    • Optional provisioning of membership requests
    • Unified view of SharePoint groups & users
    • Only applies to SharePoint
Using Active Directory Groups
  • Assigning permissions directly to AD groups
    • Possible but not recommended
      • Assumes that content will always be hosted in a web application using AD as its auth provider
  • Nest Active Directory groups in SharePoint groups
    • Add to a SharePoint group and give permissions (recommended)
      • User → Active Directory group → SharePoint group
      • Must be a security group (not a distribution group)
  • Distribution groups can be used to create audiences
User Information List
  • Group information list: Site Settings → People and Groups
  • User Information List
    • /_catalogs/users/simple.aspx
    • This list exists at the site collection level
    • Visible only to administrators with the URL
      • No longer has a link in the UI in 2010
  • Users appear when
    • Added explicitly to the User Information List
    • Given an explicit permission within the site collection
    • Contribute to the site
      • e.g. able to contribute based on membership in an AD group
    • Configure an alert
To Nest or Not To Nest
  • User → Active Directory group → SharePoint group
  • Advantages
  • Disadvantages
  • Recommendations
To Nest or Not To Nest
  • User → Active Directory group → SharePoint group
  • Advantages
    • Provides authentication
      • Don’t assign SP permissions directly to AD groups. Not manageable in the long term.
    • Centralized management of groups and security
      • One AD group can provide access to SharePoint, shared folders, etc.
      • User removed from AD group is automatically out of SP groups
  • Disadvantages
  • Recommendations
To Nest or Not To Nest
  • User → Active Directory group → SharePoint group
  • Advantages
  • Disadvantages
    • Limited visibility of what’s really happening
      • Site will not appear in the users’ My Sites
      • User Information List will not show individual users until they have contributed to the site
    • AD groups with deep nesting or contacts can break SP
  • Recommendations
To Nest or Not To Nest
  • User → Active Directory group → SharePoint group
  • Advantages
  • Disadvantages
  • Recommendation: Based on governance plan
    • Ideal world: Synchronization of membership between Active Directory and SharePoint groups (custom code)
    • “Intranet” sites: AD groups → SP groups to define access
      • Add site to users’ My Sites with personalization site links
    • “Collab” sites: Add users directly to SP groups
      • Provide My Site visibility
      • Provide visibility of user in user information list
Administrative Groups
  • Windows Administrators
  • SharePoint (Farm) Administrators
  • Site Collection Administrators
Windows Administrators
  • Windows Administrators
    • Can perform all farm administrator actions plus…
    • Install new products and applications
    • Deploy web parts and features to the global assembly cache
    • Create new web applications and IIS sites
    • Start and stop services
    • Like farm administrators, no access to site content
SharePoint (Farm) Administrators
  • Farm Administrators
    • Can use Central Administration site to perform administrative tasks
    • Manage server and farm settings
      • Provides access to Central Administration
      • Not used for any other access
      • Does not permit use of PowerShell to administer SharePoint
    • No access to site content granted, by default
      • Possible for the admin to give themselves permissions through auditable actions
  • Service application administrators
    • Capabilities vary by service applications
    • Central Administration is security trimmed
Site Collection Administrators
  • Responsibilities
    • Manage all sites in a site collection
    • Assist with user access
    • Access second stage recycle bin to recover items
  • Permissions
    • Contacts for the site collection
    • Full Control access of all sites in the site collection
    • Audit all site content
    • Receive any administrative alert
  • Creating a site collection
    • 1 site collection administrator required, 2nd recommended
  • After creating site collection, can add more
    • Site Settings → Site collection administrators
SharePoint Security in a Nutshell
  • Authentication
  • Users and groups
  • Web application policy
  • Securable object
  • Roles (permission levels)
  • Role assignments (“assigning permissions”)

[Diagram labels: Policy; Identity/Claim; Group; Role (permission level); Securable Object; Authentication; Authorization]

Anonymous Access
  • Disabled by default
  • Authentication of anonymous users
    • Enable for web application: Central Administration → Application Management → Manage Web Applications → Select web app → Authentication Providers → Click the link for the Zone.
  • Authorization of access by anonymous users to site
    • Site settings → Advanced permissions → Settings → Anonymous Access
    • Enable access to Entire Web Site
    • or Enable access to selected Lists & Libraries
      • Then enable anonymous access to selected lists and libraries
    • or None
  • For intranet: Add Domain Users to group
Web Application Security
  • Central Administration → Application Management → Manage Web Applications
  • User Policy
    • Bound to web application AAM zone
  • Permissions
    • Full Control
    • Full Read
    • Deny Write
    • Deny All
    • Permission policy allows you to create your own policies
  • Scenarios
Managing Permissions
  • Defined at the web application
  • Not typical to modify or disable the permissions at the web app
  • Central Administration → Web Application Management → User Permissions
  • Example: prevent changes to branding
    • Deselect Apply Style Sheets and Apply Themes and Borders
SharePoint Security in a Nutshell
  • Authentication
  • Users and groups
  • Web application policy
  • Securable object
  • Roles (permission levels)
  • Role assignments (“assigning permissions”)
  • Record policies
  • Auditing

[Diagram labels: Policy; Identity/Claim; Group; Role (permission level); Securable Object; Record; Authentication; Authorization]

Auditing
  • Configured at the site collection level
  • Site Settings → Site Collection Administration: Site collection audit settings
  • Audit log reports
Records Management
  • New in SharePoint 2010: in-place records management
  • Enable the feature at the site collection level
  • Declare records management attributes
    • Site collection
    • Folder
    • Content type
  • Supports security at the document level without permissions
More Information
  • Dan Holme: dan.holme@intelliem.com
    • @danholme
  • www.sharepointproconnections.com
  • Microsoft Official Curriculum Course 10174A: Configuring and Administering SharePoint 2010
  • 70-667 Training Kit: Configuring and Administering SharePoint 2010 (Microsoft Press)
Play the Microsoft Office & SharePoint Track Tag Contest
  • Download the Microsoft Tag Reader: open the internet browser on your mobile phone and visit http://gettag.mobi
  • Grand Prize (1): Xbox 360 Prize Package and Microsoft® Office 2010
  • Daily Prizes: 40 copies of Microsoft® Office 2010
  • Come to the Expo Hall – Yellow Section OSP Info Desk for Official Rules & Collect Additional Tags from all OSP Track Sessions, Speakers and Expo Hall!

Track Resources
  • For More Information – http://sharepoint.microsoft.com
  • SharePoint Developer Center – http://msdn.microsoft.com/sharepoint
  • SharePoint Tech Center – http://technet.microsoft.com/sharepoint
  • Official SharePoint Team Blog – http://blogs.msdn.com/sharepoint
Related Content
  • Breakout Sessions – See Conference Guide for full list of OSP Track Sessions
  • Interactive Sessions – OSP Track has 10 Interactive Sessions – OSP01-INT – OSP10-INT
  • Hands-on Labs – OSP01-HOL – OSP20-HOL
  • Product Demo Stations – Yellow Section, OSP
    • Office 2010, SharePoint 2010, Project Server 2010, Visio 2010 have kiosks and demos
Resources
  • Learning
    • Sessions On-Demand & Community – www.microsoft.com/teched
    • Microsoft Certification & Training Resources – www.microsoft.com/learning
  • Resources for IT Professionals – http://microsoft.com/technet
  • Resources for Developers – http://microsoft.com/msdn

Complete an evaluation on CommNet and enter to win!

Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st

http://northamerica.msteched.com/registration

You can also register at the North America 2011 kiosk located at registration. Join us in Atlanta next year.

© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.