#SPSSAN
June 30, 2012 San Diego Convention Center
BEST PRACTICES FOR MANAGING SHAREPOINT PERMISSION LEVELS
SharePoint 2010
Tony Rockwell
Who? Tony Rockwell
About me:
20+ years in IT
5 years focused on SharePoint
MCTS SharePoint 2010 Configuration
• SharePoint Administration
• Installation; Configuration; Upgrades
• Enable OOTB features
• Implement 3rd party tools
• Founding Board Member of SANSPUG
• SPSSAN organizer
Solution Specialist at EPM Live
EPM Live is the global leader in SharePoint-based project, portfolio & work management solutions that help organizations increase productivity by improving visibility, execution and collaboration on all types of work.
• PortfolioEngine
• WorkEngine
• ProjectEngine
Housekeeping
• Thank our Sponsors!
• This is an Interactive Session
• Save questions – you choose
Twitter hashtags: #PermissionLevels
Agenda
• SharePoint Security
• Why create custom permission levels?
• Inheritance & Scopes
• Best Practices
• Permission Level Scenario
• How-To using the SharePoint interface
• How-To using PowerShell
• References
SharePoint Security
• Why create custom permission levels?
  • Because security matters to you
  • Ease security administration
  • Enable refined security
• Terminology
  Farm Administrator
  Service Application Administrator
  Feature Administrator
  Site Collection Administrator
  Permission Levels
  Users
  Groups
  Securable Objects
  Inheritance & Scopes
Inheritance & Scopes
(Diagram: Site Collection > Web Object > Document Library Object > Folder Web Object > Item, Item, Item; the nested containers are labelled Scope 1 and Scope 2)
Best Practices: SharePoint Permissions
• Use fine-grained permissions only when the business case requires it
• Break permission inheritance as infrequently as possible
• Use domain groups to assign permissions to sites when possible
• Assign permissions at the highest level possible
• Make use of appropriate SP roles
Best Practices: SharePoint Permission Levels & Scopes
• Don’t modify or delete a default permission level
• Copy a default permission level & modify it
• The maximum # of unique security scopes set for a list should not exceed 1,000
• Use group membership rather than individual membership in your scopes
Scenario
• The Company
• Each department owns a site
• Department site owner manages the site… but delegates permissions to someone else
• Delegate should not modify site, pages, etc.; only add/remove (manage) users
• Delegate should also have standard “Contribute” access to the site
Required Administrative Credentials
• You are a member of the Administrators group for the site collection
• You are a member of the Owners group for the site
• You have the Manage Permissions permission
If you use PowerShell you also need the SharePoint_Shell_Access role in the SQL db
How-to: SharePoint interface
1. Navigate to the top-level site
2. Site Actions > Site Permissions (or Site Settings for Publishing)
3. Click on Permission Levels in the Ribbon
4. Select the permission level to copy – Contribute
5. Scroll down & select Copy Permission Level
How-to: SharePoint interface
6. Name the new permission level (User Manager) & enter a description (e.g. “Use this permission to Manage Users”)
7. Select desired permissions
   • Check Enumerate Permissions (Manage will auto-select; deselect it)
8. Scroll down & click Create
The custom permission level is ready to use!
• Create a SharePoint group for each department; e.g. “Accounting User Managers”
• Give the group the “User Manager” permission level
• Make the Site Owner or SCA the owner of this SP group
• Change the owner of the Members & Visitors groups
How-to: PowerShell
PS > $spWeb = Get-SPWeb http://sharepoint.contoso.com
Create a new object
PS > $plevel = New-Object Microsoft.SharePoint.SPRoleDefinition
Add name and description
PS > $plevel.Name = "Custom: User Manager"
PS > $plevel.Description = "Enumerate Permissions"
Set the base permissions (a single right here; the UI steps start from a copy of Contribute, so add the Contribute rights as well if the delegate also needs Contribute access)
PS > $plevel.BasePermissions = "EnumeratePermissions"
Add the permission level to your site
PS > $spWeb.RoleDefinitions.Add($plevel)
Clean up
PS > $spWeb.Dispose()
See base permissions that are available
PS > [System.Enum]::GetNames([Microsoft.SharePoint.SPBasePermissions])
EmptyMask ViewListItems AddListItems EditListItems DeleteListItems ApproveItems OpenItems ViewVersions DeleteVersions CancelCheckout ManagePersonalViews ManageLists ViewFormPages Open ViewPages AddAndCustomizePages ApplyThemeAndBorder ApplyStyleSheets ViewUsageData CreateSSCSite ManageSubwebs CreateGroups ManagePermissions BrowseDirectories BrowseUserInfo AddDelPrivateWebParts UpdatePersonalWebParts ManageWeb UseClientIntegration UseRemoteAPIs ManageAlerts CreateAlerts EditMyUserInfo EnumeratePermissions FullMask
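The script below is an added example, not code from the deck or from EPM Live. It carries the Scenario through end to end in PowerShell on SharePoint 2010: the custom level is built from a copy of Contribute plus Enumerate Permissions (never by editing the default level), a per-department "User Managers" group is created and bound to that level on the department site, and that group is made owner of the Members and Visitors groups so the delegate can add and remove users without holding Manage Permissions. The site URL, the "accounting" sub-site, and the department name are placeholders; the department site is assumed to already have unique permissions and its own owner/member/visitor groups, and the script refuses to break inheritance on its own.

```powershell
# Added example (not from the original deck). Requires the SharePoint 2010
# Management Shell or the snap-in loaded below, plus the credentials listed
# on the "Required Administrative Credentials" slide.
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$siteUrl    = "http://sharepoint.contoso.com"   # placeholder site collection URL
$deptWebRel = "accounting"                      # placeholder site-relative URL of the department site
$department = "Accounting"                      # constructed department name
$levelName  = "User Manager"

$site    = Get-SPSite $siteUrl
$rootWeb = $site.RootWeb                 # permission levels are defined on the top-level site
$deptWeb = $site.OpenWeb($deptWebRel)    # the department site that gets the group
try {
    # Step A: build (or reuse) the custom level from a copy of Contribute.
    $level = $rootWeb.RoleDefinitions | Where-Object { $_.Name -eq $levelName }
    if ($null -eq $level) {
        $contribute = $rootWeb.RoleDefinitions | Where-Object { $_.Name -eq "Contribute" }
        $level = New-Object Microsoft.SharePoint.SPRoleDefinition
        $level.Name        = $levelName
        $level.Description = "Contribute plus Enumerate Permissions; manages group membership only"
        # Contribute's rights OR EnumeratePermissions, and deliberately nothing else:
        # no ManagePermissions, ManageWeb or AddAndCustomizePages for the delegate.
        $level.BasePermissions = [Microsoft.SharePoint.SPBasePermissions](
            [uint64]$contribute.BasePermissions -bor
            [uint64][Microsoft.SharePoint.SPBasePermissions]::EnumeratePermissions)
        $rootWeb.RoleDefinitions.Add($level)
        $level = $rootWeb.RoleDefinitions | Where-Object { $_.Name -eq $levelName }
    }

    # Step B: one SharePoint group per department, owned by the site's Owners group
    # (not by the delegates themselves).
    $groupName = "$department User Managers"
    $group = $deptWeb.SiteGroups | Where-Object { $_.Name -eq $groupName }
    if ($null -eq $group) {
        $deptWeb.SiteGroups.Add($groupName, $deptWeb.AssociatedOwnerGroup, $null, "Delegates who add/remove $department site users")
        $group = $deptWeb.SiteGroups | Where-Object { $_.Name -eq $groupName }
    }

    # Step C: bind the group to the custom level on the department site.
    # Refuse rather than silently breaking inheritance (best-practice slide).
    if (-not $deptWeb.HasUniqueRoleAssignments) {
        throw "$($deptWeb.Url) inherits permissions; give it unique permissions first."
    }
    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
    $assignment.RoleDefinitionBindings.Add($level)
    $deptWeb.RoleAssignments.Add($assignment)

    # Step D: make the delegates' group the owner of Members and Visitors.
    # A group owner can add/remove members without holding Manage Permissions.
    foreach ($g in @($deptWeb.AssociatedMemberGroup, $deptWeb.AssociatedVisitorGroup)) {
        $g.Owner = $group
        $g.Update()
    }

    # Check: the new level must not carry the rights the scenario forbids.
    $forbidden = [uint64][Microsoft.SharePoint.SPBasePermissions]::ManagePermissions -bor
                 [uint64][Microsoft.SharePoint.SPBasePermissions]::ManageWeb -bor
                 [uint64][Microsoft.SharePoint.SPBasePermissions]::AddAndCustomizePages
    if (([uint64]$level.BasePermissions -band $forbidden) -ne 0) {
        throw "'$levelName' grants more than Contribute + Enumerate Permissions; review it."
    }
    Write-Host "'$levelName' assigned to '$groupName' on $($deptWeb.Url)"
}
finally {
    # Clean up, as on the PowerShell slide; disposing the site also disposes RootWeb.
    $deptWeb.Dispose()
    $site.Dispose()
}
```

The final check is the part worth keeping around: re-run it after anyone edits the level in the UI, because a single extra tick on Manage Permissions turns the "add/remove users only" delegate into someone who can grant themselves Full Control.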
Session wrap-up
Questions
Please complete a Session Survey
• Help me improve
• Help the organizers improve future events
• Win prizes!
Contact me
Email: [email protected]
Twitter: @sharepoinTony
Blog: http://sharepoinTony.info/blog
LinkedIn: http://www.linkedin.com/in/ajrockwell
San Diego SharePoint Users Group: www.sanspug.org
slideshare: http://www.slideshare.net/trock2010/
REFERENCES:
TechNet - User Permissions and Permission Levels: http://technet.microsoft.com/en-us/library/cc721640.aspx
SPBasePermissions - definitions: http://technet.microsoft.com/en-us/library/microsoft.sharepoint.spbasepermissions(v=office.12).aspx
SP Permission Inheritance: http://technet.microsoft.com/en-us/library/cc287792(v=office.12).aspx
Best Practices for Fine-grained Permissions (White Paper): http://technet.microsoft.com/en-us/library/gg130816(v=office.12).aspx
Best Practices Center for SharePoint 2010: http://technet.microsoft.com/en-us/sharepoint/hh189420
The After-Party: SharePint
Karl Strauss Brewing Company, 1157 Columbia Street, San Diego, CA 92101
Phone: 619-234-2739
Immediately following event closing & prize drawings (@6:30 pm)
Directions (.9 miles):
1. Head northeast on 1st Ave
2. Turn left onto W. B St
3. Turn left onto Columbia St
Karl Strauss will be on the left
THANK OUR SPONSORS
Please be sure to fill out your session evaluation!