Permissions Management in SharePoint 2013 Agnes Molnar


  • 8/16/2019 Permissions Management in SharePoint 2013 Agnes Molnar


    Contents

    Overview
    SharePoint Role Assignment
    SharePoint Groups vs. Active Directory Groups
    Permission Levels
    Action Plan


    As SharePoint uses role-based access control, the next thing to be aware of and understand is the role assignment. Role assignment has three main components in SharePoint:

    User or Group - the person or group of persons who gets the role.

    Security Scope - the subject

    Permission Level - the level of permission(s) the user or group is assigned to the subject.

    Let me show you some examples:

    "Jeff needs to edit this document."
        o User: Jeff
        o Security Scope: this document
        o Permission Level: edit

    "Chris has to change the settings of this list."
        o User: Chris
        o Security Scope: this list
        o Permission Level: change the settings (admin)

    "HR and Marketing have to be able to read everything on this site."
        o Groups: HR, Marketing
        o Security Scope: this site
        o Permission Level: read


    "Why can Gary see these files in 'Search'?!"
        o User: Gary
        o Security Scope: these files
        o Permission Level: read

    SharePoint Role Assignment

    In SharePoint, there are several levels of available security scopes. These levels are organized into a well-defined hierarchy; therefore, we have a very clear inheritance: by default, all the permission settings are inherited from the parent level to its children.

    These levels are:

    Site
    List/Library
    Folder
    Item/Document

    It's also worth noting that we have permission inheritance by the site hierarchy as well: by default, every site inherits the role assignment from its parent.

    In this case, using the default settings, every list and document library inherits the role assignments from the site (and the site inherits from its parent site), as well as the folders, subfolders and items inside. These settings can be, for example:

    Group Marketing has contribution (read or write) access to everything;
    Group Sales has read access to everything;
    Jeff, Joe and Jim have contribution access to everything (regardless of their group membership).


    If you use the default settings (inheritance) on each level, these groups will have read (Marketing) and contribution (HR) access to every list and library, every folder and subfolder, every item and document. For example, if you have a document library "Campaigns" with a folder for each year (2013, 2012 etc.), the Marketing group, Jeff, Joe, and Jim can add new documents, open and edit the existing ones, while the members of the Sales group will be able to read these documents but not modify them.

    But of course, you can break this inheritance by defining a custom role assignment on any level. In this case, you have the default role assignment on the site level (either set on this site or inherited from its parent site), but it is not inherited at or below the folder where you create the custom role assignment.

    For example, let’s say we have the very same role assignment on site level:

    Group Marketing has contribution (read or write) access to everything;
    Group Sales has read access to everything;
    Jeff, Joe and Jim have contribution access to everything (regardless of their group membership).

    But you have a specific folder in the document library "Campaigns" for the current year (2014) where you want the group 'Sales' to have contribution access, as they might have to add or modify the current documents. In this case, you have to break the permission inheritance. The default role assignment after this will be identical with the current settings, but you can change it according to your needs:

    Group Marketing has contribution (read or write) access to everything;
    Group Sales has contribution (read or write) access to everything;
    Jeff, Joe and Jim have contribution access to everything (regardless of their group membership).


    Of course, you can do this on any level. On one hand, this is good as you can have as custom and complex permission settings on your content as you want. On the other hand, it's a very big challenge and might be a huge risk due to its complexity.

    Note: In SharePoint 2013 and Office 365, it's very simple to share documents or even folders, lists and libraries with your colleagues. This makes the end users' lives much easier, but can be a real challenge for the administrators.
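
    One way to keep that complexity visible is to report every scope that no longer inherits its role assignments. The script below is an added example, not part of the original whitepaper; the site URL and the output path are placeholders.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Emit one row per role assignment on a securable object (site, list, folder, item).
function Get-RoleAssignmentRows($scope, [string]$kind, [string]$url) {
    foreach ($ra in $scope.RoleAssignments) {
        $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
        New-Object PSObject -Property @{
            ScopeType = $kind; Url = $url
            Principal = $ra.Member.Name; PermissionLevels = $levels
        }
    }
}

$web = Get-SPWeb "http://intranet.example.local/sites/marketing"   # placeholder URL
try {
    $rows = @(
        if ($web.HasUniqueRoleAssignments) {
            Get-RoleAssignmentRows $web "Site" $web.Url
        }
        foreach ($list in $web.Lists) {
            if ($list.Hidden) { continue }
            if ($list.HasUniqueRoleAssignments) {
                Get-RoleAssignmentRows $list "List/Library" $list.RootFolder.ServerRelativeUrl
            }
            foreach ($f in $list.Folders) {
                if ($f.HasUniqueRoleAssignments) {
                    Get-RoleAssignmentRows $f "Folder" $f.Url
                }
            }
            # Enumerating all items is slow on large lists; run off-hours.
            foreach ($i in $list.Items) {
                if ($i.HasUniqueRoleAssignments) {
                    Get-RoleAssignmentRows $i "Item/Document" $i.Url
                }
            }
        }
    )
    # "Limited Access" rows on parent scopes are added by SharePoint itself
    # when a child scope is shared; they point at broken inheritance below.
    $rows | Select-Object ScopeType, Url, Principal, PermissionLevels |
        Export-Csv -Path "C:\Temp\unique-permissions.csv" -NoTypeInformation   # placeholder path
}
finally {
    $web.Dispose()
}
```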

    SharePoint Groups vs. Active Directory Groups

    As you likely know, you can create groups in SharePoint, and sometimes, this might lead to confusion. When your SharePoint farm is domain integrated and AD authenticated, you have AD groups as well. The similarities of AD and SharePoint groups might be confusing, as well as the differences. Let me clarify some points here:

    AD groups can contain (AD) users, of course, but they can also be organized into hierarchy: every AD group can contain other AD group(s). They are always managed outside of the scope of SharePoint; domain admins have the responsibility to add, remove or modify groups and manage the memberships.

    With SharePoint groups, the picture is a bit different. SharePoint groups can contain (AD) users and AD groups. There's no hierarchy of SharePoint groups - a SP group cannot contain any other SP group. It's a big limitation. But on the other hand, SharePoint groups are administered inside SharePoint; therefore you don't need to contact the domain administrators for every single change like group membership changes.


    Permission Levels

    When working with role assignments, Permission Levels are the next thing we have to understand. The most commonly used and known are 'Read', 'Contribute' and 'Full Control' in SharePoint, but there are many more. Out of the box, we get the following Permission Levels:

    For the full reference of these levels, please refer to this TechNet article: User permissions and permission levels in SharePoint 2013 (http://technet.microsoft.com/en-us/library/cc721640.aspx)

    Each of these permission levels is a combination of elemental permissions. These elemental permissions can be organized into three groups:

    List Permissions
    Site Permissions
    Personal Permissions


    For example, the Contribute Permission Level consists of the following:

    1. List Permissions:

        Add Items
        Edit Items
        Delete Items
        View Items
        Open Items
        View Versions
        Delete Versions
        Create Alerts
        View Application Pages

    2. Site Permissions:

        Browse Directories
        Use Self-Service Site Creation
        View Pages
        Browse User Information
        Use Remote Interfaces
        Use Client Integration Features
        Open
        Edit Personal User Information

    3. Personal Permissions:

        Manage Personal Views
        Add or Remove Personal Web Parts
        Update Personal Web Parts

    Besides using these OOTB levels, you can create your custom levels too. For example, you might have a requirement for a permission level that has the basic Contribute permissions except 'Delete'. This is very often used by customers who have specific policies for version management and item deletion.
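
    A custom "Contribute without Delete" level built from the elemental permissions listed above. This is an added example, not part of the original whitepaper; the site URL and the level name are placeholders, and it assumes that both Delete Items and Delete Versions are to be withheld.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Placeholder URL (assumption): root site of the site collection,
# where the permission levels are defined.
$web = Get-SPWeb "http://intranet.example.local/sites/marketing"
try {
    $name = "Contribute - No Delete"   # hypothetical level name
    $existing = $web.RoleDefinitions | Where-Object { $_.Name -eq $name }

    if (-not $existing) {
        $level = New-Object Microsoft.SharePoint.SPRoleDefinition
        $level.Name = $name
        $level.Description = "Contribute without Delete Items and Delete Versions"

        # SPBasePermissions names for the Contribute list above,
        # minus DeleteListItems and DeleteVersions.
        $level.BasePermissions = "ViewListItems, AddListItems, EditListItems, " +
            "OpenItems, ViewVersions, CreateAlerts, ViewFormPages, " +
            "BrowseDirectories, CreateSSCSite, ViewPages, BrowseUserInfo, " +
            "UseRemoteAPIs, UseClientIntegration, Open, EditMyUserInfo, " +
            "ManagePersonalViews, AddDelPrivateWebParts, UpdatePersonalWebParts"

        $web.RoleDefinitions.Add($level)
    }

    # Verify the stored level: neither delete permission may be present.
    $stored = $web.RoleDefinitions[$name]
    if ($stored.BasePermissions.ToString() -match "DeleteListItems|DeleteVersions") {
        throw "Permission level '$name' still contains a delete permission"
    }
    "{0}: {1}" -f $stored.Name, $stored.BasePermissions
}
finally {
    $web.Dispose()
}
```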


    Action Plan

    As you can see, Permission Management is a complex task in SharePoint, and needs a complex solution supporting:

    User and Group Management
    Role Management
    Checking and consolidating Role Assignments

    Besides documenting and exploring SharePoint farm settings, Documentation Toolkit for SharePoint provides a detailed SharePoint permissions explorer and options to create and export permission reports, which is why it is a very good and useful solution that can be used during a SharePoint permissions management process.

    Documentation Toolkit for SharePoint is free for 30 days - download free trial: http://www.spdockit.com/downloads/
