Microsoft SharePoint 2013 Sharing and Security
Session SES-B308 (transcript of the slide deck)
Dan Holme, Microsoft Technologies Analyst & Evangelist; MVP, SharePoint
Consultant and author, Intelliem, Maui, Hawaii; AvePoint
Twitter: @danholme
[Diagram: SharePoint Security Model, conceptual. Identity side: a user defined in a directory service (DS) signs in through an authentication method and provider; the security token service (STS) issues a token that carries the user's identity, group and role claims. Authorization side: a role assignment binds a user or group to a permission level (Full Control, Design, Contribute, Read, shown as F D C R) for a security scope such as a site. Web application level: permissions (the rights available for building permission levels), user policies, and anonymous access and policy.]
Agenda
- SharePoint security model
- Security & sharing interfaces and features
- Best practices and real-world scenarios
- Solutions to common challenges and answers to common questions

Conversation: ask questions in real time. Clear? More? Technicalities?
Keep the conversation going after today: @danholme
Sharing, step 1 of 3: Understand (then Plan, then Configure)
Authorization: An Overview

Worked through the diagram with one scenario: Alex needs to change the intranet.
- SharePoint user: an object representing the user, linked to the user account as defined by the authentication provider. Here, Alex.
- Permission level: Full Control, Design, Contribute, Read (the F D C R in the diagram). "Change" maps to Contribute.
- Security scope: site, library or list, folder, document or item. Here, the intranet site.
- Role assignment: assign a role (permission level) to a user or group for a scope. Result: Alex can change the intranet.
- Group: Site Owners (Full Control), Site Members (Contribute), Site Visitors (Read). Rather than an assignment to Alex directly, Alex belongs to the group that can change the intranet.
Sharing, step 2 of 3: Plan
Identify the Security Scope
- Site: the top-level website in the site collection, and each subsite
- List or library
- Folder
- Document or item

Consider inheritance
- Role assignments are inherited by child objects: subsite, list, library, folder, item or document
- You can break inheritance and assign explicit permissions; those explicit permissions are in turn inherited by child objects
- Best practice: use inheritance wherever possible

Identify the Permission Level
- Common permission levels: Full Control, Design, Contribute, Read
- Permission levels are collections of individual permissions. Contribute includes Add Items, View Items, Edit Items, Delete Items, Create Alerts, etc.
- Also called roles, role definitions, or just "permissions"
Sharing, step 3 of 3: Configure
Grant Site Access (2010/2013)
- Add a user to an existing group: Site Permissions > People and Groups
- Create a group: assign permissions, then add the user. Permissions selected when creating a group are scoped to the site.
- Grant permissions directly to a user: Site Permissions > Grant Permissions. You can also grant permissions directly to a group (e.g. an Active Directory group). Not recommended: grant to SharePoint groups rather than directly to users or Active Directory groups.

Site Sharing and Access Requests (2013)
- Share: by default adds the user to the Site Members group; Show Options lets you add the user to another group
- Configure access requests: email to one address when site access is requested
- What generates an access request: a user without access attempts to open the site and requests access; or a site user without Full Control shares the site with a user who does not have access
- Respond to access requests by adding the user to the appropriate group
- Monitor access requests: Site Settings > Access Requests and Invitations
  http://office.microsoft.com/en-us/sharepoint-help/set-up-and-manage-access-requests-HA103456596.aspx?CTT=5&origin=HA102894713

Site Inheritance
- Default: subsites inherit permissions from parent sites
- Break inheritance on a new subsite: choose Unique Permissions
- Break inheritance on an existing subsite: Site Permissions > Stop Inheriting Permissions

Configure Access (2010)
- Scopes: list or library, folder, item or document
- Manage permissions: click Permissions
- Assign permissions: click Stop Inheriting Permissions, then Grant/Edit/Remove
- Review permissions: click Check Permissions
- Reinstate inheritance and delete explicit permissions: click Inherit Permissions
- Requires the Manage Permissions permission ("Change Permissions" on these slides), which by default is included only in the Full Control permission level
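The configure steps above (add a user to a group, create a group and bind a permission level to it, stop inheriting at a library, review the result, reinstate inheritance) as one SharePoint Management Shell script. This is an added example, not from the presentation: the URL http://intranet.contoso.com, the account CONTOSO\alex, the group name "Intranet Editors" and the "Documents" library are assumed, and it uses the server object model of SharePoint 2010/2013 on-premises.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumed values (not from the presentation): adjust to your farm.
$webUrl    = "http://intranet.contoso.com"
$login     = "CONTOSO\alex"
$groupName = "Intranet Editors"
$libName   = "Documents"

$web = Get-SPWeb $webUrl
try {
    # 1. Preferred: add the user to an existing SharePoint group.
    #    EnsureUser creates the SPUser object in the site collection if it does not exist yet.
    $user = $web.EnsureUser($login)
    $web.AssociatedMemberGroup.AddUser($user)        # "<Site> Members" holds Contribute by default

    # 2. Create a group and bind a permission level to it for this site.
    #    A role assignment on a site that still inherits would fail; refuse rather than
    #    silently breaking inheritance on a subsite.
    if (-not $web.HasUniqueRoleAssignments) { throw "$webUrl inherits permissions; assign at the parent" }
    $editors = $web.SiteGroups | Where-Object { $_.Name -eq $groupName }
    if ($editors -eq $null) {
        $web.SiteGroups.Add($groupName, $web.AssociatedOwnerGroup, $user, "Can edit intranet pages")
        $editors = $web.SiteGroups[$groupName]
    }
    $ra = New-Object Microsoft.SharePoint.SPRoleAssignment($editors)
    $ra.RoleDefinitionBindings.Add($web.RoleDefinitions["Contribute"])
    $web.RoleAssignments.Add($ra)                    # role assignment = principal + level + scope (this site)
    $web.Update()

    # 3. Give the group a different level on one library only. Breaking inheritance
    #    turns the library into its own security scope with explicit assignments.
    $lib = $web.Lists.TryGetList($libName)
    if ($lib -eq $null) { throw "Library '$libName' not found" }
    if (-not $lib.HasUniqueRoleAssignments) {
        $lib.BreakRoleInheritance($true)             # $true copies the parent's assignments first,
    }                                                # so nobody is locked out by the break itself
    $lib.RoleAssignments.Remove($web.AssociatedVisitorGroup)   # visitors lose Read on this library only
    $libRa = New-Object Microsoft.SharePoint.SPRoleAssignment($editors)
    $libRa.RoleDefinitionBindings.Add($web.RoleDefinitions["Full Control"])
    $lib.RoleAssignments.Add($libRa)
    $lib.Update()

    # 4. Review: who holds what on the library now.
    $lib.RoleAssignments | ForEach-Object {
        $levels = ($_.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
        "{0,-40} {1}" -f $_.Member.Name, $levels
    }
}
finally {
    $web.Dispose()
}

# 5. Undo: reinstate inheritance on the library. Every explicit assignment on it is discarded.
function Restore-LibraryInheritance([string]$WebUrl, [string]$ListName) {
    $w = Get-SPWeb $WebUrl
    try {
        $l = $w.Lists.TryGetList($ListName)
        if ($l -ne $null -and $l.HasUniqueRoleAssignments) { $l.ResetRoleInheritance(); $l.Update() }
    }
    finally { $w.Dispose() }
}
```

Running the script needs Manage Permissions on the site (a farm administrator running the shell has it through the site collection administrator path). Note the order in step 3: copy the parent's assignments first, then remove or add, so the library never passes through a state where no one has access.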
SharePoint 2013 Sharing Interfaces
- Share: invite
- Shared With: report
- Advanced: manage

Finding the Sharing Interfaces (Share, Shared With, Advanced)
- Site: the Share button, or Site Settings > Site Permissions
- List or library
- Folder
- Document or item

Sharing (2013) with Internal Users
- Scopes: site, list or library, folder, item or document
- Assign permissions: use the Share interface. When you share, you break inheritance at that scope.
- Review permissions: use the Shared With interface
- Manage permissions: use the Advanced interface
- Reinstate inheritance and remove unique permissions: Advanced interface > Delete Unique Permissions
- Requires the Manage Permissions permission ("Change Permissions"), which by default is included only in Full Control
Sharing with External Users (Office 365)
- Share sites or documents with external users: no additional license required, no user account required in your authentication provider
- Requires Full Control permission
- Share a site: the external user is added to an access group
- Share a document: choose the access level (Edit or View); require sign-in, or use a guest link
- Guest links: anyone with the link can access the content. View or Edit only in Office Web Apps; cannot download or open locally.
  http://office.microsoft.com/en-us/office365-sharepoint-online-small-business-help/share-sites-or-documents-with-people-outside-your-organization-HA102894713.aspx

Manage External Sharing (Office 365)
- Enable or disable external sharing in the SharePoint Admin Center
- Tenancy (all plans): Settings
- Site collection (Enterprise plans E1, E3, E4 only): select site collection(s), then click Sharing
- Read the documentation on revoking permissions from external users, disabling and deleting guest links, and disabling and re-enabling sharing:
  2013 Enterprise: http://office.microsoft.com/en-us/office365-sharepoint-online-enterprise-help/manage-external-sharing-for-your-sharepoint-online-environment-HA102849864.aspx
  2013 Small Business (P plans): http://office.microsoft.com/en-us/office365-sharepoint-online-small-business-help/manage-sharing-with-external-users-HA102849862.aspx
  2010: http://office.microsoft.com/en-us/office365-sharepoint-online-enterprise-help/share-a-site-with-external-users-HA102476183.aspx?CTT=5&origin=HA102849864

[Diagram: Sharing Scopes (Office 365). Sharing at the site, library and document scopes, each with internal users, external users, or a guest link.]
A Deeper Look

Users
- Defined in the site collection: the user object lives at site collection level
- What creates a user?
  - An administrator or group owner adds a user to a group
  - A user shares with (assigns permission to) another user. Requires the Manage Permissions permission, except when an Office 365 guest link is used.
  - A user who has permission via an Active Directory group effects a change on the site
- Visibility of users who belong to a site via a group: when a user belongs to an Active Directory group that belongs to a SharePoint group, there is no visibility that the user belongs or has access until the user object is actually created
SharePoint Groups
- Defined in the site collection: regardless of where a group is created, the group object is at site collection level and is available throughout the site collection
- Default groups: Site Owners (Full Control), Site Members (Contribute), Site Visitors (Read); other groups depend on the site definition
- Can contain users from any authentication provider: Active Directory users + forms-based auth users + SAML token users

To Nest or Not To Nest: AD user -> AD security group -> SharePoint group

Advantages of nesting AD groups in SharePoint groups
- Grants the user permissions with centralized, role-based management: one AD group drives SharePoint, shared folders, Exchange mailboxes and other applications
- Nesting group in group reduces the impact of membership changes on the SharePoint search crawl

Disadvantages
- Scalability in fine-grained scenarios: at some "level" you stop using AD groups
- Limited visibility of the user
- Lose self-service group management: business owners can manage SharePoint groups in the UI, and access requests
- Lose collaboration functionality*: alerts, workflow assignment, task assignment, people picker controls (* exactly what is lost "depends")
- Impact of membership changes on search crawl: Kirk Evans' blog, http://blogs.msdn.com/b/kaevans/archive/2013/05/06/clarifying-guidance-on-sharepoint-security-groups-versus-active-directory-domain-services-groups.aspx

Recommendation
- "Intranet" sites: AD groups in SP groups to define access (e.g. Domain Users, All Employees). Supports easy management of access and lowers the impact of membership changes on the search crawl.
- "Collaboration" sites: add users directly to SP groups. Provides visibility of users in groups and sharing interfaces, to site owners and members, and supports collaboration functionality.
- Ideal world: synchronization of membership between Active Directory and SharePoint groups, while accounting for the impact on crawl. Can be accomplished using scheduled PowerShell jobs to "synchronize" group memberships.
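The "scheduled PowerShell job" from the last bullet, written out. This is an added example and not code from the presentation; it assumes the RSAT ActiveDirectory module on the server, the URL http://intranet.contoso.com, the AD group "All Employees", the SharePoint group "Intranet Visitors" and the NetBIOS domain CONTOSO.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory    # RSAT cmdlets; Get-ADGroupMember expands nested groups

# Normalise a SharePoint login to "domain\user" so 2013 claims logins ("i:0#.w|contoso\alex")
# and 2010 classic logins ("contoso\alex") compare equal.
function ConvertTo-WindowsLogin([string]$LoginName) {
    if ($LoginName.Contains("|")) { $LoginName = $LoginName.Split("|")[-1] }
    return $LoginName.ToLowerInvariant()
}

function Sync-ADGroupToSPGroup {
    param(
        [string]$WebUrl,          # site collection URL (groups live at this level)
        [string]$ADGroup,         # AD security group to mirror
        [string]$SPGroup,         # SharePoint group to populate
        [string]$NetBiosDomain,   # prefix for SamAccountName
        [switch]$WhatIf
    )
    $web = Get-SPWeb $WebUrl
    try {
        $group = $web.SiteGroups | Where-Object { $_.Name -eq $SPGroup }
        if ($group -eq $null) { throw "SharePoint group '$SPGroup' not found in $WebUrl" }

        # Desired membership: user objects in the AD group, nested groups expanded.
        $desired = @{}
        Get-ADGroupMember -Identity $ADGroup -Recursive |
            Where-Object { $_.objectClass -eq "user" } |
            ForEach-Object { $desired[("$NetBiosDomain\$($_.SamAccountName)").ToLowerInvariant()] = $true }
        # Safety: an empty AD result (typo, outage) must never empty the SharePoint group.
        if ($desired.Count -eq 0) { throw "AD group '$ADGroup' resolved to no users; aborting" }

        # Current membership: Windows accounts in the SharePoint group (domain groups are left alone).
        $current = @{}
        foreach ($u in $group.Users) {
            if (-not $u.IsDomainGroup) { $current[(ConvertTo-WindowsLogin $u.LoginName)] = $u }
        }

        foreach ($login in $desired.Keys) {
            if (-not $current.ContainsKey($login)) {
                Write-Host "ADD    $login -> $SPGroup"
                if (-not $WhatIf) { $group.AddUser($web.EnsureUser($login)) }   # creates the SPUser object
            }
        }
        foreach ($login in $current.Keys) {
            if (-not $desired.ContainsKey($login)) {
                Write-Host "REMOVE $login <- $SPGroup"
                if (-not $WhatIf) { $group.RemoveUser($current[$login]) }
            }
        }
    }
    finally { $web.Dispose() }
}

# Assumed names. Run with -WhatIf first; then schedule it without -WhatIf (nightly, say) so that
# membership changes reach the search crawl in one batch instead of many.
Sync-ADGroupToSPGroup -WebUrl "http://intranet.contoso.com" -ADGroup "All Employees" `
    -SPGroup "Intranet Visitors" -NetBiosDomain "CONTOSO" -WhatIf
```

Two caveats when running this for real: Get-ADGroupMember stops at the AD web service's default result limit on very large groups, so verify the count before trusting a removal pass; and because the users are now direct members, they are created as user objects in the site collection and appear in the people picker and sharing interfaces, which is the visibility the slide is after.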
Permission Levels
- Common permission levels: Full Control, Design, Edit, Contribute, Read, View Only, Limited Access
  - Edit: Contribute + Manage Lists. New in 2013; in 2010, Manage Lists was only in Design.
  - View Only: Read without the Open Items permission
  - Limited Access: access to a specific asset and the shared resources it needs (e.g. a library and its views). Assigned automatically; don't remove it in Site Permissions.
- Other permission levels depend on the site definition (template)
- References: SharePoint 2013: http://technet.microsoft.com/en-us/library/cc721640.aspx; SharePoint 2010: http://technet.microsoft.com/en-us/library/cc721640(v=office.14).aspx; Read vs. View: http://blogs.devhorizon.com/reza/2012/10/26/interesting-difference-between-view-only-vs-read-permission-levels/

Permission levels are collections of permissions
- Defined at the site collection; managed by site collection administrators
- Customize an existing permission level, copy an existing permission level and edit the copy, or create a new permission level "from scratch". Prefer the copy: editing a default level changes it for every site in the site collection that uses it.

Example: Contribute Without Delete
- Start with the Contribute permission level, click Copy Permission Level, then modify the new permission level

Example: Override Check-Out permission
- Allows a user to check in a document checked out by another user, or to discard the check-out
- A SharePoint permission, included in the Full Control and Design permission levels
- Create a permission level ("role"), perhaps with only Override List Behaviors (2013) [Override Check Out (2010)]
- Create a role assignment: assign the permission level to a group for a site or library
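Both examples above (copy Contribute and strip the delete rights; a level carrying only the override right, then a role assignment for it) as SharePoint Management Shell code. This is an added example, not code from the presentation; the URL http://intranet.contoso.com, the "Documents" library and the level names are assumed. The helper generalizes the copy-and-modify recipe to any source level, including Full Control, whose mask is the single named value FullMask and therefore needs expanding before anything can be removed from it.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Copy an existing permission level and remove individual permissions from the copy.
function New-SPPermissionLevelFromCopy {
    param(
        [Microsoft.SharePoint.SPWeb]$RootWeb,   # permission levels are defined at the site collection
        [string]$Source,
        [string]$Name,
        [string]$Description,
        [string[]]$Remove = @()                 # SPBasePermissions flag names to drop
    )
    $existing = $RootWeb.RoleDefinitions | Where-Object { $_.Name -eq $Name }
    if ($existing -ne $null) { return $existing }
    $src = $RootWeb.RoleDefinitions | Where-Object { $_.Name -eq $Source }
    if ($src -eq $null) { throw "Permission level '$Source' not found" }

    # Expand the mask into flag names. Full Control is FullMask, a single named value whose
    # ToString() cannot be split, so enumerate every individual flag for it instead.
    if ($src.BasePermissions -eq [Microsoft.SharePoint.SPBasePermissions]::FullMask) {
        $names = [Enum]::GetNames([Microsoft.SharePoint.SPBasePermissions]) |
                 Where-Object { $_ -ne "FullMask" -and $_ -ne "EmptyMask" }
    } else {
        $names = $src.BasePermissions.ToString() -split ",\s*"
    }
    $keep = $names | Where-Object { $Remove -notcontains $_ }

    $def = New-Object Microsoft.SharePoint.SPRoleDefinition($src)   # copy constructor
    $def.Name = $Name
    $def.Description = $Description
    $def.BasePermissions = [Microsoft.SharePoint.SPBasePermissions]($keep -join ", ")
    $RootWeb.RoleDefinitions.Add($def)
    return ($RootWeb.RoleDefinitions | Where-Object { $_.Name -eq $Name })
}

$site = Get-SPSite "http://intranet.contoso.com"     # assumed URL
try {
    $root = $site.RootWeb

    # "Contribute Without Delete". DeleteListItems is "Delete Items" in the UI,
    # DeleteVersions is "Delete Versions".
    $noDelete = New-SPPermissionLevelFromCopy -RootWeb $root -Source "Contribute" `
        -Name "Contribute Without Delete" -Description "Contribute, but cannot delete items or versions" `
        -Remove @("DeleteListItems", "DeleteVersions")

    # A level carrying only the override right. CancelCheckout is the flag behind
    # "Override Check Out" (2010) / "Override List Behaviors" (2013); the three view
    # rights are the ones it depends on.
    $override = $root.RoleDefinitions | Where-Object { $_.Name -eq "Override Check Out" }
    if ($override -eq $null) {
        $override = New-Object Microsoft.SharePoint.SPRoleDefinition
        $override.Name = "Override Check Out"
        $override.Description = "Check in or discard documents checked out to other users"
        $override.BasePermissions = [Microsoft.SharePoint.SPBasePermissions]"CancelCheckout, ViewListItems, ViewPages, Open"
        $root.RoleDefinitions.Add($override)
        $override = $root.RoleDefinitions | Where-Object { $_.Name -eq "Override Check Out" }
    }

    # Role assignment: bindings are additive, so Members keep Contribute from the site
    # and gain the override right on this one library only.
    $lib = $root.Lists.TryGetList("Documents")        # assumed library
    if ($lib -eq $null) { throw "Library not found" }
    if (-not $lib.HasUniqueRoleAssignments) { $lib.BreakRoleInheritance($true) }
    $ra = New-Object Microsoft.SharePoint.SPRoleAssignment($root.AssociatedMemberGroup)
    $ra.RoleDefinitionBindings.Add($override)
    $lib.RoleAssignments.Add($ra)
    $lib.Update()
}
finally { $site.Dispose() }
```

The same helper with `-Source "Full Control" -Remove @("ManagePermissions")` produces the "Full Control Except Permissions" level recommended later in the deck for limiting who can change permissions.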
Security Scopes and Inheritance
- Initial security scope: the top-level site of a site collection. Its role assignments (permissions) are inherited by all child objects.
- Create a security scope: when you break inheritance (share), you create a security scope. All permissions on it are explicit (unique), and those explicit permissions are inherited by its child objects unless they break inheritance too.
- Inheritance can be reinstated: all customizations (explicit/unique permissions) are lost, and the security scope becomes the parent (or a higher-level) object.
- Use inheritance wherever possible.

Understand Effective Permissions
- A securable object is either explicit or inherited, never both. This differs from NTFS (inherited + explicit).
- No "partial inheritance": once inheritance is broken, changes to the parent's permissions no longer affect the child object.
- SharePoint access is to a URI; the permission on that URI is all that matters.
- No "traverse" permissions are necessary: no permission on the parent is needed (unlike NTFS Traverse Folder).
- Check effective permissions: Advanced sharing interface > Check Permissions reports the permissions of one user or group.
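Check Permissions in script form, covering the two points above: a scope is either explicit or inherited, and a grant on a library is effective even when the user holds nothing on the parent site (no traverse right needed). This is an added example, not from the presentation; the URL, the account CONTOSO\alex and the "Documents" library are assumed.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Does the effective mask contain every bit of $Right? (SPBasePermissions is a UInt64 flags enum.)
function Test-Right($Mask, [Microsoft.SharePoint.SPBasePermissions]$Right) {
    return (([uint64]$Mask -band [uint64]$Right) -eq [uint64]$Right)
}

# Effective permissions of one account on the site, one library and the first few items in it.
function Get-EffectivePermissionReport {
    param([string]$WebUrl, [string]$Account, [string]$ListName)
    $web = Get-SPWeb $WebUrl
    try {
        # EnsureUser returns the login in the form this web application uses (claims or classic);
        # it also creates the SPUser object in the site collection if it did not exist.
        $login = $web.EnsureUser($Account).LoginName
        $lib = $web.Lists.TryGetList($ListName)
        if ($lib -eq $null) { throw "List '$ListName' not found" }

        $targets = @(
            @{ Scope = "Site";    Url = $web.Url;            Obj = $web }
            @{ Scope = "Library"; Url = $lib.RootFolder.Url; Obj = $lib }
        )
        foreach ($item in ($lib.Items | Select-Object -First 5)) {
            $targets += @{ Scope = "Item"; Url = $item.Url; Obj = $item }
        }

        foreach ($t in $targets) {
            # Resolves the user's direct assignments, group memberships and web application policy.
            $mask = $t.Obj.GetUserEffectivePermissions($login)
            New-Object PSObject -Property @{
                Scope       = $t.Scope
                Url         = $t.Url
                Unique      = $t.Obj.HasUniqueRoleAssignments   # own scope, or inherited from the parent
                Read        = (Test-Right $mask ViewListItems)
                Edit        = (Test-Right $mask EditListItems)
                Delete      = (Test-Right $mask DeleteListItems)
                ManagePerms = (Test-Right $mask ManagePermissions)
            } | Select-Object Scope, Url, Unique, Read, Edit, Delete, ManagePerms
        }
    }
    finally { $web.Dispose() }
}

Get-EffectivePermissionReport -WebUrl "http://intranet.contoso.com" -Account "CONTOSO\alex" `
    -ListName "Documents" | Format-Table -AutoSize
```

For a user who was granted Read on the library only, the report shows the Site row with Read=False (the automatic Limited Access on the parent carries no View Items right) and the Library row with Read=True: access to the URI is all that matters.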
Security Trimming and Indexing
- The SharePoint interface and search results are security-trimmed: users don't see what they do not have permission to read.
- Problem case, item-level permissions on pages in a page library: a web part on the page displays items. Users don't see the items they lack access to, but the crawler sees every item in the web part and indexes it as part of the page, so those items can surface in search results for users who can read the page.
- When inheritance is broken anywhere within a site, all web part content on ASPX pages is no longer indexed by default: Site Settings > Search and Offline Availability > Indexing ASPX Page Content.
Role Assignments: Managing Security Management
- Limit who has the "Change Permissions" (Manage Permissions) permission: create a permission level such as Full Control Except Permissions.
- Manage the membership of the Site Collection Administrators group.
- Site Collection Administrators... it's the new Windows Administrators group!
Permissions and Policies

[Diagram: Authorization (a role assignment binding a user or group to a permission level for a security scope) sits beneath the web application level: permissions, user policy, and anonymous access & policy.]

Permissions
- Central Administration > Manage Web Applications > Permissions
- Define the rights (permissions) that can be used to define roles (permission levels)

User Policy
- Central Administration > Manage Web Applications > User Policy
- Defines access to all content in a web application; bound to a web application zone
- Permission policies: Full Control, Full Read, Deny Write, Deny All. Permission Policy lets you create your own.
- Allow and Deny: a Deny overrides any Allow permission
- Define policies for any available permission. Scenarios follow.
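Two user policy scenarios scripted against the web application: Full Read for a search crawl account, and Deny Write for an account that is also a Site Owner, which shows that a Deny wins over every Allow granted through role assignments. This is an added example, not from the presentation; the URL and the accounts CONTOSO\svc-crawl and CONTOSO\vendor1 are assumed, and the web application is assumed to use claims authentication (the 2013 default), hence the encoded logins.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Create or replace the user policy for one account in one zone of a web application.
function Set-SPWebAppUserPolicy {
    param(
        [Microsoft.SharePoint.Administration.SPWebApplication]$WebApp,
        [Microsoft.SharePoint.Administration.SPUrlZone]$Zone,
        [string]$Login,         # encoded login, e.g. "i:0#.w|contoso\svc-crawl" on a claims web app
        [string]$DisplayName,
        [Microsoft.SharePoint.Administration.SPPolicyRoleType]$RoleType   # FullControl, FullRead, DenyWrite, DenyAll
    )
    $policies = $WebApp.ZonePolicies($Zone)        # policies are bound to a zone
    $policy = $policies | Where-Object { $_.UserName -eq $Login }
    if ($policy -eq $null) { $policy = $policies.Add($Login, $DisplayName) }
    $policy.PolicyRoleBindings.RemoveAll()          # replace, rather than stack, roles
    $policy.PolicyRoleBindings.Add($WebApp.PolicyRoles.GetSpecialRole($RoleType))
    $WebApp.Update()
}

$webApp = Get-SPWebApplication "http://intranet.contoso.com"     # assumed URL
$zone   = [Microsoft.SharePoint.Administration.SPUrlZone]::Default

# Encode Windows accounts as claims logins (assumed accounts).
$crawl  = (New-SPClaimsPrincipal -Identity "CONTOSO\svc-crawl" -IdentityType WindowsSamAccountName).ToEncodedString()
$vendor = (New-SPClaimsPrincipal -Identity "CONTOSO\vendor1"   -IdentityType WindowsSamAccountName).ToEncodedString()

# Full Read for the crawler: reads everything in the web application regardless of site permissions.
Set-SPWebAppUserPolicy -WebApp $webApp -Zone $zone -Login $crawl  -DisplayName "Search crawl" -RoleType FullRead
# Deny Write for the contractor: Deny overrides Allow, so membership of Site Owners (Full Control)
# still leaves the account unable to write anywhere in this web application.
Set-SPWebAppUserPolicy -WebApp $webApp -Zone $zone -Login $vendor -DisplayName "Vendor (read only)" -RoleType DenyWrite

# Review: every policy on the zone with its roles.
$webApp.ZonePolicies($zone) | ForEach-Object {
    $roles = ($_.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ", "
    "{0,-45} {1,-25} {2}" -f $_.UserName, $_.DisplayName, $roles
}
```

A Full Read policy is exactly why the crawler indexes items that site users cannot see, so review this list whenever you investigate a search-trimming complaint.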
Anonymous Access
- Disabled by default
- Authentication of anonymous users: enable it for the web application. Central Administration > Application Management > Manage Web Applications > select the web app > Authentication Providers > click the zone.
- Authorization of access by anonymous users to a site: Site Settings > Advanced Permissions Settings > Anonymous Access. Enable access to the Entire Web Site, or to Lists and Libraries (then enable anonymous access on the selected lists and libraries), or to Nothing.
- Maximum permission: the Anonymous User Policy, a web application setting, caps what anonymous users can ever be granted.

Anonymous Access and the Intranet
- Anonymous access vs. "all users": Read vs. other permissions. "All users" can be expressed as <Domain>\Domain Users, NT AUTHORITY\Authenticated Users, or <Domain>\All Employees. Authenticated Users is the broadest of these: it includes accounts from every trusted domain, not just your own.
- Example layout:
  http://intranet.contoso.com (root site collection), intranet "Home": Anonymous, with a Sign In link
  http://intranet.contoso.com/public (explicit managed path): Anonymous
  Everything else: "All Users", Read
Beyond Authorization

Information Management Policies
- Enable in-place records management; declare records management attributes at the site collection, folder, or content type
- Effect is document-level security without permissions
- Information rights policies: rely on Active Directory Rights Management Services
Insight

Auditing
- Configured at the site collection level: Site Settings > Site collection audit settings
- Configured for content types: Site Settings > Site Content Types
- Audit log reports: Site Settings > Audit log reports
- Challenges: audit log events are purged over time; audit logs are per site collection; presentation of audit information (report formatting). Third-party tools address these.
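The three auditing challenges handled without a third-party tool: enable the security-relevant events, bound retention so the log is trimmed on a known schedule, and export the permission-change events of every site collection to one CSV before they are purged. This is an added example, not from the presentation; the web application URL and the output path are assumed.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Turn on auditing and a retention window for one site collection.
function Enable-SiteCollectionAudit([Microsoft.SharePoint.SPSite]$Site, [int]$RetentionDays) {
    $Site.Audit.AuditFlags = [Microsoft.SharePoint.SPAuditMaskType]"View, Update, CheckOut, CheckIn, ObjectDelete, ChildDelete, SecurityChange, SchemaChange"
    $Site.Audit.Update()
    # Entries older than this are removed by the Audit Log Trimming timer job,
    # so export before the window closes.
    $Site.TrimAuditLog = $true
    $Site.AuditLogTrimmingRetention = $RetentionDays
}

# Permission-related events (group membership, role bindings, inheritance breaks)
# from the last $Days days of one site collection.
function Get-SecurityAuditEvents([Microsoft.SharePoint.SPSite]$Site, [int]$Days) {
    $query = New-Object Microsoft.SharePoint.SPAuditQuery($Site)
    $query.SetRangeStart((Get-Date).AddDays(-$Days))
    foreach ($e in $Site.Audit.GetEntries($query)) {
        # Security event names start with "Sec": SecGroupMemberAdd, SecRoleBindBreakInherit, ...
        if ($e.Event.ToString() -notlike "Sec*") { continue }
        $who = "#$($e.UserId)"
        try { $who = $Site.RootWeb.SiteUsers.GetByID($e.UserId).LoginName } catch { }   # user may be gone
        New-Object PSObject -Property @{
            Site     = $Site.Url
            Occurred = $e.Occurred
            Event    = $e.Event
            User     = $who
            Location = $e.DocLocation
            Data     = $e.EventData    # XML naming the principal or role touched, where recorded
        } | Select-Object Site, Occurred, Event, User, Location, Data
    }
}

# Audit logs are per site collection: loop every site collection in the web application.
# Assumed URL and output path (the folder must exist).
$rows = @()
foreach ($site in (Get-SPWebApplication "http://intranet.contoso.com" | Get-SPSite -Limit All)) {
    try {
        Enable-SiteCollectionAudit -Site $site -RetentionDays 90
        $rows += Get-SecurityAuditEvents -Site $site -Days 30
    }
    finally { $site.Dispose() }
}
$rows | Export-Csv -NoTypeInformation -Path "C:\Reports\sharepoint-security-audit.csv"
```

Keep the View event in mind: on a busy site collection it dominates the audit table, so enable it deliberately and size the retention window accordingly.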
Insight: what you need to see
- Effective permissions; reporting permissions; auditing access
- Notifications: inheritance has been broken, content has been shared, group membership has been changed
- Solutions: PowerShell, third-party tools
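The "PowerShell" solution for the list above, and for the earlier advice to limit who holds Change Permissions and to watch the Site Collection Administrators: an inventory of every security scope in a site collection with its role assignments, flagging principals whose levels include Manage Permissions. Diffing two runs yields the "inheritance broken / content shared / membership changed" notifications. This is an added example, not from the presentation; the URL and output path are assumed.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# One row per role assignment on a securable object that has its own (unique) permissions.
function Get-ScopeRows($Securable, [string]$ScopeType, [string]$Url) {
    foreach ($ra in $Securable.RoleAssignments) {
        $levels = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name })
        $canChangePerms = $false
        foreach ($rd in $ra.RoleDefinitionBindings) {
            if (([uint64]$rd.BasePermissions -band [uint64][Microsoft.SharePoint.SPBasePermissions]::ManagePermissions) -ne 0) {
                $canChangePerms = $true
            }
        }
        New-Object PSObject -Property @{
            ScopeType   = $ScopeType
            Url         = $Url
            Principal   = $ra.Member.Name
            IsGroup     = ($ra.Member -is [Microsoft.SharePoint.SPGroup])
            Levels      = ($levels -join ", ")
            ChangePerms = $canChangePerms      # can share, break inheritance, or edit permissions here
        } | Select-Object ScopeType, Url, Principal, IsGroup, Levels, ChangePerms
    }
}

# Every security scope in a site collection, plus its administrators.
function Get-SecurityScopeReport([string]$SiteUrl, [int]$MaxItemsPerList = 2000) {
    $site = Get-SPSite $SiteUrl
    try {
        foreach ($admin in $site.RootWeb.SiteAdministrators) {
            New-Object PSObject -Property @{
                ScopeType = "SiteCollectionAdmin"; Url = $site.Url; Principal = $admin.LoginName
                IsGroup = $false; Levels = "Site Collection Administrator"; ChangePerms = $true
            } | Select-Object ScopeType, Url, Principal, IsGroup, Levels, ChangePerms
        }
        foreach ($web in $site.AllWebs) {
            try {
                if ($web.HasUniqueRoleAssignments) { Get-ScopeRows $web "Site" $web.Url }
                foreach ($list in $web.Lists) {
                    if ($list.Hidden) { continue }
                    if ($list.HasUniqueRoleAssignments) { Get-ScopeRows $list "List" $list.RootFolder.ServerRelativeUrl }
                    # Item scopes are where a 2013 "Share" on a document lands. Walking every
                    # item is expensive, so large lists are skipped here.
                    if ($list.ItemCount -gt $MaxItemsPerList) { continue }
                    foreach ($item in $list.Items) {
                        if ($item.HasUniqueRoleAssignments) { Get-ScopeRows $item "Item" $item.Url }
                    }
                }
            }
            finally { $web.Dispose() }
        }
    }
    finally { $site.Dispose() }
}

# Assumed URL and output path. Keep each run; compare it with the previous one to see new
# scopes (inheritance broken, content shared), new principals and new ChangePerms holders.
Get-SecurityScopeReport -SiteUrl "http://intranet.contoso.com" |
    Export-Csv -NoTypeInformation -Path "C:\Reports\intranet-security-scopes.csv"
```

Filter the CSV on ChangePerms to get the short list of people and groups who can extend access; that list, together with the SiteCollectionAdmin rows, is what the "new Windows Administrators group" remark asks you to keep small.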
SharePoint Security Notes
- Permissions apply to securable objects, as granular as an item or document
- Other features augment security management: records management, information management policies, information rights policies
- Columns cannot be secured uniquely out of the box. Workarounds, each with a performance cost: conditional formatting; related lists (separate lists, with a view of both using connected web parts); third-party solutions
- Audiences make content visible to users. The effect can be close to security, but audiences are not security: targeted content is only hidden in the UI and remains readable to anyone with permission, through its URL, search, or the API.
MAHALO! (thank you!)
http://tiny.cc/danholmepresentations
http://bit.ly/danholmearticles
http://bit.ly/danholmebooks
A HUI HO! ('til next time!) @danholme

Related content
- Breakout session SES-B312: The Only Way to Go Is Up! Upgrade to Microsoft SharePoint 2013
- Hands-on lab SES-H313: Deferred Site Collection Upgrade in Microsoft SharePoint Server 2013

Resources
- MSDN, resources for developers: http://microsoft.com/msdn
- TechNet, resources for IT professionals: http://microsoft.com/technet
- Microsoft Certification & Training Resources: www.microsoft.com/learning
- Sessions on demand: http://channel9.msdn.com/Events/TechEd
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.