#SPSSAN June 30, 2012 San Diego Convention Center BEST PRACTICES FOR MANAGING SHAREPOINT PERMISSION LEVELS SharePoint 2010 Tony Rockwell



Who?

Tony Rockwell

About me:

20+ years in IT

5 years focused on SharePoint

MCTS SharePoint 2010 Configuration

• SharePoint Administration
• Installation; Configuration; Upgrades
• Enable OOTB features
• Implement 3rd party tools
• Founding Board Member of SANSPUG
• SPSSAN organizer

Solution Specialist at EPM Live

EPM Live is the global leader in SharePoint-based project, portfolio & work management solutions that help organizations increase productivity by improving visibility, execution and collaboration on all types of work.
• PortfolioEngine
• WorkEngine
• ProjectEngine


House Keeping
• Thank our Sponsors!
• This is an Interactive Session
• Save questions – you choose

Twitter hashtags: #PermissionLevels


Agenda
• SharePoint Security
• Why Create custom permission levels?
• Inheritance & Scopes
• Best Practices
• Permission Level Scenario
• How-To using the SharePoint interface
• How-To using PowerShell
• References


SharePoint Security

• Why create custom permission levels?
  • Because security matters to you
  • Ease security administration
  • Enable refined security

• Terminology
  Farm Administrator
  Service Application Administrator
  Feature Administrator
  Site Collection Administrator
  Permission Levels
  Users
  Groups
  Securable Objects
  Inheritance & Scopes


Inheritance & Scopes

[Diagram: securable-object hierarchy (Site Collection, Web Object, Document Library Object, Folder, Web Object, Item, Item, Item) with two permission scopes marked Scope 1 and Scope 2]


Best Practices

SharePoint Permissions

• Use fine-grained permissions only when business case requires it

• Break permission inheritance as infrequently as possible

• Use domain groups to assign permissions to sites when possible

• Assign permissions at the highest level possible

• Make use of appropriate SP roles


Best Practices

SharePoint Permission Levels & Scopes

• Don’t modify or delete a default permission level

• Copy a default permission level & modify it

• The maximum # of unique security scopes set for a list should not exceed 1,000

• Use group membership rather than individual membership in your scopes
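
One way to check a site against the practices above, as an added PowerShell example that is not part of the original slides. It reports role assignments made directly to individual accounts and counts list objects with broken inheritance against the 1,000-scope figure; the function name and the report columns are assumptions made for illustration.

```powershell
# Added example, not from the original slides. Run in the SharePoint 2010 Management Shell.
function Get-ScopeReport {
    param([string]$WebUrl, [int]$ScopeLimit = 1000)   # 1,000 is the figure from the slide

    $web = Get-SPWeb $WebUrl
    try {
        # Assignments made to individual accounts instead of groups.
        # Domain groups surface as SPUser objects with IsDomainGroup = $true, so skip them.
        foreach ($ra in $web.RoleAssignments) {
            $member = $ra.Member
            if ($member -is [Microsoft.SharePoint.SPUser] -and -not $member.IsDomainGroup) {
                New-Object PSObject -Property @{
                    Check  = "DirectUserAssignment"
                    Target = $web.Url
                    Detail = $member.LoginName
                }
            }
        }

        foreach ($list in $web.Lists) {
            # Every item or folder with broken inheritance carries its own scope.
            # Enumerating Items loads each item, so run this off-hours on large lists.
            $unique = @($list.Items   | Where-Object { $_.HasUniqueRoleAssignments }).Count +
                      @($list.Folders | Where-Object { $_.HasUniqueRoleAssignments }).Count
            if ($list.HasUniqueRoleAssignments) { $unique++ }

            if ($unique -gt 0) {
                $check = "UniqueScopes"
                if ($unique -gt $ScopeLimit) { $check = "ScopeLimitExceeded" }
                New-Object PSObject -Property @{
                    Check  = $check
                    Target = $list.Title
                    Detail = "$unique objects with unique permissions"
                }
            }
        }
    }
    finally {
        $web.Dispose()
    }
}

# Sample URL from the slides
Get-ScopeReport -WebUrl http://sharepoint.contoso.com | Format-Table Check, Target, Detail -AutoSize
```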


Scenario
• The Company
• Each department owns a site
• Department site owner to manage site… but delegates permissions to someone else
• Delegate should not modify site, pages, etc. only add/remove (manage) users
• Delegate should also have standard “Contribute” access to site


Required Administrative Credentials
• You are a member of the Administrators group for the site collection
• You are a member of the Owners group for the site
• You have the Manage Permissions permission

If you use PowerShell you also need the SharePoint_Shell_Access role in the SQL db


How-to: SharePoint interface

1. Navigate to top-level site

2. Site Actions > Site Permissions (or Site Settings for Publishing)

3. Click on Permission Levels in the Ribbon

4. Select the permission level to copy – Contribute

5. Scroll down & select Copy Permission Level


6. Name the new permission level (User Manager) & enter a description (e.g. “Use this permission to Manage Users”)

7. Select desired permissions
   • Check Enumerate Permissions (Manage will auto-select, Deselect it)

8. Scroll down & click Create

The custom permission level is ready to use!
• Create a SharePoint group for each department; e.g. “Accounting User Managers”
• Give the group the “User Manager” permission level
• Make the owner of this SP Group the Site Owner or SCA
• Change the owner of the Member & Visitor groups


How-to: PowerShell

PS > $spWeb = Get-SPWeb http://sharepoint.contoso.com

Create a new object
PS > $plevel = New-Object Microsoft.SharePoint.SPRoleDefinition

Add name and description
PS > $plevel.Name = "Custom: User Manager"
PS > $plevel.Description = "Enumerate Permissions"

Set the base permissions
PS > $plevel.BasePermissions = "EnumeratePermissions"


Add the permission level to your site
PS > $spWeb.RoleDefinitions.Add($plevel)

Clean up
PS > $spWeb.Dispose()

See base permissions that are available
PS > [system.enum]::GetNames("Microsoft.SharePoint.SPBasePermissions")

EmptyMask ViewListItems AddListItems EditListItems DeleteListItems ApproveItems OpenItems ViewVersions DeleteVersions CancelCheckout ManagePersonalViews ManageLists ViewFormPages Open ViewPages AddAndCustomizePages ApplyThemeAndBorder ApplyStyleSheets ViewUsageData CreateSSCSite ManageSubwebs CreateGroups ManagePermissions BrowseDirectories BrowseUserInfo AddDelPrivateWebParts UpdatePersonalWebParts ManageWeb UseClientIntegration UseRemoteAPIs ManageAlerts CreateAlerts EditMyUserInfo EnumeratePermissions FullMask
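
The whole scenario from the two how-to sections in one script (copy Contribute, add Enumerate Permissions, create the department group, bind the level), as an added PowerShell example that is not part of the original slides. The group name is the deck's sample; using the site collection owner as the group owner, and handing ownership of the Members and Visitors groups to the new group, are assumptions about what the last two bullets of the interface how-to intend.

```powershell
# Added example, not from the original slides. Run in the SharePoint 2010 Management Shell.
$spWeb = Get-SPWeb http://sharepoint.contoso.com      # sample URL from the slides
try {
    $levelName = "User Manager"
    $groupName = "Accounting User Managers"

    # Create the level only if it is missing (the name indexer throws on a miss).
    $level = $spWeb.RoleDefinitions | Where-Object { $_.Name -eq $levelName }
    if (-not $level) {
        # Copy Contribute's rights into a new level; the default level stays untouched.
        $contribute = $spWeb.RoleDefinitions["Contribute"]
        $level = New-Object Microsoft.SharePoint.SPRoleDefinition
        $level.Name = $levelName
        $level.Description = "Use this permission to Manage Users"
        # Comma-separated flag names are parsed into SPBasePermissions on assignment.
        $level.BasePermissions = "$($contribute.BasePermissions), EnumeratePermissions"
        $spWeb.RoleDefinitions.Add($level)
        $level = $spWeb.RoleDefinitions[$levelName]
    }

    # Department group, owned by the site collection owner
    # (assumption: stands in for "Site Owner or SCA").
    $group = $spWeb.SiteGroups | Where-Object { $_.Name -eq $groupName }
    if (-not $group) {
        $spWeb.SiteGroups.Add($groupName, $spWeb.Site.Owner, $null, "Manages users for Accounting")
        $group = $spWeb.SiteGroups[$groupName]
    }

    # Bind the custom level to the group on this site.
    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
    $assignment.RoleDefinitionBindings.Add($level)
    $spWeb.RoleAssignments.Add($assignment)

    # Assumption: delegates manage membership by owning the Members and Visitors groups.
    foreach ($g in @($spWeb.AssociatedMemberGroup, $spWeb.AssociatedVisitorGroup)) {
        if ($g) { $g.Owner = $group; $g.Update() }
    }

    # Show what the level grants so it can be reviewed before users are added.
    $level.BasePermissions
}
finally {
    $spWeb.Dispose()
}
```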


Session wrap-up

Questions

Please complete a Session Survey

Help me improve

Help the organizers improve future events

Win prizes!


Contact me @
Email: [email protected]
Twitter: @sharepoinTony
Blog: http://sharepoinTony.info/blog
LinkedIn: http://www.linkedin.com/in/ajrockwell
San Diego SharePoint Users Group: www.sanspug.org
slideshare: http://www.slideshare.net/trock2010/

REFERENCE:

Technet - User Permissions and Permission Levels
http://technet.microsoft.com/en-us/library/cc721640.aspx

Spbasepermissions - definitions
http://technet.microsoft.com/en-us/library/microsoft.sharepoint.spbasepermissions(v=office.12).aspx

SP Permission Inheritance
http://technet.microsoft.com/en-us/library/cc287792(v=office.12).aspx

Best Practices for Fine-grained Permissions (White Paper)
http://technet.microsoft.com/en-us/library/gg130816(v=office.12).aspx

Best Practices Center for SharePoint 2010
http://technet.microsoft.com/en-us/sharepoint/hh189420
