#SPSSAN June 30, 2012 San Diego Convention Center BEST PRACTICES FOR MANAGING SHAREPOINT PERMISSION LEVELS SharePoint 2010 Tony Rockwell

Best Practices with SP Permission Levels


Page 1: Best Practices with SP Permission Levels

#SPSSAN

June 30, 2012

San Diego Convention Center

BEST PRACTICES FOR MANAGING

SHAREPOINT PERMISSION LEVELS

SharePoint 2010

Tony Rockwell

Page 2: Best Practices with SP Permission Levels


Who?

Tony Rockwell

About me:

20+ years in IT

5 years focused on SharePoint

MCTS SharePoint 2010 Configuration

• SharePoint Administration

• Installation; Configuration; Upgrades

• Enable OOTB features

• Implement 3rd party tools

• Founding Board Member of SANSPUG

• SPSSAN organizer

Solution Specialist at EPM Live

EPM Live is the global leader in SharePoint-based project, portfolio & work management solutions that help organizations increase productivity by improving visibility, execution and collaboration on all types of work.

• PortfolioEngine

• WorkEngine

• ProjectEngine

Page 3: Best Practices with SP Permission Levels


House Keeping

• Thank our Sponsors!

• This is an Interactive Session

• Save questions – you choose

Twitter hashtags:

#PermissionLevels

Page 4: Best Practices with SP Permission Levels


Agenda

• SharePoint Security

• Why Create custom permission levels?

• Inheritance & Scopes

• Best Practices

• Permission Level Scenario

• How-To using the SharePoint interface

• How-To using PowerShell

• References

Page 5: Best Practices with SP Permission Levels


SharePoint Security

• Why create custom permission levels?

• Because security matters to you

• Ease security administration

• Enable refined security

• Terminology

Farm Administrator

Service Application Administrator

Feature Administrator

Site Collection Administrator

Permission Levels

Users

Groups

Securable Objects

Inheritance & Scopes

Page 6: Best Practices with SP Permission Levels


Inheritance & Scopes

[Diagram labels: Site Collection; Web Object; Document Library Object; Folder Web Object; Item; Item; Item; Scope 2]

Page 7: Best Practices with SP Permission Levels


Best Practices

SharePoint Permissions

• Use fine-grained permissions only when business case requires it

• Break permission inheritance as infrequently as possible

• Use domain groups to assign permissions to sites when possible

• Assign permissions at the highest level possible

• Make use of appropriate SP roles

Page 8: Best Practices with SP Permission Levels


Best Practices

SharePoint Permission Levels & Scopes

• Don’t modify or delete a default permission level

• Copy a default permission level & modify it

• The maximum # of unique security scopes set for a list should not exceed 1,000

• Use group membership rather than individual membership in your scopes
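
One way to check a site collection against the two slides above, as an added example that is not part of the original deck. It reports, per list, an approximate count of unique security scopes (compared with the 1,000 ceiling) and any individual accounts granted access directly instead of through a group. The URL is a placeholder, and the script assumes the SharePoint 2010 Management Shell.

```powershell
# Added example (not from the deck). $siteUrl is an assumed placeholder.
$siteUrl    = "http://sharepoint.contoso.com"
$scopeLimit = 1000   # per-list ceiling quoted on the slide

$site = Get-SPSite $siteUrl
try {
    $report = foreach ($web in $site.AllWebs) {
        try {
            foreach ($list in $web.Lists) {
                # Items and folders that no longer inherit from the list.
                # Enumerating every item is slow on very large lists.
                $broken = @(@($list.Items) + @($list.Folders) |
                    Where-Object { $_.HasUniqueRoleAssignments }).Count
                # Approximation: one scope per broken item/folder, plus the list itself.
                $scopes = $broken + [int]$list.HasUniqueRoleAssignments
                if ($scopes -eq 0) { continue }

                # Individual accounts (not SharePoint or domain groups)
                # granted access directly on the list.
                $direct = @()
                if ($list.HasUniqueRoleAssignments) {
                    $direct = @($list.RoleAssignments | Where-Object {
                        $_.Member -is [Microsoft.SharePoint.SPUser] -and
                        -not $_.Member.IsDomainGroup
                    } | ForEach-Object { $_.Member.LoginName })
                }

                New-Object PSObject -Property @{
                    Web          = $web.Url
                    List         = $list.Title
                    UniqueScopes = $scopes
                    OverLimit    = ($scopes -gt $scopeLimit)
                    DirectUsers  = ($direct -join "; ")
                }
            }
        } finally { $web.Dispose() }   # AllWebs hands out objects the caller must dispose
    }
    $report | Sort-Object UniqueScopes -Descending |
        Format-Table Web, List, UniqueScopes, OverLimit, DirectUsers -AutoSize
} finally { $site.Dispose() }
```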

Page 9: Best Practices with SP Permission Levels


Scenario

• The Company

• Each department owns a site

• Department site owner to manage site… but delegates permissions to someone else

• Delegate should not modify site, pages, etc. only add/remove (manage) users

• Delegate should also have standard “Contribute” access to site

Page 10: Best Practices with SP Permission Levels


Required Administrative Credentials

Page 11: Best Practices with SP Permission Levels


How-to: SharePoint interface

1. Navigate to top-level site

2. Site Actions > Site Permissions (or Site Settings for Publishing)

3. Click on Permission Levels in the Ribbon

4. Select the permission level to copy – Contribute

5. Scroll down & select Copy Permission Level

Page 12: Best Practices with SP Permission Levels


How-to: SharePoint interface

6. Name the new permission level (User Manager) & enter a description (i.e. “Use this permission to Manage Users”)

7. Select desired permissions

• Check Enumerate Permissions (Manage will auto-select; deselect it)

8. Scroll down & click Create

The custom permission level is ready to use!

• Create a SharePoint group for each department; i.e. “Accounting User Managers”

• Give the group the “User Manager” permission level

• Make the Site Owner or SCA the owner of this SP group

• Change the owner of the Member & Visitor groups

Page 13: Best Practices with SP Permission Levels


How-to: PowerShell

Get the site object

PS > $spWeb = Get-SPWeb http://sharepoint.contoso.com

Create a new object

PS > $plevel = New-Object Microsoft.SharePoint.SPRoleDefinition

Add name and description

PS > $plevel.Name = "Custom: User Manager"

PS > $plevel.Description = "Enumerate Permissions"

Set the base permissions

PS > $plevel.BasePermissions = "EnumeratePermissions"

Page 14: Best Practices with SP Permission Levels


How-to: PowerShell

Add the permission level to your site

PS > $spWeb.RoleDefinitions.Add($plevel)

Clean up

PS > $spWeb.Dispose()

See base permissions that are available

PS > [system.enum]::GetNames("Microsoft.SharePoint.SPBasePermissions")

EmptyMask ViewListItems AddListItems EditListItems DeleteListItems ApproveItems OpenItems ViewVersions DeleteVersions CancelCheckout ManagePersonalViews ManageLists ViewFormPages Open ViewPages AddAndCustomizePages ApplyThemeAndBorder ApplyStyleSheets ViewUsageData CreateSSCSite ManageSubwebs CreateGroups ManagePermissions BrowseDirectories BrowseUserInfo AddDelPrivateWebParts UpdatePersonalWebParts ManageWeb UseClientIntegration UseRemoteAPIs ManageAlerts CreateAlerts EditMyUserInfo EnumeratePermissions FullMask
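
The scenario from the earlier slides carried through in PowerShell, as an added example that is not part of the original deck: copy Contribute, add Enumerate Permissions, create the department group, bind the level to it, and change the owner of the Member and Visitor groups. The group name, the owner account CONTOSO\deptowner, and the choice of the new group as owner of the Member and Visitor groups are assumptions.

```powershell
# Added example (not from the deck). Run in the SharePoint 2010 Management Shell.
# Assumed values: group name and owner login below.
$levelName = "Custom: User Manager"
$groupName = "Accounting User Managers"
$ownerLogin = "CONTOSO\deptowner"

$spWeb = Get-SPWeb http://sharepoint.contoso.com
try {
    # Permission levels can only be added where they are defined,
    # normally the top-level site of the site collection.
    if (-not $spWeb.HasUniqueRoleDefinitions) {
        throw "Role definitions are inherited here; run against the top-level site."
    }

    # Copy Contribute rather than modifying the default level.
    if (-not ($spWeb.RoleDefinitions | Where-Object { $_.Name -eq $levelName })) {
        $contribute = $spWeb.RoleDefinitions["Contribute"]
        $plevel = New-Object Microsoft.SharePoint.SPRoleDefinition
        $plevel.Name = $levelName
        $plevel.Description = "Use this permission to Manage Users"
        # The flags enum renders as comma-separated names, which
        # PowerShell converts back to SPBasePermissions on assignment.
        $plevel.BasePermissions = "$($contribute.BasePermissions), EnumeratePermissions"
        $spWeb.RoleDefinitions.Add($plevel)
    }

    # Department group, owned by the site owner.
    $owner = $spWeb.EnsureUser($ownerLogin)
    if (-not ($spWeb.SiteGroups | Where-Object { $_.Name -eq $groupName })) {
        $spWeb.SiteGroups.Add($groupName, $owner, $null, "Manages users for Accounting")
    }
    $group = $spWeb.SiteGroups[$groupName]

    # Give the group the custom permission level on this site.
    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
    $assignment.RoleDefinitionBindings.Add($spWeb.RoleDefinitions[$levelName])
    $spWeb.RoleAssignments.Add($assignment)

    # Assumption: the delegates' group becomes owner of the Member and
    # Visitor groups, so its members can add and remove users there.
    foreach ($g in @($spWeb.AssociatedMemberGroup, $spWeb.AssociatedVisitorGroup)) {
        if ($g) { $g.Owner = $group; $g.Update() }
    }
} finally {
    $spWeb.Dispose()
}
```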

Page 15: Best Practices with SP Permission Levels

Session wrap-up

Questions

Please complete a Session Survey

Help me improve

Help the organizers improve future events

Win prizes!

Page 16: Best Practices with SP Permission Levels


Contact me @

Email: [email protected]

Twitter: @sharepoinTony

Blog: http://sharepoinTony.info/blog

LinkedIn: http://www.linkedin.com/in/ajrockwell

San Diego SharePoint Users Group: www.sanspug.org

slideshare: http://www.slideshare.net/trock2010/

REFERENCE:

TechNet - User Permissions and Permission Levels

http://technet.microsoft.com/en-us/library/cc721640.aspx

SPBasePermissions - definitions

http://technet.microsoft.com/en-us/library/microsoft.sharepoint.spbasepermissions(v=office.12).aspx

SP Permission Inheritance

http://technet.microsoft.com/en-us/library/cc287792(v=office.12).aspx

Best Practices for Fine-grained Permissions (White Paper)

http://technet.microsoft.com/en-us/library/gg130816(v=office.12).aspx

Best Practices Center for SharePoint 2010

http://technet.microsoft.com/en-us/sharepoint/hh189420

Page 17: Best Practices with SP Permission Levels


The After-Party: SharePint

Karl Strauss Brewing Company

1157 Columbia Street

San Diego, CA 92101

Phone: 619-234-2739

Immediately following event closing & prize drawings (@6:30 pm)

Directions (.9 miles):

1. Head northeast on 1st Ave

2. Turn left onto W. B St

3. Turn left onto Columbia St

Karl Strauss will be on the left

Page 18: Best Practices with SP Permission Levels


June 30, 2012

San Diego Convention Center

THANK OUR SPONSORS

Please be sure to fill out your session evaluation!