In order to understand how site groups and user assignments work together to provide full security, you must understand the overall security architecture built into Web Parts and Windows SharePoint Services.
Windows SharePoint Services handles security in order of priority:
Use object-level permissions, if they exist.
Use site-level permissions if no object-level permissions exist.
Use global-level permissions if no other permissions exist.
SharePoint assigns global permissions when a user enters SharePoint for the first time. Users receive site-level permissions when they access a site. Generally, a user who doesn't belong to the administrative group receives reader permissions when he accesses a SharePoint site.
The amount of site access a user requires depends on the tasks the user needs to perform. For example, if a user needs to add content to the team site, she requires the appropriate access rights to do so. To grant these permissions, you need to assign users to a site group to control site access.
Each site in SharePoint maintains its own permissions for users. You can manage user permissions through the Site Administration page on the team site. From this page, you can:
- Manage users
Add and delete users and control a user's access to the site.
- Manage site groups
Add, delete, and modify the permissions available to a site group.
- Manage anonymous access
Enable or disable anonymous access and decide the default site group to which users should be assigned.
- Manage cross-site groups
Add, modify, and delete cross-site groups.
- Manage access request
Allow users to send requests for access to functionality within a site to which they are denied.
To assign a user to a site group permission set for a site, you need to:
Click the Site Settings link on the top menu bar.
Select Manage Users.
Click on the user to modify access rights for the selected user.
Click the checkbox associated with the site group to assign the user to that group.
Click OK.
Figure 4-2 shows the Edit Site Group Membership page for a team site.
You can assign more than one site group to a user for a site. This is useful when you have site groups that do not inherit permissions (for example, a read-only site group, an add-only site group, and a delete-only site group).
Site-level permissions handle many of your security requirements. However, a user may require different access rights to specific content within a site. To increase the flexibility of the security model, Windows SharePoint Services allows you to assign object-level permissions.
Object-level permissions exist for all objects. You can configure permissions for:
Document libraries
Picture libraries
Lists
Discussion boards
Surveys
Object-level permissions permit a more flexible and dynamic layer of security for users and groups. Whereas a user may require the web designer permission for the entire site, that same user may be assigned reader access to a specific document library. The user can do everything allowed by the web designer group; however, once the user accesses the document library in the site, the user is restricted to the rights that apply to the reader role. This sort of scenario is quite common when you have a site developer supporting a sensitive team site (such as a financial information site or human resources site).
To control access to an object, you need to assign users a site group permission to that object. To assign a user site group permission for an object, you need to:
Select the object that requires additional permissions.
Click on the "Modify settings and columns" link.
Select "Change permissions."
Select the user to change his permissions.
Choose the appropriate permission level and click OK.
Figure 4-3 shows the Modify Permissions page for the Shared Documents object.
To prevent a user access to an object, perform the following steps on the Change Permissions screen:
Click on the checkbox beside each user you wish to remove.
Click Remove Selected Users.
Removing a user from an object only affects the user's ability to access that particular object. The user's site access permissions are not affected. You might, for example, grant the web developer role for a user who helps administer the Human Resources team site, but you might block his access to the Employee Evaluation document library.
Get SharePoint User's Guide now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.