We have a teamsite site collection with a number of subsites.
In the sub-sites. We usually break the inheritance and assign specific groups.
Now, our company director needs access to the all teamsites. We have over 100 teamsites. And it is difficult to assign him to each group for each teamsite. furthermore, we would have to remember to add him as a member to the teamsite each time.
Is there a way to add a specific Active directory user or group so that they can access all subsites (thereby overriding any break in the inheritance)
Any help would be greately appreciated.
Thanks,
Joseph
You need to add a web application policy.
If you head into SharePoint Central Administration --> Application Management --> Policy for Web Applications you should be able to set him up with the requisite permissions that will work across the sites within that web app.
For more information, have a look here
(I've voted to have this moved to the SharePoint StackExchange site as it's not really Dev related)
Related
I'm currently working on migrating a big company's data from DropBox to SharePoint and i can't quite decide on how to structure the whole SharePoint environment.
So as you may know DropBox has an admin section where you add your members, groups and content to share and it is pretty straightforward on how to implement simple things and by that, i mean that you get your members on some groups and then you share specific folders (from your content) to that group directly.
As of SharePoint now, i found out that it has more or less the same functionality but it really gets pretty inconvenient on how to implement this. I created a new site, then i created my groups and added some users to them, then i created as many document libraries as my shared folders were on DropBox, i stopped inheritance from the site and added groups directly to the document libraries. All that, took me quite a while, more than 8 hours, for 30 document libraries and 20 groups mostly due to the back and forth i had to go through settings, permissions, libraries etc.
Would it be, let's say, more practical or rather make more sense to create a new site for every shared folder i have on DropBox and add members directly from the site's homepage?
What would you do for such a case?
Thanks in advance
PS. The migration tool that SharePoint admin center provides it comes pretty handy and it works good, but transfers data quite slowly.
TLDR: Use sites, not libraries, for different user groups.
SharePoint makes the following things easy:
Sharing a whole site (by inviting people as members (edit) or visiors (read))
Sharing a single file (with a person that you don't want to have access to the other stuff on the site)
SharePoint makes the following very hard:
sharing specific libraries with distinct groups of people. This requires a lot of setup work and is a maintenance nightmare. You also need to be an administrator of the each site and know where in the depth of the SharePoint settings you can find the switch to break permissions and invite other people to a library.
It is not recommended practice to share libraries like that.
In your scenario, you would be served better with individual team sites using O365 groups. Then add members via the home page sharing button. The site should be the permission boundaries and these permissions should not be broken for any site content.
If the need arises to break permissions for certain content, it's time to move that content to a separate site with its own membership groups.
Using O365 groups, any site membership can then be viewed, managed and audited in the SharePoint admin portal and the M365 admin portal. No SharePoint knowledge or SharPoint site access is required for admins to manage membership. Membership assignment can also be automated with various tools like PowerShell or Power Automate.
Users can see only the sites they have access to, and will not suffer the bad user experience of clicking a library, only to get an error message for "You do not have access".
I am looking to set up a new security group called Head Company which will include existing security groups on my SharePoint like Child Company 1, Child Company 2 etc. This is to allow say the Company Group CEO manager access to all the Companies the Head Company owns.
Unfortunately SharePoint does not seem to allow it ?
Error: SharePoint Groups cannot contain other SharePoint Groups. Remove the SharePoint Group from the Users box and try again.
Is this something you guys have done on SharePoint, or something perhaps you have been able to work round?
This problem messes up my master plan in terms of how I was going to set this up ! Double drat !
SHAREPOINT 2010
If you could switch to using AD groups then you can put AD groups within each other however this also has drawbacks trying to manage it all.
A restructure may be time consuming but would make it easier to manage in the future. And i am sure you can move sites within subsite fairly easily now Check this out
http://movesites.codeplex.com/
What are the minimum SharePoint 2010 permissions required to allow a user to personalize a web part page, allowing updates and adding web parts to the page but completely restrict the user modifying the shared version?
I initially copied the built-in “Read” permission level and added the “Manage Personal Views”, “Add/Remove Personal Web Parts” and “Update Personal Web Parts” permissions from the Personal Permissions group. This custom permission level was then applied to a user who then viewed a web part page created by the Administrator, which contained only a very simple prototype SharePoint web part. This web part contained a modifiable label which was edited using the “Miscellaneous” section from the Edit Web Part from the standard SharePoint chrome.
With the custom permission level applied the “Miscellaneous” option it is not available to the user upon personalizing the page and selecting Edit Web Part. The “Miscellaneous” option only becomes available to the user when the permission level is further modified to have the “Edit Items” from the List Permissions group. This has the undesired effect of allowing the user to be able to modify the shared version of the page.
Is what I’m trying to achieve even possible?
Many thanks
Check this out: http://akifkamalsyed.wordpress.com/2011/01/17/personalizable-web-part-custom-property-not-shown-for-users-with-contribute-permission-level/
It's probably because you don't have a safecontrol for the webpart with the attribute SafeAgainstScript
Just need to use find a simple way to have AD authenticate as the login for a Sharepoint site. This fairly quick and simple to get going ?
Thanks!
For SharePoint 2007, see this article. You probably want to set it up to do Windows integrated authentication with NTLM. Getting authentication working is probably not too hard, getting your site setup the way you want with permissions/authorization working probably isn't. Depends on how complex your site is. I wasn't directly involved but I know that it took a few months to get our intranet up and bug free.
One recommendation that I would have is to use AD groups or SharePoint groups that contain AD groups rather than individuals to control access. It's much easier to clean up AD group membership when an individual leaves than to track down all the places where you've given them individual access (including membership in SharePoint groups).
You need your server to be part of the domain before installing SharePoint.
If you do that, the default configuration will be AD authentication.
Here is a decent discussion of SharePoint security links
http://blogs.msdn.com/joelo/archive/2007/06/29/sharepoint-groups-permissions-site-security-and-depreciated-site-groups.aspx
Essentially, you will either need to add users to the appropriate SharePoint group. The defaults for a site are generally xxx_Visitor, xxx_Members and xxx_Owners, with each group having increasing security rights.
You can either add an AD domain to these groups or else add individual AD users
I've got a SharePoint application and I'm sad to say that in my SharePoint-induced excitement, I ignored a lot of the security concerns I should have been paying more attention to. Though we didn't before, now we actually need granular security, so I need to get educated. I'm mostly interested in how to best create groups and add users to those groups. We have a single main site collection and a couple dozen subsites under that collection. How can I best create a granular security world where I can independently assign rights to each of these subsites?
To have permissions vary at the "sub site" level which is the SPWeb object in object model terms you need to enable unique permission for the site.
A good article outlining the permission hierarchy in SharePoint 2007 can be found on the office web site About controlling access to sites and site content
In my experience if you are able to use permission inheritance over granular security it's much less hassle to manage.
Breaking site permission inheritance
Click "People and groups"
Click "Site permissions"
From the actions menu in the list click "Edit Permissions"
http://blog.richfinn.net/content/binary/WindowsLiveWriter/InstallandConfiguretheCommunityKitforSha_E660/image_3.png http://blog.richfinn.net/content/binary/WindowsLiveWriter/InstallandConfiguretheCommunityKitforSha_E660/image_3.png
Other references
SharePoint 2007: Permissions, permissions, permissions.
SharePoint 2007 SiteGroups - part 1 - the basics