When a save a Sharepoint site that contains custom security groups as an stp file, does that stp file retain the groups?
Can someone validate this:
I think this makes sense that the Sharepoint groups are not exported with the sts file.
The sts file represents a Site.
The Sharepoint groups are scoped at the Site Collection level.
Creating other sites within a Site Collection allows you to share the same security groups across the site collection.
They will be include in the stp file, but i'm pretty sure they'll be broken if deployed to another site collection.
If you stay inside the same collection they'll continue to work. Security information is persisted in an stp.
P.S. I will vote to close this question, since it belongs on superuser.
Related
I'm currently working on migrating a big company's data from DropBox to SharePoint and i can't quite decide on how to structure the whole SharePoint environment.
So as you may know DropBox has an admin section where you add your members, groups and content to share and it is pretty straightforward on how to implement simple things and by that, i mean that you get your members on some groups and then you share specific folders (from your content) to that group directly.
As of SharePoint now, i found out that it has more or less the same functionality but it really gets pretty inconvenient on how to implement this. I created a new site, then i created my groups and added some users to them, then i created as many document libraries as my shared folders were on DropBox, i stopped inheritance from the site and added groups directly to the document libraries. All that, took me quite a while, more than 8 hours, for 30 document libraries and 20 groups mostly due to the back and forth i had to go through settings, permissions, libraries etc.
Would it be, let's say, more practical or rather make more sense to create a new site for every shared folder i have on DropBox and add members directly from the site's homepage?
What would you do for such a case?
Thanks in advance
PS. The migration tool that SharePoint admin center provides it comes pretty handy and it works good, but transfers data quite slowly.
TLDR: Use sites, not libraries, for different user groups.
SharePoint makes the following things easy:
Sharing a whole site (by inviting people as members (edit) or visiors (read))
Sharing a single file (with a person that you don't want to have access to the other stuff on the site)
SharePoint makes the following very hard:
sharing specific libraries with distinct groups of people. This requires a lot of setup work and is a maintenance nightmare. You also need to be an administrator of the each site and know where in the depth of the SharePoint settings you can find the switch to break permissions and invite other people to a library.
It is not recommended practice to share libraries like that.
In your scenario, you would be served better with individual team sites using O365 groups. Then add members via the home page sharing button. The site should be the permission boundaries and these permissions should not be broken for any site content.
If the need arises to break permissions for certain content, it's time to move that content to a separate site with its own membership groups.
Using O365 groups, any site membership can then be viewed, managed and audited in the SharePoint admin portal and the M365 admin portal. No SharePoint knowledge or SharPoint site access is required for admins to manage membership. Membership assignment can also be automated with various tools like PowerShell or Power Automate.
Users can see only the sites they have access to, and will not suffer the bad user experience of clicking a library, only to get an error message for "You do not have access".
I created a group of users in the SharePoint subsite, i.e. pressed Create Group button on a ribbon of this particular subsite Permissions page. Nevertheless I see this group in the list of groups in my parent site.
Does this mean that all SharePoint groups are stored on the site collection level? Meaning that all groups are relevant to any site in the collection?
If this is so, what were the reasons for this design?
Yes, you can access all groups from the main site and any website in the collection. And I guess the reason is to give you the ability to use any group in any website under your collection.
We have a teamsite site collection with a number of subsites.
In the sub-sites. We usually break the inheritance and assign specific groups.
Now, our company director needs access to the all teamsites. We have over 100 teamsites. And it is difficult to assign him to each group for each teamsite. furthermore, we would have to remember to add him as a member to the teamsite each time.
Is there a way to add a specific Active directory user or group so that they can access all subsites (thereby overriding any break in the inheritance)
Any help would be greately appreciated.
Thanks,
Joseph
You need to add a web application policy.
If you head into SharePoint Central Administration --> Application Management --> Policy for Web Applications you should be able to set him up with the requisite permissions that will work across the sites within that web app.
For more information, have a look here
(I've voted to have this moved to the SharePoint StackExchange site as it's not really Dev related)
I'm curious about the best/most efficient way to do this.
I've already set up my sharepoint 2010 site, and it is configured to use FBA. What i'd like to do is allow users to create their own accounts by filling out a form (the form will sit on a public sharepoint site, and filling it out creates a user in the membership database which is used for validation to enter the FBA sharepoint site).
I'm familiar with using the asp CreateWizard tool to build user accounts as part of a .Net web application, but I'm not sure on how to develop this as a webpart for use in a sharepoint site, as a webpart doesn't have the config file to store connection string and membership/role provider info.
Can this user creation form be put in a webpart and deployed to other sites, or is there another/better way to add this functionality to sharepoint (allowing users to register/create their own FBA accounts for access)?
There's nothing not much difference between SharePoint and regular ASP.Net for this.
The membership provider will need to be configured in the SharePoint web.config, including connection strings. However, it does not actually need to be used for login, so you can still create users in that membership provide from a different site.
I use a slightly different approach though - set up an anonymously accessible page in your site (in layouts is probably easiest, though a page within a site may be better for branding) and put controls on that page to create (and log in) a new user. You will need to call EnsureUser and possibly CreateUserProfile to give the new user access to anything, but aside from that it's all standard .net.
Here's the scenareio:
I have a single site collection, with the publishing infrastucture feature activated. Seveal levels below this I have a publishing site with the publishing features turned on. I also have unique permissions for this site.
The problem is that no one except site collection administrators can "Create Page". I have given the individuals everything including full control, and they still can not create pages. They can edit pages, but not create.
Am I doing something wrong? What is the proper way to set up the taxonomy of a site? I am trying to create a hierarcy to match my organization and mostly am using unique permissions on each site/subsite. This is working ok, until i needed a publishing site, but I don't want him to be a site collection admin. I would appreciate any help or ideas with how to make the publishing site work as I have it, or guide me on the proper way to lay out the site.
The fact that you are using Publishing features shouldn't have an effect on permissions. Publishing (for the most part) really has more of an effect on how edits are handled - i.e. immediately deployed or checked in and published at a later point. That's oversimplifying it - but back to your question.
Most likely - what is happening is that you have not given the user permission to the library where the template is that they need access to in order to create the page. I'm 99% sure that is what is happening here. Makes sense - they have the rights to the site - and permissions to edit the pages that exist - but creating a page requires them to access a new file - in a different library. If they don't have permissions to that template library - you get the access denied error.
When your user tries to create a page, they get an access denied error page correct? Copy the URL of that page, and examine it closely. It should reveal the location of the template folder they are trying to access but don't have permissions for. Read-only access to that template library should get your user the access they need.
One other recommendation - check out the access checker web part in Codeplex. http://accesschecker.codeplex.com/. This web part is loaded as a solution and allows you to display a hierarchical list of the sites that a specific user has permissions to. VERY helpful in confirming that you have given the permissions you thought you had.
Finally - in terms of permissions best practices - I think you are doing fine. You've gotten a little frustrated because you took a different path on a site (i.e. publishing) and it's behaving differently. But nothing is wrong. I've been there:) You really have two options w/ SP permissions - SP based groups (visitors, members, owners etc) or pulling in AD groups. Either way, you'll be making the same decision regarding unique or inherited permissions. You either use the same permissions as the parent site - or use unique permissions. HTH