I've got a SharePoint application and I'm sad to say that in my SharePoint-induced excitement, I ignored a lot of the security concerns I should have been paying more attention to. Though we didn't before, now we actually need granular security, so I need to get educated. I'm mostly interested in how to best create groups and add users to those groups. We have a single main site collection and a couple dozen subsites under that collection. How can I best create a granular security world where I can independently assign rights to each of these subsites?
To have permissions vary at the "sub site" level which is the SPWeb object in object model terms you need to enable unique permission for the site.
A good article outlining the permission hierarchy in SharePoint 2007 can be found on the office web site About controlling access to sites and site content
In my experience if you are able to use permission inheritance over granular security it's much less hassle to manage.
Breaking site permission inheritance
Click "People and groups"
Click "Site permissions"
From the actions menu in the list click "Edit Permissions"
http://blog.richfinn.net/content/binary/WindowsLiveWriter/InstallandConfiguretheCommunityKitforSha_E660/image_3.png http://blog.richfinn.net/content/binary/WindowsLiveWriter/InstallandConfiguretheCommunityKitforSha_E660/image_3.png
Other references
SharePoint 2007: Permissions, permissions, permissions.
SharePoint 2007 SiteGroups - part 1 - the basics
Related
I'm currently working on migrating a big company's data from DropBox to SharePoint and i can't quite decide on how to structure the whole SharePoint environment.
So as you may know DropBox has an admin section where you add your members, groups and content to share and it is pretty straightforward on how to implement simple things and by that, i mean that you get your members on some groups and then you share specific folders (from your content) to that group directly.
As of SharePoint now, i found out that it has more or less the same functionality but it really gets pretty inconvenient on how to implement this. I created a new site, then i created my groups and added some users to them, then i created as many document libraries as my shared folders were on DropBox, i stopped inheritance from the site and added groups directly to the document libraries. All that, took me quite a while, more than 8 hours, for 30 document libraries and 20 groups mostly due to the back and forth i had to go through settings, permissions, libraries etc.
Would it be, let's say, more practical or rather make more sense to create a new site for every shared folder i have on DropBox and add members directly from the site's homepage?
What would you do for such a case?
Thanks in advance
PS. The migration tool that SharePoint admin center provides it comes pretty handy and it works good, but transfers data quite slowly.
TLDR: Use sites, not libraries, for different user groups.
SharePoint makes the following things easy:
Sharing a whole site (by inviting people as members (edit) or visiors (read))
Sharing a single file (with a person that you don't want to have access to the other stuff on the site)
SharePoint makes the following very hard:
sharing specific libraries with distinct groups of people. This requires a lot of setup work and is a maintenance nightmare. You also need to be an administrator of the each site and know where in the depth of the SharePoint settings you can find the switch to break permissions and invite other people to a library.
It is not recommended practice to share libraries like that.
In your scenario, you would be served better with individual team sites using O365 groups. Then add members via the home page sharing button. The site should be the permission boundaries and these permissions should not be broken for any site content.
If the need arises to break permissions for certain content, it's time to move that content to a separate site with its own membership groups.
Using O365 groups, any site membership can then be viewed, managed and audited in the SharePoint admin portal and the M365 admin portal. No SharePoint knowledge or SharPoint site access is required for admins to manage membership. Membership assignment can also be automated with various tools like PowerShell or Power Automate.
Users can see only the sites they have access to, and will not suffer the bad user experience of clicking a library, only to get an error message for "You do not have access".
In our SharePoint 2010 Enterprise internal company website, we have a SharePoint Admin group, say, CompanySP_Admin. We have created a 'Full Control permission level' that is a SharePoint permission level (as explained in MSDN here).
As explained in the last section of above MSDN article, users can assign this permission level to other users or groups. We want only the members of the CompanySP_Admin group to be able to assign this permission level to other users or group. How can we achieve this?
Thanks.
You can't. SharePoint uses discretionary access control, and this is just the way it is. I'm not going to argue that this isn't seriously annoying - in fact, this is the one of the most frequently asked for things by clients in my ten years of SharePoint consulting.
That said, what you really need to do is figure out if these other groups really need Full Control. Look closer at the various rights and revisit the requirements - I'll bet they don't actually need full control, just contributor plus some extra rights. If they really do need full control, then it's a question of training and following established company policies.
We have a teamsite site collection with a number of subsites.
In the sub-sites. We usually break the inheritance and assign specific groups.
Now, our company director needs access to the all teamsites. We have over 100 teamsites. And it is difficult to assign him to each group for each teamsite. furthermore, we would have to remember to add him as a member to the teamsite each time.
Is there a way to add a specific Active directory user or group so that they can access all subsites (thereby overriding any break in the inheritance)
Any help would be greately appreciated.
Thanks,
Joseph
You need to add a web application policy.
If you head into SharePoint Central Administration --> Application Management --> Policy for Web Applications you should be able to set him up with the requisite permissions that will work across the sites within that web app.
For more information, have a look here
(I've voted to have this moved to the SharePoint StackExchange site as it's not really Dev related)
I have a Sharepoint library that is too large for a central administrator to manage permissions on all items, so I want to designate a few other people who are able to allow or disallow read/write access for arbitrary items in the library to users or groups. However, I don't want to give those few people total "manage permissions" ability because I don't want them granting themselves or others full control or design permissions, etc.
Is there a way to grant "manage only read/write permission"? Or is there a better way of accomplishing what I'm trying to do?
Thanks!
This question pops up all the time, and I haven't been able to find an answer that immediately makes the asker happy.
I usually suggest that you stay away from item-level permissions, and instead create libraries pretty much mapping to groups. make a library for your Company X accountants, make a "Accountants at Company X" group, give them rights to that library. You should be able to trust them enough that they get to manage their own document library. If not, keeping the permissions on a per-library basis will make the workload much less, and the site administrator(s) can most likely handle the permissions on these libraries. If you want to make it easier for them, just create a formal workflow where a user can apply for access and an administrator grant it.
There are other ways, of course, but you're pointing at one of the major reasons you should stay away from item-level security. It's just a can of worms that you need to avoid opening if at all possible.
Maybe you can try the third party tool: SharePoint Permission Manager by SharePointBoost. You can search, analyze, manage and backup SharePoint users or group permissions on a centralized platform.
I don't think there is a specific permission that meets your needs for one site. I think your best option may be to split into sites or libraries you can allow others to manage for your central administrator.
Here's a related excerpt from the TechNet article, [Plan Permissions][1], that may help you more:
Users or groups are assigned a
permission level for a specific
securable object: site, list, library,
folder, document, or item. By default,
permissions for a list, library,
folder, document, or item are
inherited from the parent site or
parent list or library. However,
anyone assigned a permission level for
a particular securable object that
includes the Manage Permissions
permission can change the permissions
for that securable object. By default,
permissions are initially controlled
at the site level, with all lists and
libraries inheriting the site
permissions. Use list-level,
folder-level, and item-level
permissions to further control which
users can view or interact with the
site content. You can return to
inheriting permissions from a parent
list, the site as a whole, or a parent
site, at any time.
Can i program custom base permission level? There are many available in SPBasePermissions like
UseRemoteAPIs Use SOAP, WebDAV, or Microsoft Office SharePoint Designer 2007 interfaces to access the Web site.
ViewFormPages View forms, views, and application pages, and enumerate lists.
ViewListItems View items in lists, documents in document libraries, and view Web discussion comments.
However i want to make a custom one, something like:
EditItemsAssignedToMe + ViewItemsAssignedToMe + view/edit items i created.
Still finding my way out to allow users view and edit items created by them or assigned to them.
OOTB you don't have the fine-grained control and can only assign a certain set of permissions as defined on technet and this blog article.
However programmatically you can create a new SPRoleDefinition and assign it the appropriate permissions based on the SPBasePermissions enumeration as per this blog article. You might also want to read this short guide on the basics of SPBasePermissions.
If you want to go even further though and emulate the OOTB behaviour with your own custom permission set try Implementing Custom Security Rights in SharePoint.