SharePoint Permissions 101 (text)

Our SharePoint Permissions 101 presentation used for our internal SharePoint user group.

Published in: Technology

  1. 1. Page 1 SharePoint Permissions 101 SharePoint is a good tool for sharing information with others, either within a small project team or throughout the entire company. One of the most important things to understand, though, is how to make sure that the information you share is seen and accessed only by the right people. In this guide, I’ll explain how SharePoint permissions work, the various permission levels you can assign, how to create and use SharePoint groups, and how to set permission levels at various levels in a SharePoint site.
     Contents
       • SharePoint Permissions 101 (page 1)
       • Permissions In SharePoint (page 2)
       • Using SharePoint Groups For Permissions (page 3)
       • Why Groups Instead Of Individual People? (page 5)
       • Creating A New SharePoint Group (page 6)
       • Adding People To A SharePoint Group (page 9)
       • Inheriting And Breaking Permissions (page 13)
       • How SharePoint Groups Work When You Break Inheritance (page 15)
       • Finding What Permissions Someone Has On A Site (page 16)
       • What Is “Limited Access”? (page 18)
       • Using Email Distribution Groups As SharePoint Permission Groups (page 19)
       • SharePoint Groups Vs. Active Directory Groups (page 22)
  2. 2. Page 2 Permissions in SharePoint SharePoint has the ability to assign permissions at various levels in a site (like a team site). You can assign permissions at the site level (the highest level), and everything in the site will inherit those permissions. You can “break the inheritance” for a specific list or library in the site, and that list or library could have unique permissions assigned to it. You can also take the concept of breaking inheritance down to the folder, document, or list item level, and assign unique permissions to those. However, there are benefits and drawbacks that you need to be aware of in order to make wise decisions.
  3. 3. Page 3 Using SharePoint Groups for Permissions In SharePoint, you normally have three general SharePoint permission groups that are created by default when a new site is created:
       • Full Control – This is assigned to the owners of a site. It means you have complete control over the site, including the ability to change permissions and delete the site.
       • Contribute – This is assigned to people who need to add, change, or delete content in the site. They can’t change the design of the site or change permissions for anyone.
       • Reader – This is assigned to people who can read content, but they are not allowed to add, change, or delete anything.
     If you want to let everyone in the company see the content, you would add the group “NT AUTHORITY\Authorized Users”. These three general SharePoint groups are set up automatically when a site is created. You can find those permissions by clicking on Site Actions > Site Permissions:
  4. 4. Page 4 The permission list would look like this:
  5. 5. Page 5 Why Groups Instead Of Individual People? Technically, you can add SharePoint groups or specific individuals to your site permissions. However, if you add individuals to the permission list, then you have to manage each person individually instead of managing their access as part of a SharePoint group. For example, let’s say that you have a particular department of 20 people who all need the ability to add and edit documents in a SharePoint library. You create a SharePoint group named Department X Members and assign Contribute level access to that group. You then add each person to that specific group. Each person now has Contribute access to that library. A year later, a reorganization occurs and that department should now only have the ability to read documents, not add or edit them. You can update the Department X Members group to now have Read level access, and all twenty people now have the new level of access. If you had entered each person individually into the SharePoint site permission list, you would then have to edit the permission level of each specific individual to change them from Contribute to Read access. That means you’d have 20 entries to update and keep track of, instead of just one. That would take significantly longer to accomplish, and it would be more difficult to make sure you had made all the changes correctly. As you can see, placing people in SharePoint groups and assigning permissions to the group is a much more efficient way to make sure the right people have the right access.
  6. 6. Page 6 Creating a New SharePoint Group So you know you have the three default groups created in your site, but what if you want to add a new group to manage your permissions? On the Site Permissions page from the parent site, click on the Create Group icon in the Ribbon bar: The following screen shows how to create your group: Group Owner is an important field, and it often trips people up. In the “Who can edit the membership of the group” field, you can specify whether anyone in that group can update the member list, or whether only the owner can do that. It doesn’t matter if you have Full Control on the site. Unless you are the person in the Owner field (or in the SharePoint group that is specified as the owner), you will not be able to update the group. Continuing on in the New Group screen:
  7. 7. Page 7 Once you fill out all the fields and click OK, the new group is created with you listed as the only member: In your site permission list, it appears as follows along with the permission level you assigned to the group:
  8. 8. Page 8
  9. 9. Page 9 Adding People to a SharePoint Group In order to add someone to the Members group shown above, click on the group name: To add new members, click on New > Add Users: This brings up the Grant Permissions dialog box. To add people, click on the Address Book icon:
  10. 10. Page 10 The Select People and Groups dialog box comes up. Type the last name of the person you want to add into the Find field and press Enter. Select the name of the person in the list that you want to add, click Add at the bottom of the screen, and then click on OK when you’re finished:
  11. 11. Page 11 In this example, Carol has been added to the group. I can choose to send her an email that will tell her she has access to this site. When finished, I click on OK:
  12. 12. Page 12 Carol is now part of the Members group:
  13. 13. Page 13 Inheriting and Breaking Permissions The concept of inherited and unique permissions is one of the more confusing aspects of setting SharePoint permissions properly. In this section, we’ll explain the concepts and the “gotchas” involved when you start considering whether to inherit permissions for a list or make the permissions unique by “breaking inheritance.” When you set permissions at the site level, all the lists (including document libraries) inherit their permissions from the parent site. This means that any permission changes made at the parent site will automatically apply to the lists and sub-sites. In fact, in order to change permissions, you have to go to the main parent site to do so. However, you can change a list, a folder, or even a document to have different permissions than the parent site. It’s called “breaking inheritance”. To see the permissions for a document library, click on Library Tools > Library (or List Tools > List for a SharePoint list), and then click on the Permissions icon on the far left side: To break inheritance, click on the Stop Inheriting Permissions button: Verify that you indeed want to break inheritance:
  14. 14. Page 14 The document library takes a copy of the parent permission list and then uses that as the base for the new permissions. Now any changes made to the parent site will not affect this library, and changes made to this library will not affect the parent. Individuals and/or groups can be added or removed at this point.
  15. 15. Page 15 How SharePoint Groups Work When You Break Inheritance THIS IS THE MOST MISUNDERSTOOD PART OF UNIQUE PERMISSIONS! Breaking inheritance for a list or site means that the specific SharePoint groups or individuals added directly to the permission list affect only that list or site. The names *within* a SharePoint group are not frozen, and changes to the SharePoint group membership *will* affect any site or list that uses that group. The list shown above has unique permissions. The “Livelink To SharePoint Demo Members” group exists both at the parent site and in this list. If I add a name to that group at the parent site, it will be added anywhere that group name is referenced. If I delete a name from the group while in this list, it will be deleted anywhere that group is used. Therefore, *do not* add or delete names in a group thinking it will only affect that particular list. Also, do not *delete* a group in a list, thinking you are only removing it from the list. You are deleting it anywhere it is used. Instead, use the Remove User Permissions button to remove (not *delete*) the group from this list. Permissions can also be set at the folder and document level: By default, a folder or document inherits its permissions from the list where it resides. To break inheritance and give a folder or document unique permissions, follow the same steps as outlined above. BEST PRACTICE – It is recommended to only apply unique permissions down to the folder level (if it needs to be done at all). Breaking inheritance at the document level means that any changes in permissions will need to be made to each specific document by someone who has Full Control access, and there is not a good way to tell which documents have which permissions without accessing each one individually. While it can technically be done, it’s a bad practice from a maintainability standpoint.
  16. 16. Page 16 Finding What Permissions Someone Has On a Site You can find out what permissions a person has by going to the Site Permissions page and clicking on the Check Permissions icon in the Ribbon bar: A dialog box appears asking you to enter the name of the person to check. Enter the name and click Check Now: The following screen then shows you all the permissions the person has for the site, and how they have that permission (either through an individual entry or through a group):
  17. 17. Page 17 In the case of someone having multiple permission levels (like in the example above), the highest level of access is granted. So, in this case, I would have Full Control.
  18. 18. Page 18 What Is “Limited Access”? In some cases, you will see people or groups listed with “Limited Access”: Limited Access is a permission level that SharePoint adds automatically when unique permissions exist somewhere in a site. It is not something that you will add people to, and you shouldn’t delete it from your permission list when it exists. It allows someone to “pass through” parts of a site to get to the area that they do have access to. For instance, let’s say that you are not listed as having access to a particular site. But within that site, there’s a Document Library that you have Read access to. In order for SharePoint to allow you to get through the main site and into the Document Library, it has to use the Limited Access level of permission. When you see someone or some group with Limited Access, it does not mean they can see areas of the site that they shouldn’t be able to see. It’s only an internal mechanism for SharePoint to use unique permissions.
  19. 19. Page 19 Using Email Distribution Groups as SharePoint Permission Groups One way to make it easier to include people in particular sites is to use email distribution groups in your SharePoint permission groups. Generally speaking, email distribution lists are kept up to date so that mailings go out to the right group. Updates to SharePoint groups, however, may not be as visible. By using an email distribution list, you can update the group in one place and have that take care of your SharePoint permissions as well. Email distribution groups are the groups you find in your Outlook address book that start with [DL]: To add a distribution list to your permissions, you look up the group name just as you would a person in the Select People and Groups dialog box:
  20. 20. Page 20
  21. 21. Page 21 When you click OK, that group will appear in your permissions list:
  22. 22. Page 22 SharePoint Groups vs. Active Directory Groups Occasionally when you look at a site’s permissions, you may see something like this: If you click on that entry expecting to see a list of names, you’ll see this instead: These are known as Active Directory groups. They work like SharePoint permission groups, except that they are controlled and managed by the Security Access Management team. You will most likely find these on various Spark intranet sites. To find out who is in the group, call to ask for a list of members. There are pros and cons to using Active Directory groups vs. SharePoint permission groups. We are still discussing how we want to handle those in the future, so I can’t give you much more information at this time. The main thing to remember here is that if you see a group that looks like this, you will need to call to have them assist you in working with the group.
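
The guide notes on page 15 that there is no good way to tell which documents have which permissions without opening each one. The following PowerShell script is an added example, not part of the original guide: run from the SharePoint Management Shell, it lists every list, folder and item in one site that has stopped inheriting, and labels each entry as a SharePoint group, an Active Directory group or an individual. The site URL and the function names `Get-RoleRows` and `Get-UniquePermissionReport` are assumptions made for illustration.

```powershell
# Added example: run from the SharePoint Management Shell on a farm server.
# The default URL is a placeholder, not a value from the guide.
param([string]$WebUrl = "http://sharepoint.example/sites/teamsite")
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Emit one row per principal on a securable object (site, list, folder, item).
function Get-RoleRows($securable, [string]$scope, [string]$url) {
    foreach ($ra in $securable.RoleAssignments) {
        # Drop "Limited Access" (role type Guest): it is only the pass-through level.
        $levels = @($ra.RoleDefinitionBindings |
            Where-Object { $_.Type -ne [Microsoft.SharePoint.SPRoleType]::Guest } |
            ForEach-Object { $_.Name })
        if ($levels.Count -eq 0) { continue }
        if ($ra.Member -is [Microsoft.SharePoint.SPGroup]) {
            $kind = "SharePoint group"
        } elseif ($ra.Member.IsDomainGroup) {
            $kind = "AD group"
        } else {
            $kind = "Individual"   # one-off entry that must be managed by hand
        }
        New-Object PSObject -Property @{
            Scope = $scope; Url = $url; Principal = $ra.Member.Name
            Kind = $kind; Levels = ($levels -join ", ")
        }
    }
}

# Walk one site: the site itself, then every list, folder and item that has
# stopped inheriting. Item-level rows are the ones the guide advises against.
function Get-UniquePermissionReport($web) {
    Get-RoleRows $web "Site" $web.Url
    foreach ($list in ($web.Lists | Where-Object { -not $_.Hidden })) {
        if ($list.HasUniqueRoleAssignments) {
            Get-RoleRows $list "List" $list.RootFolder.ServerRelativeUrl
        }
        # Folders and Items load every row; expect this to be slow on large lists.
        foreach ($entry in @($list.Folders) + @($list.Items)) {
            if ($entry.HasUniqueRoleAssignments) {
                if ($entry.Folder) { $scope = "Folder" } else { $scope = "Item" }
                Get-RoleRows $entry $scope $entry.Url
            }
        }
    }
}

$web = Get-SPWeb $WebUrl
try {
    Get-UniquePermissionReport $web |
        Select-Object Scope, Url, Principal, Kind, Levels |
        Sort-Object Scope, Url, Principal | Format-Table -AutoSize
} finally { $web.Dispose() }
```

Rows with Scope "Item" or Kind "Individual" are the entries to review first, since they are the cases the guide describes as hard to maintain.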
