Creating Permission Levels

Creating Permission Levels Tony Rockwell SharePoint Saturday Silicon Valley June 2, 2012

House Keeping • Thank our Sponsors! • This is an Interactive Session #SPSSV #PermissionLevels

Who?• Tony Rockwell • SharePoint Administration• About me: • Installation; Configuration; Upgrades • Enable OOTB features – 20+ years in IT • Implement 3rd party tools – 5 years focused on SharePoint – MCTS SharePoint 2010 • Sr. Solution Analyst at EMP Live Configuration • SharePoint-based project and work• Email: trockwell@epmlive.com management solutions that helps• Twitter: @sharepoinTony organizations increase productivity by• Blog: http://sharepoinTony.info/blog improving visibility, execution and• San Diego SharePoint Users Group: www.sanspug.org collaboration on all types of work. • PortfolioEngine • WorkEngine • ProjectEngine

• EPM Live is the Global Leader in SharePoint- based Project, Portfolio and Work Management Solutions• Experience: Project Management consulting since 1999• Standards: Best practices embedded• Fast: Pre-built solutions so you can get started today• Low Risk: Start online today and deploy onsite at anytime• Proven: Built using 100% Microsoft based software Deployment Services | Professional Services | Online Services www.emplive.com

Agenda• SharePoint Security – Why Create custom permission levels? – Inheritance – Best Practices• Permission Level Scenario• How-To using the SharePoint interface• How-To using PowerShell• References

SharePoint Security• Why create custom permission levels? – Because security matters to you – Ease security administration – Enable refined security• Terminology Permission Levels Farm Administrator Users Service Application Administrator Groups Feature Administrator Securable Objects Site Collection Administrator Inheritance & Scopes

Inheritance & Scopes Site Collection Web Object Document Library Object Folder Web Object Item Item Item Scope 2

SharePoint Security• Best Practices – Use fine-grained permissions only when business case requires it – Break permission inheritance as infrequently as possible – Use domain groups to assign permissions to sites – Assign permissions at the highest level possible – Don’t modify or delete a default permission level • Copy a default permission level & modify it – The maximum # of unique security scopes set for a list should not exceed 1,000 – Use group membership rather than individual membership in your scopes

Required AdministrativeCredentials• You are a member of the Administrators group for the site collection• You are a member of the Owners group for the site• You have the Manage Permissions permission• If you use PowerShell you also need the SharePoint_Shell_Access role in the SQL db

Scenario• Each department in company own a site• Department site owner to manage site but delegates permissions to admin assistant• Admin assistant should not modify site, pages, etc. only add/remove (manage) users• Admin assistant should also have standard “Contribute” access to site

How-to: SharePoint interface1. Navigate to top-level site2. Site Actions > Site Permissions (or Site Settings for Publishing)3. Click on Permission Levels in the Ribbon4. Select the permission level to copy – Contribute5. Scroll down & select Copy Permission Level

How-to: SharePoint interface6. Name the new permission level (User Manager) & enter a description (i.e. “ Use this permission to Manage Users”)7. Select desired permissions – Check Enumerate Permissions (Manage will auto- select, Deselect it)8. Scroll down & click CreateThe custom permission level is ready to use!• Create a SharePoint group for each department; “Accounting User Managers”• Give the group the “User Manager” permission level• Make the owner of this SP Group, the Site Owner or SCA• Change the owner of the Member & Visitor groups

How-to: PowerShellPS > $spWeb = Get-SPWeb http://sharepoint.contoso.comCreate a new objectPS > $plevel = New-Object Microsoft.SharePoint.SPRoleDefinitionAdd name and descriptionPS > $plevel.Name = "Custom: User Manager"PS > $plevel.Description = “Enumerate Permissions"Set the base permissionsPS > $plevel.BasePermissions = “EnumeratePermissions”

How-to: PowerShellAdd the permission level to your sitePS > $spWeb.RoleDefinitions.Add($plevel)Clean upPS > $spWeb.Dispose()See base permissions that are availablePS > [system.enum]::GetNames("Microsoft.SharePoint.SPBasePermissions")EmptyMask ViewListItems AddListItems EditListItems DeleteListItems ApproveItemsOpenItems ViewVersions DeleteVersions CancelCheckout ManagePersonalViewsManageLists ViewFormPages Open ViewPages AddAndCustomizePagesApplyThemeAndBorder ApplyStyleSheets ViewUsageData CreateSSCSiteManageSubwebs CreateGroups ManagePermissions BrowseDirectoriesBrowseUserInfo AddDelPrivateWebParts UpdatePersonalWebParts ManageWebUseClientIntegration UseRemoteAPIs ManageAlerts CreateAlerts EditMyUserInfoEnumeratePermissions FullMask

Session wrap-up• Questions• Please complete a Session Survey• Help me improve• Help the organizers improve future events• Win prizes Join me June 30th , downtown at the San Diego Convention Center http://www.sharepointsaturday.org/sd

Contact me @• Email: trockwell@epmlive.com• Twitter: @sharepoinTony• Blog: http://sharepoinTony.info/blog• LinkedIn: http://www.linkedin.com/in/ajrockwell• San Diego SharePoint Users Group: www.sanspug.org• REFERENCES: – Technet - User Permissions and Permission Levels – http://technet.microsoft.com/en-us/library/cc721640.aspx – Spbasepermissions - definitions – http://technet.microsoft.com/en- us/library/microsoft.sharepoint.spbasepermissions(v=office.12).aspx – SP Permission Inheritance – http://technet.microsoft.com/en-us/library/cc287792(v=office.12).aspx – Best Practices for Fine-grained Permissions (White Paper) – http://technet.microsoft.com/en-us/library/gg130816(v=office.12).aspx – Best Practices Center for SharePoint 2010 – http://technet.microsoft.com/en-us/sharepoint/hh189420

Join us right after the event at Firehouse Grillfor a free drink, kindly provided by AvePointand Rackspace! 1765 East Bayshore Road EastPalo Alto, CA 94303 (Next to Nordstrom Rack). Drinks to be provided by…..

Creating Permission Levels

by Tony Rockwell on Jun 04, 2012

Accessibility

Categories

Upload Details

Usage Rights

1 Embed 1

Statistics

Creating Permission Levels Presentation Transcript