Best Practices with SP Permission Levels



  1. Best Practices for Managing SharePoint Permission Levels (SharePoint 2010). Tony Rockwell. June 30, 2012, San Diego Convention Center. #SPSSAN
  2. Who? Tony Rockwell
     About me:
     • 20+ years in IT
     • 5 years focused on SharePoint
     • MCTS SharePoint 2010 Configuration
     • SharePoint Administration
     • Installation; Configuration; Upgrades
     • Enable OOTB features
     • Implement 3rd party tools
     • Founding Board Member of SANSPUG
     • SPSSAN organizer
     Solution Specialist at EPM Live. EPM Live is the global leader in SharePoint-based project, portfolio & work management solutions that help organizations increase productivity by improving visibility, execution and collaboration on all types of work.
     • PortfolioEngine
     • WorkEngine
     • ProjectEngine
  3. House Keeping
     • Thank our Sponsors!
     • This is an Interactive Session
     • Save questions – you choose
     Twitter hashtags: #PermissionLevels #SPSSAN
  4. Agenda
     • SharePoint Security
       • Why create custom permission levels?
     • Inheritance & Scopes
     • Best Practices
     • Permission Level Scenario
     • How-To using the SharePoint interface
     • How-To using PowerShell
     • References
  5. SharePoint Security
     • Why create custom permission levels?
       • Because security matters to you
       • Ease security administration
       • Enable refined security
     • Terminology
       • Permission Levels
       • Users
       • Groups
       • Securable Objects
       • Inheritance & Scopes
       • Farm Administrator
       • Service Application Administrator
       • Feature Administrator
       • Site Collection Administrator
  6. Inheritance & Scopes
     (Diagram of the securable-object hierarchy. Labels: Site Collection, Web Object, Document Library Object, Folder, Item, Scope 2.)
  7. Best Practices: SharePoint Permissions
     • Use fine-grained permissions only when the business case requires it
     • Break permission inheritance as infrequently as possible
     • Use domain groups to assign permissions to sites when possible
     • Assign permissions at the highest level possible
     • Make use of appropriate SP roles
  8. Best Practices: SharePoint Permission Levels & Scopes
     • Don’t modify or delete a default permission level
     • Copy a default permission level & modify it
     • The maximum # of unique security scopes set for a list should not exceed 1,000
     • Use group membership rather than individual membership in your scopes
  9. Scenario
     • The Company
     • Each department owns a site
     • Department site owner to manage site… but delegates permissions to someone else
     • Delegate should not modify site, pages, etc. only add/remove (manage) users
     • Delegate should also have standard “Contribute” access to site
  10. Required Administrative Credentials
  11. How-to: SharePoint interface
      1. Navigate to top-level site
      2. Site Actions > Site Permissions (or Site Settings for Publishing)
      3. Click on Permission Levels in the Ribbon
      4. Select the permission level to copy – Contribute
      5. Scroll down & select Copy Permission Level
  12. How-to: SharePoint interface
      6. Name the new permission level (User Manager) & enter a description (e.g. “Use this permission to Manage Users”)
      7. Select desired permissions
         • Check Enumerate Permissions (Manage will auto-select; deselect it)
      8. Scroll down & click Create
      The custom permission level is ready to use!
      • Create a SharePoint group for each department, e.g. “Accounting User Managers”
      • Give the group the “User Manager” permission level
      • Make the owner of this SP Group the Site Owner or SCA
      • Change the owner of the Member & Visitor groups
  13. How-to: PowerShell
          PS > $spWeb = Get-SPWeb http://sharepoint.contoso.com
      Create a new object
          PS > $plevel = New-Object Microsoft.SharePoint.SPRoleDefinition
      Add name and description
          PS > $plevel.Name = "Custom: User Manager"
          PS > $plevel.Description = "Enumerate Permissions"
      Set the base permissions
          PS > $plevel.BasePermissions = "EnumeratePermissions"
  14. How-to: PowerShell
      Add the permission level to your site
          PS > $spWeb.RoleDefinitions.Add($plevel)
      Clean up
          PS > $spWeb.Dispose()
      See base permissions that are available
          PS > [system.enum]::GetNames("Microsoft.SharePoint.SPBasePermissions")
          EmptyMask
          ViewListItems
          AddListItems
          EditListItems
          DeleteListItems
          ApproveItems
          OpenItems
          ViewVersions
          DeleteVersions
          CancelCheckout
          ManagePersonalViews
          ManageLists
          ViewFormPages
          Open
          ViewPages
          AddAndCustomizePages
          ApplyThemeAndBorder
          ApplyStyleSheets
          ViewUsageData
          CreateSSCSite
          ManageSubwebs
          CreateGroups
          ManagePermissions
          BrowseDirectories
          BrowseUserInfo
          AddDelPrivateWebParts
          UpdatePersonalWebParts
          ManageWeb
          UseClientIntegration
          UseRemoteAPIs
          ManageAlerts
          CreateAlerts
          EditMyUserInfo
          EnumeratePermissions
          FullMask
  15. Session wrap-up
      • Questions
      • Please complete a Session Survey
        • Help me improve
        • Help the organizers improve future events
        • Win prizes!
  16. Contact me
      • Email: trockwell@epmlive.com
      • Twitter: @sharepoinTony
      • Blog:
      • San Diego SharePoint Users Group: www.sanspug.org
      • slideshare:
      • Technet - User Permissions and Permission Levels
      • Spbasepermissions - definitions us/library/microsoft.sharepoint.spbasepermissions(v=office.12).aspx
      • SP Permission Inheritance
      • Best Practices for Fine-grained Permissions (White Paper)
      • Best Practices Center for SharePoint 2010
  17. The After-Party: SharePint
      Karl Strauss Brewing Company, 1157 Columbia Street, San Diego, CA 92101. Phone: 619-234-2739
      Immediately following event closing & prize drawings (@6:30 pm)
      Directions (.9 miles):
      1. Head northeast on 1st Ave
      2. Turn left onto W. B St
      3. Turn left onto Columbia St
      Karl Strauss will be on the left
  18. June 30, 2012, San Diego Convention Center
      THANK OUR SPONSORS
      Please be sure to fill out your session evaluation!
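
The interface procedure on slides 11 and 12 (copy Contribute, add Enumerate Permissions, give the level to a department group) can be scripted in the style of slides 13 and 14. This is an added example, not code from the deck; it assumes the SharePoint 2010 Management Shell, reuses the deck's sample URL, level name and group name, and assumes the site has an associated Owners group to act as the new group's owner.

```powershell
# Added example, not from the slides. Run in the SharePoint 2010 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl   = "http://sharepoint.contoso.com"   # sample URL from slide 13
$levelName = "Custom: User Manager"            # name used on slide 13
$groupName = "Accounting User Managers"        # group named on slide 12

$spWeb = Get-SPWeb $siteUrl
try {
    # Permission levels can only be added on a web that owns its role
    # definitions (normally the top-level site); subsites inherit them.
    if (-not $spWeb.HasUniqueRoleDefinitions) {
        throw "$siteUrl inherits its permission levels; use the top-level site."
    }

    # Copy Contribute instead of editing a default level, then add
    # EnumeratePermissions. The flag names are joined into one string and
    # converted to SPBasePermissions on assignment, as on slide 13.
    $existing = $spWeb.RoleDefinitions | Where-Object { $_.Name -eq $levelName }
    if (-not $existing) {
        $contribute = $spWeb.RoleDefinitions["Contribute"]
        $plevel = New-Object Microsoft.SharePoint.SPRoleDefinition
        $plevel.Name = $levelName
        $plevel.Description = "Contribute plus Enumerate Permissions"
        $plevel.BasePermissions = "$($contribute.BasePermissions), EnumeratePermissions"
        $spWeb.RoleDefinitions.Add($plevel)
    }

    # Create the department group, owned by the site's Owners group
    # (assumption: AssociatedOwnerGroup is set on this web).
    $group = $spWeb.SiteGroups | Where-Object { $_.Name -eq $groupName }
    if (-not $group) {
        $spWeb.SiteGroups.Add($groupName, $spWeb.AssociatedOwnerGroup, $null,
                              "Manages users for the Accounting site")
        $group = $spWeb.SiteGroups[$groupName]
    }

    # Bind the custom level to the group at the web's scope.
    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
    $assignment.RoleDefinitionBindings.Add($spWeb.RoleDefinitions[$levelName])
    $spWeb.RoleAssignments.Add($assignment)

    # Print the resulting flags so the grant can be reviewed.
    $spWeb.RoleDefinitions[$levelName].BasePermissions
}
finally {
    $spWeb.Dispose()
}
```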
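
The limits on slides 7 and 8 (break inheritance rarely, keep unique security scopes per list under 1,000) can be checked with a read-only audit. This is an added example, not code from the deck; it assumes the SharePoint 2010 Management Shell and the deck's sample URL, and it counts items and folders with broken inheritance as an approximation of a list's unique scopes.

```powershell
# Added example, not from the slides. Read-only audit of broken inheritance.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "http://sharepoint.contoso.com"   # sample URL from slide 13
$limit   = 1000                              # per-list ceiling from slide 8

$site = Get-SPSite $siteUrl
try {
    $report = foreach ($web in $site.AllWebs) {
        try {
            foreach ($list in $web.Lists) {
                # Items and folders that no longer inherit from their parent.
                # Enumerating Items is slow on very large lists; run off-hours.
                $broken  = @($list.Items   | Where-Object { $_.HasUniqueRoleAssignments }).Count
                $broken += @($list.Folders | Where-Object { $_.HasUniqueRoleAssignments }).Count

                # Report only lists where inheritance is broken somewhere.
                if ($list.HasUniqueRoleAssignments -or $broken -gt 0) {
                    New-Object PSObject -Property @{
                        Web                   = $web.Url
                        List                  = $list.Title
                        ListBreaksInheritance = $list.HasUniqueRoleAssignments
                        UniqueItemsAndFolders = $broken
                        OverLimit             = ($broken -gt $limit)
                    }
                }
            }
        }
        finally {
            $web.Dispose()
        }
    }

    # Worst offenders first.
    $report | Sort-Object UniqueItemsAndFolders -Descending |
        Format-Table Web, List, ListBreaksInheritance, UniqueItemsAndFolders, OverLimit -AutoSize
}
finally {
    $site.Dispose()
}
```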