Windows IT Pro is the authoritative and independent resource for windows nt, windows 2000, windows 2003, windows xp. Features a collection of resources and magazines for windows IT professionals.
  
  


July 2005

Collaborate in Confidence

Secure and simplify user access to Windows SharePoint Services

Windows SharePoint Services, which is available as a free download for Windows Server 2003, packs a lot of functionality—especially for small-to-midsized businesses (SMBs) that want an inexpensive collaboration application. Often, such organizations start out using the application as a public space in which users can collaborate, share information, and track projects. Too often, limiting or securing user access to this data comes as an afterthought to management—and to administrators who are new to Windows SharePoint Services.

Has the time come to tighten up access to certain areas within your Windows SharePoint Services implementation—perhaps to document libraries that hold confidential data or to calendars that require limited distribution? Are you unsure of how to begin? If so, you'll be happy to know that Windows SharePoint Services provides an access-control model that gives you granular control over the resources that users can access and the ways in which they can do so. Let me show you the basics of how this access control works—and share some Windows SharePoint Services security tricks that I've learned along the way.

The Basic Plan
Windows SharePoint Services access control boils down to linking Windows user accounts (either accounts in the Windows SharePoint Services server's local SAM or domain accounts in Active Directory—AD) to SharePoint document libraries and lists, then defining the types of access that users can employ on the items that those libraries and lists contain. Using domain accounts is usually more efficient than using local accounts, but local accounts are viable under special circumstances (for example, if you don't have AD). Better yet, you can use Windows domain groups to further simplify the process of granting access to Windows SharePoint Services resources; this is the approach I describe in this article. When you add (aka register) users or groups to Windows SharePoint Services, you must make the user or group a member of a SharePoint site group or cross-site group. (Cross-site groups are similar to site groups; the primary difference is that you can grant cross-site groups access to any site in a SharePoint site collection, whereas site groups can access resources only in the SharePoint site in which the group is created.) You can then grant access at the site level (a SharePoint site being a group of related SharePoint Web pages), which gives users the specified rights to every list or library in the site, or at the list or library level. The basic rights that govern user access to SharePoint lists and document libraries are Add, Edit, Delete, and View Items. Additional rights, such as Manage Site Groups, Usage Data, Cancel Check-In, and Personalize Views, govern access to the site itself.

Simplify with Groups
Typically, administrators who are new to Windows SharePoint Services grant users access to SharePoint sites on an individual basis by adding user accounts to the sites that the user needs to access. However, a more practical approach is to add Windows domain groups rather than adding individual Windows user accounts. Using Windows groups lets you leverage existing groups (e.g., department groups) whose members need similar levels of access to the same resources. Adding groups is quicker and easier than having to add many individual user accounts. And when a user leaves the organization or transfers to a different department and thus changes Windows group membership, the user's access to Windows SharePoint Services will adjust accordingly; you won't need to remember to update individual Windows SharePoint Services permissions.

To grant a Windows group access to a SharePoint site, open the SharePoint site in a Web browser while logged on as a local Administrator, click the Site Settings option from the home page menu bar, then click the Site Administration link. On the Site Administration page, click the Manage Users link. On the Manage Users page, click Add Users and enter the name of the Windows group (you can add multiple groups by using semicolons to delimit the group names). The Windows group will appear under the Manage Users page's Domain Groups heading, as Figure 1 shows.

When you first add a Windows group to Windows SharePoint Services, you must select at least one SharePoint site or cross-site group to which the Windows group will belong. Site groups are specific to and exist strictly within Windows SharePoint Services, and all site groups require at least View access to resources in the site. To view the site groups that are defined for a given SharePoint site, go back to the Site Administration page and click the Manage Site Groups link. Windows SharePoint Services automatically creates several default site groups: Guest, Reader, Contributor, Web Designer, and Administrator.

To view the permissions that have been granted to a site group, click the desired group name; doing so displays the Members page for the group. Then, click the Edit Site Group Permissions link. The Contributor site group, for example, grants members rights to Add, Edit, Delete, View Items, Browse Directories, View Pages, and all four personal rights (i.e., Manage Personal Views, Add/Remove Private Web Parts, Update Personal Web Parts, and Create Cross-Site Groups).

When you add a new Windows group to a SharePoint site group, all the Windows group members will automatically gain access to the corresponding SharePoint site resources. For example, Figure 2 shows that the marketingstaff Windows group is a member of the Contributors site group. Now, any member of marketingstaff will have all the permissions assigned to Contributors; I don't need to add each member of marketingstaff to the site. If you add a Windows group to multiple site groups, members of the Windows group gain all the permissions granted to all those site groups combined.

To edit a site group's permissions or membership, click the site group name on the Manage Site Groups page to open the Edit Site Group page. This page shows you the current membership of the site group and lets you add or delete members. This page also lets you create custom site groups that function like the prebuilt groups.
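The following is an added example, not code from the article or from Windows SharePoint Services: a small model of the scheme described above, showing how rights combine across site groups and how to review who holds a given right and through which group. The Contributor rights follow the article's list; the Reader right set, the salesstaff group, and all account names are assumptions constructed for illustration.

```python
# Added example: constructed model of the site-group scheme described above.
SITE_GROUP_RIGHTS = {
    # Contributor rights as listed in the article.
    "Contributor": {
        "Add Items", "Edit Items", "Delete Items", "View Items",
        "Browse Directories", "View Pages", "Manage Personal Views",
        "Add/Remove Private Web Parts", "Update Personal Web Parts",
        "Create Cross-Site Groups",
    },
    # Assumed, reduced right set for illustration only.
    "Reader": {"View Items", "View Pages"},
}

# Constructed sample data: Windows group -> member accounts.
WINDOWS_GROUPS = {
    "marketingstaff": {"alice", "bob"},
    "salesstaff": {"bob", "carol"},
}
# Site group -> registered principals (Windows groups or individual accounts).
SITE_GROUP_MEMBERS = {
    "Contributor": {"marketingstaff"},
    "Reader": {"salesstaff", "dave"},
}

def grant_paths(user, windows_groups, site_group_members):
    """Return {(site_group, principal)} pairs that make `user` a member."""
    paths = set()
    for site_group, principals in site_group_members.items():
        for principal in principals:
            if principal == user or user in windows_groups.get(principal, ()):
                paths.add((site_group, principal))
    return paths

def effective_rights(user, windows_groups=WINDOWS_GROUPS, members=SITE_GROUP_MEMBERS):
    """Union of the rights of every site group the user reaches."""
    rights = set()
    for site_group, _ in grant_paths(user, windows_groups, members):
        rights |= SITE_GROUP_RIGHTS[site_group]
    return rights

def holders_of(right, windows_groups=WINDOWS_GROUPS, members=SITE_GROUP_MEMBERS):
    """Access review: each user holding `right`, with the granting paths."""
    users = set().union(*windows_groups.values())
    users |= {p for ps in members.values() for p in ps if p not in windows_groups}
    report = {}
    for user in sorted(users):
        paths = {(sg, p) for sg, p in grant_paths(user, windows_groups, members)
                 if right in SITE_GROUP_RIGHTS[sg]}
        if paths:
            report[user] = sorted(paths)
    return report
```

Running `holders_of("Delete Items")` against the sample data lists only the marketingstaff members, which is the kind of review to repeat before placing confidential document libraries in a site.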

 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved.