Friday, April 15, 2011

SharePoint Permissions, Assignments and Levels

To understand SharePoint permissions, you need to know its language.

Terminology:

Securable object - web sites, lists, libraries, folders, items, and documents.

Permission - authorization to perform specific actions such as viewing pages, opening items, and creating subsites.

Permission level - a named set of individual permissions; each permission level has a specific set of individual permissions.


SharePoint groups - created at the site collection level and contain the users. Groups have no permissions until they are assigned a permission level for a specific securable object. Because all SharePoint groups are created at the site collection level, they are available to every subsite in the site collection.



Permission assignment - created on a particular securable object; it pairs a user or SharePoint group with a permission level.

Permission inheritance 

You can configure subsites to inherit permissions from a parent site or break the inheritance and create unique permissions for a particular site. Inheriting permissions is the easiest way to manage a group of Web sites.


By default, permissions on lists, libraries, folders, items, and documents are inherited from the parent site. However, you can break this inheritance for any securable object at a lower level in the hierarchy by editing the permissions on that securable object (that is, creating a unique permission assignment). For example, you can edit the permissions for a document library, which breaks the permissions inheritance from the site.




When you break the inheritance from the parent, the securable object from which you broke the inheritance receives a copy of the parent's permissions. You can then edit those permissions to be unique — meaning that any changes you make to the permissions on that securable object do not affect the parent.
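The following script is an added example (not code from the original post) that shows the inheritance model above from the SharePoint 2010 Management Shell: it walks a site collection and reports every web, list and library that has unique permissions together with its role assignments, then breaks inheritance on one library with the "copy parent's permissions" option so you can see the copied assignments. It assumes the Microsoft.SharePoint.PowerShell snap-in on a farm server; the site URL and library title are placeholders.

```powershell
# Added example, not part of the original post. Assumes SharePoint 2010
# Management Shell on a farm server; $siteUrl and the library title are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "http://intranet.example.local/sites/hr"   # placeholder site collection URL

# Print the role assignments (principal -> permission levels) of any securable object.
function Show-RoleAssignments($securable, $label) {
    foreach ($ra in $securable.RoleAssignments) {
        $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
        "{0,-60} {1,-40} {2}" -f $label, $ra.Member.Name, $levels
    }
}

# 1. Audit: where in the hierarchy has inheritance been broken?
$site = Get-SPSite $siteUrl
try {
    foreach ($web in $site.AllWebs) {
        try {
            if ($web.HasUniqueRoleAssignments) {
                "`n[unique]   Web: $($web.Url)"
                Show-RoleAssignments $web $web.Url
            } else {
                "`n[inherits] Web: $($web.Url)"   # governed by the nearest unique ancestor
            }
            # Lists and libraries that broke inheritance from this web.
            foreach ($list in $web.Lists) {
                if ($list.HasUniqueRoleAssignments) {
                    "  [unique] List: $($list.Title)"
                    Show-RoleAssignments $list "$($web.Url)/$($list.Title)"
                }
            }
        } finally {
            $web.Dispose()   # SPWeb objects from AllWebs must be disposed
        }
    }
} finally {
    $site.Dispose()
}

# 2. Breaking inheritance with copyRoleAssignments = $true gives the library a
#    copy of the parent web's assignments; later edits stay on the library only.
$web = Get-SPWeb $siteUrl
try {
    $lib = $web.Lists["Shared Documents"]        # placeholder library title
    if (-not $lib.HasUniqueRoleAssignments) {
        $lib.BreakRoleInheritance($true)         # $true = copy the parent's permissions
    }
    "`nLibrary after breaking inheritance (matches the parent web until edited):"
    Show-RoleAssignments $lib $lib.Title
    # $lib.ResetRoleInheritance() would re-inherit and discard the unique assignments.
} finally {
    $web.Dispose()
}
```

The audit part is read-only and is the piece worth running regularly; every "[unique]" line is a scope whose permissions no longer follow the parent site and has to be reviewed on its own.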

When you enable anonymous access to a Web site, you allow anonymous users (and authenticated users who have not been granted access to the site) to browse the entire Web site, including any list, library, folder within a list or library, list item, or document that inherits its permissions from the Web site. More about it - here

Audience targeting is NOT a security feature. It only targets content at a specific group; it does not restrict access.

Tips:

1. Because permission inheritance can be broken at any of several levels, it can be difficult to determine exactly which permissions a specific user or group has on an object such as a SharePoint site, list, or item.
   The Microsoft SharePoint Administration Toolkit is a great tool for analyzing SharePoint performance; it also ships with a Check Permissions tool, which is handy when you have complicated permission logic with broken inheritance. More about it here

2. Instead of pure anonymous access, consider the safer way: grant access to all authenticated AD users by adding NT AUTHORITY\authenticated users to a group.

3. When users are removed from a site's permission groups, they can no longer browse to the site (assuming they do not have individual rights to the site). They also no longer receive alerts on anything from the site. However, they still exist in the UserData table, and their alerts are still present. A site administrator can still see their alerts on the User Alerts page.
   To permanently delete a user from the UserData table and permanently delete all of the user's alerts, you need to delete the user from the site collection.
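As an added example (not code from the original post) covering tips 1 and 3 together, the script below does a "check permissions" pass for one user from the SharePoint 2010 Management Shell: it lists the SharePoint groups the user belongs to, every unique-permission scope (web, list or library) where the user still has at least view rights directly or through a group, and the user's alerts in the root web, and then shows the site-collection-level removal that clears the UserData entry and the alerts. It assumes the Microsoft.SharePoint.PowerShell snap-in on a farm server and classic Windows authentication (login in DOMAIN\user form); the site URL and login are placeholders.

```powershell
# Added example, not part of the original post. Assumes SharePoint 2010
# Management Shell on a farm server and classic Windows authentication;
# $siteUrl and $login are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "http://intranet.example.local/sites/hr"   # placeholder
$login   = "CONTOSO\jdoe"                            # placeholder

$site = Get-SPSite $siteUrl
try {
    $root = $site.RootWeb
    # SiteUsers is the site-collection-wide user list (the UserData table the post mentions);
    # Users would be only the users explicitly added to this one web.
    $user = $root.SiteUsers | Where-Object { $_.LoginName -eq $login }

    if ($user -eq $null) {
        "$login is not in this site collection (nothing to clean up)"
    } else {
        "SharePoint groups containing $login :"
        $user.Groups | ForEach-Object { "  $($_.Name)" }

        "Unique-permission scopes where $login still has at least view rights:"
        foreach ($web in $site.AllWebs) {
            try {
                # DoesUserHavePermissions resolves direct assignments and group membership,
                # so this catches rights the Check Permissions UI would also report.
                if ($web.HasUniqueRoleAssignments -and
                    $web.DoesUserHavePermissions($login, [Microsoft.SharePoint.SPBasePermissions]::ViewPages)) {
                    "  Web  $($web.Url)"
                }
                foreach ($list in $web.Lists) {
                    if ($list.HasUniqueRoleAssignments -and
                        $list.DoesUserHavePermissions($user, [Microsoft.SharePoint.SPBasePermissions]::ViewListItems)) {
                        "  List $($web.Url)/$($list.Title)"
                    }
                }
            } finally {
                $web.Dispose()
            }
        }

        $alerts = @($root.Alerts | Where-Object { $_.User.LoginName -eq $login })
        "Alerts owned by $login in the root web: $($alerts.Count)"

        # Tip 3: removing the user from SiteUsers deletes the user from the whole
        # site collection (every web, every group membership, and the user's alerts).
        # Users.Remove($login) would only drop the user from a single web and leave
        # the UserData entry and alerts behind. Uncomment to actually do it:
        # $root.SiteUsers.Remove($login)
    }
} finally {
    $site.Dispose()
}
```

Run it once before the removal to record what the user could still reach, and once after (the removal line uncommented) to confirm that the group list, the scope list and the alert count are all empty.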

Reading:
Joe Oleson on SharePoint Groups, Permissions, Site Security
Joe Oleson on Web Application Policies