SharePoint 2010 Tips, Part 34


Security Groups

The following procedure will walk you through editing a permission level that exists on a site based
on the Team site template:

1. Follow the steps in the earlier instructions to navigate to the Permission Levels page.

2. Click the permission level you want to edit. If you select the Full Control or Limited Access
permission levels, you will notice that all of the permissions are grayed out. You will not be
able to edit these permission levels. If you select a permission level other than these two, you
can deselect current permissions and/or add permissions.

3. When finished, click Submit. This will save the changes you have made. Note that this change
will affect this entire site collection.
Deleting a Permission Level
In the event that you no longer wish a permission level to be available, you can remove it from the
Permission Levels page:

1. Follow the steps in the earlier instructions to navigate to the Permission Levels page.

2. Select the permission level you want to delete. For this example, the Custom Permission Level
1 will be deleted. Select this permission level and click Delete Selected Permission Levels. As
the option states, you can delete more than one permission level at a time if you so choose.

3. Once you click Delete Selected Permission Levels, a pop-up window will appear asking
you to confirm the deletion of the selected permission level (see Figure 8-11). Click OK.

4. The selected permission level will be deleted and will no longer be available from the
Permission Levels page.
When you delete a permission level it will no longer be available. When the
permission level is removed, any users or groups that are leveraging this permission
level for access will be removed from the Site Permissions page. In order for
these users or groups to have access again, you must grant them one of the available
permission levels.
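A check worth running before the deletion described above, as an added example that is not from the book: it lists every principal bound to the permission level on sites with unique permissions and marks those with no other level, who would disappear from the Site Permissions page. The site URL is a placeholder and the function name is hypothetical; lists and items with their own unique permissions are not covered.

```powershell
# Added example, not from the book. Run in the SharePoint 2010 Management Shell.
param(
    [string]$SiteUrl   = "http://sharepoint.example.local",   # placeholder URL
    [string]$LevelName = "Custom Permission Level 1"           # level used in the text
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-PermissionLevelUsage {
    param($Site, [string]$Level)
    foreach ($web in $Site.AllWebs) {
        try {
            # Sites that inherit repeat the parent's assignments; report each scope once.
            if (-not $web.HasUniqueRoleAssignments) { continue }
            foreach ($ra in $web.RoleAssignments) {
                $bindings = @($ra.RoleDefinitionBindings)
                if (@($bindings | Where-Object { $_.Name -eq $Level }).Count -eq 0) { continue }
                # Limited Access (role type Guest) is assigned by the system,
                # so it is not counted as a remaining grant.
                $others = @($bindings |
                    Where-Object { $_.Name -ne $Level -and $_.Type -ne "Guest" } |
                    ForEach-Object { $_.Name })
                New-Object PSObject -Property @{
                    Web            = $web.Url
                    Principal      = $ra.Member.Name
                    OtherLevels    = ($others -join "; ")
                    LosesAllAccess = ($others.Count -eq 0)
                }
            }
        } finally { $web.Dispose() }
    }
}

$site = Get-SPSite -Identity $SiteUrl
try {
    Get-PermissionLevelUsage -Site $site -Level $LevelName |
        Sort-Object Web, Principal |
        Format-Table Web, Principal, LosesAllAccess, OtherLevels -AutoSize
} finally { $site.Dispose() }
```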
SECURITY GROUPS
So far this chapter has covered the individual permissions that make up permission levels and how
these permission levels are used to grant users and groups access to SharePoint content. Now it is
time to discuss the users and groups that will be assigned the previously stated permission levels.
FIGURE 811
212

CHAPTER 8 Securing and Managing Site Content
SharePoint Security Groups
SharePoint security groups are groups of users that are created from within the browser and can be
used within a given site collection. By default, SharePoint creates security groups (site groups) when
a new site collection is created. The groups that are created vary according to the template that is
used. The following are the site groups that may be created:
Site Collection Administrators — This group is created for all site collection templates. It has Full Control permissions and can do anything on this site collection. These permissions cannot be overridden. When a new site collection is created, the creator has to specify a value for the primary site collection administrator, and he/she will have the option to enter a user for the secondary site collection administrator. These specified users are added to the Site Collection Administrators group and will be able to perform the administrative tasks associated with the site collection. These options are available from the Site Settings menu on the top-level site collection (see Figure 8-12). These users will also be the only users who can view the members of the Site Collection Administrators group. The Site Collection Administrators group is also accessible from the Site Permissions page of the top-level site, as shown in Figure 8-13.
FIGURE 812
Security Groups

213
FIGURE 813

[Site collection name] Owners — This group is created for all site collection templates; by default, members of this group will have Full Control.

[Site collection name] Members — This group is created for all site collection templates; by default, members of this group will have Contribute access.

[Site collection name] Visitors — This group is created for all site collection templates; by default, members of this group will have Read access.

Viewers — This group has View Only access, and is created for Collaboration and Meeting site templates.

Approvers — This group has Approval access, and is created for Enterprise site templates and Publishing site templates.

Designers — This group has Design access, and is created for Enterprise site templates and Publishing site templates.

Hierarchy Managers — This group has Manage Hierarchy access, and is created for Enterprise site templates and Publishing site templates.

Restricted Readers — This group has Restricted Read access, and is created for Enterprise site templates and Publishing site templates.

Configuring Permissions During Site Creation
When you create a new site, within an existing site collection, you select your template and then
you enter a name, URL, and description for your site. To configure permissions during site creation,
from the Create screen click the More Options button. The Permissions options will appear, as
shown in Figure 8-14. The default value is to Use same permissions as parent site — that is, inherit
permissions from the parent site. This means that access to the new site is the same as that used on
the parent one. No new groups will be created.
If you select Use unique permissions (as shown in Figure 8-14) and click Create, you will be prompted
to configure three new user access groups: [New site name] Owners, [New site name] Members, and
[New site name] Visitors (see Figure 8-15). This creates a customized security structure and only
users who are members of these groups will have access to the site.
FIGURE 814
FIGURE 815
Security Groups

215
The available default permissions will vary with the version of SharePoint 2010
you are running. SharePoint Foundation 2010 does not have all the same permissions
that SharePoint Server 2010 has.
Adding a SharePoint Security Group
In addition to site groups and groups that are created when a new site is created using unique
permissions, you can create your own SharePoint security groups, assuming you have sufficient
permissions. This group will be usable within the entire site collection, not just within the site in which
it was created. When you assign a permission level to the group, that access applies to the current
securable object and all child securable objects.
This is an area where people are easily confused. When you create a SharePoint
group, you can specify the group’s permission level or you can leave it blank.
If you leave it blank, you can always configure the group’s access to another
securable object. If you configure the group’s access, the access will only be for
that securable object and any securable objects that inherit permissions from the
parent. Once the SharePoint security group is created, you can navigate to any
securable object’s permission settings page and add access for the group.
To add a SharePoint security group, follow these steps:

1. Navigate to the People and Groups page in any site within your site collection by clicking Site
Actions > Site Settings.

2. Under the Users and Permission header, click People and Groups. By default, the page will
display the first SharePoint group that is listed in the Current Navigation under Groups. To
see all groups within the site collection, click on the link for Groups (see Figure 8-16) to open
the All Groups page.
FIGURE 816
216

CHAPTER 8 secUriNg aNd maNagiNg site coNteNt
3. Click the New drop-down menu and select New Group, as shown in Figure 8-17.
FIGURE 817

4. Enter a name and description for the new group. For this example the name will be New
Group 1, with no description. Specify the Group Owner (only one user can be the group
owner). Typically, the only people who can view the membership of the group are the members
of that group. Additionally, only the Group Owner can edit the membership of the
group. For obvious reasons, it is not a good idea to give several users this capability. You can
also configure if and how you want to receive membership requests.

5. Click Create. Your group will now be created.
Deleting a SharePoint Security Group
Deleting a SharePoint security group is simple:

1. Navigate to the All Groups page (see steps 1 and 2 of the preceding “Adding a SharePoint
Security Group” procedure).

2. When viewing the available groups, click the Edit icon for the desired security group.

3. Scroll down and click Delete.
Managing SharePoint Security Groups in Current Navigation
To manage SharePoint security groups, follow these steps:

1. Navigate to the People and Groups page (follow steps 1 and 2 of the “Adding a SharePoint
Security Group” procedure). This procedure describes how to edit the groups displayed here.

2. Select Settings Edit Group Quick Launch, as shown in Figure 8-18.
Security Groups

217
FIGURE 818
3. Enter or remove one or more security groups from the displayed groups.
Adding Users to SharePoint Security Groups

To add users to SharePoint security groups, follow these steps:

1. Navigate to the All Groups page (follow steps 1 and 2 of the “Adding a SharePoint Security
Group” procedure).

2. Select a group by clicking on the name of the group.

3. Click the New drop-down menu and select Add Users.

4. Enter the user’s name and validate.

5. Select whether or not you want to have an e-mail sent to the user informing them of their new
access.

6. Click OK.
Deleting Users from SharePoint Security Groups
To delete users from SharePoint security groups, follow these steps:

1. Navigate to the All Groups page (follow steps 1 and 2 of the “Adding a SharePoint Security
Group” procedure).

2. Select a group by clicking on the name of the group.

3. Select the users you want to remove.

4. Click Remove Users From Group.
The two preceding procedures are for adding and deleting users, but you can
follow the same steps to add an Active Directory group to a SharePoint group.
In the people picker, specify the Active Directory group, rather than the name
of a user, and then validate the name. You can search for an Active Directory
group the same way you search for a user.
Active Directory Groups
In addition to using SharePoint security groups, you can also use Active Directory (AD) groups.
For security, you must use AD e-mail-enabled security groups. Distribution lists cannot be used. In
order for an object to be used in security it must have a Security ID (SID) in Active Directory. User
accounts have SIDs, so they can be used. Distribution lists do not have SIDs, which is why they cannot
be used as security objects in SharePoint. AD groups and individual users are granted permissions
in similar fashion. As such, their use is covered later in this chapter.
SharePoint Security Groups versus Active Directory Groups
Because you can use either SharePoint security groups or Active Directory groups, let’s discuss the
benefits and downsides to using either option. In most cases, it really depends on the environment
and the governance policy in place.
In most environments, the AD structure is much older than the SharePoint implementation and
already set up. If your SharePoint security structure needs match those of the current AD setup, then
it will be much easier to deploy AD groups, rather than recreate the same structure and add users
to SharePoint security groups. If this is not the case, and your SharePoint site structure has completely
different user access configuration needs, this is a picture-perfect example of when to choose
SharePoint security groups over AD groups.
Another thing to consider is the user who will be managing the security structure and user access. With
AD, it is almost always an information technology specialist, who may or may not have SharePoint
access. With SharePoint, the site collection administrator or site owner may be an IT professional, but
there is a good chance that it will be a manager or power user, who will not have AD access. Most
organizations avoid turning control of IT application security over to a non-IT professional. In situations
where the site collection administrator and/or site owners are non-IT members, a combined
approach is common. One significant drawback to AD groups is discoverability. There is no way in
SharePoint to see the members of an AD group, making it difficult or impossible to know who has
access to something if AD groups are used.

Special Groups and Authentication Options
There might not always be a user or group that exactly fits the bill when you want to add permissions
at a large level. If you need to provide access to a large group of people that is dynamic, you may need
to employ some special tactics to open your content to everyone that needs access.
All Authenticated Users — One AD group that can be very useful is the NT AUTHORITY\Authenticated Users group. This group represents any and all users who authenticate to your AD domain. The advantage to using this group is that for environments that will be accessible by all your domain users, this guarantees access for all your users and is easy to manage. The downside is that this group represents all your users, granting them all access. Imagine if this group were given access to secure content. As such, this option should be used with caution. This also includes trusted domains, not just the domain your SharePoint servers are in. If you are using a trusted domain for extranet users, for instance, they will all also have access to any content secured with NT AUTHORITY\Authenticated Users.

NT AUTHORITY\Authenticated Users is an Active Directory group. Use of
this group requires Windows Integrated Security.

Anonymous Access — This authentication method allows any user(s) to access your SharePoint sites. Primarily seen with Internet sites, this option is useful when the users who will be accessing your content do not have corresponding user accounts in your domain. Anonymous Access can only be enabled at the web application level. Once enabled, it can be available for all site collections and sites within the web application. Since this is configurable at the site level, it is up to the site collection and site administrators whether they want this enabled in their environments. Similar to using the NT AUTHORITY\Authenticated Users group, this option should be used with caution. Anonymous access can be configured from the Site Permissions page, as shown in Figures 8-19 and 8-20.

Anonymous Access can only be configured at the site level once it is enabled in
Central Administration in the authentication settings.
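
An audit for the cautions raised in this section and in the AD group discoverability paragraph above, as an added example that is not from the book: it reports sites where anonymous access is on, where NT AUTHORITY\Authenticated Users has been granted access directly or through a SharePoint group, and where AD groups hold access whose membership must be resolved in AD. The site URL is a placeholder and the function names are hypothetical. It assumes classic-mode Windows authentication and an English group name when matching the login name.

```powershell
# Added example, not from the book. Run in the SharePoint 2010 Management Shell.
param([string]$SiteUrl = "http://sharepoint.example.local")   # placeholder URL

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function New-Finding {
    param([string]$Web, [string]$Finding)
    New-Object PSObject -Property @{ Web = $Web; Finding = $Finding }
}

function Test-Principal {
    param([string]$Web, $Principal, [string]$Via)
    # AD users and AD groups are both SPUser objects; SharePoint groups are SPGroup.
    if ($Principal -isnot [Microsoft.SharePoint.SPUser]) { return }
    if ($Principal.LoginName -match 'authenticated users$') {
        # Assumption: classic-mode login name with the English group name.
        New-Finding $Web "Authenticated Users $Via"
    } elseif ($Principal.IsDomainGroup) {
        New-Finding $Web "AD group '$($Principal.LoginName)' $Via; resolve members in AD"
    }
}

function Get-BroadAccessFinding {
    param($Site)
    foreach ($web in $Site.AllWebs) {
        try {
            if ($web.AnonymousState -ne "Disabled") {
                New-Finding $web.Url "Anonymous access is $($web.AnonymousState)"
            }
            # Sites that inherit permissions are covered by their parent's entry.
            if (-not $web.HasUniqueRoleAssignments) { continue }
            foreach ($ra in $web.RoleAssignments) {
                $levels = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
                Test-Principal $web.Url $ra.Member "granted directly ($levels)"
                if ($ra.Member -is [Microsoft.SharePoint.SPGroup]) {
                    foreach ($u in $ra.Member.Users) {
                        Test-Principal $web.Url $u "through SharePoint group '$($ra.Member.Name)' ($levels)"
                    }
                }
            }
        } finally { $web.Dispose() }
    }
}

$site = Get-SPSite -Identity $SiteUrl
try { Get-BroadAccessFinding $site | Format-Table Web, Finding -AutoSize -Wrap }
finally { $site.Dispose() }
```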
FIGURE 819
220

CHAPTER 8 secUriNg aNd maNagiNg site coNteNt
FIGURE 820
GRANTING PERMISSIONS
Giving users access can be achieved in three ways: You can grant access to SharePoint security groups,
to AD groups, or directly to users. Fortunately, the same procedure is used for each option. As previously
stated, you must grant access to the specific securable object. For many environments, users will
have different access for the various sites in the SharePoint environment.
For the following procedures, you will follow the first two steps to start:

1. Navigate to the securable object. In this example, the securable object will be a site.

2. Select Site Actions > Site Permissions.
Granting Access to a Top-Level Site
To grant access to a top-level site, continue with the following steps:

1. Because this is at the top-level site, you do not have to worry about inheritance. Select Site
Actions > Site Permissions.

2. Click Grant Access.

3. Enter the user name(s), AD group name, or SharePoint group name and validate.

4. When granting permissions, you can add the desired user or AD group to an existing SharePoint
group or you can give permission directly. The drop-down menu of existing SharePoint groups
also shows the corresponding permission level for each group. Adding a new entry to this
group gives that user the listed permission level. If you select Grant users permission directly,
the permission levels options will be displayed and you can select the desired access (see
Figure 8-21).