An overview of SharePoint 2010 security including best practices related to Permission Levels and how to create custom permission levels via the SharePoint interface and PowerShell.
3. Housekeeping
• Thank our Sponsors!
• This is an Interactive Session
#SPSSV
#PermissionLevels
4. Who?
• Tony Rockwell
• About me:
– 20+ years in IT
– 5 years focused on SharePoint
– MCTS SharePoint 2010 Configuration
• Email: trockwell@epmlive.com
• Twitter: @sharepoinTony
• Blog: http://sharepoinTony.info/blog
• San Diego SharePoint Users Group: www.sanspug.org
• SharePoint Administration
– Installation; Configuration; Upgrades
– Enable OOTB features
– Implement 3rd party tools
• Sr. Solution Analyst at EPM Live
– SharePoint-based project and work management solutions that help organizations increase productivity by improving visibility, execution and collaboration on all types of work.
– PortfolioEngine
– WorkEngine
– ProjectEngine
5. • EPM Live is the Global Leader in SharePoint-
based Project, Portfolio and Work Management
Solutions
• Experience: Project Management consulting since 1999
• Standards: Best practices embedded
• Fast: Pre-built solutions so you can get started today
• Low Risk: Start online today and deploy onsite at
anytime
• Proven: Built using 100% Microsoft based software
Deployment Services | Professional Services | Online Services
www.emplive.com
6. Agenda
• SharePoint Security
– Why Create custom permission levels?
– Inheritance
– Best Practices
• Permission Level Scenario
• How-To using the SharePoint interface
• How-To using PowerShell
• References
7. SharePoint Security
• Why create custom permission levels?
– Because security matters to you
– Ease security administration
– Enable refined security
• Terminology
– Permission Levels
– Users
– Groups
– Securable Objects
– Inheritance & Scopes
– Farm Administrator
– Service Application Administrator
– Feature Administrator
– Site Collection Administrator
8. Inheritance & Scopes
[Diagram: a Site Collection containing Web objects. A Document Library object, a Folder and three Items inherit the scope of their parent Web, while a second Web object defines its own security boundary, labelled Scope 2.]
9. SharePoint Security
• Best Practices
– Use fine-grained permissions only when business case
requires it
– Break permission inheritance as infrequently as possible
– Use domain groups to assign permissions to sites
– Assign permissions at the highest level possible
– Don’t modify or delete a default permission level
• Copy a default permission level & modify it
– The maximum # of unique security scopes set for a list
should not exceed 1,000
– Use group membership rather than individual membership
in your scopes
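The best practices above are easy to state and hard to keep track of on a live farm. The following script is an added example (not from the original deck) that audits one site collection against three of them: it lists every securable object that has broken inheritance, counts unique permission scopes per list against the 1,000 guideline, and flags role assignments made directly to individual users instead of groups. It is read-only and runs in the SharePoint 2010 Management Shell; the site URL is an assumption.

```powershell
# Added example, not from the original deck: audit a site collection against the
# fine-grained permission best practices. Read-only. Run in the SharePoint 2010
# Management Shell with read access to the content database.
# ASSUMPTION: the site collection URL below is illustrative.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl   = "http://sharepoint.contoso.com"   # assumed
$scopeWarn = 1000                              # guideline from the deck (hard limit is 50,000)

# Report role assignments granted to a person rather than a SharePoint or domain group.
# Domain groups surface as SPUser objects with IsDomainGroup = $true, so they are not flagged.
function Write-DirectUserAssignment($securable, $label) {
    foreach ($ra in $securable.RoleAssignments) {
        if ($ra.Member -is [Microsoft.SharePoint.SPUser] -and -not $ra.Member.IsDomainGroup) {
            $roles = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
            "DIRECT USER  {0} -> {1} [{2}]" -f $label, $ra.Member.LoginName, $roles
        }
    }
}

$site = Get-SPSite $siteUrl
try {
    foreach ($web in $site.AllWebs) {
        try {
            if ($web.HasUniqueRoleAssignments) {
                "UNIQUE WEB   {0}" -f $web.Url
                Write-DirectUserAssignment $web $web.Url
            }
            foreach ($list in $web.Lists) {
                if ($list.Hidden) { continue }
                $scopes = 0
                if ($list.HasUniqueRoleAssignments) {
                    $scopes++
                    Write-DirectUserAssignment $list ("{0}/{1}" -f $web.Url, $list.Title)
                }
                # Folder- and item-level scopes: this walks every item, which is
                # acceptable for an audit but slow on very large lists.
                foreach ($item in @($list.Folders) + @($list.Items)) {
                    if ($item.HasUniqueRoleAssignments) {
                        $scopes++
                        Write-DirectUserAssignment $item $item.Url
                    }
                }
                if ($scopes -gt 0) {
                    $flag = if ($scopes -ge $scopeWarn) { " ** over guideline **" } else { "" }
                    "LIST SCOPES  {0}/{1}: {2}{3}" -f $web.Url, $list.Title, $scopes, $flag
                }
            }
        }
        finally { $web.Dispose() }
    }
}
finally { $site.Dispose() }
```

Every line that starts with DIRECT USER is a candidate for replacement by a domain or SharePoint group; every UNIQUE WEB or LIST SCOPES line is a place where inheritance was broken and should be justified by a business case.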
10. Required Administrative Credentials
• One of the following, on the site where the permission level is created:
– You are a site collection administrator
– You are a member of the Owners group for the site
– You have the Manage Permissions permission
• If you use PowerShell you also need the SharePoint_Shell_Access role in the
content database (granted with Add-SPShellAdmin)
11. Scenario
• Each department in the company owns a site
• The department site owner manages the site but
delegates user management to an admin assistant
• The admin assistant should not modify the
site, pages, etc.; only add/remove (manage)
users
• The admin assistant should also have standard
“Contribute” access to the site
12. How-to: SharePoint interface
1. Navigate to top-level site
2. Site Actions > Site Permissions (or Site Settings for
Publishing)
3. Click on Permission Levels in the Ribbon
4. Select the permission level to copy – Contribute
5. Scroll down & select Copy Permission Level
13. How-to: SharePoint interface
6. Name the new permission level (User Manager) & enter a
description (i.e. “ Use this permission to Manage Users”)
7. Select desired permissions
– Check Enumerate Permissions (if Manage Permissions is auto-selected
as well, deselect it: Manage Permissions would let the assistant change
their own permissions)
8. Scroll down & click Create
The custom permission level is ready to use!
• Create a SharePoint group for each department, e.g. “Accounting User
Managers”
• Give the group the “User Manager” permission level
• Make the Site Owner (or a Site Collection Administrator) the owner of this SP
group, so the assistants cannot change their own group’s membership
• Change the owner of the Members & Visitors groups to the new group: a group
owner can add and remove members without holding Manage Permissions
14. How-to: PowerShell
PS > $spWeb = Get-SPWeb http://sharepoint.contoso.com
Create a new object
PS > $plevel = New-Object Microsoft.SharePoint.SPRoleDefinition
Add name and description
PS > $plevel.Name = "Custom: User Manager"
PS > $plevel.Description = "Enumerate Permissions"
Set the base permissions
PS > $plevel.BasePermissions = "EnumeratePermissions"
15. How-to: PowerShell
Add the permission level to your site
PS > $spWeb.RoleDefinitions.Add($plevel)
Clean up
PS > $spWeb.Dispose()
See base permissions that are available
PS > [system.enum]::GetNames("Microsoft.SharePoint.SPBasePermissions")
EmptyMask ViewListItems AddListItems EditListItems DeleteListItems ApproveItems
OpenItems ViewVersions DeleteVersions CancelCheckout ManagePersonalViews
ManageLists ViewFormPages Open ViewPages AddAndCustomizePages
ApplyThemeAndBorder ApplyStyleSheets ViewUsageData CreateSSCSite
ManageSubwebs CreateGroups ManagePermissions BrowseDirectories
BrowseUserInfo AddDelPrivateWebParts UpdatePersonalWebParts ManageWeb
UseClientIntegration UseRemoteAPIs ManageAlerts CreateAlerts EditMyUserInfo
EnumeratePermissions FullMask
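The PowerShell slides stop once the permission level exists. The script below is an added example (not the deck's own code) that scripts the whole scenario with the SharePoint 2010 server object model using the deck's "2 permission level" option: it creates the Enumerate-Permissions-only level on the root web, creates the department group, binds Contribute plus the custom level to it, makes that group the owner of the Members and Visitors groups, and then checks the assistant's effective permissions so that an accidental Manage Permissions grant is caught. Run it in the SharePoint 2010 Management Shell as a site collection administrator with SharePoint_Shell_Access. The site URL, department name and assistant account are assumptions.

```powershell
# Added example, not from the original deck: the "User Manager" scenario end to end.
# ASSUMPTIONS (illustrative only): site URL, department name, assistant login.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl    = "http://sharepoint.contoso.com/sites/accounting"   # assumed department site
$department = "Accounting"                                       # assumed
$assistant  = "CONTOSO\jdoe"                                     # assumed admin assistant
$roleName   = "Custom: User Manager"

$spWeb = Get-SPWeb $siteUrl
try {
    # Permission levels (role definitions) live on the root web of the site collection.
    $rootWeb = $spWeb.Site.RootWeb

    # 1. Custom level with only Enumerate Permissions. ManagePermissions is left out
    #    on purpose: with it the assistant could edit their own role assignment.
    $plevel = $rootWeb.RoleDefinitions | Where-Object { $_.Name -eq $roleName }
    if ($plevel -eq $null) {
        $plevel = New-Object Microsoft.SharePoint.SPRoleDefinition
        $plevel.Name            = $roleName
        $plevel.Description     = "Enumerate Permissions only; pair with Contribute"
        $plevel.BasePermissions = [Microsoft.SharePoint.SPBasePermissions]::EnumeratePermissions
        $rootWeb.RoleDefinitions.Add($plevel)
        $plevel = $rootWeb.RoleDefinitions | Where-Object { $_.Name -eq $roleName }
    }

    # 2. Role assignments need a unique scope on this web. Breaking inheritance is a
    #    deliberate decision (see Best Practices), so stop rather than do it silently.
    if (-not $spWeb.HasUniqueRoleAssignments) {
        throw "$siteUrl inherits permissions from its parent; break inheritance first."
    }

    # 3. Department group for the assistants, owned by the site Owners group so the
    #    assistants cannot edit their own group's membership.
    $groupName = "$department User Managers"
    $group = $spWeb.SiteGroups | Where-Object { $_.Name -eq $groupName }
    if ($group -eq $null) {
        $assistantUser = $spWeb.EnsureUser($assistant)
        $spWeb.SiteGroups.Add($groupName, $spWeb.AssociatedOwnerGroup, $assistantUser,
                              "Delegated user management for the $department site")
        $group = $spWeb.SiteGroups | Where-Object { $_.Name -eq $groupName }
    }

    # 4. Bind Contribute plus the custom level to the group on this web.
    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
    $assignment.RoleDefinitionBindings.Add($rootWeb.RoleDefinitions["Contribute"])
    $assignment.RoleDefinitionBindings.Add($plevel)
    $spWeb.RoleAssignments.Add($assignment)

    # 5. A group owner can add and remove members without Manage Permissions, so make
    #    the new group the owner of the Members and Visitors groups.
    foreach ($g in @($spWeb.AssociatedMemberGroup, $spWeb.AssociatedVisitorGroup)) {
        if ($g -ne $null) { $g.Owner = $group; $g.Update() }
    }

    # 6. Verify. ManagePermissions must be absent; if present, the account holds it by
    #    another path (Owners group, site collection admin, web application policy).
    $effective = $spWeb.GetUserEffectivePermissions($assistant)
    $canEnum   = ($effective -band [Microsoft.SharePoint.SPBasePermissions]::EnumeratePermissions) -ne 0
    $canManage = ($effective -band [Microsoft.SharePoint.SPBasePermissions]::ManagePermissions) -ne 0
    "{0} on {1}: EnumeratePermissions={2} ManagePermissions={3}" -f $assistant, $spWeb.Url, $canEnum, $canManage
    if ($canManage) { Write-Warning "$assistant holds ManagePermissions; check Owners group and SCA membership." }
}
finally {
    $spWeb.Dispose()
}
```

The final check is the part worth keeping in any delegation script: the effective permission set is the union of every path to the account, so a group membership added later can silently hand the assistant the Manage Permissions right the design set out to withhold.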
16. Session wrap-up
• Questions
• Please complete a Session Survey
• Help me improve
• Help the organizers improve future events
• Win prizes
Join me June 30th, downtown at the San Diego Convention Center
http://www.sharepointsaturday.org/sd
17. Contact me @
• Email: trockwell@epmlive.com
• Twitter: @sharepoinTony
• Blog: http://sharepoinTony.info/blog
• LinkedIn: http://www.linkedin.com/in/ajrockwell
• San Diego SharePoint Users Group: www.sanspug.org
• REFERENCES:
– TechNet: User Permissions and Permission Levels
– http://technet.microsoft.com/en-us/library/cc721640.aspx
– SPBasePermissions: definitions
– http://technet.microsoft.com/en-us/library/microsoft.sharepoint.spbasepermissions(v=office.12).aspx
– SP Permission Inheritance
– http://technet.microsoft.com/en-us/library/cc287792(v=office.12).aspx
– Best Practices for Fine-grained Permissions (White Paper)
– http://technet.microsoft.com/en-us/library/gg130816(v=office.12).aspx
– Best Practices Center for SharePoint 2010
– http://technet.microsoft.com/en-us/sharepoint/hh189420
18. Join us right after the event at Firehouse Grill
for a free drink, kindly provided by AvePoint
and Rackspace! 1765 East Bayshore Road East
Palo Alto, CA 94303 (Next to Nordstrom Rack).
Drinks to be provided by…..
Editor's Notes
Introduction slide
If you are here for an Administration session talking about security and permission levels you are in the right place.
You may hear this a lot, but without sponsors we wouldn’t be here. Visit their booths, say thanks. I am an informal guy, so this will be an interactive session if you want it that way. Please call me Mr. Rockwell, raise your hand if you would like to be the audience representative gathering questions. Ha, ask questions throughout or there will be time at the end. Interject your knowledge & experience on the topic, that is what SPS is about: people sharing SharePoint knowledge. Tweet using the #spssv hashtag & share with those who were not fortunate enough to attend this session or this event. ;-) #permissionlevels
Doing SP (top bullets) for past 5 years. Founding board member of the sanspug & proud to say one of the organizers of SPSSAN last year and for this upcoming event. Work at EPM Live, provider of project, portfolio & work mgmt products built on SP.
Managed Microsoft Partner since 2000
500+ deployments of Microsoft EPM/PPM Solutions
Microsoft Technical Advisor for EPM 2002, 03, 07 and 10
Implemented in over 35 different countries
Wide range of industry experience
Over 125 EPM Live Partners in over 33 countries
Experience: 5,000+ customers
Contact information & reference links will be in the slides at the end & I will post this slide set after the event. Oh, I will need to ask for everyone’s IDs before I begin… this is a security related session after all.
Users & Business Units are empowered to manage their own content, completely control the structure and functionality. *nightmare for SP Admins*
How do you protect corporate data, allow your end-users to manage themselves, and keep them from shooting themselves? Learn about SP Security.
Permission levels are pre-defined sets of permissions used to grant users access to content in SP.
Users…
Groups (set of users)
Securable Objects: levels within SP that can be secured; sites, lists, libraries, items.
Inheritance: next slide
Service App Admin: delegated by farm admin, manage specific svc app only, cannot create new svc apps
Feature Admin: delegated by farm or svc admin, manage subset of svc app settings for specific feature (UPS: manage audiences or profiles e.g.)
Site Collection Admin: full control all sites in collection, cannot be overridden except w/ web app policy.
Inheritance: used to describe how user access is created by default in SP. A scope is the security boundary for a securable object and any of its children that do not have a separate security boundary defined. Securable objects w/in SP inherit the scope of their parent; when a s.o. is created it is w/ the same user access as its parent. So inheritance means that permissions & access are managed at the ‘top’/parent level: any updates to the parent s.o. will also update the child s.o.
FGP: “expensive” in admin oversight & performance. Built-in limit of 50,000 scopes for a List or Library; addition of scopes after that limit is prohibited (can be changed w/ PS). *Effective limit is 1-2k.* Little known best practice: remove all users from your system & your security concerns will significantly diminish.
Before you start, know that you have a login with the appropriate credentials to allow you to accomplish the task. Farm Admin can add themselves or you to these groups. SP Farm account or your SQL DBA can be used to give you the PS role. It is always good if you have a SQL DBA to lean on and if you can use them unmercifully when things go wrong.
Anyone have another scenario?
We will walk thru the steps first then demo after these two slides. If you don’t have Permission Levels in the Ribbon then guess what, you don’t have permissions to do this task… you are not a SCA. Why do I have “copy” in step 4? Remember our Best Practices? Don’t modify or delete a default permission level… copy it. There are places within SP where it is difficult to do some tasks; this isn’t one of them. Click the nice button.
Edit the Permissions of a group, add the “Manage Users” permission level for the site.
Manage Permissions: Create and change permission levels on the Web site and assign permissions to users and groups. [allows them to CHANGE their own permissions]
Enumerate Permissions: Enumerate permissions on the Web site, list, folder, document, or list item.
Alternatively, you may create the Permission Level with ONLY Enumerate Permissions (Create new rather than Copy Contribute) and then add this permission level to the SP group, along with their normal permissions (Contribute or whatever). We will use this alternate method in the PowerShell example, but first let’s look at these previous steps again in SharePoint.
DEMO: Create “My New Group”
Create a new object of the type Microsoft.SharePoint.SPRoleDefinition. Then, add a name and description and set the base permissions that you want to use. Remember, we are demonstrating the “2 permission level” option here. If you want to use a single PL then additional permissions will be needed for the users to view the site, list, library, items etc. and browse around. Look at the Visitor PL to get an idea of how many permissions are required.
PS > [enum]::GetNames("Microsoft.SharePoint.SPBasePermissions") also works.
For a full list of the base permissions in alphabetic order use the following:
PS > [Microsoft.SharePoint.SPBasePermissions] | gm -Static -MemberType Property | select Name
Demo PS here. Talk about adding the PL to a group/user using PS, in the text file on the VM.
Provide me with one-liners to make my sessions more fun. Ask me to quit, I will take it personal and hunt you down.
How fast can you take notes?
Great Books:
Automating Microsoft SharePoint 2010 Administration with Windows PowerShell 2.0: Gary Lapointe and Shannon Bray (Sybex)
Professional SharePoint 2010 Administration: Todd Klindt, Shane Young, Steve Caravajal (Wrox)
Microsoft SharePoint 2010 Administrator’s Companion and/or Pocket Consultant: Bill English, Brian Alderman, Ferraz / Ben Curry (MS Press)
Microsoft SharePoint Foundation 2010 Inside Out: O’Connor, Coventry, Lanphier, Lightfoot, Resing, Michael Doyle (MS Press)
SharePoint 2010 Administration Instant Reference: Randy Williams, Gross (Sybex)