SESSION CODE: OSP214
SharePoint Security: Permissions, Identities, and Objects
Dan Holme, Director of Training & Consulting, Intelliem
Dan Holme
• MVP: SharePoint Server
• Consultant & Trainer at Intelliem, www.intelliem.com
• Fortune-caliber business, academic & government
• Microsoft Technologies Consultant, NBC Olympics
• Community Lead, www.SharePointProConnections.com
• Contributing Editor, Windows IT Pro and SharePoint Pro Connections magazines
• Author: Microsoft Press, SharePoint 2010 Training Kit, Technical Specialist Exam 70-667
• @danholme, danh@intelliem.com

SharePoint Security in a Nutshell
• Authentication
• Users and groups
• Web application policy
• Securable object
• Roles (permission levels)
• Role assignments (“assigning permissions”)
• Record policies
• Auditing
[Diagram labels: Authentication (Identity/Claim); Authorization (Policy, Group, Role (permission level), Securable Object, Record)]

SharePoint Security in a Nutshell
• Authentication
Authentication
• Authentication providers
  • Defined at the web application
  • Claims-based identity allows a web application to utilize multiple authentication providers (e.g. Windows and Forms) without extending the web app
  • Verify identity of user
• Role providers
  • Identify the roles (groups) of user

SharePoint Security in a Nutshell
• Authentication
• Securable object
SharePoint Logical Structure
Web Application
  Site Collection / Top-Level Site (the diagram shows two: a web application hosts multiple site collections)
    Site (and sub-sites)
      List / Library
        [Folder]
          Item / Document

SharePoint Security in a Nutshell
• Authentication
• Users and groups
• Securable object
• Roles (permission levels)
• Role assignments (“assigning permissions”)

Default Groups
• Owners: Full Control
• Visitors: Read
• Members: Contribute
• Features add more groups (Designers, etc.)
• The Members group is the “default members group”
Site security
• Groups are defined at the site collection
  • Can be given permission at the site level
  • Permission inherits down from there
  • When you create a group you do not have to assign a permission
  • A group without a permission at the site can still be assigned permissions to another securable object
• Create a sub-site
  • Inherited or unique permissions

List or Library Security
• Change permissions on a library
  • Library (or List) Settings > Permissions for this document library (or list)
• Stop Inheriting Permissions
  • Copies inherited permissions as initial explicit permissions
  • Can reset with Inherit Permissions button
• Ribbon actions for selected group(s)/user(s)
  • Grant Permissions
  • Remove User (or group) Permissions
  • Edit User (or group) Permissions
• Check Permissions: Resultant set of permissions
• Anonymous Access
Folder and Item Security
• Change permissions on a folder or item
  • Point at the item, open its arrow menu > Manage Permissions
  • If you are viewing the item properties in SharePoint, Edit Permissions
• Item level permissions on pages in a page library
  • Problem: A web part displays items
    • Users don’t see items they don’t have access to
    • The crawler sees all items in the web part and indexes them
  • Web Part content on ASPX pages is not indexed by default
    • Site Settings > Search and Offline Availability > Indexing ASPX Page Content

Inheritance
• Permissions (role assignments) are inherited from the parent object
• Inheritance can be broken
  • All permissions are explicit
  • Any changes to parent do not affect the object
• Inheritance can be reinstated
  • All customizations (explicit permissions) are lost
• Use inheritance wherever possible
• No “traverse” permissions are necessary
  • All that matters is the permission on the item specified by the URI
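The inheritance rules on this slide, the resultant set behind Check Permissions on the previous slide, and the Override Check Out level from the following slides, worked through in an added illustrative Python model. It is not SharePoint code or its API: the permission level contents, the hierarchy and the user and group names are constructed for the example.

```python
# Illustrative model of SharePoint permission resolution (added example, not
# SharePoint's API). Permission level contents below are constructed subsets.
CONTRIBUTE = frozenset({"View Items", "Add Items", "Edit Items", "Delete Items"})
READ = frozenset({"View Items", "Open Items"})
FULL_CONTROL = CONTRIBUTE | READ | {"Manage Permissions", "Override Check Out"}
OVERRIDE_ONLY = frozenset({"Override Check Out"})  # custom level from the slides

class SecurableObject:
    def __init__(self, name, parent=None, assignments=None):
        self.name, self.parent = name, parent
        # None = inheriting; a dict principal -> permission level = explicit assignments
        self.explicit = assignments

    def role_assignments(self):
        obj = self                     # walk up to the nearest explicit assignments
        while obj.explicit is None:
            obj = obj.parent
        return obj.explicit

    def break_inheritance(self):       # copies inherited assignments as explicit ones
        if self.explicit is None:
            self.explicit = dict(self.role_assignments())

    def inherit_permissions(self):     # all explicit customizations are lost
        self.explicit = None

    def grant(self, principal, level):
        self.break_inheritance()
        self.explicit[principal] = level

    def remove(self, principal):
        self.break_inheritance()
        self.explicit.pop(principal, None)

    def check_permissions(self, user, groups):
        # Resultant set: union of levels assigned to the user or any group containing them.
        # Only this object's effective assignments count; no "traverse" right on parents.
        principals = {user} | groups.get(user, set())
        levels = [lvl for p, lvl in self.role_assignments().items() if p in principals]
        return frozenset().union(*levels)

def build_site():
    # Constructed sample hierarchy: site -> library -> folder -> document
    site = SecurableObject("Top-Level Site", assignments={
        "Owners": FULL_CONTROL, "Members": CONTRIBUTE, "Visitors": READ})
    library = SecurableObject("Library", site)
    doc = SecurableObject("Document", SecurableObject("Folder", library))
    groups = {"alice": {"Members"}, "bob": {"Visitors", "Librarians"}, "carol": set()}
    library.grant("Librarians", OVERRIDE_ONLY)  # breaks inheritance, adds role assignment
    library.remove("Visitors")                  # explicit now, so Visitors lose the library
    doc.grant("carol", READ)                    # carol has rights only on the item itself
    return site, library, doc, groups
```

Granting on the parent after the library has broken inheritance changes nothing below it, and reinstating inheritance on the library throws away the Librarians assignment while the document keeps its own explicit ones.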
Permission Levels
• Permission levels are collections of permissions
• Defined at the site collection
• How To
  • Customize an existing permission level
  • Copy an existing permission level and edit the copy
  • Create a new permission level “from scratch”

Permission Levels
• Permission levels are collections of permissions
• Default
  • Read
  • Contribute
  • Design
  • Full Control
  • Limited Access
• Publishing feature
  • Manage hierarchy
  • Approve
  • Restricted read
Override Check-Out Permission
• Allows
  • Check-in a document checked out by another user
  • Discard check-out
• A SharePoint permission
  • Included in Full Control
• Create a permission level ("role")
  • Perhaps with only Override Check Out
• Create a role assignment
  • Assign the permission level to a SharePoint or Active Directory group

SharePoint Groups
• Members group has two roles
  • Contribute
  • Exposes site in SharePoint and Office interfaces
    • My Site: Memberships (2010) or My SharePoint Sites (2007)
    • Office 2010: Save to SharePoint interface
    • Office 2007: Open/Save dialog > My SharePoint Sites
• Tip: Split up these two roles with a custom group
  • One group is the “contribute” permission: Members
  • One group is the “default group”: Site Visibility
    • No permissions given to this group
    • Choose the “Make Default Group” command (2010) or assign as the Members group (2007)

SharePoint Groups
• Enable hierarchical membership management
  • Site Managers. Membership managed by site collection administrators
  • Site Members. Owned by Site Managers. Membership managed by owner.
• Enable access requests
  • Optionally enable auto-accept of requests
• Control membership visibility

Group Management Comparison
• Active Directory
  • Technical user interface (AD Users & Computers)
  • No provisioning (requests, workflows)
  • Difficult delegation of membership management
  • Centralized security (group membership) management
• SharePoint
  • Non-technical user interface (compared to ADUC)
  • Easy delegation of group membership management
  • Optional provisioning of membership requests
  • Unified view of SharePoint groups & users
  • Only applies to SharePoint
Using Active Directory Groups
• Assigning permissions directly to AD groups
  • Possible but not recommended
  • Assumes that content will always be hosted in a web application using AD as its auth provider
• Nest Active Directory groups in SharePoint groups
  • Add to a SharePoint group and give permissions (recommended)
  • User → Active Directory group → SharePoint group
  • Must be a security group (not a distribution group)
    • Distribution groups can be used to create audiences

User Information List
• Group information list: Site Settings > People and Groups
• User Information List
  • /_catalogs/users/simple.aspx
  • This list exists at the site collection level
  • Visible only to administrators with the URL
    • No longer has a link in the UI in 2010
• Users appear when
  • Added explicitly to the User Information List
  • Given an explicit permission within the site collection
  • Contribute to the site
    • e.g. able to contribute based on membership in an AD group
  • Configure an alert
To Nest or Not To Nest
• User → Active Directory group → SharePoint group
• Advantages
  • Provides authentication
    • Don’t assign SP permissions directly to AD groups. Not manageable in the long term.
  • Centralized management of groups and security
    • One AD group can provide access to SharePoint, shared folders, etc.
    • User removed from AD group is automatically out of SP groups
• Disadvantages
  • Limited visibility of what’s really happening
    • Site will not appear in the users’ My Sites
    • User Information List will not show individual users until they have contributed to the site
  • AD groups with deep nesting or contacts can break SP
• Recommendation: Based on governance plan
  • Ideal world: Synchronization of membership between Active Directory and SharePoint groups (custom code)
  • “Intranet” sites: AD groups → SP groups to define access
    • Add site to users’ My Sites with personalization site links
  • “Collab” sites: Add users directly to SP groups
    • Provide My Site visibility
    • Provide visibility of user in user information list
Administrative Groups
• Windows Administrators
• SharePoint (Farm) Administrators
• Site Collection Administrators

Windows Administrators
• Can perform all farm administrator actions plus…
  • Install new products and applications
  • Deploy web parts and features to the global assembly cache
  • Create new web applications and IIS sites
  • Start and stop services
• Like farm administrators, no access to site content

SharePoint (Farm) Administrators
• Farm Administrators
  • Can use Central Administration site to perform administrative tasks
  • Manage server and farm settings
  • Provides access to Central Administration
    • Not used for any other access
    • Does not permit use of PowerShell to administer SharePoint
  • No access to site content granted, by default
    • Possible for the admin to give themselves permissions through auditable actions
• Service application administrators
  • Capabilities vary by service applications
• Central Administration is security trimmed

Site Collection Administrators
• Responsibilities
  • Manage all sites in a site collection
  • Assist with user access
  • Access second stage recycle bin to recover items
• Permissions
  • Contacts for the site collection
  • Full Control access of all sites in the site collection
  • Audit all site content
  • Receive any administrative alert
• Creating a site collection
  • 1 site collection administrator required, 2nd recommended
  • After creating site collection, can add more
    • Site Settings > Site collection administrators

SharePoint Security in a Nutshell
• Authentication
• Users and groups
• Web application policy
• Securable object
• Roles (permission levels)
• Role assignments (“assigning permissions”)
Anonymous Access
• Disabled by default
• Authentication of anonymous users
  • Enable for web application: Central Administration > Application Management > Manage Web Applications > Select web app > Authentication Providers > Click the link for the Zone.
• Authorization of access by anonymous users to site
  • Site settings > Advanced permissions > Settings > Anonymous Access
    • Enable access to Entire Web Site
    • or Enable access to selected Lists & Libraries
      • Then enable anonymous access to selected lists and libraries
    • or None
• For intranet: Add Domain Users to group

Web Application Security
• Central Administration > Application Management > Manage Web Applications
• User Policy
  • Bound to web application AAM zone
  • Permissions
    • Full Control
    • Full Read
    • Deny Write
    • Deny All
  • Permission policy allows you to create your own policies
• Scenarios
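How a user policy bound to a zone layers over site-level role assignments, as an added illustrative Python model rather than SharePoint's API: a grant policy applies to every site reached through that zone of the web application, and a deny policy removes rights even where a site's role assignments grant them. The permission sets in each policy level, the zone names and the scenarios are constructed for the example.

```python
# Illustrative model of web application user policy (added example, not SharePoint's
# API). Each policy level grants and/or denies a set of permissions; sets are constructed.
WRITE = frozenset({"Add Items", "Edit Items", "Delete Items", "Manage Permissions"})
READ = frozenset({"View Items", "Open Items"})
CONTRIBUTE = READ | {"Add Items", "Edit Items", "Delete Items"}
POLICY_LEVELS = {  # name -> (granted permissions, denied permissions)
    "Full Control": (READ | WRITE, frozenset()),
    "Full Read": (READ, frozenset()),
    "Deny Write": (frozenset(), WRITE),
    "Deny All": (frozenset(), READ | WRITE),
}

def effective_permissions(user, groups, site_rights, zone, policies):
    """site_rights: what the user's role assignments grant on the site object.
    policies: (zone, principal, policy level) tuples bound to the web application."""
    principals = {user} | groups.get(user, set())
    granted, denied = set(site_rights), set()
    for pol_zone, principal, level in policies:
        if pol_zone == zone and principal in principals:   # policy is bound to one AAM zone
            add, deny = POLICY_LEVELS[level]
            granted |= add
            denied |= deny
    return frozenset(granted - denied)   # a deny wins over any grant, site-level or policy

def scenarios():
    # Constructed sample: a contractor group denied write on the Default zone, and a
    # service account given Full Read although no site grants it anything.
    groups = {"alice": {"Contractors"}, "svc-reader": set()}
    policies = [("Default", "Contractors", "Deny Write"),
                ("Default", "svc-reader", "Full Read")]
    return {
        "alice_default": effective_permissions("alice", groups, CONTRIBUTE, "Default", policies),
        "alice_extranet": effective_permissions("alice", groups, CONTRIBUTE, "Extranet", policies),
        "reader_default": effective_permissions("svc-reader", groups, frozenset(), "Default", policies),
    }
```

Note that the same Contribute role assignment yields only read rights through the Default zone but full Contribute through the Extranet zone, which is why a policy must be bound to every zone it is meant to cover.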
Managing Permissions
• Defined at the web application
• Not typical to modify or disable the permissions at the web app
• Central Administration > Web Application Management > User Permissions
• Example: prevent changes to branding
  • Deselect Apply Style Sheets and Apply Themes and Borders

Auditing
• Configured at the site collection level
  • Site Settings > Site Collection Administration: Site collection audit settings
• Audit log reports

Records Management
• New in SharePoint 2010: in-place records management
• Enable the feature at the site collection level
• Declare records management attributes
  • Site collection
  • Folder
  • Content type
• Supports security at the document level without permissions

More Information
• Dan Holme: dan.holme@intelliem.com
• @danholme
• www.sharepointproconnections.com
• Microsoft Official Curriculum Course 10174A: Configuring and Administering SharePoint 2010
• 70-667 Training Kit: Configuring and Administering SharePoint 2010 (Microsoft Press)
Track Resources
• For More Information – http://sharepoint.microsoft.com
• SharePoint Developer Center – http://msdn.microsoft.com/sharepoint
• SharePoint Tech Center – http://technet.microsoft.com/sharepoint
• Official SharePoint Team Blog – http://blogs.msdn.com/sharepoint
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.