SharePoint Portal Server 2003 IT Documentation
Managing Site Groups and Permissions
 

When you set up a Web site, you need a way to specify who has access to it. For a typical Internet site, you probably want everyone who comes to the site to be able to view your content, but you don't want them to be able to change that content. For a company intranet site, you may want a few people controlling the structure of the site, but many more people who can add new content or participate in group calendars or surveys. For an extranet, you want to carefully control which people can view the site at all. Generally, access to Web sites is controlled by combining user accounts with a permissions structure that controls the specific actions users can perform.

Microsoft Office SharePoint Portal Server 2003 provides the ability to control site access through the following means:

  • Site groups

    Site groups let you specify which of your users can perform specific actions on your site. For example, a user who is a member of the Contributor site group can add SharePoint Portal Server area listings or content, such as the Task list or a document library.

  • Anonymous access control

    For SharePoint Portal Server, anonymous users can only view content and possibly perform searches, depending on how rights are configured. They cannot contribute in any way.

    Most Internet Web sites allow anonymous viewing of the site but may ask for authentication when someone wants to edit the site or buy an item on a shopping site.

    Note  You can also grant access to "all authenticated users" to allow all members of your domain to access a Web site, without having to enable anonymous access.

  • Per-area permissions

    You can manage permissions on a per-area basis. For example, if you have an area containing sensitive financial data for the next fiscal year, you can restrict access to that area so that only the appropriate users can view it. Per-area permissions override portal site–level permissions.

    Areas can either use the same permissions as the parent portal area (inheriting both the site groups and users available on the parent area) or use custom permissions assigned to site groups or individual users of that area.

  • Site creation rights

    There are three rights that control whether users can create team sites or areas: Create Sites, Create Personal Site, and Create Areas.

Defining Site Groups

SharePoint Portal Server uses site groups to manage site-wide security. Each user is a member of at least one site group. Each site group possesses corresponding rights. Rights are actions that users can perform, such as Manage Areas. With SharePoint Portal Server, you can use the following default site groups: Guest, Reader, Contributor, Member, Web Designer, Content Manager, and Administrator. In addition, SharePoint Portal Server allows you to edit the rights assigned to a site group, create a new site group, or delete an unused site group. You manage site groups in SharePoint Portal Server with either HTML Administration pages or the command-line administration tool. Note that you cannot change the rights assigned to the Guest and Administrator site groups, and you cannot assign users directly to the Guest site group.

Note  It is possible to add user accounts to an area without assigning them to a site group.

SharePoint Portal Server includes the following site groups by default:

  • Guest  Has limited rights to view pages and specific page elements. Use this site group to give users access to a particular page or list without granting them rights to view the entire site. You cannot add users explicitly to the Guest site group; users who are given access to lists or document libraries by way of per-list permissions are automatically added to the Guest site group. You cannot customize or delete the Guest site group.
  • Reader  Has rights to view items, view pages, and perform searches. A reader cannot create Web sites. The ability to create portal sites requires the Create Site permission, which a reader doesn't have. Members, however, can create their own personal sites.
  • Member  Has Reader rights, plus rights to add items, personalize Web Parts, use alerts, and create personal sites.
  • Contributor  Has all rights of the Members site group plus the following: Edit Items, Delete Items, Manage Personal Views, and Browse Directories. Contributors cannot create new areas, but they can add and edit area listings and content to existing areas. In contrast to Microsoft Windows SharePoint Services, the SharePoint Portal Server contributor cannot create cross-site groups.
  • Content Manager  Has all Contributor rights, plus the following: Cancel Checkout, Add and Customize Pages, Create Area, and Manage Area rights.
  • Web Designer  Has all Content Manager rights, plus the Apply Style Sheets and Manage Portal Site rights. Web Designers can cancel check-out, delete items, manage areas, add and customize pages, define and apply themes and borders, and link style sheets. They can modify the structure of the site and create new area listings and content (which includes SharePoint Portal Server lists and document libraries).
  • Administrator  Has all Web Designer rights, plus the following: Manage Area Permissions, Manage Alerts, Manage User Profiles, Manage Audiences, and Manage Search. The Administrator site group cannot be customized or deleted, and there must always be at least one member of the Administrator site group. Members of the Administrator site group always have access to, or can grant themselves access to, any item on the portal site.

SharePoint Portal Server maintains a single list of site groups, and it maintains that list only for the portal site as a whole. If a user is added to a site group, that user has rights to every area to which that site group is assigned rights. By default, all site groups and rights are inherited from the root area.

For a complete list of user rights and to see which are included in each site group by default, see User Rights and Site Groups.

Customizing Rights for Site Groups

You can create a new site group or customize an existing site group (except for the Guest and Administrator site groups, which cannot be customized) to include only the rights you want. For example, if you want only the Web Designers to be able to edit lists on the site, you can remove the Edit Items right from the Contributor site group.

Some rights depend on other rights. You must be able to view items before you can edit items. In the same way, if you add a right that requires another right, the required right is also added. So, if you grant the Edit Items right to a user, the View Items right is granted automatically.

Note  For more information about dependencies in user rights, see User Rights and Site Groups.

Security and User Rights

User rights grant users the ability to perform certain actions on your portal site, or in a particular area of that site, and restrict other users from performing those actions. Some rights do not completely restrict certain actions. The Apply Style Sheets right allows users to make changes to the portal site or an area of that site. Any user with the Add and Customize Pages right, however, can perform the same changes on a page-by-page basis in the actual HTML code. Be aware that if you give a user the Add and Customize Pages right (by assigning him or her to a site group that contains the right), you are also giving that user the ability to change the theme, border, and style sheets for individual pages on your portal site.

When you assign rights to site groups, be sure that you assign the appropriate rights and do not unintentionally allow members of the site group to perform more actions than you want on your portal site. Conversely, be sure that members of the site group are not unintentionally restricted from performing the actions they need to perform.
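
The overlap described above can be audited with a small model of the default site groups, which also applies the rights dependency from Customizing Rights for Site Groups. This is an added example, not SharePoint Portal Server code or an API: the data structures and function names are hypothetical, the Reader and Member right names are paraphrased from this page's descriptions, and dropping dependent rights on removal is a modelling assumption.

```python
# Model of the default site groups on this page. Right names are taken from the
# page (Reader and Member rights are paraphrased from its descriptions); the
# data structures and function names are hypothetical, not a SharePoint API.

# (group, base group, rights added on top of the base), in the page's order.
DEFAULT_GROUPS = [
    ("Reader", None, {"View Items", "View Pages", "Search"}),
    ("Member", "Reader", {"Add Items", "Personalize Web Parts",
                          "Use Alerts", "Create Personal Site"}),
    ("Contributor", "Member", {"Edit Items", "Delete Items",
                               "Manage Personal Views", "Browse Directories"}),
    ("Content Manager", "Contributor", {"Cancel Check-Out", "Add and Customize Pages",
                                        "Create Area", "Manage Area"}),
    ("Web Designer", "Content Manager", {"Apply Style Sheets", "Manage Portal Site"}),
    ("Administrator", "Web Designer", {"Manage Area Permissions", "Manage Alerts",
                                       "Manage User Profiles", "Manage Audiences",
                                       "Manage Search"}),
]
LOCKED = {"Guest", "Administrator"}          # cannot be customized
REQUIRES = {"Edit Items": {"View Items"}}    # the one dependency the page states
# Rights that let a user change theme, border or style sheets.
STYLE_RIGHTS = {"Apply Style Sheets", "Add and Customize Pages"}


def build_default_groups():
    """Flatten 'all rights of X plus ...' into one set of rights per group."""
    groups = {}
    for name, base, extra in DEFAULT_GROUPS:
        inherited = groups[base] if base else set()
        groups[name] = inherited | extra
    return groups


def closure(right):
    """The right itself plus everything it (transitively) requires."""
    needed, stack = set(), [right]
    while stack:
        current = stack.pop()
        if current not in needed:
            needed.add(current)
            stack.extend(REQUIRES.get(current, ()))
    return needed


def grant(groups, group, right):
    """Add a right; rights it requires are added automatically."""
    if group in LOCKED:
        raise ValueError(f"{group} cannot be customized")
    groups.setdefault(group, set()).update(closure(right))


def revoke(groups, group, right):
    """Remove a right and, as a modelling assumption, any right that requires it."""
    if group in LOCKED:
        raise ValueError(f"{group} cannot be customized")
    groups[group] = {r for r in groups[group] if right not in closure(r)}


def style_capable(groups):
    """Map each group to the rights that let its members restyle pages."""
    return {name: sorted(rights & STYLE_RIGHTS)
            for name, rights in groups.items() if rights & STYLE_RIGHTS}


if __name__ == "__main__":
    groups = build_default_groups()
    # Removing Apply Style Sheets alone does not stop Web Designers restyling pages.
    revoke(groups, "Web Designer", "Apply Style Sheets")
    for name, via in style_capable(groups).items():
        print(f"{name}: can restyle pages via {', '.join(via)}")
```

With the defaults, Content Manager appears in the result even though it never receives Apply Style Sheets, which is the unintended grant this section warns about.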

Managing Site Groups

You can manage site groups from the Manage site security and additional settings page for your portal site. To manage site groups, on the Site Settings page, follow the Manage security and additional settings link to the Manage security and additional settings page. Then, in the Users and Permissions section, click Manage site groups to get to the Manage Site Groups page. On this page, you can view a list of site groups, change which rights are included in a site group, add a new site group, or delete a site group.

View a list of site groups
  1. On the Site Settings page for your portal site, in the General Settings section, click Manage security and additional settings.
  2. On the Manage security and additional settings page, click Manage site groups.

    The site groups available for the portal site are displayed on the Manage Site Groups page.

You can add new site groups for use on your site from the Manage Site Groups page.

Add a new site group
  1. On the Manage Site Groups page, click Add a Site Group.
  2. In the Site Group Name and Description section, type the name and description for your new site group.
  3. In the Rights section, select the rights you want to include in the new site group.
  4. Click OK.

You can create a new site group based on an existing site group.

Edit an existing site group
  1. On the Manage Site Groups page, click the site group you want to change.
  2. On the Members of Site group name page, click Edit Site Group Permissions.
  3. On the Change Site Group Rights page, select the rights you want to include and clear any rights that you do not want.
  4. Click OK.

If you find that a site group is not used, you can delete the site group.

Delete an existing site group
  1. On the Manage Site Groups page, select the check box next to the site group you want to delete.
  2. Click Delete Selected Site Groups.
  3. When a confirmation dialog box appears, click OK to confirm your changes.

Assigning Per-Area Permissions

SharePoint Portal Server provides the ability to control permissions on a per-area basis. If you have sensitive information stored in an area and you do not want to expose the information to all members of your portal site, you can set permissions for just that area to control which users can view, edit, or add items to it. You can grant permissions to area listings or content to individual users, to groups of users, or to a site group. Per-area permissions work for any area listing or content in an area (for example, Announcements, Tasks, Shared Documents, and so on).

Area permissions can be changed by any user who has the Manage Area Permissions right (by default, included in the Administrator site group) or Full Control permissions for that area. By default, all members of an area (all users assigned to a site group, except for the Guest site group) have access to all area content, including portal listings, lists, and document libraries. Each site group has a predefined level of permissions for all area listings and content. The default area-level permissions are:

  • View listings (given to the Reader site group by default)
  • View, insert, edit, delete listings (given to the Contributor site group by default)
  • View, insert, edit, delete listings; change area and list settings (given to the Web Designer site group by default)
  • View, insert, edit, delete listings; change area and list settings; change area security

In addition, you can set advanced permissions, which allows you to grant any of the following rights for a user or site group:

  • View Area: View an area and its contents. Given to the Reader site group by default.
  • View Pages: View pages in an area.
  • Add Items: Add items to lists, add documents to document libraries, add Web Discussion comments. Given to the Contributor site group by default.
  • Edit Items: Edit items in lists, edit documents in document libraries, customize Web Part pages in document libraries. Given to the Contributor site group by default.
  • Delete Items: Delete items from a list, documents from a document library, and Web discussion comments in documents. Given to the Contributor site group by default.
  • Manage Personal Views: Create, change, and delete personal views of lists. Given to the Contributor site group by default.
  • Add/Remove Personal Web Parts: Add or remove Web Parts on a personalized Web Part Page.
  • Update Personal Web Parts: Update Web Parts to display personalized information.
  • Cancel Check-Out: Check in a document without saving the current changes. Applies only to document libraries. Given to the Web Designer site group by default.
  • Add and Customize Pages: Add, change, or delete HTML pages or Web Part Pages; edit the portal site by using a Windows SharePoint Services–compatible editor.
  • Create Area: Create an area on the portal site.
  • Manage Area: Delete or edit the properties for an area on the portal site. Given to the Web Designer site group by default.
  • Manage Area Permissions: Add, remove, or change user rights for an area.
  • Apply Style Sheets: Apply a style sheet (.css file) to an area or the portal site.
  • Browse Directories: Browse directories in an area.

Note  Members of the Administrator site group always have the highest level of permissions for all area content including portal site listings, lists, and document libraries. You cannot change list or document library permissions for the Administrator site group. Also, any site group that has the View Items right (such as Reader) can continue to see the list name, description, number of items, and time when the list was last modified, even though they cannot view the list contents directly.

To control permissions for an area, go to the area itself or to the Manage Security Settings for Area Area Name page.

View permissions for an area
  1. Navigate to the area for which you want to view permissions, and then in the Actions list, click Manage Security.
  2. The Manage Security Settings for Area Area Name page displays the users and groups that have access to the area, and shows the permissions level each user or group is assigned.

You can change the area permissions for all members of a particular site group or for a user by modifying site group or user permissions.

Change area permissions for a particular site group
  1. Navigate to the portal area for which you want to change permissions, and then in the Actions list, click Manage Security.
  2. On the Manage Security Settings for Area Area Name page, select the check box next to the site group you want to change.
  3. Click Edit.
  4. On the Edit Rights on Area Area Name page, select the level of permissions to allow, and then click OK.

You can also grant permissions to individual users, or to user groups, instead of to all members of a site group. Remember that when you grant users or groups permissions to a specific area on your portal site, they are added to the Guest site group if they are not already members of the site. Note that members of the Guest site group cannot navigate to a page within the site unless you give them the exact page URL.

Assign area permissions to a specific user or group
  1. From your site, navigate to the area for which you want to assign permissions, and then in the Actions list, click Manage Security.
  2. On the Manage Security Settings for Area Area Name page, click New User.
  3. In the Users or Groups section, type the network domain name or e-mail address for the user or group you want to assign permissions.
  4. In the Rights section, select the level of permissions for the user or group.
  5. Click OK.

If you want to restrict your area to a specific set of users, you must both grant access to the individual users and remove access from other site members.

Remove area permissions for a user, group, or site group
  1. Navigate to the area for which you want to remove permissions, and then in the Actions list, click Manage Security.
  2. On the Manage Security Settings for Area Area Name page, select the check box next to the site group, user, or group you want to remove permissions for, click Remove Permissions, and then click OK.

If you no longer want to use custom permissions for a particular area, you can reset the permissions to use the portal site's general permissions.

Controlling Anonymous Access to a Portal Site

If you want all authenticated users of your intranet to be able to access your portal site, rather than adding each user individually or in groups, you can configure your site to allow all users on your network rights to use the site. You can also specify which site group (either Reader or Contributor) to assign to all authenticated users.

If you want users to be able to access your site anonymously, you can configure your site to allow anonymous access. Anonymous access is used to allow users to browse sites without authenticating (a standard Internet scenario).

Setting Up Anonymous Access for Your Portal Site

Anonymous access is disabled by default and is set up at the portal site level. However, you can configure each individual area for anonymous access. For example, after setting up anonymous access for the portal site and turning it on at the portal site level, the administrator has the option of setting individual areas to be anonymously accessible.

By default, if the inheritance is not broken, an area allows anonymous access. If you want to allow anonymous access (such as for an Internet site, where you want visitors to be able to browse without authenticating), you must enable anonymous access by assigning rights to the anonymous user. After creating your portal site, if you want to enable users to access your portal site anonymously, you must first create a virtual server using Internet Information Services (IIS) and then extend and map the original authenticated server to the new one. All authenticated users use the original server, while the anonymous server is used by anonymous users only.

Anonymous access in SharePoint Portal Server works differently than in Windows SharePoint Services. In Windows SharePoint Services, you enable anonymous access for your site by first enabling it in IIS, and then by navigating to the SharePoint Central Administration page and enabling anonymous access. Users are then able to access the home page of the portal site without being authenticated. Site administrators can choose whether to log on and activate an authentication dialog box for new users.

In contrast, to enable anonymous access with SharePoint Portal Server, you must create a second virtual server, extend it, map it to the original portal site, and configure it to be anonymous. To access a SharePoint Portal Server site configured for anonymous access, users have a separate URL and are not prompted for authentication credentials. They can just browse the portal site, and also search if the search feature is configured for anonymous access.

Create a virtual server in IIS
  1. Log on as a local administrator.
  2. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
  3. Expand local computer.
  4. Right-click Web Sites, click New, and then click Web Site.

    The Web Site Creation Wizard appears.

  5. Click Next.
  6. On the Web Site Description page, type a description (for example, vserver1), and then click Next.
  7. On the IP Address and Port Setting page, enter a TCP port number (for example, 8080), and then click Next.
  8. On the Web Site Home Directory page, click Browse to select the folder you want to put the virtual server in (for example, <root>\inetpub\wwwroot).
  9. In the Browse For Folder dialog box, click Make New Folder, and then name the new folder (for example, Anonymous). Click OK, and then click Next.
  10. On the Web Site Access Permissions page, select a check box to set the access permissions for the site, click Next, and then click Finish.

You may need to restart IIS for this change to take effect. After anonymous access has been turned on for the virtual server in IIS, you can enable anonymous access for a specific area.

Extend the site and map to another virtual server
  1. On your site, click Site Settings.
  2. In the General Settings section, click Go to SharePoint Portal Server central administration.
  3. On the SharePoint Portal Server Central Administration page, in the Portal Site and Virtual Server Configuration section, click Extend an existing virtual server from the Virtual Server List page.
  4. On the Virtual Server List page, click the virtual server you created in the previous procedure.
  5. On the Extend Virtual Server page, in the Provisioning Options section, click Extend and map to another virtual server.
  6. On the Extend and Map to Another Virtual Server page, in the Server Mapping section, select the original portal you want to configure anonymous access for (for example, Default Web Site). In the Application Pool section, click Use an existing application pool, and then select MSSharePointPortalAppPool.
  7. Click OK. If an authentication dialog box appears prompting you for credentials, type the user name and password of the account used by MSSharePointPortalAppPool, and then click OK. Repeat this step for any subsequent authentication dialogs that appear.

Enable anonymous access for the virtual server in IIS
  1. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
  2. Expand local computer, and then click Web Sites.
  3. Right-click the Web site you just created for anonymous access, and then click Properties.
  4. Click the Directory Security tab.
  5. In the Authentication and access control section, click Edit.
  6. In the Authentication Methods dialog box, select the Enable anonymous access check box.
  7. Click OK to apply the change, and then close the Authentication Methods dialog box.
  8. Click OK again to close the properties dialog box.

Enable anonymous access for the portal site
  1. On your portal site, click Site Settings.
  2. On the Site Settings page, in the General Settings section, click Manage security and additional settings.
  3. On the Manage security and additional settings page, in the Users and Permissions section, click Change anonymous access settings.
  4. On the Anonymous Access page, select a level of access to allow. Ensure that the setting is not set to Nothing.
  5. Click OK.

Configure alternate access mapping
  1. On your portal site, click Site Settings.
  2. On the Site Settings page, in the General Settings section, click Go to SharePoint Portal Server central administration.
  3. On the SharePoint Portal Server Central Administration page, in the Portal Site and Virtual Server Configuration section, click Configure alternate portal site URLs for intranet, extranet, and custom access.
  4. On the Configure Alternate Portal Access Settings page, rest the pointer on the site for which you want to change the access settings, click the arrow that appears, and then click Edit.
  5. On the Change Alternate Access Setting page, in the Custom URL box, type the anonymous access URL (for example, http://portal name:anonymous port number), and then click OK to save the changes.

Note  You can check your anonymous access settings by opening your browser and typing http://portal:8080. You should not be prompted for credentials.

Perform an iisreset
  1. Click Start, and then click Run.
  2. In the Open box, type cmd, and then click OK.
  3. In the command prompt window, type iisreset, and press ENTER.

Changing Anonymous Access Settings for Your Portal Site

After anonymous access is set up for your portal site, you must turn on anonymous access settings for the portal site so users can access the portal site anonymously. There are three anonymous settings:

  • Areas and content  The user has View Area and View Pages rights for specific areas.
  • Areas, content and search  The user has View Area and View Pages rights for specific areas and also has search rights for the portal site.
  • Nothing  Anonymous access for the entire portal site is turned off: users cannot access the portal site anonymously, although it is configured.

Change anonymous access for the portal site
  1. On your portal site, click Site Settings.
  2. On the Site Settings page, in the General Settings section, click Manage security and additional settings.
  3. On the Manage security and additional settings page, in the Users and Permissions section, click Change anonymous access settings.

    Note  This link only appears after anonymous access is configured for the portal site.

  4. On the Change Anonymous Access Settings page, in the Anonymous Access section, specify the parts of your site that anonymous users can access. Choose either areas and content, or areas, content, and search.
  5. Click OK.
  6. Perform an iisreset.

Note  You always configure anonymous access to the portal site or enable anonymous access to an individual area from the original authenticated server. The anonymous virtual server is used for anonymous access only.

Setting Per-Area Anonymous Access

You can control anonymous access for your entire portal site by using the Manage Anonymous Access page, or you can control anonymous access for specific areas by using the per-area permissions feature. It is important to note, however, that permissions are inherited. Even if anonymous access is enabled for a child area, anonymous users will not be able to access that area if anonymous access is disabled for the parent area; in this case, the child area will not display in the navigational hierarchy. For area-level anonymous access to work in this case, you must access the child area using a direct URL.

Change anonymous access for an area
  1. Verify that anonymous access is turned on for your portal site.
  2. Log on as a user who has the Manage Area Permissions right.
  3. Navigate to the area for which you want to change the anonymous access setting.
  4. In the Actions list, click Manage Security.
  5. On the Manage Security for Area Area Name page, toggle the Enable/Disable anonymous access to the contents of this portal area and all areas that inherit from this area as required.

Configuring Security Settings for an Area

When you create an area, it automatically inherits the security settings from the parent area. When an area inherits security settings from its parent area, any changes in the security settings of the parent area will also apply to the child area.

If you then change the security settings for your area in any way (for example, by adding, deleting, or modifying existing settings), the pattern of inheritance between the parent and child areas is broken. If you choose to restore the default settings and revert back to security settings from the parent area, any modifications to the area security settings are then lost.
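
The inheritance rules in this section, together with the parent and child rule under Setting Per-Area Anonymous Access, can be checked with a small model that lists areas anonymous users can still reach by direct URL after a parent has been locked down. This is an added example, not SharePoint Portal Server code: the Area class, its fields and the area names are hypothetical, and it assumes an inheriting area takes the anonymous setting of its nearest customized ancestor.

```python
from dataclasses import dataclass
from typing import Optional

# The three portal-level anonymous settings named on this page.
PORTAL_SETTINGS = ("Areas and content", "Areas, content and search", "Nothing")


@dataclass
class Area:
    """Hypothetical model of a portal area; not a SharePoint object."""
    name: str
    parent: Optional["Area"] = None
    inherits: bool = True     # new areas inherit security settings from the parent
    anonymous: bool = False   # the area's own toggle; used only when not inheriting

    def customize(self, anonymous: bool) -> None:
        """Any change to an area's security settings breaks inheritance."""
        self.inherits = False
        self.anonymous = anonymous

    def reset_to_parent(self) -> None:
        """Re-inheriting discards the area's custom settings."""
        self.inherits = True
        self.anonymous = False


def effective_anonymous(area: Area) -> bool:
    """Setting of the nearest area (self or ancestor) that does not inherit."""
    while area.inherits and area.parent is not None:
        area = area.parent
    return area.anonymous


def ancestors(area: Area):
    while area.parent is not None:
        area = area.parent
        yield area


def exposure(area: Area, portal_setting: str) -> str:
    """Classify what an anonymous user can do with this area."""
    if portal_setting not in PORTAL_SETTINGS:
        raise ValueError(f"unknown portal setting: {portal_setting!r}")
    if portal_setting == "Nothing" or not effective_anonymous(area):
        return "none"
    if all(effective_anonymous(a) for a in ancestors(area)):
        return "browsable"          # shown in the navigational hierarchy
    return "direct-url-only"        # hidden from navigation, reachable by URL


def hidden_but_reachable(areas, portal_setting: str):
    """Areas an anonymous user can open only with the exact URL."""
    return [a.name for a in areas if exposure(a, portal_setting) == "direct-url-only"]


def build_sample_portal():
    """Constructed sample tree: Home > (News, Finance > (Budget, Reports))."""
    home = Area("Home")
    home.customize(anonymous=True)
    news = Area("News", parent=home)
    finance = Area("Finance", parent=home)
    budget = Area("Budget", parent=finance)
    reports = Area("Reports", parent=finance)
    reports.customize(anonymous=True)   # customized earlier, so it no longer inherits
    return {a.name: a for a in (home, news, finance, budget, reports)}


if __name__ == "__main__":
    portal = build_sample_portal()
    portal["Finance"].customize(anonymous=False)   # lock down the parent area
    for area in portal.values():
        print(f"{area.name:8} {exposure(area, 'Areas and content')}")
```

In the sample tree, disabling anonymous access on Finance closes Budget, which inherits, but leaves Reports reachable by direct URL until its permissions are reset to inherit from the parent.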

Set custom permissions for an area
  1. Log on as a user with the Manage Area Permissions right to the area.
  2. Navigate to the area for which you need to modify permissions.
  3. In the Actions list, click Manage Security.
  4. On the Manage Security Settings for Area Area Name page, select the check box next to the site group for which you want to customize permissions, and then click Edit.
  5. On the Edit Rights on Area Area Name page, select the permissions you want to assign to the users and groups, and then click OK.

The Manage Security Settings for Area Area Name page appears, and the site group or user for which you customized the permissions is listed as having Custom rights to the area.

If you want to return to using the same permissions as the parent area, you can use the Manage Security Settings for Area Area Name page.

Reset permissions to the default state
  1. Log on as a user with the Manage Area Permissions right to the area.
  2. Navigate to the area for which you want to reset permissions.
  3. In the Actions list, click Manage Security.
  4. On the Manage Security Settings for Area Area Name page, click Inherit permissions from the parent Web site.

Note  The Inherit permissions from the parent Web site link does not appear unless the area permissions have already been customized.

Related Topics

For information about assigning users to site groups, see Managing Users and Cross-Site Groups.

For more information about self-service site creation, see Configuring Self-Service Site Creation.
