Managing Site Groups and Permissions

When you set up a Web site, you need a way to specify who has access to it. For a typical Internet (Internet: The worldwide collection of networks and gateways that use the TCP/IP suite of protocols to communicate with one another. If you have access to the Internet, you can retrieve information from millions of sources.) site, you probably want everyone who comes to the site to be able to view your content, but you don't want them to be able to change that content. For a company intranet (intranet: A private network for an organization based on Internet protocols such as TCP/IP.) site, you may want a few people controlling the structure of the site, but many more people who can add new content, or participate in group calendars or surveys (survey: A Web site component that presents users with a set of questions specified by the creator of the survey and collects user responses. Results are tallied in a graphical summary. Requires a Web server that is running Windows SharePoint Services.). For an extranet (extranet: An external Web site for an organization; usually secured so that only authorized users can gain access to it.), you want to carefully control which people can view the site at all. Generally, access to Web sites is controlled by combining user accounts with some sort of permissions structure that controls the specific actions users can perform.

Microsoft Windows SharePoint Services provides the ability to control site access through the following means:

  • Site groups

site groups (site group: A custom security group that applies to a specific Web site. Users are assigned to site groups to grant them rights on a SharePoint site.) let you specify which of your users can perform specific actions in your site. For example, a user who is a member of the Contributor site group can add content to Windows SharePoint Services lists, such as the Task list, or a document library (document library: A folder where a collection of files is stored and the files often use the same template. Each file in a library is associated with user-defined information that is displayed in the content listing for that library.).

  • Anonymous access control

You can enable anonymous access to allow users to contribute anonymously to lists and surveys, or to view pages anonymously. Most Internet Web sites allow anonymous viewing of the site, but may ask for authentication when someone wants to edit the site or buy an item on a shopping site.

 Note   You can also grant access to "all authenticated users" to allow all members of your domain to access a Web site, without having to enable anonymous access.

  • Per-list permissions

You can manage permissions more finely by setting unique permissions on a per-list basis. For example, if you have a document library containing sensitive financial data for the next fiscal year, you can restrict access to that list so that only the appropriate users can view it. Per-list permissions override site-wide permissions for the lists.

  • Subsite permissions

subsites (subsite: A complete Web site stored in a named subdirectory of the top-level Web site. Each subsite can have administration, authoring, and browsing permissions that are independent from the top-level Web site and other subsites.) can either use the same permissions as the parent Web site (inheriting both the site groups and users available on the parent Web site), or use unique permissions (so you can create your own user accounts and add them to site groups).

There are two rights that control whether users can create top-level Web site (top-level Web site: The default, top-level site provided by a Web server or virtual server. To gain access to the top-level Web site, you supply the URL of the server without specifying a page name or subsite.), subsites, or workspaces (workspace site: A subsite based on the Document Workspace or Meeting Workspace site templates.): Use Self-Service Site Creation and Create Subsites.

Defining Site Groups

Windows SharePoint Services uses site groups to manage site-wide security. Each user is a member of at least one site group. Each site group possesses corresponding rights. Rights are actions that users can perform, such as Manage Lists. With Windows SharePoint Services , you can use the following default site groups: Guest, Reader, Contributor, Web Designer, and Administrator. In addition, Windows SharePoint Services allows you to edit the rights assigned to a site group, create a new site group, or delete an unused site group. You manage site groups in Windows SharePoint Services with either HTML Administration pages or the command-line administration tool. Note that you cannot change the rights assigned to the Guest and Administrator site groups, and you cannot assign users directly to the Guest site group.

 Note   It is possible to add user accounts to a Web site without assigning them to a site group. For example, if you are creating new user accounts for the Web site, you can create the user accounts and then assign the users to site groups later. You can also remove a member from all site groups. However, a user who is not assigned to a site group has no access to the Web site.

Windows SharePoint Services includes the following site groups by default:

 Note   The owner and secondary owner of a site collection (site collection: A set of Web sites on a virtual server that have the same owner and share administration settings. Each site collection contains a top-level Web site and can contain one or more subsites.) are members of the Administrator site group for their site, but they are also identified separately in the configuration database (configuration database: The Microsoft SQL Server or MSDE database that contains the configuration information that applies across all servers in a deployment of Windows SharePoint Services, such as virtual server information.) as site collection owners. This owner flag can only be changed by using the Manage Site Collection Owners page in Central Administration or by using the siteowner operation with Stsadm.exe. If you remove an owner from the Administrator site group for the site, the owner retains the owner flag in the database, and can still perform Web site administrative tasks.

These site groups are defined per Web site. Users assigned to the Administrator site group are administrators only for a particular Web site. To perform any administrative tasks that affect settings for all Web sites and virtual servers (virtual server: A virtual computer that resides on an HTTP server but appears to the user as a separate HTTP server. Several virtual servers can reside on one computer. Each virtual server can have its own domain name and IP address.) on the server computer, a user must be an administrator for the server computer (also known as a local machine administrator) or a member of the SharePoint administrators group, rather than a member of a site's Administrator site group.

For a complete list of user rights and to see which are included in each site group by default, see User Rights and Site Groups.

Customizing Rights for Site Groups

You can create a new site group or customize an existing site group (except for the Guest and Administrator site groups, which cannot be customized) to include only the rights you want. For example, if you want only the Web Designers to be able to edit lists on the site, you can remove the Edit Items right from the Contributor site group.

Some rights depend on other rights. You must be able to view items before you can edit items. If a right is deleted from a site group, any rights dependent on that right are also deleted. For example, when the View Items right is deleted, the Add Items, Edit Items, and Delete Items rights are also deleted. In the same way, if you add a right that requires another right, the required right is also added. So, if you grant the Edit Items right to a user, the View Items right is granted automatically.

 Note   For more information about dependencies in user rights, see User Rights and Site Groups.

Security and User Rights

User rights grant users the ability to perform certain actions on a Web site, and restrict other users from performing those actions. Some rights do not completely restrict certain actions. The Apply Themes and Borders and Apply Style Sheets rights allow users to make changes to an entire Web site. Any user with the Add and Customize Pages right, however, can perform the same changes on a page-by-page basis in the actual HTML code. Be aware that if you give a user the Add and Customize Pages right (by assigning them to a site group that contains the right), you are also giving them the ability to change the theme, border, and style sheets for individual pages in your Web site.

When you assign rights to site groups, be sure that you assign the appropriate rights, and do not unintentionally allow members of the site group to perform more actions that you want on your Web site. Conversely, be sure that members of the site group are not unintentionally restricted from performing the actions they need to perform.

Using HTML Administration Pages to Manage Site Groups

You can manage site groups from the Site Administration page for your Web site. To manage site groups, follow the Manage site groups link on the Site Administration page to the Manage Site Groups page. On this page, you can view a list of site groups, change which rights are included in a site group, add a new site group, or delete a site group.

View a list of site groups
  1. On the Site Settings page for your Web site, under Administration, click Go to Site Administration.
  2. On the Site Administration page, under Users and Permissions, click Manage site groups.

The site groups available for the Web site are displayed on the Manage Site Groups page.

You can add new site groups for use on your site from the Manage Site Groups page.

Add a new site group
  1. On the Manage Site Groups page, click Add a Site Group.
  2. In the Site Group Name and Description area, type the name and description for your new site group.
  3. In the Rights area, select the rights you want to include in the new site group.
  4. Click Create Site Group.

You can create a new site group based on an existing site group, and even copy the members of the existing site group into your new site group.

Copy an existing site group
  1. On the Manage Site Groups page, click the site group you want to copy.
  2. On the Members of "Site group name" page, click Edit Site Group Permissions.
  3. On the Edit Site Group "Site group name" page, click Copy Site Group.
  4. On the Copy the Site Group "Site group name" page, in the Site Group Name and Description area, type the name and description for your new site group.
  5. If you want to copy the users from the existing site group into your new site group, select the Copy users from "site group name" check box.
  6. In the Rights area, select any additional rights that you want the site group to contain, and clear any rights that you do not want the site group to contain.
  7. Click Create Site Group.

You can also edit an existing site group to change the rights assigned to that site group.

Edit an existing site group
  1. On the Manage Site Groups page, click the site group you want to change.
  2. On the Members of "Site group name" page, click Edit Site Group Permissions.
  3. On the Edit Site Group "Site group name" page, select the rights you want to include and clear any rights that you do not want.
  4. Click OK.

If you find that a site group is not used, you can delete the site group.

Delete an existing site group
  1. On the Manage Site Groups page, select the check box next to the site group you want to delete.
  2. Click Delete Selected Site Groups.

Using the Command Line to View Site Groups

You can view the list of site groups from the command line in Windows SharePoint Services by using the enumroles operation. This operation takes the -url parameter, and then simply lists the names of the site groups for that Uniform Resource Locator (URL) (Uniform Resource Locator (URL): An address that specifies a protocol (such as HTTP or FTP) and a location of an object, document, World Wide Web page, or other destination on the Internet or an intranet. Example: http://www.microsoft.com/.), so you can use the correct site group name when assigning permissions to users. For example, to view the list of site groups for a site at http://myserver/site1, you would type the following command:

stsadm -o enumroles -url http://myserver/site1

Assigning Per-List Permissions

Windows SharePoint Services provides the ability to control permissions on a per-list basis. If you have sensitive information stored in a list, and you do not want to expose the information to all members of your site, you can set permissions for just that list to control which users can view, edit, or add items to that list. You can grant permissions to a list or document library to individual users, to groups of users, or to a site group. Per-list permissions work for any list or document library in a Web site based on Windows SharePoint Services (for example, Announcements, Tasks, Shared Documents, and so on).

List permissions can be changed by any user who has the Manage List Permissions right (by default, included in the Administrator site group) or Full Control permissions for that list. By default, all members of a Web site (all users assigned to a site group, except for the Guest site group) have access to all lists and document libraries on that Web site. Each site group has a predefined level of permissions for all lists and document libraries. The default list permissions are:

  • View items (given to the Reader site group by default)
  • View, insert, edit, delete items (given to the Contributor site group by default)
  • View, insert, edit, delete items; change list settings (given to the Web Designer site group by default)
  • View, insert, edit, delete items; change list settings; change list security

In addition, you can set advanced permissions, which allows you to grant any of the following rights for a user or site group:

  • Manage Lists (given to the Web Designer site group by default)
  • Manage List Permissions
  • Manage Personal Views (given to the Contributor site group by default)
  • Cancel Check-Out (applies only to document libraries; given to the Web Designer site group by default)
  • Add List Items, Edit List Items, and Delete List Items (given to the Contributor site group by default)
  • View List Items (given to the Reader site group by default)

 Note   Members of the Administrator site group always have the highest level of permissions for all lists and document libraries. You cannot change list or document library permissions for the Administrator site group. Also, any site group that has the View List Items right (such as Reader) can continue to see the list name, description, number of items, and time when the list was last modified, even though they cannot view the list contents directly.

To control permissions for a list, go to the list itself or to the Customize "Listname" page for the list.

View permissions for a list
  1. Navigate to the list, and then in the left pane, click Modify settings and columns.
  2. On the Customize "Listname" page, in the General Settings section, click Change permissions for this <list/document library>.

The Change Permissions:"Listname" page displays the users and groups that have access to the list, and shows the permissions level each user or group is assigned.

You can change the list permissions for all members of a particular site group by modifying that site group's permissions.

Change list permissions for a particular site group
  1. Navigate to the list, and then in the left pane, click Modify settings and columns.
  2. On the Customize "Listname" page, in the General Settings section, click Change permissions for this <list/document library>.
  3. Select the check box next to the site group you want to change.

For example, click the check box next to Web Designer to change the permissions for all members of the Web Designer site group.

  1. Click Edit Permissions of Selected Users.
  2. In the Choose Permissions section, select the level of permissions to allow, and then click OK.

You can also grant permissions to individual users, or to user groups, instead of to all members of a site group. Remember that when you grant a user or group permissions to a specific list in your site, they are added to the Guest site group if they are not already members of the site. Note that members of the Guest site group cannot navigate to a page within the site unless you give them the exact page URL.

Assign list permissions to a specific user or group
  1. Navigate to the list, and then in the left pane, click Modify settings and columns.
  2. On the Customize "Listname" page, in the General Settings section, click Change permissions for this <list/document library>.
  3. On the list toolbar, click Add Users.
  4. In the Step 1: Choose Users section, in the Users area, in the text box, type the network domain name (network domain name: A group of users in a network who share a common set of shared resources, such as server disk drives and printers. A large network may have several domains based upon the needs of each set of users.) or e-mail address for the user or group you want to assign permissions.
  5. In the Step 2: Choose Permissions section, under Permissions, select the level of permissions for the user or group, and then click Next.
  6. In the Step 3: Confirm Users section, verify that the e-mail address, user name, and display name for the user or group are correct.
  7. If you want to notify the user or group of their permissions with an e-mail message, in the Step 4: Send E-Mail section, select the Send the following e-mail to let these users know they've been added check box, and fill in the text you want to send.
  8. Click Finish.

If you want to restrict your list to a specific set of users, you must both grant access to the individual users and remove access from other site members.

Remove list permissions for a user, group, or site group
  1. Navigate to the list, and then in the left pane, click Modify settings and columns.
  2. On the Customize "Listname" page, in the General Settings section, click Change permissions for this <list/document library>.
  3. Select the check box next to the site group, user, or group you want to remove permissions for, and then click Remove Selected Users.

If you no longer want to use unique permissions for a particular list, you can reset the permissions to use the Web site's general permissions.

Reset permissions to the default state
  1. Navigate to the list, and then in the left pane, click Modify settings and columns.
  2. On the Customize "Listname" page, in the General Settings section, click Change permissions for this <list/document library>.
  3. Click Inherit permissions from the parent Web site.
  4. Click OK to change to inherited permissions.

 Note   The Inherit permissions from the parent Web site link does not appear unless the list permissions have already been customized.

Controlling Access for All Authenticated Users

If you want all authenticated users of your intranet to be able to access your Web site, rather than adding each user individually or in groups, you can configure your site to allow all users on your network rights to use the site. You can also specify which site group (either Reader or Contributor) to assign to all authenticated users.

Allow all authenticated users rights to a top-level Web site
  1. On your site, click Site Settings.
  2. Under Administration, click Go to Site Administration.
  3. On the Site Administration page, under Users and Permissions, click Manage anonymous access.
  4. In the All Authenticated Users section, under Allow all authenticated users to access site, select Yes.
  5. Under Assign these users to the following site group, select a site group.
  6. Click OK.

Controlling Anonymous Access to a Web Site

If you want users to be able to contribute to your site anonymously, you can configure your site to allow anonymous access. Anonymous access is used to allow users to browse sites without authenticating (a standard Internet scenario), respond anonymously to surveys, or even contribute to a list or document library anonymously.

Anonymous access relies on the anonymous user account on your Web server (Web server: A computer that hosts Web pages and responds to requests from browsers. Also known as an HTTP server, a Web server stores files whose URLs begin with http://.). This account is created and maintained by your Web server (Internet Information Services (IIS) (Internet Information Services (IIS): Software services from Microsoft that support Web site creation, configuration, and management, along with other Internet functions.)), not by Windows SharePoint Services. On IIS, the anonymous user account is usually IUSR_ComputerName. When you enable anonymous access in Windows SharePoint Services, you are enabling that user account for your Web site.

Enabling Anonymous Access

Anonymous access is disabled by default, and is controlled at the site level. If you want to allow anonymous access (such as for an Internet site, where you want visitors to be able to browse without authenticating), you must enable anonymous access by assigning rights to the anonymous user. To enable anonymous access, you must first be sure that IIS is configured to allow anonymous access, and then on the Site Administration pages for your Web site, you can enable anonymous access.

Allow anonymous access for a virtual server in Internet Information Services
  1. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
  2. Right-click the virtual server you want to enable anonymous access for, and then click Properties.
  3. Click the Directory Security tab.
  4. In the Authentication and access control section, click Edit.

The Authentication Methods dialog box appears.

  1. Select the Enable anonymous access check box.
  2. Click OK to close the Authentication Methods dialog box.
  3. Click OK to close the Properties dialog box.

You may need to restart IIS for this change to take effect. After anonymous access has been turned on for the virtual server in IIS, you can enable anonymous access for a specific top-level Web site.

Enable anonymous access for a top-level Web site
  1. On your site, click Site Settings.
  2. Under Administration, click Go to Site Administration.
  3. On the Site Administration page, under Users and Permissions, click Manage anonymous access.
  4. In the Anonymous Access section, select a level of access to allow:
    • Entire Web site
    • Lists and libraries
    • Nothing
  5. Click OK.

Per-List Permissions and Anonymous Access

You can control anonymous access for your entire site by using the Manage Anonymous Access page, or you can control anonymous access for specific lists by using the per-list permissions feature. If anonymous access is disabled for your site, it cannot be enabled for a particular list in the site.

Enable anonymous access for a list
  1. Verify that anonymous access is enabled for your site.
  2. Navigate to the list, and then in the left pane, click Modify settings and columns.
  3. On the Customize "Listname" page, in the General Settings section, click Change permissions for this <list/document library>.
  4. In the Action pane, click Change anonymous access.
  5. On the Change Anonymous Access Settings page, click the check box for the level of permissions that you want to grant to anonymous users.

 Note   If Internet Information Services (IIS) is not configured to allow anonymous access, these check boxes are unavailable.

  1. Click OK.

Creating Unique Permissions for a Subsite

When you create a subsite, you can choose whether to inherit the permissions from the parent Web site or to create unique permissions for your subsite. Depending on your choice, you get different results:

  • If you choose unique permissions, the default site groups are created (Guest, Reader, Contributor, Web Designer), but are not populated. The Administrator site group is also created, and the subsite creator is assigned to this site group. You can add users to the subsite and assign them to site groups, and they will have permissions only on your subsite, not on the parent Web site.
  • If you choose to inherit permissions, all of the security from the parent Web site is used for the subsite, with the exception of per-list permissions. If you add a user to a list, the user is added to the parent Web site.

Switching to a Different Permissions Model

If you set up your subsite with unique permissions, but find that you need to share permissions with your parent Web site instead, you can switch to inherited permissions. There are some drawbacks to making this switch, however, such as:

  • Switching from unique to inherited permissions is not reversible. The users and site groups from your subsite are deleted when you switch to inherited, and your subsite reverts to the permissions set for the parent Web site.
  • Items that have per-list permissions set lose those permissions. All lists revert to the site-wide permissions.

You can also switch from using inherited permissions to using unique permissions. In this case, the transition is simpler. The current permissions are duplicated when you switch, and the link to the parent Web site's permissions structure is broken. From that point on any changes you make to the permissions affect only the subsite. When you switch from inherited to unique permissions, per-list permission settings remain intact.

 Note   Switching between permissions models can create some strange scenarios. For example, any user who has the Create Subsites right can create a subsite. By default this right is included only in the Administrator site group, but if you assign it to another site group, members of that group can create subsites with unique permissions and become administrators of the new subsites. If such a user then chooses to switch to using the parent Web site's permissions, the user will no longer be an administrator of the subsite.

You use the Site Administration page for your subsite to switch to a different permissions model.

Set unique permissions by using HTML Administration pages
  1. On the subsite, click Site Settings.
  2. Under Administration, click Go to Site Administration.
  3. On the Site Administration page, under Users and Permissions, click Manage permission inheritance.
  4. In the Permissions section, select Use unique permissions.
  5. Click OK.

If you want to return to using the same permissions as the parent Web site, you can also change back by using HTML Administration pages.

Return to the parent Web site's permissions
  1. On the subsite, click Site Settings.
  2. Under Administration, click Go to Site Administration.
  3. On the Site Administration page, under Users and Permissions, click Manage permission inheritance.
  4. In the Permissions section, select Use the same permissions as the parent site.
  5. Click OK.
  6. Click OK to verify the change of permissions.

Managing Site Creation Rights

By default, when Self-Service Site Creation is enabled, all members of the Reader, Contributor, Web Designer, and Administrator site groups have the Use Self-Service Site Creation right. They can use this right to create a top-level Web site on a virtual server from the Create Web Site page. Another right, the Create Subsites right, is available to members of the Administrator site group by default. This right allows the user to create a subsite or a Workspace site from the Create page or the Manage Sites and Workspaces page.

You control which users have the Use Self-Service Site Creation right by changing the rights in a site group. You can control which users have the ability to create sites and Workspace sites by changing which site groups have the Create Subsites right, or by using the Configure Site and Workspace Creation page in Site Settings. You must be a member of the Administrator site group for a site to control these rights.

Specify which users can create subsites
  1. On a site, click Site Settings.
  2. On the Site Settings page, click Configure site and workspace creation.
  3. On the Configure Site and Workspace Creation page, select the check boxes next to the site groups you want to be able to create subsites.
  4. Click OK.

Related Topics

For information about assigning users to site groups, see Managing Users and Cross-Site Groups.

For more information about security, see Windows SharePoint Services Security Model.

For more information about Self-Service Site Creation, see Configuring Self-Service Site Creation.

 
 
Applies to:
Deployment Center 2003