About managing SharePoint groups and users

A fundamental responsibility concerning site security is to manage who can access resources on your site. Windows SharePoint Services 3.0 enables you, as a site owner, to control which users or groups of users can access your SharePoint sites. This effectively transfers the task of managing users from the server administrator to site owners.

Windows SharePoint Services 3.0 uses Windows users and domain groups and Windows authentication mechanisms to manage and authenticate users. As a site owner, you can either add Windows user accounts directly to your site or add them to SharePoint groups to manage user accounts at the top-level Web site or subsite level. Conversely, you can also remove Windows user accounts and domain groups from your site and SharePoint groups.

Inside an organization, this typically means that site owners select Windows user accounts and Windows security groups from the organization's list (typically users or groups on the Windows domain) and add them to the site or a SharePoint group of their choice. For example, SharePoint groups can contain Windows domain groups (such as domain name\Department_A, where domain name is the name of the Windows domain) or individual users with a user account on the local server or in a Windows domain (such as domain name\user name).

Default SharePoint groups

Three SharePoint groups are provided by default, as shown in the following table. Note that you can customize them by assigning them any permission level that you want, and you can also create new SharePoint groups with the permission levels that you want.

SharePoint group name    Default permission level
Site name Owners         Full Control
Site name Members        Contribute
Site name Visitors       Read

Note: Sites that are built on Windows SharePoint Services often have additional default SharePoint groups.

Customizing SharePoint groups

To meet the needs of your organization, many options are available for customizing SharePoint groups. For example, you can:

  • Create a new SharePoint group or customize an existing one to include only the permission levels you want (except for the Limited Access permission level). Note that you can also create custom permission levels which you can then assign to your SharePoint groups.

    Notes

      • If your organization has people who should all have the same permissions on one or more securable objects, you should consider creating a SharePoint group for them. For example, you could create a SharePoint group for leads called SharePoint Leads, and one for analysts called SharePoint Analysts, and so on.
      • Anyone assigned a permission level that includes the Create Groups permission can create new SharePoint groups. Site collection administrators and site owners have this permission, by default.

  • Delete an unneeded SharePoint group.
  • Add Windows user accounts and Windows security groups to your SharePoint groups.
  • Remove Windows user accounts and Windows security groups from your SharePoint groups.

Note: Although you can, for example, assign the Design permission level to the Site name Readers SharePoint group, it is more practical to create a new custom SharePoint group and assign the permission level you need to that new group. This way, you won't have SharePoint group names that imply a different permission level than they actually have.

Assigning users and groups

If the purpose of your Web site is for members of a particular workgroup to share documents and information, you typically add members of that workgroup (that is, their Windows user accounts or Windows groups) to an appropriate SharePoint group on your site. For example, you can add workgroup members that you want to allow to contribute to your Web site to the Site name Members SharePoint group. This way they can add documents and update lists. You can also add other members of the workgroup to the Site name Visitors SharePoint group so that they can read documents and view lists, but not contribute to the site. You might also want help managing the site, so you can assign some members to the Site name Owners SharePoint group.

In addition to adding Windows user accounts and domain groups to SharePoint groups, you can also add them directly to your site. Users that you add directly to your site can be individually granted permission to a securable object on your site. Although this might work for a small number of users, individually assigning users to securable objects and individually assigning a permission level to each user can quickly become difficult and time-consuming to manage. Therefore, we recommend that you use SharePoint groups when working with a large number of securable objects.
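
One way to check a site against this recommendation, as an added example that is not part of the original article: the PowerShell script below uses the Windows SharePoint Services 3.0 server object model to list the Windows users and Windows groups that hold a permission level directly, on the site or on a list with unique permissions, instead of through a SharePoint group. The site URL is a placeholder, the function name is made up for this example, and PowerShell 2.0 or later running on the SharePoint server is assumed.

```powershell
# Added example (not from the original article): audit direct permission assignments.
# Assumptions: run on the SharePoint server with rights to read site permissions;
# the default URL below is a placeholder.
param(
    [string]$SiteUrl = "http://sharepoint.example/sites/team"
)

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

# Emit one record per role assignment on a securable object (site or list).
function Get-RoleAssignmentReport($Securable, [string]$Scope) {
    foreach ($ra in $Securable.RoleAssignments) {
        $member = $ra.Member
        if ($member -is [Microsoft.SharePoint.SPGroup]) {
            $kind = "SharePoint group"
        } elseif ($member.IsDomainGroup) {
            $kind = "Windows group (direct)"
        } else {
            $kind = "Windows user (direct)"
        }
        # Permission levels bound to this principal, for example "Contribute"
        $levels = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
        New-Object PSObject -Property @{
            Scope = $Scope; Principal = $member.Name; Kind = $kind; Levels = $levels
        }
    }
}

$site = New-Object Microsoft.SharePoint.SPSite($SiteUrl)
$web  = $site.OpenWeb()
try {
    $report = @(Get-RoleAssignmentReport $web "Site: $($web.Url)")
    # Lists that inherit permissions repeat the site's assignments, so skip them.
    foreach ($list in $web.Lists) {
        if ($list.HasUniqueRoleAssignments) {
            $report += @(Get-RoleAssignmentReport $list "List: $($list.Title)")
        }
    }
    # Anything not granted through a SharePoint group is a candidate for cleanup.
    $report | Where-Object { $_.Kind -ne "SharePoint group" } |
        Sort-Object Scope, Principal |
        Format-Table Scope, Principal, Kind, Levels -AutoSize
}
finally {
    $web.Dispose()
    $site.Dispose()
}
```

Accounts that appear only with the Limited Access permission level were given it automatically because they have access to something inside the site, so review those entries at the object where the real permission was granted.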

 
 
Applies to:
SharePoint Server 2007, Windows SharePoint Services 3.0