About security features of Windows SharePoint Services 3.0

Windows SharePoint Services 3.0 provides security features that you as a site owner can use to help control access to and authorization on your sites. By using these security features, site owners — instead of server administrators — control who can access the site, and site owners specify what permissions are assigned to users for particular entities.

 Note   Site collection administrators have access to and control over all sites in the site collection. This means that they can perform the same actions as site owners, but on any site in the site collection.

Regardless of what type of site you have, the security and permissions for your site include the following elements.

  • User    A person with a user account that can be authenticated through the authentication method used on the Web server. Users can be added directly to a securable object or indirectly by adding them to a SharePoint group which is then added to a securable object. Although users do not have to be part of a SharePoint group, it is much easier to manage permissions for SharePoint groups than for a large number of users. On the other hand, you might find it easier to directly manage permissions for a small number of users than to manage SharePoint groups.
  • Domain group    A group defined by the authentication system. For example, Windows security groups for Windows authentication and ASP.NET role manager groups for Forms authentication are two types of domain groups.
  • SharePoint group    A group of users that you can create on a SharePoint site to manage permissions to the site and to provide an e-mail distribution list for site members. All SharePoint groups are created at the site collection level and are available to any subsite in the site collection. However, you can choose to create a SharePoint group that only has permissions on a particular subsite. SharePoint groups can contain Windows security groups (such as Department_A), ASP.NET Forms authentication groups (such as All_Managers), and individual users with a user account on the local server or a Windows domain. Although sites that are built on Windows SharePoint Services often have additional default SharePoint groups, Windows SharePoint Services 3.0 provides three default SharePoint groups: Site name Owners, Site name Members, and Site name Readers. Each of these SharePoint groups is associated with a default permission level, but you can change the permission level for any SharePoint group as needed. Anyone assigned a permission level that includes the Create Groups permission can create custom SharePoint groups.

Members of the Site name Owners group for a top-level Web site can control more options than site owners of a subsite. For example, they can perform actions such as specifying settings for Web document discussions or alerts and viewing usage and quota data.

By default, Windows SharePoint Services 3.0 creates three SharePoint groups with default permissions on the top-level site. Members of the Site name Owners SharePoint group have Full Control permissions, members of the Site name Members SharePoint group have Contribute permissions, and members of the Site name Visitors SharePoint group have Read permissions.

It is typically easier to manage permissions by using SharePoint groups rather than directly assigning permissions to individual users. For example, you can add all the managers in your organization to a Managers SharePoint group that you created. You want these managers to have read and write access on subsite 1, read-only access on subsite 2, and full control access on subsite 3. You can accomplish this by assigning the permissions you want for the Managers SharePoint group separately on each subsite. Note that these permission assignments only need to be done one time. Because SharePoint groups exist at the site collection level, you can add users to or remove users from a particular SharePoint group in one place. As managers join the team, you can add them to the Managers SharePoint group without needing to specify the permissions they have on different sites, because you have already assigned the permissions you want for this SharePoint group for all three sites. On the other hand, if you choose to add each manager directly to a site instead of using a SharePoint group, you must assign each manager the appropriate permissions on each of the three sites.

 Note   In earlier versions of Windows SharePoint Services, SharePoint groups were called cross-site groups.

  • Permission    Authorization to perform specific actions such as viewing pages, opening items, and creating subsites. Windows SharePoint Services 3.0 provides 33 pre-defined permissions that you can use to allow users to perform specific actions. For example, users assigned the View Items permission can view items in a list. Each permission has one of the following characteristics: List, Site, or Personal. Permissions are not assigned directly to users or SharePoint groups. Instead, permissions are assigned to one or more permission levels, which are in turn assigned to users and SharePoint groups. Each permission can be included in multiple permission levels.

 Note   Server administrators can use Central Administration to restrict which permissions are available to site collections. If a particular permission is not available on your site, talk to your server administrator.

 Note   In earlier versions of Windows SharePoint Services, permissions were called rights.

  • Permission level    A set of permissions that can be granted to users or SharePoint groups on a securable object such as a site, library, list, folder, item, or document. Permission levels enable you to assign a set of permissions to users and SharePoint groups so that they can perform specific actions on your site. With permission levels, you can control which permissions are granted to users and SharePoint groups on your site. For example, by default, the Read permission level includes the View Items, Open Items, View Pages, and View Versions permissions (among others), all of which are needed to read documents, items, and pages on a SharePoint site.

The following permission levels are provided by default: Full Control, Design, Contribute, Read, Limited Access. Anyone assigned to a permission level that includes the Manage Permissions permission can customize permission levels (except for the Full Control and Limited Access permission levels), or create new ones. Site Owners are assigned the Manage Permissions permission, by default.

 Note   In earlier versions of Windows SharePoint Services, permission levels were called site groups.

  • Securable object    An object on which permissions can be configured, such as a site, list, library, folder within a list or library, list item, or document. Permissions for users and SharePoint groups can be assigned to a specific securable object. By default, SharePoint groups and users are assigned permissions at the site level, and the lower-level securable objects (list, library, folder within a list or library, list item, and document) inherit permissions from the site level. Anyone assigned a permission level that includes the Manage Permissions permission can edit the permissions for any securable object. Site Owners have this permission by default.
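
The following added example (not part of the original article, and not the SharePoint object model) models the chain described above: users and SharePoint groups receive permission levels on securable objects, and objects without their own assignments inherit from their parent. The user names, site paths, the abbreviated permission sets, and the mapping of "read and write access" to the Contribute level are assumptions made for illustration.

```python
# Simplified model of the chain described in the article; this is not the
# SharePoint object model. Level contents are an abbreviated, assumed subset.
READ = {"View Items", "Open Items", "View Pages", "View Versions"}
PERMISSION_LEVELS = {
    "Read": READ,
    "Contribute": READ | {"Add Items", "Edit Items", "Delete Items"},
    "Full Control": READ | {"Add Items", "Edit Items", "Delete Items",
                            "Manage Permissions", "Create Groups"},
}

# SharePoint groups exist once, at the site collection level (constructed data).
GROUPS = {"Managers": {"alice", "bob"}}

# Securable object -> (parent, own role assignments or None when inheriting).
# A role assignment maps a principal (group or user) to permission levels.
OBJECTS = {
    "top": (None, {"Managers": {"Read"}}),
    "top/subsite1": ("top", {"Managers": {"Contribute"}}),
    "top/subsite2": ("top", {"Managers": {"Read"}}),
    "top/subsite3": ("top", {"Managers": {"Full Control"}, "carol": {"Read"}}),
    "top/subsite1/Docs": ("top/subsite1", None),  # library inheriting from its site
}

def assignments_for(obj):
    """Follow inheritance up to the nearest object with its own assignments."""
    parent, own = OBJECTS[obj]
    while own is None:
        parent, own = OBJECTS[parent]
    return own

def effective_permissions(user, obj):
    """Union of permissions from every level granted directly or via a group."""
    perms = set()
    for principal, levels in assignments_for(obj).items():
        if principal == user or user in GROUPS.get(principal, set()):
            for level in levels:
                perms |= PERMISSION_LEVELS[level]
    return perms

def add_to_group(group, user):
    """One membership change; no per-site permission edits are needed."""
    GROUPS[group].add(user)

def direct_user_assignments():
    """Audit helper: principals assigned directly instead of through a group."""
    return sorted((obj, p) for obj, (_, own) in OBJECTS.items()
                  if own for p in own if p not in GROUPS)
```

Calling add_to_group("Managers", "dave") gives dave the Managers permissions on all three subsites at once, while direct_user_assignments() lists the per-user grants that would each need separate maintenance.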
 
 
Applies to:
Windows SharePoint Services 3.0