
Creating Permission Levels


DESCRIPTION

An overview of SharePoint 2010 security including best practices related to Permission Levels and how to create custom permission levels via the SharePoint interface and PowerShell.


Page 1: Creating Permission Levels
Page 2: Creating Permission Levels

Creating Permission Levels
Tony Rockwell
SharePoint Saturday Silicon Valley
June 2, 2012

Page 3: Creating Permission Levels

House Keeping

• Thank our Sponsors!
• This is an Interactive Session

#SPSSV #PermissionLevels

Page 4: Creating Permission Levels

Who?

• Tony Rockwell
• About me:
– 20+ years in IT
– 5 years focused on SharePoint
– MCTS SharePoint 2010 Configuration
• Email: [email protected]
• Twitter: @sharepoinTony
• Blog: http://sharepoinTony.info/blog
• San Diego SharePoint Users Group: www.sanspug.org

• SharePoint Administration
• Installation; Configuration; Upgrades
• Enable OOTB features
• Implement 3rd party tools

• Sr. Solution Analyst at EPM Live
• SharePoint-based project and work management solutions that help organizations increase productivity by improving visibility, execution and collaboration on all types of work.
• PortfolioEngine
• WorkEngine
• ProjectEngine

Page 5: Creating Permission Levels

• EPM Live is the Global Leader in SharePoint-based Project, Portfolio and Work Management Solutions
• Experience: Project Management consulting since 1999
• Standards: Best practices embedded
• Fast: Pre-built solutions so you can get started today
• Low Risk: Start online today and deploy onsite at anytime
• Proven: Built using 100% Microsoft based software

Deployment Services | Professional Services | Online Services
www.emplive.com

Page 6: Creating Permission Levels

Agenda

• SharePoint Security
– Why create custom permission levels?
– Inheritance
– Best Practices
• Permission Level Scenario
• How-To using the SharePoint interface
• How-To using PowerShell
• References

Page 7: Creating Permission Levels

SharePoint Security

• Why create custom permission levels?
– Because security matters to you
– Ease security administration
– Enable refined security
• Terminology
– Farm Administrator
– Service Application Administrator
– Feature Administrator
– Site Collection Administrator
– Permission Levels
– Users
– Groups
– Securable Objects
– Inheritance & Scopes

Page 8: Creating Permission Levels

Inheritance & Scopes

[Diagram: securable-object hierarchy (Site Collection > Web Object > Document Library Object > Folder Web Object > Item), with two permission scopes marked Scope 1 and Scope 2]

Page 9: Creating Permission Levels

SharePoint Security

• Best Practices
– Use fine-grained permissions only when business case requires it
– Break permission inheritance as infrequently as possible
– Use domain groups to assign permissions to sites
– Assign permissions at the highest level possible
– Don’t modify or delete a default permission level
  • Copy a default permission level & modify it
– The maximum # of unique security scopes set for a list should not exceed 1,000
– Use group membership rather than individual membership in your scopes

Page 10: Creating Permission Levels

Required Administrative Credentials

• You are a member of the Administrators group for the site collection
• You are a member of the Owners group for the site
• You have the Manage Permissions permission
• If you use PowerShell you also need the SharePoint_Shell_Access role in the SQL db

Page 11: Creating Permission Levels

Scenario

• Each department in the company owns a site
• The department site owner manages the site but delegates permissions to an admin assistant
• The admin assistant should not modify the site, pages, etc., only add/remove (manage) users
• The admin assistant should also have standard “Contribute” access to the site

Page 12: Creating Permission Levels

How-to: SharePoint interface

1. Navigate to top-level site
2. Site Actions > Site Permissions (or Site Settings for Publishing)
3. Click on Permission Levels in the Ribbon
4. Select the permission level to copy – Contribute
5. Scroll down & select Copy Permission Level

Page 13: Creating Permission Levels

How-to: SharePoint interface

6. Name the new permission level (User Manager) & enter a description (i.e. “Use this permission to Manage Users”)
7. Select desired permissions – Check Enumerate Permissions (Manage will auto-select, Deselect it)
8. Scroll down & click Create

The custom permission level is ready to use!
• Create a SharePoint group for each department; “Accounting User Managers”
• Give the group the “User Manager” permission level
• Make the owner of this SP Group, the Site Owner or SCA
• Change the owner of the Member & Visitor groups

Page 14: Creating Permission Levels

How-to: PowerShell

PS > $spWeb = Get-SPWeb http://sharepoint.contoso.com

Create a new object
PS > $plevel = New-Object Microsoft.SharePoint.SPRoleDefinition

Add name and description
PS > $plevel.Name = "Custom: User Manager"
PS > $plevel.Description = "Enumerate Permissions"

Set the base permissions
PS > $plevel.BasePermissions = "EnumeratePermissions"

Page 15: Creating Permission Levels

How-to: PowerShell

Add the permission level to your site
PS > $spWeb.RoleDefinitions.Add($plevel)

Clean up
PS > $spWeb.Dispose()

See base permissions that are available
PS > [system.enum]::GetNames("Microsoft.SharePoint.SPBasePermissions")
EmptyMask
ViewListItems
AddListItems
EditListItems
DeleteListItems
ApproveItems
OpenItems
ViewVersions
DeleteVersions
CancelCheckout
ManagePersonalViews
ManageLists
ViewFormPages
Open
ViewPages
AddAndCustomizePages
ApplyThemeAndBorder
ApplyStyleSheets
ViewUsageData
CreateSSCSite
ManageSubwebs
CreateGroups
ManagePermissions
BrowseDirectories
BrowseUserInfo
AddDelPrivateWebParts
UpdatePersonalWebParts
ManageWeb
UseClientIntegration
UseRemoteAPIs
ManageAlerts
CreateAlerts
EditMyUserInfo
EnumeratePermissions
FullMask
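The interface walkthrough copies Contribute and adds Enumerate Permissions, while the PowerShell on the slides sets only EnumeratePermissions. The script below is an added example, not from the original slides, that mirrors the interface steps and then creates the department group. The URL, level name and group name come from the slides; using the site collection owner as the group owner is an assumption.

```powershell
# Added example, not part of the original deck. Run in the SharePoint 2010
# Management Shell with the administrative credentials the deck lists.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$url       = "http://sharepoint.contoso.com"  # URL used on the slides
$levelName = "User Manager"                   # name from the interface how-to
$groupName = "Accounting User Managers"       # group named on the slides

$spWeb = Get-SPWeb $url
try {
    # Permission levels can only be added where they are defined, not on a
    # subsite that still inherits them from its parent.
    if (-not $spWeb.HasUniqueRoleDefinitions) {
        throw "$url inherits its permission levels; use the top-level site."
    }

    # Copy the default Contribute level instead of modifying it.
    $contribute = $spWeb.RoleDefinitions.GetByType(
        [Microsoft.SharePoint.SPRoleType]::Contributor)

    $plevel = $spWeb.RoleDefinitions | Where-Object { $_.Name -eq $levelName }
    if (-not $plevel) {
        $plevel = New-Object Microsoft.SharePoint.SPRoleDefinition
        $plevel.Name = $levelName
        $plevel.Description = "Use this permission to Manage Users"
        # SPBasePermissions is a flags enum; PowerShell parses the
        # comma-separated names back into a combined value.
        $plevel.BasePermissions = "$($contribute.BasePermissions), EnumeratePermissions"
        $spWeb.RoleDefinitions.Add($plevel)
        $plevel = $spWeb.RoleDefinitions[$levelName]
    }

    # Least-privilege check: the level must not carry ManagePermissions
    # (the interface how-to deselects Manage for the same reason).
    $granted = $plevel.BasePermissions.ToString() -split ',\s*'
    if ($granted -contains "ManagePermissions") {
        throw "'$levelName' includes ManagePermissions; review before assigning."
    }

    # Create the group (owner assumed: site collection owner) and bind the level.
    if (-not ($spWeb.SiteGroups | Where-Object { $_.Name -eq $groupName })) {
        $spWeb.SiteGroups.Add($groupName, $spWeb.Site.Owner, $null, "Manages users")
    }
    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($spWeb.SiteGroups[$groupName])
    $assignment.RoleDefinitionBindings.Add($plevel)
    $spWeb.RoleAssignments.Add($assignment)
}
finally {
    $spWeb.Dispose()   # always release the SPWeb, even on failure
}
```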

Page 16: Creating Permission Levels

Session wrap-up

• Questions
• Please complete a Session Survey
• Help me improve
• Help the organizers improve future events
• Win prizes

http://www.sharepointsaturday.org/sd

Join me June 30th, downtown at the San Diego Convention Center

Page 17: Creating Permission Levels

Contact me @

• Email: [email protected]
• Twitter: @sharepoinTony
• Blog: http://sharepoinTony.info/blog
• LinkedIn: http://www.linkedin.com/in/ajrockwell
• San Diego SharePoint Users Group: www.sanspug.org
• REFERENCES:
– Technet - User Permissions and Permission Levels
  http://technet.microsoft.com/en-us/library/cc721640.aspx
– Spbasepermissions - definitions
  http://technet.microsoft.com/en-us/library/microsoft.sharepoint.spbasepermissions(v=office.12).aspx
– SP Permission Inheritance
  http://technet.microsoft.com/en-us/library/cc287792(v=office.12).aspx
– Best Practices for Fine-grained Permissions (White Paper)
  http://technet.microsoft.com/en-us/library/gg130816(v=office.12).aspx
– Best Practices Center for SharePoint 2010
  http://technet.microsoft.com/en-us/sharepoint/hh189420

Page 18: Creating Permission Levels

Join us right after the event at Firehouse Grill for a free drink, kindly provided by AvePoint and Rackspace! 1765 East Bayshore Road East Palo Alto, CA 94303 (Next to Nordstrom Rack).

Drinks to be provided by…..

Don’t Forget SharePint

Page 19: Creating Permission Levels

Thanks to Our Sponsors