An overview of SharePoint 2010 security including best practices related to Permission Levels and how to create custom permission levels via the SharePoint interface and PowerShell.
Creating Permission Levels
Tony Rockwell
SharePoint Saturday Silicon Valley, June 2, 2012
House Keeping
• Thank our Sponsors!
• This is an Interactive Session
#SPSSV #PermissionLevels
Who?
• Tony Rockwell
• About me:
– 20+ years in IT
– 5 years focused on SharePoint
– MCTS SharePoint 2010 Configuration
• Email: [email protected]
• Twitter: @sharepoinTony
• Blog: http://sharepoinTony.info/blog
• San Diego SharePoint Users Group: www.sanspug.org
• SharePoint Administration
• Installation; Configuration; Upgrades
• Enable OOTB features
• Implement 3rd party tools
• Sr. Solution Analyst at EPM Live
• SharePoint-based project and work management solutions that help organizations increase productivity by improving visibility, execution and collaboration on all types of work.
• PortfolioEngine
• WorkEngine
• ProjectEngine
• EPM Live is the Global Leader in SharePoint-based Project, Portfolio and Work Management Solutions
• Experience: Project Management consulting since 1999
• Standards: Best practices embedded
• Fast: Pre-built solutions so you can get started today
• Low Risk: Start online today and deploy onsite at any time
• Proven: Built using 100% Microsoft based software
Deployment Services | Professional Services | Online Services
www.emplive.com
Agenda
• SharePoint Security
– Why create custom permission levels?
– Inheritance
– Best Practices
• Permission Level Scenario
• How-To using the SharePoint interface
• How-To using PowerShell
• References
SharePoint Security
• Why create custom permission levels?
– Because security matters to you
– Ease security administration
– Enable refined security
• Terminology
– Farm Administrator
– Service Application Administrator
– Feature Administrator
– Site Collection Administrator
– Permission Levels
– Users
– Groups
– Securable Objects
– Inheritance & Scopes
Inheritance & Scopes
(Diagram: a hierarchy of securable objects, from the Site Collection down through a Web Object, a Document Library Object and a Folder Web Object to individual Items, with two labelled permission scopes, Scope 1 and Scope 2.)
SharePoint Security
• Best Practices
– Use fine-grained permissions only when the business case requires it
– Break permission inheritance as infrequently as possible
– Use domain groups to assign permissions to sites
– Assign permissions at the highest level possible
– Don't modify or delete a default permission level
  • Copy a default permission level & modify the copy instead
– The maximum number of unique security scopes set for a list should not exceed 1,000
– Use group membership rather than individual membership in your scopes
Required Administrative Credentials
• You are a member of the Administrators group for the site collection
• You are a member of the Owners group for the site
• You have the Manage Permissions permission
• If you use PowerShell you also need the SharePoint_Shell_Access role in the SQL database
Scenario
• Each department in the company owns a site
• The department site owner manages the site but delegates permissions to an admin assistant
• The admin assistant should not modify the site, pages, etc., only add/remove (manage) users
• The admin assistant should also have standard "Contribute" access to the site
How-to: SharePoint interface
1. Navigate to the top-level site
2. Site Actions > Site Permissions (or Site Settings for Publishing)
3. Click on Permission Levels in the Ribbon
4. Select the permission level to copy: Contribute
5. Scroll down & select Copy Permission Level
6. Name the new permission level (User Manager) & enter a description (e.g. "Use this permission to Manage Users")
7. Select the desired permissions: check Enumerate Permissions (Manage will auto-select; deselect it)
8. Scroll down & click Create
The custom permission level is ready to use!
• Create a SharePoint group for each department, e.g. "Accounting User Managers"
• Give the group the "User Manager" permission level
• Make the Site Owner or SCA the owner of this SP group
• Change the owner of the Member & Visitor groups
How-to: PowerShell
Open the site
    PS > $spWeb = Get-SPWeb http://sharepoint.contoso.com
Create a new object
    PS > $plevel = New-Object Microsoft.SharePoint.SPRoleDefinition
Add name and description
    PS > $plevel.Name = "Custom: User Manager"
    PS > $plevel.Description = "Enumerate Permissions"
Set the base permissions
    PS > $plevel.BasePermissions = "EnumeratePermissions"
Add the permission level to your site
    PS > $spWeb.RoleDefinitions.Add($plevel)
Clean up
    PS > $spWeb.Dispose()
See base permissions that are available
    PS > [system.enum]::GetNames("Microsoft.SharePoint.SPBasePermissions")
    EmptyMask ViewListItems AddListItems EditListItems DeleteListItems ApproveItems
    OpenItems ViewVersions DeleteVersions CancelCheckout ManagePersonalViews
    ManageLists ViewFormPages Open ViewPages AddAndCustomizePages ApplyThemeAndBorder
    ApplyStyleSheets ViewUsageData CreateSSCSite ManageSubwebs CreateGroups
    ManagePermissions BrowseDirectories BrowseUserInfo AddDelPrivateWebParts
    UpdatePersonalWebParts ManageWeb UseClientIntegration UseRemoteAPIs ManageAlerts
    CreateAlerts EditMyUserInfo EnumeratePermissions FullMask
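The deck's snippet builds the level from an empty SPRoleDefinition with only EnumeratePermissions, whereas the scenario and the interface how-to want Contribute plus Enumerate Permissions. The following script is an added example, not the deck's own code: it copies the Contribute mask, ORs in EnumeratePermissions (SPBasePermissions is a [Flags] enum), refuses to run on a web that inherits its permission levels, and checks that no site-modifying right crept into the mask. It assumes the SharePoint PowerShell snap-in and the deck's example URL http://sharepoint.contoso.com.

```powershell
# Added example (not from the original deck). Assumes the Microsoft.SharePoint.PowerShell
# snap-in is available and that http://sharepoint.contoso.com is the root web.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl   = "http://sharepoint.contoso.com"
$levelName = "Custom: User Manager"

$spWeb = Get-SPWeb $siteUrl
try {
    # Permission levels can only be added where they are unique: the root web,
    # or a web whose role-definition inheritance has been broken.
    if (-not $spWeb.HasUniqueRoleDefinitions) {
        throw "$siteUrl inherits its permission levels; run this on the root web instead."
    }
    if ($spWeb.RoleDefinitions | Where-Object { $_.Name -eq $levelName }) {
        throw "Permission level '$levelName' already exists."
    }

    # Best practice from the deck: never modify the default level, copy it.
    $contribute = $spWeb.RoleDefinitions | Where-Object { $_.Name -eq "Contribute" }
    if (-not $contribute) { throw "Default 'Contribute' level not found on $siteUrl." }

    $plevel = New-Object Microsoft.SharePoint.SPRoleDefinition
    $plevel.Name        = $levelName
    $plevel.Description = "Contribute plus Enumerate Permissions, for delegated user management"
    # SPBasePermissions is a bit mask, so the two sets are combined with -bor.
    $plevel.BasePermissions = ($contribute.BasePermissions -bor
        [Microsoft.SharePoint.SPBasePermissions]::EnumeratePermissions)

    $spWeb.RoleDefinitions.Add($plevel)
    Write-Host "Created '$levelName' with mask: $($plevel.BasePermissions)"

    # Defensive check: the scenario says the assistant must not be able to
    # change the site, so these rights must be absent from the new level.
    $created   = $spWeb.RoleDefinitions | Where-Object { $_.Name -eq $levelName }
    $forbidden = ([Microsoft.SharePoint.SPBasePermissions]::ManageWeb -bor
                  [Microsoft.SharePoint.SPBasePermissions]::AddAndCustomizePages -bor
                  [Microsoft.SharePoint.SPBasePermissions]::ManagePermissions)
    if (($created.BasePermissions -band $forbidden) -ne 0) {
        Write-Warning "'$levelName' grants site-modifying rights; review the mask before use."
    }
}
finally {
    # Always release the SPWeb, as the deck's Clean up step does.
    $spWeb.Dispose()
}
```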
Session wrap-up
• Questions
• Please complete a Session Survey
• Help me improve
• Help the organizers improve future events
• Win prizes
http://www.sharepointsaturday.org/sd
Join me June 30th, downtown at the San Diego Convention Center
Contact me @
• Email: [email protected]
• Twitter: @sharepoinTony
• Blog: http://sharepoinTony.info/blog
• LinkedIn: http://www.linkedin.com/in/ajrockwell
• San Diego SharePoint Users Group: www.sanspug.org
• REFERENCES:
– Technet - User Permissions and Permission Levels: http://technet.microsoft.com/en-us/library/cc721640.aspx
– SPBasePermissions - definitions: http://technet.microsoft.com/en-us/library/microsoft.sharepoint.spbasepermissions(v=office.12).aspx
– SP Permission Inheritance: http://technet.microsoft.com/en-us/library/cc287792(v=office.12).aspx
– Best Practices for Fine-grained Permissions (White Paper): http://technet.microsoft.com/en-us/library/gg130816(v=office.12).aspx
– Best Practices Center for SharePoint 2010: http://technet.microsoft.com/en-us/sharepoint/hh189420
Don't Forget SharePint
Join us right after the event at Firehouse Grill for a free drink, kindly provided by AvePoint and Rackspace! 1765 East Bayshore Road, East Palo Alto, CA 94303 (next to Nordstrom Rack).
Thanks to Our Sponsors