Export (0) Print
Expand All

Plan for security roles (Office SharePoint Server)

SharePoint 2007

Updated: April 23, 2009

Applies To: Office SharePoint Server 2007

 

Topic Last Modified: 2009-04-17

In this article:

One of the new features in Microsoft Office SharePoint Server 2007 is a three-tier administrative model that centralizes configuration and management tasks, enables administrative roles to be differentiated, and administration to be delegated and assigned to the appropriate people in your organization. The enhancements in the administrative model can help IT organizations perform administrative tasks more efficiently and effectively. You can use the administrative model and SharePoint groups to give only the permissions that are necessary to perform specific tasks based on specific roles in your organization. To more effectively work within the three-tier administrative model, many organizations designate specific administrative roles within each tier. This article discusses administrative roles within each tier that you can use to help administer your solution.

The following list describes each administrative tier.

  • Tier 1: Farm-level administrators   Administrators in this tier are the top-level administrators and have permissions to and responsibility for all servers and farm-level services in the server farm. Members can perform all administrative tasks in the SharePoint Central Administration Web site for the server or server farm.

  • Tier 2: Shared service-level administrators   Administrators in this tier are responsible for administering or for assigning administration of shared services. The following list and table describe the roles in this category:

    • Site collection administrator for the Shared Services Administration site    Has the Full Control permission level on the Shared Services Administration site and permissions to manage all shared services except People and Business Data Catalog.

      NoteNote:
      Only the account designated as the site collection administrator when the Shared Services Administration site is created is automatically granted administrative permissions to the People and Business Data Catalog shared services.
    • Shared service administrators   Added as users by the site collection administrator for the Shared Services Administration site and granted permissions associated with one or more shared services.

      The following table introduces the tier-2 security roles and permissions that are required to administer or manage a shared service. For complete descriptions of each role, see Shared service-level administration later in this article.

       

      Role name Minimum permission required Description

      Site collection administrator for the Shared Services Administration site

      Membership in the site collection administrators group on the Shared Services Administration site

      The user account that installed Office SharePoint Server 2007 can administer all settings in the Shared Services Administration site. User accounts that are granted membership after installation cannot access the following pages unless specifically granted access to those pages:

      • User profiles and properties.

      • Profile services policies.

      • My Site settings.

      Search service administrator

      Read or higher permission level on the Shared Services Administration site

      Can administer all search settings in the SSP.

      User profiles manager

      Manage User Profiles permission for Profile Services

      Can add import connections, manage user profiles, and configure My Site settings.

      Audiences manager

      Manage Audiences permission for Profile Services

      Can manage audiences settings in the SSP.

      Business Data Catalog manager

      Edit or Edit and Execute permissions for the Business Data Catalog

      Can import application definitions to the Business Data Catalog, select entities and properties for use in SharePoint sites and lists, and optionally execute methods against entity instances.

      Permissions manager for the Business Data Catalog

      Set Permissions permission for the Business Data Catalog

      Can manage permissions for the Business Data Catalog.

      Permissions manager for Profile Services

      Manage Permissions permission for Profile Services

      Can manage permissions for Profile Services.

      Excel Services administrator

      Read or higher permission level on the Shared Services Administration site.

      Can administer all Excel Services settings in the SSP.

      Usage reporting manager

      Manage Usage Analytics permission for Profile Services.

      Can administer usage reporting settings in the SSP.

  • Tier 3: Site collection administrators   Site collection administrators have the Full Control permission level on their site collections.

For more information about the three-tier administrative model, see What's new for IT professionals in Office SharePoint Server 2007.

Office SharePoint Server 2007 provides flexibility in how you assign administrative roles. In a centralized management model, you can assign many roles to one or two people in your organization. Alternatively, in a distributed management model, you can delegate specific roles to different people in your organization.

Farm-level administration typically is performed by the following roles:

  • Farm administrators

  • Single sign-on administrators (includes Enterprise application definition administrators)

  • Server-level administrators

The farm administrator has permissions to and responsibility for all servers in the server farm. The Farm Administrators SharePoint group replaces the SharePoint Administrators group that was used in Windows SharePoint Services version 2.0. Members of the Farm Administrators group do not need to be added to the Administrators group for each server. Farm administrators are members of the WSS_WPG and WSS_RESTRICTED_WPG groups on the computers where Central Administration is hosted and have the Full Control permission level on all servers in the environment. By default, members of the Administrators group are members of the Farm Administrators SharePoint group.

Members of the Farm Administrators group have broad ability to manage the Central Administration site, but are restricted in performing some actions (that is, create Internet Information Services (IIS) Web sites, create or delete SharePoint Web applications, update account passwords or Windows services) due to certain constraints in IIS and the Microsoft .NET Framework. Members of the Farm Administrators group have no administrative access to individual sites or their content by default. However, they can take control of a specific site collection to view any content. For example, if a site collection administrator leaves the organization and a new administrator must be added, farm administrators can add themselves as site collection administrators, which action is recorded in the audit logs. As a best practice, we recommend that you remove farm administrators' permissions to the site collection after the necessary site-level activity is completed. The Farm Administrators group is used in Central Administration only, and is not available for any sites.

NoteNote:
Although anyone with the Full Control permission level on the Central Administration site can delete the SSP Web application from the Central Administration site, doing so is strongly discouraged because it renders the SSP non-functional. If the Web application is deleted, the only resolution is to restore the SSP from a recent backup. For more information about how to restore from a backup, see Back up and restore an entire farm (Office SharePoint Server 2007).
NoteNote:
Carefully choose to whom you grant memberships in the Administrators group on the local database server computer and to whom you grant memberships in fixed database roles and fixed server roles in Microsoft SQL Server. This is because this group and these roles have the Full Control permission level on the SharePoint Products and Technologies configuration database.

The following table lists tasks that members of the Farm Administrators group can perform.

 

SharePoint group Does role exist by default? Can do this Cannot do this

Farm Administrators

Yes

Perform administrative tasks in Central Administration.

Take ownership of any content site.

Administer individual sites or site content unless they take ownership.

Administer My Sites.

Access the Shared Services Administration site.

Create or delete SharePoint Web applications.

Update the accounts or passwords for existing Web applications and NT services.

Deploy solutions that require updating the global assembly cache (GAC).

Restore from backup.

For more information about the Farm Administrators group, see Choose administrators and owners for the administration hierarchy (Office SharePoint Server).

Single sign-on (SSO) administrators set up, configure, and manage SSO accounts, back up the encryption key, and create and change the encryption key. For security reasons, SSO administrators are required to log on to the encryption-key server locally to set up, configure, and manage SSO and are prohibited from remotely managing SSO Server settings. The SSO administrator account can also back up the encryption key.

The following table describes the SSO administrator role.

 

SharePoint group Does role exist by default? Can do this Cannot do this

SSO Administrators

No. Need to enable the SSO service for administration to occur, and then the SharePoint group needs to be created.

Configure and manage the SSO service in Office SharePoint Server 2007, including managing the encryption key.

Create, modify, or delete enterprise application definitions within Office SharePoint Server 2007.

Redeem SSO tickets. In scenarios in which credentials pass through an intermediary service (such as Microsoft BizTalk Server) before reaching the enterprise application definition, this group is used to give intermediary services permissions to redeem SSO tickets.

Administer individual sites or site content.

Administer My Sites.

Use the Shared Services Administration Web site.

Use Central Administration.

For more information about single sign-on, see Plan for single sign-on.

In an SSO environment, the back-end external data sources and systems are referred to as enterprise applications. After the SSO environment is configured, you can create enterprise application definitions. Enterprise application definition administrators perform the following tasks:

  • Create, delete, and manage enterprise application definitions.

  • Update accounts and credentials that are used to access enterprise applications.

Enterprise application definition administrators can manage enterprise application definitions remotely. For additional information about enterprise application definitions, see the "Enterprise Application Definitions" section in Plan for single sign-on.

The following table describes the enterprise application definition administrator role.

 

SharePoint group Does role exist by default? Can do this Cannot do this

Enterprise application definition administrators

No. Need to enable the SSO service for administration to occur. Must be global group account or individual user account. This account cannot be a domain local group or a distribution list.

Create, manage, and delete enterprise application definitions.

Update enterprise application accounts and credentials.

Administer individual sites or content.

NoteNote:
Able to administer site only if Read permissions are explicitly granted. By default, Read permissions are not granted.

Administer My Sites.

Access the Shared Services Administration Web site.

Access Central Administration.

Members of the Administrators group on the local server computer are automatically added to the Farm Administrators SharePoint group and can perform all farm administrator actions. The Administrators group is a Windows group, not a SharePoint group, but the Administrators group on the local computer performs certain administrative tasks in Office SharePoint Server 2007. Like farm administrators, members of the Administrators group on the local computer have no administrative access to site content, by default. However, they can take control of specific site collections, if needed. To take control, they can add themselves as site collection administrators by using the Site Collection Administrators page in Central Administration.

The following table describes the server-level administrator role.

 

Group Does role exist by default? Can do this Cannot do this

Administrators

Yes. Windows group that exists by default; not a SharePoint group.

Install products.

Create new Web applications and new Internet Information Services (IIS) Web sites.

Start services.

Deploy Web Parts and new features to the global assembly cache.

Perform all farm-level tasks in Central Administration (provided that the Central Administration site is located on the local computer).

Run the Stsadm command-line tool.

NoteNote:
Being a server-level administrator is a pre-requisite of running the Stsadm command-line tool. Depending on which command you actually run, you might need additional permissions. For example, if you run stsadm.exe –o deleteweb, the command requires that the account have write access to the content database that contains the Web application.

Administer individual sites or site content.

Administer My Sites.

Administer databases.

One of the new features of the administrative model in Office SharePoint Server 2007 is to enable organizations to assign administration of one or more shared services. For large organizations, assigning the administration of a shared service can be beneficial. In such a case, the site collection administrator for the Shared Services Administration site has the discretion to assign these tasks to one or many shared service administrators. For small organizations, delegation of services might not practical, so a single administrator would administer all the shared services.

Shared services-level administration includes the following roles:

  • Site collection administrator for the Shared Services Administration site

  • Shared service administrator

The site collection administrator has the Full Control permission level on the Shared Services Administration site. A farm administrator account is required to install Office SharePoint Server 2007 and to create an SSP. By default, the farm administrator account that created the SSP is the site collection administrator for the Shared Services Administration site and has the ability to manage permissions to the People and Business Data Catalog shared services.

  • The following table describes the site collection administrator role.

 

Administrative role How to add to role? Can do this Cannot do this

Site collection administrator for the Shared Services Administration site

The farm administrator user account that created the SSP is automatically added as the site collection administrator and can administer all settings in the Shared Services Administration site.

Use the Shared Services Administration Web site with the Full Control permission level.

Configure usage reporting.

Add users to the default Readers group for sites containing My Sites and profiles.

Create personal sites.

Manage sites and user profiles.

Configure permissions for specific services or assign administration of shared services to other users.

Administer individual sites or site content.

Additional user accounts that are granted membership after installation cannot access the following pages unless specifically granted access:

  • User profiles and properties.

  • Profile services policies.

  • My Site settings.

  • Import application definition for Business Data Catalog

  • Enable or disable usage reporting

 

Worksheet action

In the Administrators and owners worksheet (http://go.microsoft.com/fwlink/?LinkId=73126&clcid=0x409), in the SSP or service name column, type Site collection administrator for the Shared Services Administration site, and then list the users or accounts to assign.

You can assign administration for a shared service. To do this, the site collection administrator for the Shared Services Administration site adds users to the Shared Services Administration site. Any user added to the Visitors group in the Shared Services Administration site has Read permissions and can manage Search, Excel Services, User profiles and properties, Profile services policies, and My Site settings. Additionally, a user added to the Shared Services Administration site as a shared service administrator can grant the permission to administer the People shared service by using the Personalization services permissions link or to administer the Business Data Catalog shared service by using the Business Data Catalog permissions link. Therefore, you want to carefully select the users whom you will add to the Shared Services Administration site.

ImportantImportant:
To manage a shared service, a user must first be added to the Shared Services Administration site by the site collection administrator for the Shared Services Administration site. After a user is added to the Shared Services Administration site, the user is automatically granted permissions to manage Excel Services, Search, User profiles and properties, Profile Services policies, and My Site settings. Additional permissions to manage the People or Business Data Catalog services are granted to individual users on the Manage Permissions pages for the appropriate services.

The following sections describe the various shared service administrator and shared service manager roles.

Search service administrators manage several aspects of the search system that fundamentally support the use of search in sites. These aspects include crawling content to create an index and creating shared search scopes, which enable users to perform searches over subsets of content. Search service administrators are concerned with the structure of the content in a site — that is, they want to make it easy for users to find, contribute, and work with the content in a site.

ImportantImportant:
By default, any user who is granted a minimum of Read permissions to the Shared Services Administration site has permissions to manage search settings, search usage reports, Excel Services, User profiles and properties, Profile Services policies, and My Site settings.

The following table describes tasks that a search service administrator can perform.

 

Administrative role How to add to role? Can do this Cannot do this

Search service administrator

The site collection administrator for the Shared Services Administration site adds a user to the Shared Services Administration site.

Create and manage content sources and crawl schedules.

Manage file types.

Create and manage the default content access account.

Create server name mappings.

Activate or deactivate search-based alerts.

Create and manage search scopes.

Specify authoritative Web pages.

Manage metadata properties.

Access the Central Administration site.

 

Worksheet action

In the Administrators and owners worksheet (http://go.microsoft.com/fwlink/?LinkId=73126&clcid=0x409), in the SSP or service name column, type Search service administrator, and then list the users or accounts to assign.

Profile Services is the shared service for people and personalization features. Profile Services connects to databases of information about people from various sources and integrates that information into user profiles that are the basis for powerful personalization features. User profiles managers import information about users from directory services, such as the Active Directory directory service and Lightweight Directory Access Protocol (LDAP), and from line-of-business applications such as SAP by using the Business Data Catalog.

You can tailor content to each user in any organization, while enabling administrators to set policies to protect privacy. The following table describes the user profiles manager role.

 

Administrative role How to add to role? Can do this Cannot do this

User profiles manager

The site collection administrator grants access to a user to the Shared Services Administration site, and then the user profiles manager grants the Manage User Profiles permission to a user on the Manage Permissions: Shared Service Rights page. This page is available by clicking the Personalization services permissions link.

Configure and manage user profiles.

View and edit user profile properties.

Customize and configure My Sites settings and permissions

Configure Profile Services policies.

Manage personalization links, trusted My Site host links, and links from Office client applications.

Access the search service and Excel Services pages, though these tasks are not associated with this role.

Access the Central Administration site.

Manage audiences, unless specifically granted the Manage Audiences permission by the permissions manager for Profile Services.

Manage permissions, unless specifically granted the Manage Permissions permission by the permissions manager for Profile Services.

Manage usage reporting, unless specifically granted the Manage Usage Analytics permission.

.

In Office SharePoint Server 2007, you can build audiences using data from user profiles by using rules. These rules can be defined by using user profile properties such as department or responsibilities; relational information such as reporting hierarchy; or user membership in a distribution list and security group. The following table describes the audiences manager role.

 

Administrative role How to add to role? Can do this Cannot do this

Audiences manager

The permissions manager for Profile Services grants the Manage Audiences permission to a user on the Manage Permissions: Shared Service Rights page. This page is available by clicking the Personalization services permissions link.

Create, compile, and manage audiences and audience rules.

View membership of audiences.

Manage personalization links, trusted My Site host links, and links from Office client applications.

Access search service and Excel Services administration pages.

Manage user profiles or My Sites, unless specifically granted the Manage User Profiles permission.

Manage the Business Data Catalog, unless specifically granted one or more of the permissions for the Business Data Catalog.

Manage permissions, unless specifically granted the Manage Permissions permission.

Manage usage reporting, unless specifically granted the Manage Usage Analytics permission.

Access the Central Administration page.

For more information about how to configure personalization settings and permissions, see Configure personalization permissions.

 

Worksheet action

In the Administrators and owners worksheet (http://go.microsoft.com/fwlink/?LinkId=73126&clcid=0x409), in the SSP or service name column, type either User profiles manager or Audiences manager, and then list the users or accounts to assign.

The Business Data Catalog manager is responsible for registering line-of-business applications and selected business data types and properties of those applications. The Business Data Catalog is managed from the Shared Services Administration site for each SSP. For each line-of-business application used by the Web applications and site collections of an SSP, you must first register the line-of-business application and the business data types and properties that you want to expose to users by importing an application definition for the application.

The following table describes tasks that a Business Data Catalog manager can perform.

 

Administrative role How to add to role? Can do this Cannot do this

Business Data Catalog manager

The permissions manager for the Business Data Catalog grants the Edit permission or the Edit and Execute permissions to a user on the Manage Permissions page for the Business Data Catalog.

Import application definitions to the Business Data Catalog for line-of-business applications.

Configure business data types (entities) and properties for each application.

With the Execute permission, execute methods on entity instances.

View applications and entities, and edit the profile page template and create custom business actions.

Manage search for business data content sources. Manage personalization links, trusted My Site host links, and links from Office client applications, though these tasks are not associated with this role.

Access the Excel Services pages, though these tasks are not associated with this role.

Manage permissions to the Business Data Catalog, unless the Set Permissions permission has been specifically granted by the permissions manager for the Business Data Catalog.

Customize business data lists, Web Parts, and sites, unless the user is also a site collection administrator or site owner and has been specifically granted the Select in Clients permission by the permissions manager for the Business Data Catalog.

Manage usage reporting, unless specifically granted the Manage Usage Analytics permission.

Access any other shared services except Excel Services and Search.

Access the Central Administration site.

For more information about business intelligence features, see Configure business intelligence features.

 

Worksheet action

In the Administrators and owners worksheet (http://go.microsoft.com/fwlink/?LinkId=73126&clcid=0x409), in the SSP or service name column, type Business Data Catalog manager, and then list the users or accounts to assign.

The permissions manager for the Business Data Catalog is responsible for managing permissions to all of the Business Data Catalog settings. In order for a user to use the Business Data Catalog shared service, Set Permissions must be selected on the Modify Permissions: Business Data Catalog page. The following table describes tasks that a permissions manager for the Business Data Catalog can perform.

 

Administrative role How to add to role? Can do this Cannot do this

Permissions manager for the Business Data Catalog

The default site collection administrator for the Shared Services Administration site, who is granted the Set Permissions permission during installation, grants the Set Permissions permission to another user on the Modify Permissions: Business Data Catalog page. This page is available by clicking the Business Data Catalog permissions link.

Configure the Business Data Catalog.

Manage personalization links, trusted My Site host links, and links from Office client applications, though these tasks are not associated with this role.

Access the search service and Excel Services pages, though these tasks are not associated with this role.

Access the Central Administration site.

Manage permissions for Profile Services.

Manage user profiles or My Sites, unless specifically granted the Manage User Profiles permission.

Manage audiences, unless specifically granted the Manage Audiences permission by the site collection administrator.

Manage usage reporting, unless specifically granted the Manage Usage Analytics permission.

 

Worksheet action

In the Administrators and owners worksheet (http://go.microsoft.com/fwlink/?LinkId=73126&clcid=0x409), in the SSP or service name column, type Permissions manager for the Business Data Catalog, and then list the users or accounts to assign.

The permissions manager for Profile Services is responsible for administering permissions for Profile Services. The manager uses the Personalization services permission link on the Shared Services Administration site to set permissions. The following table describes tasks that a permissions manager for Profile Services can perform.

 

Administrative role How to add to role? Can do this Cannot do this

Permissions manager for Profile Services

The default site collection administrator for the Shared Services Administration site, who is granted the Manage Permissions permission during installation, grants the Manage Permissions permission to another user on the Manage Permissions: Shared Service Rights page. This page is available by clicking the Personalization services permissions link.

Configure personalization services permissions

Manage personalization links, trusted My Site host links, and links from Office client applications, though these tasks are available to any user with access to the Shared Services Administration site.

Access the search service and Excel Services pages, though these tasks are not associated with this role.

Manage permissions for the Business Data Catalog.

Manage user profiles or My Sites, unless specifically granted the Manage User Profiles permission.

Manage audiences, unless specifically granted the Manage Audiences permission by the site collection administrator for the Shared Services Administration site.

Manage usage reporting, unless specifically granted the Manage Usage Analytics permission.

Manage the Business Data Catalog, unless specifically granted one or more of the permissions for the Business Data Catalog.

Access the Central Administration site.

 

Worksheet action

In the Administrators and owners worksheet (http://go.microsoft.com/fwlink/?LinkId=73126&clcid=0x409), in the SSP or service name column, type Permissions manager for Profile Services, and then list the users or accounts to assign.

Excel Services enables users to leverage server-side workbook calculations, and provides administrators with the ability to control access to workbooks and to secure private data and intellectual property. This ensures that data within your workbooks is protected while users can take full advantage of data refresh and recalculation functionality.

The following table describes tasks that an Excel Services administrator can perform.

 

Administrative role How to add to role? Can do this Cannot do this

Excel Services administrator

The site collection administrator for the Shared Services Administration site must add a user to the Shared Services Administration site.

Add trusted file locations.

Add trusted data providers.

Add trusted data connection libraries.

Add user-defined function assemblies.

Modify Excel Services settings.

Access other administration pages — for example, the Business Data Catalog Applications page.

Access the Central Administration site.

Start and manage the SSO service.

Start or stop Excel Calculation Services or other services.

Run Stsadm command-line administrative operations.

For more information about Excel Services, see Plan Excel Services security.

 

Worksheet action

In the Administrators and owners worksheet (http://go.microsoft.com/fwlink/?LinkId=73126&clcid=0x409), in the SSP or service name column, type Excel Services administrator, and then list the users or accounts to assign.

Usage reporting is a service that enables site collection administrators, site owners, and shared service administrators to monitor statistics about the use of their sites. Usage reporting also includes usage reporting for search queries that can be viewed by search service administrators and site collection administrators. The following procedure shows the three-step process to configure usage reporting.

Configure usage reporting
  1. A farm administrator enables Windows SharePoint Services usage logging for the farm that hosts the Web application that contains the SSP.

  2. The usage reporting manager enables and configures the usage reporting service.

  3. Site collection administrators can activate the reporting feature to enable usage reports on their site collections.

The following table describes tasks that a Usage reporting manager can perform.

 

Administrative role How to add to role? Can do this Cannot do this

Usage reporting manager

The permissions manager for Profile Services grants the Manage Usage Analytics permission to a user.

Enable usage reporting service by using the Shared Services Administration site. To view or edit a site or site collection usage is a task granted to the site owner or site collection administrators. It cannot be granted until the usage reporting manager enables usage reporting.

Enable search query logging.

Access any other shared service, except those available to all users with Read access to the Shared Services Administration site.

Access the Central Administration site.

For more information about the usage reporting service, see Configure usage reporting.

 

Worksheet action

In the Administrators and owners worksheet (http://go.microsoft.com/fwlink/?LinkId=73126&clcid=0x409), in the SSP or service name column, type Usage reporting manager, and then list the users or accounts to assign.

Site-level administration includes the following roles:

  • Site collection administrators

  • Site owners

Site collection administrators have the Full Control permission level on all Web sites and content within a site collection. From the site collection level, site collection administrators manage settings (such as site collection features, site collection audit settings, and site collection policies) from the Site Settings page for the top-level site. When you create a site collection, you can specify the primary and secondary site collection administrators. A site collection administrator is a user with a flag in the content database that states they can perform all tasks within a site collection, including all tasks for specific sites with a site collection. This flag can be changed by using the Site Collection Administrators page in Central Administration, by using the Site Settings page on a top-level site, or by using the site owner operation with the Stsadm command-line tool. Generally, you designate site collection administrators when you create the site, but you can change them as needed in Central Administration or by using Site Settings pages.

The following table describes the site collection administrator role.

 

SharePoint group Does role exist by default? Can do this Cannot do this

Site collection administrator

Yes

Perform all administration tasks for sites within the site collection.

Access the Central Administration site.

Site owners are those who have been specifically granted the Full Control permission level on the site, either directly or by being a member of a SharePoint group —for example, the Owners group — that has the Full Control permission level on the site. Site owners can perform tasks related to the site only, not the entire site collection.

NoteNote:
The user that creates the site is automatically added to the Owners group for the site.

The following table describes tasks that site owners can perform.

 

SharePoint group Does role exist by default? Can do this Cannot do this

<Site name> Owners

Yes

Perform administration for the site only, not the entire site collection.

Perform administrative tasks for documents, lists, and libraries.

Access the Central Administration site.

Access the Shared Services Administration site.

Perform site collection administration tasks, such as restoring items from the second-stage Recycle Bin and managing the site hierarchy.

For more information about site-level administration, see Choose administrators and owners for the administration hierarchy (Office SharePoint Server).

Use the following worksheet to plan for security roles.

This topic is included in the following downloadable book for easier reading and printing:

See the full list of available books at Downloadable content for Office SharePoint Server 2007.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft