Plan for security roles (Windows SharePoint Services)

Applies To: Windows SharePoint Services 3.0

 

Topic Last Modified: 2009-04-15

In this article:

  • Farm-level administration

  • Site-level administration

  • Worksheet

Windows SharePoint Services 3.0 introduces a two-tier administrative model that centralizes configuration and management tasks, separates administrative roles from one another, and lets administration be delegated to the appropriate people in your organization. Used together with SharePoint groups, the model lets you grant only the permissions that a specific role needs to perform its tasks, so that no account holds more access than its duties require. To work effectively within the two-tier model, many organizations designate specific administrative roles within each tier. This article describes the roles within each tier and what each role can and cannot do.

The following list describes each administrative tier.

  • Tier 1: Farm-level administrators   Administrators in this tier are the top-level administrators and have permissions to and responsibility for all servers in the server farm. Members can perform all administrative tasks in the SharePoint Central Administration Web site for the server or server farm.

  • Tier 2: Site collection administrators   Site collection administrators have the Full Control permission level on their site collections.

Windows SharePoint Services 3.0 provides flexibility in how you assign administrative roles. In a centralized management model, you can assign many roles to one or two people in your organization. Alternatively, in a distributed management model, you can delegate specific roles to different people in your organization.

Farm-level administration

Farm-level administration typically is performed by the following roles:

  • Farm administrators

  • Server-level administrators

Farm administrators

The farm administrator has permissions to and responsibility for all servers in the server farm. The Farm Administrators SharePoint group replaces the SharePoint Administrators group that was used in Windows SharePoint Services version 2.0. Members of the Farm Administrators group do not need to be added to the Administrators group for each server. Farm administrators are members of the WSS_WPG and WSS_RESTRICTED_WPG groups on the computers where Central Administration is hosted and have the Full Control permission level on all servers in the environment. By default, members of the Administrators group are members of the Farm Administrators SharePoint group.

Members of the Farm Administrators group can manage most of the Central Administration site, but some actions (for example, creating Internet Information Services (IIS) Web sites, creating or deleting SharePoint Web applications, and updating account passwords or Windows services) require local Administrators rights on the server because of constraints in IIS and the Microsoft .NET Framework. By default, farm administrators have no administrative access to individual sites or their content. They can, however, take control of a specific site collection to view any content. For example, if a site collection administrator leaves the organization and a new administrator must be added, a farm administrator can add himself or herself as a site collection administrator; that action is recorded in the audit logs. As a best practice, remove the farm administrator's permissions on the site collection as soon as the necessary site-level work is complete, so that the elevated access does not persist. The Farm Administrators group is used only in Central Administration and is not available for any sites.

Note

Although anyone with the Full Control permission level on the Central Administration site can delete the SSP Web application from the Central Administration site, doing so is strongly discouraged because it renders the SSP non-functional. If the Web application is deleted, the only resolution is to restore the SSP from a recent backup. For more information about how to restore from a backup, see Back up and restore the entire farm (Windows SharePoint Services 3.0 technology).

Note

Choose carefully to whom you grant membership in the Administrators group on the database server computer, and to whom you grant membership in the fixed server roles and fixed database roles in Microsoft SQL Server. That group and those roles have full control over the SharePoint Products and Technologies configuration database, and therefore over the configuration of the entire farm, regardless of any SharePoint-level permissions.
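The Note above tells you to watch SQL Server role membership but not how to check it. The following script is an added example (not code from the original article or from Microsoft) that lists, through the SQL Server catalog views, every principal holding a fixed server role on the instance and every principal holding a fixed database role on the configuration database. It assumes Windows authentication to the instance, that the caller may read the catalog views, and that the configuration database keeps its default name SharePoint_Config; the instance name SQLSERVER01 is a placeholder.

```powershell
# Added example, not from the original article: audit who holds fixed server
# roles on the instance and fixed database roles on the configuration database.
# Assumptions: Windows authentication works from this machine, the caller can
# read the catalog views (sys.server_role_members, sys.database_role_members),
# and the configuration database is named SharePoint_Config (the default).

function Get-ConfigDatabaseRoleMembers {
    param(
        [string]$Instance = 'SQLSERVER01',        # hypothetical instance name
        [string]$Database = 'SharePoint_Config'   # default configuration database name
    )
    # Instance-level roles (sysadmin, serveradmin, ...) and their members.
    $serverQuery = @"
SELECT r.name AS role_name, m.name AS member_name
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
ORDER BY r.name, m.name;
"@
    # Database-level roles (db_owner, db_datawriter, ...) on the configuration database.
    $dbQuery = @"
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
ORDER BY r.name, m.name;
"@
    $connectionString = "Data Source=$Instance;Initial Catalog=$Database;Integrated Security=SSPI"
    $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $connectionString
    $conn.Open()
    try {
        foreach ($pair in @(@('server', $serverQuery), @('database', $dbQuery))) {
            $cmd = $conn.CreateCommand()
            $cmd.CommandText = $pair[1]
            $reader = $cmd.ExecuteReader()
            try {
                while ($reader.Read()) {
                    New-Object PSObject -Property @{
                        Scope  = $pair[0]
                        Role   = $reader['role_name']
                        Member = $reader['member_name']
                    }
                }
            }
            finally { $reader.Close() }
        }
    }
    finally { $conn.Close() }
}

# Usage: show everyone who is sysadmin on the instance or db_owner on the
# configuration database; each entry should map to a known farm administrator
# or service account.
Get-ConfigDatabaseRoleMembers |
    Where-Object { $_.Role -eq 'sysadmin' -or $_.Role -eq 'db_owner' } |
    Format-Table Scope, Role, Member -AutoSize
```

On SQL Server 2005 the BUILTIN\Administrators group is a member of sysadmin by default, which is why the Note treats membership in the local Administrators group on the database server as equivalent to full control of the configuration database; if that entry appears in the output, review who is in the local group as well.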

The following list summarizes what members of the Farm Administrators group can and cannot do.

Farm Administrators (SharePoint group; exists by default)

  Can do this:

  • Perform administrative tasks in Central Administration.

  • Take ownership of any content site.

  Cannot do this:

  • Administer individual sites or site content, unless they take ownership of the site.

For more information about the Farm Administrators group, see Choose administrators and owners for the administration hierarchy (Windows SharePoint Services).

Server-level administrators

Members of the Administrators group on the local server computer are automatically added to the Farm Administrators group and can perform all farm administrator actions. The Administrators group is a Windows group, not a SharePoint group, but its members perform the administrative tasks in Windows SharePoint Services 3.0 that require local administrative rights on the server. Like farm administrators, members of the local Administrators group have no administrative access to site content by default. However, they can take control of a specific site collection if needed by adding themselves as site collection administrators on the Site Collection Administrators page in Central Administration.

The following list summarizes the server-level administrator role.

Administrators (Windows group on the local server; exists by default; not a SharePoint group)

  Can do this:

  • Install products.

  • Create new Web applications and new Internet Information Services (IIS) Web sites.

  • Start services.

  • Deploy Web Parts and new features to the global assembly cache.

  • Perform all farm-level tasks in Central Administration (provided that the Central Administration site is hosted on the local computer).

  • Run the Stsadm command-line tool.

  Cannot do this:

  • Administer individual sites or site content.

  • Administer databases.

Note

Membership in the local Administrators group is a prerequisite for running the Stsadm command-line tool, but some operations require additional permissions. For example, stsadm.exe -o deleteweb requires that the account running it also have write access to the content database that holds the site being deleted.

Site-level administration

Site-level administration includes the following roles:

  • Site collection administrators

  • Site owners

Site collection administrators

Site collection administrators have the Full Control permission level on all Web sites and content within a site collection. From the Site Settings page of the top-level site, they manage settings that apply to the whole site collection, such as site collection features, site collection audit settings, and site collection policies. When you create a site collection, you specify its primary and secondary site collection administrators. Technically, a site collection administrator is a user whose record in the content database carries a flag stating that the user can perform all tasks within the site collection, including all tasks for the individual sites within it. You can change that flag on the Site Collection Administrators page in Central Administration, on the Site Settings page of the top-level site, or with the siteowner operation of the Stsadm command-line tool. Generally, you designate site collection administrators when you create the site collection, but you can change them as needed in Central Administration or on the Site Settings pages.
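Two passages above describe the same manual procedure: a farm administrator adds himself or herself as a site collection administrator to do site-level work and is expected to remove that access afterwards, and the siteowner operation of Stsadm is one way to set the owners. The following script is an added example (not code from the original article or from Microsoft) that automates the procedure with Stsadm: it checks the local Administrators prerequisite, records the current primary and secondary owners of the site collection, makes the farm administrator the secondary owner for the duration of a script block, and restores the previous secondary owner even if the work fails. It also includes a check that lists site collections where a farm administrator is still an owner. It assumes stsadm.exe is on the PATH, that it runs on a server hosting Central Administration, and that the enumsites operation emits Site elements with Url, Owner and SecondaryOwner attributes (as seen on WSS 3.0; verify against your own output). The URLs and logins in the usage lines are placeholders.

```powershell
# Added example, not from the original article: temporary site collection
# ownership for a farm administrator, with the previous owner restored.
# Assumptions: stsadm.exe is on the PATH (otherwise set $Stsadm to its path
# under the 12 hive BIN folder); the script runs on a server that hosts
# Central Administration as a member of the local Administrators group;
# "stsadm -o enumsites" returns <Site Url="" Owner="" SecondaryOwner=""/>
# elements (attribute names as seen on WSS 3.0; confirm on your farm).

$Stsadm = 'stsadm.exe'

function Assert-LocalAdministrator {
    # Stsadm requires membership in the local Administrators group.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Stsadm must be run by a member of the local Administrators group.'
    }
}

function Invoke-Stsadm {
    # Runs one Stsadm operation and turns a non-zero exit code into an error.
    param([string[]]$Arguments)
    $output = & $Stsadm @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "stsadm $($Arguments -join ' ') failed with exit code $LASTEXITCODE`n$($output -join "`n")"
    }
    return $output
}

function Get-SiteCollectionOwners {
    # One object per site collection in the Web application, with its
    # primary and secondary site collection administrators.
    param([string]$WebApplicationUrl)
    $text  = (Invoke-Stsadm @('-o', 'enumsites', '-url', $WebApplicationUrl)) -join "`n"
    $start = $text.IndexOf('<')
    $xml   = [xml]$text.Substring($start, $text.LastIndexOf('>') - $start + 1)
    foreach ($site in $xml.Sites.Site) {
        New-Object PSObject -Property @{
            Url            = $site.Url
            Owner          = $site.Owner
            SecondaryOwner = $site.SecondaryOwner
        }
    }
}

function Find-FarmAdminOwnedSites {
    # Site collections where a farm administrator is still primary or secondary
    # owner: access that should have been removed when the site work finished.
    param([string]$WebApplicationUrl, [string[]]$FarmAdminLogins)
    Get-SiteCollectionOwners $WebApplicationUrl | Where-Object {
        ($FarmAdminLogins -contains $_.Owner) -or ($FarmAdminLogins -contains $_.SecondaryOwner)
    }
}

function Invoke-WithTemporarySiteAdmin {
    # Makes $AdminLogin the secondary site collection administrator of $SiteUrl,
    # runs $Action, then restores whoever held that slot before.
    param([string]$SiteUrl, [string]$AdminLogin, [scriptblock]$Action)
    Assert-LocalAdministrator
    $webAppUrl = ([Uri]$SiteUrl).GetLeftPart([UriPartial]::Authority)
    $before = Get-SiteCollectionOwners $webAppUrl |
        Where-Object { $_.Url.TrimEnd('/') -eq $SiteUrl.TrimEnd('/') }
    if (-not $before) { throw "Site collection not found: $SiteUrl" }

    Invoke-Stsadm @('-o', 'siteowner', '-url', $SiteUrl, '-secondarylogin', $AdminLogin) | Out-Null
    try {
        & $Action
    }
    finally {
        # Remove the farm administrator again as soon as the work is done.
        if ($before.SecondaryOwner) {
            Invoke-Stsadm @('-o', 'siteowner', '-url', $SiteUrl, '-secondarylogin', $before.SecondaryOwner) | Out-Null
        }
        else {
            Write-Warning "$SiteUrl had no secondary administrator before; remove $AdminLogin on the Site Collection Administrators page."
        }
    }
}

# Usage (placeholder URL and login). The script block is the window in which
# the farm administrator does the site-level work interactively.
Invoke-WithTemporarySiteAdmin -SiteUrl 'http://intranet/sites/hr' -AdminLogin 'CONTOSO\spfarmadmin' -Action {
    Read-Host 'Do the site-level work now, then press Enter to revoke the access'
}

# Periodic check: which site collections still list a farm administrator as an owner?
Find-FarmAdminOwnedSites -WebApplicationUrl 'http://intranet' -FarmAdminLogins @('CONTOSO\spfarmadmin') |
    Format-Table Url, Owner, SecondaryOwner -AutoSize
```

Setting the secondary owner displaces whoever held that slot, which is why the script records the owners first and restores them in a finally block; the siteowner operation writes the owner through the content database, so the Stsadm call itself does not depend on the farm administrator already having SharePoint-level rights on the site collection, only on local Administrators membership and database access.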

The following list summarizes the site collection administrator role.

Site collection administrator (exists by default)

  Can do this:

  • Perform all administration tasks for sites within the site collection.

  Cannot do this:

  • Access the Central Administration site.

Site owners

Site owners are users who have been specifically granted the Full Control permission level on a site, either directly or through membership in a SharePoint group that has the Full Control permission level on the site (for example, the site's Owners group). Site owners can perform tasks for that site only, not for the entire site collection.

Note

The user who creates a site is automatically added to the Owners group for that site.

The following list summarizes what site owners can and cannot do.

<Site name> Owners (SharePoint group; exists by default)

  Can do this:

  • Perform administration for the site only, not the entire site collection.

  • Perform administrative tasks for documents, lists, and libraries.

  Cannot do this:

  • Access the Central Administration site.

  • Perform site collection administration tasks, such as restoring items from the second-stage Recycle Bin and managing the site hierarchy.

For more information about site-level administration, see Choose administrators and owners for the administration hierarchy (Windows SharePoint Services).

Worksheet


See Also

Concepts

Determine permission levels and groups to use (Windows SharePoint Services)