About site groups
|Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.|
Microsoft uses site groups to manage security across a SharePoint site. Each user must be a member of at least one site group in order to view or access a SharePoint site. Each site group possesses corresponding rights. Rights are rules associated with the system as a whole, granted to local groups, global groups, and users. A right within may be actions that users can perform, such as Manage Lists . In addition, you can edit the rights assigned to a specific site group, create an additional site group, or delete an unused site group. You manage site groups in from SharePoint Central Administration or by using the command-line administration tool.
Note: You can add user accounts to a SharePoint site without assigning them to a site group. For example, you can create the user accounts and then assign the users to site groups later. You can also remove a user from all site groups. When you remove a user from all site groups, the user has no access to the Web site.
includes the following site groups by default:
Guest Has limited rights to view pages and specific page elements. Use this site group to give users access to a particular page, or list, without granting them rights to view the entire site. You cannot add users explicitly to the Guest site group; users who are given access to lists or document libraries by way of per-list permissions are automatically added to the Guest site group. You cannot customize or delete the Guest site group.
Reader Has rights to view items, view pages, and create a top-level Web site using the Self-Service Site Creation feature. Readers can only view pages on a SharePoint site; they cannot add content.
Note: When a member of the Reader site group creates a site using the Self-Service Site Creation feature, he or she becomes the site owner and a member of the Administrator site group for the new site. This does not affect the site group membership of the user for any other site.
Contributor Has Reader rights and rights to add, edit, and delete items, browse directories, manage personal views, add, remove, or update personal Web Parts, and create cross-site groups. Members of the Contributor site group cannot create lists or document libraries, but they can add content to existing lists and document libraries.
Web Designer Has Contributor rights and rights to cancel check-out, manage lists, add and customize pages, define and apply themes and borders, and apply style sheets. Members of the Web Designer site group can modify the structure of the site and create lists or document libraries.
Administrator Has all rights from other site groups and rights to manage site groups, manage list permissions, create SharePoint sites, and view usage analysis data. You cannot customize or delete the Administrator site group. In addition, there must always be at least one member of the Administrator site group. Members of the Administrator site group always have access to, or can grant themselves access to, any item in the Web site.
Note: The owner and secondary owner of a site collection are members of the Administrator site group for their site, but they are also identified separately in the configuration database as site collection owners. This owner flag can only be changed by using the Manage Site Collection Owners page in SharePoint Central Administration or by using the siteowner operation with Stsadm.exe. If you remove an owner from the Administrator site group for the site, the owner retains the owner flag in the database, and can still perform site collection administrative tasks.
Note: These site groups are defined per SharePoint site. Users assigned to the Administrator site group are administrators only for a particular SharePoint site. To perform any administrative tasks that affect settings for all SharePoint sites and virtual servers on the server computer, a user must be an administrator for the server computer (also known as a local machine administrator) or a member of the SharePoint administrators group, rather than a member of an Administrator site group for a specific SharePoint site.
Customizing rights for site groups
You can create a site group or customize an existing site group to include only the rights you want (except for the Guest and Administrator site groups, which cannot be customized). For example, to allow only the Web Designers to be able to edit lists on the site, you can remove the Edit Items right from the Contributor site group.
Note: Some rights depend on other rights. You must be able to view items before you can edit items. If a right is deleted from a site group, any rights dependent on that right are also deleted. For example, when the View Items right is deleted, the Add Items , Edit Items , and Delete Items rights are also deleted. In the same way, if you add a right that requires another right, the required right is also added. So, if you grant the Edit Items right to a user, the View Items right is granted automatically.
Security and user rights
User rights grant users the ability to perform certain actions on a Web site, and restrict other users from performing those actions. Some rights do not completely restrict certain actions. The Apply Themes and Borders and Apply Style Sheets rights allow users to make changes to an entire Web site. Any user with the Add and Customize Pages right, however, can perform the same changes on a page-by-page basis in the actual HTML code. Be aware that if you give users the Add and Customize Pages right by assigning them to a site group that contains the right, you also give them the ability to change the theme, border, and style sheets for individual pages in the SharePoint site.
When you assign rights to site groups, ensure that you assign the appropriate rights, and do not unintentionally allow members of the site group to perform more actions that you want on the SharePoint site. Conversely, ensure that members of the site group are not unintentionally restricted from performing the actions they need to perform.
About site owners and secondary owners
When a user creates a site, the user is listed as the site owner. Depending on your configuration, the user may also be required to specify a secondary contact for the site. Confirmation notifications are automatically sent to the site owner and to the secondary contact, if one exists.
The owner and secondary owner of a site collection are members of the Administrator site group for their site, but they are also identified separately in the configuration database as site collection owners. This owner flag can only be changed by using the Manage Site Collection Owners page in Central Administration or by using the siteowner operation with Stsadm.exe. If you remove an owner from the Administrator site group for the site, the owner retains the owner flag in the database, and can still perform Web site administrative tasks.