Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
Microsoft's SharePoint™ Team Services and Microsoft® FrontPage 2002 Server Extensions use roles to manage user rights. Each user is a member of at least one role that possesses corresponding rights. FrontPage 2000 Server Extensions supported three levels of user permissions: Browser, Author, and Administrator. SharePoint Team Services adds two roles to these permission levels, Contributor and Advanced Author. In addition, SharePoint Team Services and FrontPage 2002 Server Extensions allow you to edit the rights assigned to a role, create a new role, or delete an unused role.
Note: It is possible to add users to a Web site without assigning them to a role. For example, if you are creating new user accounts for the Web site, you can create the user accounts and then assign the users to roles later. You can also remove a member from all roles.
Not only do SharePoint Team Services and FrontPage 2002 Server Extensions offer greater flexibility in assigning roles, they provide user-friendly management tools. Previously, user roles for FrontPage Server Extensions were managed from within the Microsoft FrontPage client, using the Security option on the Tools menu. Now you can manage roles with either the command-line administration tool or HTML Administration pages.
Defining SharePoint Team Services and FrontPage 2002 Server Extensions roles
SharePoint Team Services and FrontPage 2002 Server Extensions include the following roles by default:
Browser: Has rights to view pages, view Web document discussions, and read lists.
Contributor: Has Browser rights, plus rights to participate in Web document discussions and subscribe to documents and lists. SharePoint Team Services only. This role is named "collab" on the command line.
Author: Has Contributor rights, plus rights to edit pages and directories, and edit lists.
Advanced Author: Has Author rights, plus rights to define and apply themes and borders, link style sheets, and recalculate a Web site. This role is named "advauthor" on the command line.
Administrator: Has all rights from other roles, plus rights to configure roles, create local machine user accounts, manage source control, create subwebs, manage Web document discussions and subscriptions, manage server health, and manage usage analysis. This role is named "admin" on the command line.
All of these roles are per-Web site in scope. So, the administrators in this list are Web site administrators. To perform some administrative tasks that affect settings for all Web sites and virtual servers on the server computer, you must be both a Web site administrator and an administrator for the server computer (also known as machine administrators).
Note: For a complete list of user rights and to see which are included in each role by default, see User Rights.
Upgrading from FrontPage 2000 roles
When you upgrade from Microsoft FrontPage 2000, your users are automatically sorted into three of the new roles:
FrontPage 2000 Browsers are placed in the Browser role.
FrontPage 2000 Authors are placed in the Advanced Author role.
FrontPage 2000 Administrators are placed in the Administrators role.
You can continue to use the FrontPage 2000 user interface to manage users in these three roles. However, you cannot change the rights assigned to the roles or create new roles using the FrontPage 2000 user interface; those processes must be done through the command-line interface or HTML Administration pages.
Also, in FrontPage 2000, a user could only be a member of a single role. In SharePoint Team Services and FrontPage 2002 Server Extensions, a user can be added to multiple roles. Because the old interface only allows you to assign a user to a single role, you might end up with conflicting permissions by using the old interface to manage a user who is a member of the new roles structure. To use the full functionality of SharePoint Team Services and FrontPage 2002 Server Extensions roles, use the new HTML Administration pages or the command-line interface to manage users for your Web sites.
Customizing rights for roles
You can create a role or customize an existing role to include only the rights you want. For example, if you want only the Advanced Author to be able to edit lists on the site, you can remove the Author Lists right from the Author role.
Some rights, however, depend on other rights. For example, you must be able to edit a page before you can apply a theme. So if you delete the Author Pages right from a role, even though a user in that role might still have the Theme Web right, the user would be unable to open a page and apply a theme.
To prevent such inconsistencies, if a right is deleted from a role, any rights dependent on that right are also deleted, as in the above example. When the Author Pages right is deleted, the Theme Web right is also deleted. In the same way, if you add a right that requires another right, the required right is also added. So, if you grant the Theme Web right to a user, the Author Pages right is granted automatically.
Note: For more information about dependencies in user rights, see User Rights.
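The cascade described above can be modelled as a closure over a dependency map. This Python sketch is an added example, not SharePoint's own code. Only the Theme Web to Author Pages dependency comes from this page; the Author Pages to View Pages edge is an assumption included to show the cascade over more than one level.

```python
# Added example: models the add/delete cascade for role rights.
# REQUIRES maps a right to the rights it depends on directly.
REQUIRES = {
    "Theme Web": {"Author Pages"},    # stated on this page
    "Author Pages": {"View Pages"},   # assumption, for illustration only
}


def required_by(right):
    """Return every right that `right` needs, directly or transitively."""
    needed, stack = set(), [right]
    while stack:
        for dep in REQUIRES.get(stack.pop(), ()):
            if dep not in needed:
                needed.add(dep)
                stack.append(dep)
    return needed


def dependents_of(right):
    """Return every right that cannot work without `right`."""
    return {r for r in REQUIRES if right in required_by(r)}


def add_right(role_rights, right):
    """Granting a right also grants everything it requires."""
    return set(role_rights) | {right} | required_by(right)


def delete_right(role_rights, right):
    """Deleting a right also deletes every right that depends on it."""
    return set(role_rights) - {right} - dependents_of(right)
```

When reviewing a role change, compare the rights before and after the call: the difference is the set of rights that were granted or revoked implicitly.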
Security and user rights
User rights are used to give users permission to perform certain actions on a Web site, and to restrict other users from performing those actions. Some rights, however, do not provide complete security. The Theme Web, Border Web, and Link Style Sheets rights allow users to make changes to an entire Web site. Any user with Author Pages rights, however, can perform the same changes on a page-by-page basis in the actual HTML code. Be aware that if you give a user the Author Pages right (by assigning them to a role that contains the right), you are also giving them the ability to change the theme, border, and style sheet for individual pages in your Web site.
Another right that does not provide strict security is the Manage Usage Analysis right, because any user running a SharePoint Team Services-compatible Web page editor, such as FrontPage 2002, can run usage analysis reports. The Manage Usage Analysis right simply provides security for scheduling the usage analysis processes.
Aside from these non-secure rights, some rights depend on others to perform a complete action. For example, if you have the Manage Subwebs right, you still cannot delete a particular subweb unless you have permissions on that subweb. So, if you are not listed as a user of that subweb, you may not be able to delete it, even though you have the Manage Subwebs right. Similarly, if you do not have the Design Lists right, but you do have the Author Pages right, you can potentially edit the page and break the lists (by deleting the view files and other files required for the list to work properly).
When you assign rights to users, be sure that you assign the appropriate rights, and do not unintentionally allow users to perform more actions than you want on your Web site. Conversely, be sure that users are not unintentionally restricted from performing the actions they need to perform.
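One way to check role definitions against the caveats in this section is to flag every role that holds Author Pages while a right it can work around is withheld. This is an added Python example, not part of the original documentation; the role names and their rights in SAMPLE_ROLES are constructed, and rights are written with the display names used on this page.

```python
# Added example: finds withheld rights that do not actually restrict a role,
# based on the caveats in "Security and user rights".

# Rights whose effect a holder of Author Pages can reach page by page.
BYPASSED_BY_AUTHOR_PAGES = {
    "Theme Web": "can change the theme of individual pages in the HTML",
    "Border Web": "can change the border of individual pages in the HTML",
    "Link Style Sheets": "can change the style sheet of individual pages",
    "Design Lists": "can break lists by deleting view files",
}

# Constructed sample data: role name -> rights granted to that role.
SAMPLE_ROLES = {
    "Interns": {"View Pages", "Author Pages"},
    "Designers": {"View Pages", "Author Pages", "Theme Web", "Border Web",
                  "Link Style Sheets", "Design Lists"},
    "Readers": {"View Pages"},
}


def audit_role(name, rights):
    """Return (role, withheld right, reason) for each ineffective restriction."""
    rights = set(rights)
    if "Author Pages" not in rights:
        return []  # nothing on this page lets the role work around its limits
    return [(name, right, "Author Pages holder " + reason)
            for right, reason in BYPASSED_BY_AUTHOR_PAGES.items()
            if right not in rights]


def audit_site(roles):
    """Audit every role and return the findings sorted by role, then right."""
    findings = []
    for name, rights in roles.items():
        findings.extend(audit_role(name, rights))
    return sorted(findings)


if __name__ == "__main__":
    for role, right, reason in audit_site(SAMPLE_ROLES):
        print(f"{role}: withholding '{right}' is not a control ({reason})")
```

Each finding means the role should either lose Author Pages or be treated as if it held the withheld right.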
Using the command line to manage roles
There are several command-line operations that you use to manage roles for SharePoint Team Services and FrontPage 2002 Server Extensions. You use the roles operation to add or delete a role, and the rolerights operation to add, delete, or set rights for a role.
Creating a new role
You can create a new role from the command line. To do so, you use the roles operation to create the role. For example, to create a new role called Interns for a Web site named InternWeb, you would type the following command:
owsadm.exe -o roles -web /internweb -c add -name Interns
This command creates a role called Interns but does not assign any rights to that role. To assign rights, you must use the rolerights operation.
Setting rights for a role
To set rights for a role, you use the rolerights operation. This operation takes the command parameter with the following values: add, del, and delall. You choose the value based on which action you want to perform. For example, if you wanted to give the Interns role the rights to view pages in the Web site, you would type the following command:
owsadm.exe -o rolerights -w internweb -n Interns -c add -r ViewPages
Note: For the complete list of user rights, with definitions and information about which roles include those rights by default, see User Rights.
You can add multiple rights to a single role by using the rolerights operation. For example, if you had not yet assigned any rights to the role and you wanted to give the interns the ability to view and edit pages, you would type the following command:
owsadm.exe -o rolerights -web /internweb -name Interns -c add -r viewpages,authorpages
If you want to delete a single right from a role, you use the del (delete) value with the command (-c) parameter. For example, to remove the Author Pages right from the Interns role, you would type the following command:
owsadm.exe -o rolerights -web /internweb -name Interns -c del -r authorpages
If you want to delete all rights from a role, in preparation for adding a different right, you can use the delall value with the command (-c) parameter. For example, to delete all rights in the Interns role, you would type:
owsadm.exe -o rolerights -web /internweb -name Interns -c delall
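The add, del, and delall values above can be combined into a reviewable change plan that moves a role from its current rights to an approved set, removing excess rights before granting new ones. This Python sketch is an added example, not a Microsoft tool; it only builds command lines with the syntax shown on this page and does not run them. The function name, the lowercasing of right names, and the use of one del command per right are assumptions.

```python
# Added example: builds owsadm.exe rolerights commands from a rights diff.

def rolerights_plan(web, role, current, desired):
    """Return argv lists that move `role` from `current` to `desired` rights."""
    # Assumption: right names are compared case-insensitively, since this
    # page writes both "ViewPages" and "viewpages".
    current = {r.lower() for r in current}
    desired = {r.lower() for r in desired}
    base = ["owsadm.exe", "-o", "rolerights", "-web", web, "-name", role, "-c"]

    if current and not desired:
        return [base + ["delall"]]       # strip every right in one step

    plan = []
    # Revoke first, one right per command as in the del example above, so
    # the role never holds more than either the old or the new set.
    for right in sorted(current - desired):
        plan.append(base + ["del", "-r", right])
    # Grant the missing rights in one add command with a comma-separated list.
    to_add = sorted(desired - current)
    if to_add:
        plan.append(base + ["add", "-r", ",".join(to_add)])
    return plan


if __name__ == "__main__":
    # Constructed input: Interns currently hold two rights, one is approved.
    for argv in rolerights_plan("/internweb", "Interns",
                                {"ViewPages", "AuthorPages"}, {"viewpages"}):
        print(" ".join(argv))
```

Because deleting a right also deletes the rights that depend on it, check the resulting role after applying a plan that contains del commands.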
Deleting an existing role
If you want to delete a role, you use the roles operation with the del value with the -c parameter. For example, when you are done with the Interns role, you can delete it by typing the following command:
owsadm.exe -o roles -web /internweb -c del -name Interns
Cloning a role
You can also clone a role from the command line. For either the Microsoft Windows or UNIX operating systems, you can clone both the role and the users at the same time. To clone a role, you use the clonerights (-cr) parameter. You can also clone the users of that role by using the optional cloneusers (-cu) parameter. Note that when you use the cloneusers parameter, it must be the last parameter in the command. For example, to clone the Interns role and make a new Staff role and duplicate the role's members, you would type:
owsadm.exe -o roles -web /internweb -c add -name staff -cr Interns -cu
Using HTML Administration pages to manage roles
You can manage roles from the Site Administration page for your Web site. To manage roles, you follow the Manage roles link on the Site Administration page to the Manage Roles page. By using this page, you can view a list of roles, change which rights are included in a role, add a new role, or delete a role.
To view the Site Administration page
If you are a server administrator, on the server computer click Start, point to Programs, point to Administrative Tools, and click Microsoft SharePoint Administrator, and then on the Server Administration page, click the name of the site you want to manage.
If you are a site administrator, on your Web site, click Site Settings, and then under Web Administration, click Go to Site Administration.
If you want to add a new role, you use the Manage Roles page.
To view a list of roles
On the Site Administration page for your Web site, under Users and Roles, click Manage Roles.
The roles available for the Web site are displayed on the Manage Roles page.
You can add new roles for use on your site from the Manage Roles page.
To add a new role
On the Manage Roles page, click Add a role.
In the Role Name and Description area, type the name and description for your new role.
In the Rights area, select the rights you want to include in the new role.
Click Create Role.
You can create a new role based on an existing role, and even copy the users of the existing role into your new role.
To copy an existing role
On the Manage Roles page, click the role you want to copy.
On the Edit Role <Rolename> page, click Copy Role.
On the Copy the role <Rolename> page, in the Role Name and Description area, type the name and description for your new role.
If you want to copy the users from the existing role into your new role, select the Copy users from <rolename> check box.
In the Rights area, select any additional rights you want the role to contain.
Click Create Role.
You can also edit an existing role to change the rights assigned to that role.
To edit an existing role
On the Manage Roles page, click the role you want to change.
On the Edit Role <Rolename> page, select the rights you want to include and clear any rights that you do not want.
If you find that a role is not used, you can delete the role.
To delete an existing role
On the Manage Roles page, select the check box next to the role you want to delete.
Click Delete selected role(s).
For information about assigning users to roles, see Managing Users.
For more information about permissions, see Managing Web Site Permissions.
For more information about user roles and security, see Windows Security Model and FrontPage 2002 Server Extensions Security Under UNIX.