
Manage permission policies for a web application in SharePoint 2013

 

Applies to: SharePoint Server 2013 Standard, SharePoint Foundation 2013

Topic Last Modified: 2013-12-18

Summary: Illustrates how to manage SharePoint 2013 web application permission policies.

A web application is composed of an Internet Information Services (IIS) web site that acts as a logical container for the site collections that you create. Before you can create a site collection, you must create a web application.

A web application can contain multiple site collections. Managing permissions for multiple collections can be difficult, especially if some users or groups need permissions other than those that apply for the whole web application.

Permission policies provide a centralized way to configure and manage a set of permissions that applies to only a subset of users or groups in a web application.

The differences between specifying user permissions for a web application and creating a permission policy for a web application are the users and groups to which the permissions apply and the scope at which the permissions apply. There is also a difference in the permissions lists where individual permissions are selected.

  • Permissions for a web application are comprehensive settings that apply to all users and groups for all site collections in a web application. The permissions list contains only one column, and all permissions are enabled by default. You must disable specific permissions individually.

  • A permission policy level for a web application contains permissions that enable a subset of users or groups to work with site collections in a specific way. For example, you might want to create a permission policy level for users of a site collection who will be able to add, edit, or delete items from a list, open a list, and view items, lists, and pages. However, you might want to prevent the same users from creating or deleting lists, which would require the Manage Lists permission.

    The permissions list contains a Grant All column and a Deny All column. You can either grant or deny all permissions as part of a permission policy level. You can also grant or deny individual permissions. By default, no permissions are enabled. If a single permission is neither granted nor denied, it can be set at the discretion of the site collection administrator or site administrator.

Warning:
A permission policy differs from an information management policy. A permission policy enables centralized management of permissions for a web application. Information management policies enable you to control who can access information, what they can do with the information, and how long the information should be retained. A permission policy is also different from Group Policy, which provides an infrastructure for centralized configuration management of Windows-based computers and applications that run on them.

In this article:

  1. Manage a user permission policy

  2. Manage permission policy for anonymous users

  3. Add or delete a permission policy level

You can add users to a permission policy, edit the policy settings, and delete users from a permission policy. The following settings can be specified or changed:

  • Zone: If a website has multiple zones, you can choose the zone that you want the permission policy to apply to. The default is all zones, which can be specified for Windows users only.

  • Permissions: You can specify Full Control, Full Read, Deny Write, and Deny All permissions, or you can specify a custom permission level.

  • System: This setting enables SharePoint to display SHAREPOINT\System for system-related activity regardless of the Windows user accounts that have been configured for the hosting application pool and the SharePoint farm service account. You might want to specify this setting to prevent unnecessary information disclosure to end-users and potential malicious users who would be interested in knowing more about the SharePoint deployment in the enterprise.

Note:
Because SharePoint 2013 runs as websites in Internet Information Services (IIS), administrators and users depend on the accessibility features that browsers provide. SharePoint 2013 supports the accessibility features of supported browsers. For more information, see the following resources:

You might want to add users to a permission policy to ensure that all users are accessing content with the same set of permissions.

To add users to a permission policy
  1. Verify that you have the following administrative credentials:

    • You must be a member of the Farm Administrators group on the computer that is running the SharePoint Central Administration website.

  2. Start SharePoint 2013 Central Administration.

    • For Windows Server 2008 R2:

      • Click Start, click Microsoft SharePoint 2013 Products, and then click SharePoint 2013 Central Administration.

    • For Windows Server 2012:

      • On the Start screen, click SharePoint 2013 Central Administration.

        If SharePoint 2013 Central Administration is not on the Start screen:

      • Right-click Computer, click All apps, and then click SharePoint 2013 Central Administration.

    For more information about how to interact with Windows Server 2012, see Common Management Tasks and Navigation in Windows Server 2012.

  3. On the SharePoint Central Administration website, in the Application Management section, click Manage web applications.

  4. Click to highlight the web application whose permission policy you want to manage.

  5. In the Policy group of the ribbon, click User Policy.

  6. In the Policy for Web Application dialog box, select the check box next to the user or group that you want to manage, and then click Add Users.

  7. In the Add Users dialog box, in the Zone list, click the zone to which you want the permission policy to apply and then click Next.

  8. In the Add Users dialog box, in the Choose Users section, type the user names, group names, or e-mail addresses that you want to add to the permission policy.

  9. In the Choose Permissions section, select the permissions that you want the users to have.

  10. In the Choose System Settings section, select Account operates as System if you want the user account to be displayed as SHAREPOINT\System instead of the actual accounts that perform specific tasks within the SharePoint environment.

  11. Click Finish.

You can edit a user permission policy to configure the permission level or to specify whether a user account should be displayed as SHAREPOINT\System instead of the actual accounts that perform specific tasks within the SharePoint environment.

To edit a user permissions policy
  1. Verify that you have the following administrative credentials:

    • You must be a member of the Farm Administrators group on the computer that is running the SharePoint Central Administration website.

  2. Start SharePoint 2013 Central Administration.

    • For Windows Server 2008 R2:

      • Click Start, click Microsoft SharePoint 2013 Products, and then click SharePoint 2013 Central Administration.

    • For Windows Server 2012:

      • On the Start screen, click SharePoint 2013 Central Administration.

        If SharePoint 2013 Central Administration is not on the Start screen:

      • Right-click Computer, click All apps, and then click SharePoint 2013 Central Administration.

    For more information about how to interact with Windows Server 2012, see Common Management Tasks and Navigation in Windows Server 2012.

  3. On the SharePoint Central Administration website, in the Application Management section, click Manage web applications.

  4. Click to highlight the web application whose permission policy you want to edit.

  5. In the Policy group of the ribbon, click User Policy.

  6. In the Policy for Web Application dialog box, select the check box next to the user or group that you want to manage, and then click Edit Permissions of Selected Users.

  7. On the Edit Users page, in the Permission Policy Levels section, select the permissions that you want the users to have.

  8. In the Choose System Settings section, click Account operates as System to specify whether a user account should be displayed as SHAREPOINT\System instead of the actual accounts that perform specific tasks within the SharePoint environment.

  9. Click Save.

You might want to delete users from a permission policy when they are no longer members of the groups for which the policy applies. For example, when an employee leaves the company, that person's user account should be removed from all permission policies.

To delete users from a permission policy
  1. Verify that you have the following administrative credentials:

    • You must be a member of the Farm Administrators group on the computer that is running the SharePoint Central Administration website.

  2. Start SharePoint 2013 Central Administration.

    • For Windows Server 2008 R2:

      • Click Start, click Microsoft SharePoint 2013 Products, and then click SharePoint 2013 Central Administration.

    • For Windows Server 2012:

      • On the Start screen, click SharePoint 2013 Central Administration.

        If SharePoint 2013 Central Administration is not on the Start screen:

      • Right-click Computer, click All apps, and then click SharePoint 2013 Central Administration.

    For more information about how to interact with Windows Server 2012, see Common Management Tasks and Navigation in Windows Server 2012.

  3. On the SharePoint Central Administration website, in the Application Management section, click Manage web applications.

  4. Click to highlight the web application whose permission policy you want to manage.

  5. In the Policy group of the ribbon, click User Policy.

  6. In the Policy for Web Application dialog box, select the check box next to the user or group that you want to manage, click Delete Selected Users, and then click OK.
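To find the entries that the add, edit, and delete procedures above act on, the user policies can be listed for review. This is an added example, not part of the original Microsoft article; it assumes the SharePoint 2013 Management Shell run by a farm administrator, and the function name is hypothetical. It only reads configuration and changes nothing.

```powershell
# Added example: read-only report of web application user policies.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-WebAppUserPolicyReport {
    foreach ($wa in Get-SPWebApplication) {
        # Policies holds the entries added for all zones;
        # ZonePolicies() returns the entries added for one zone.
        $scopes = @(@{ Zone = 'All zones'; Policies = $wa.Policies })
        foreach ($zone in $wa.IisSettings.Keys) {
            $scopes += @{ Zone = [string]$zone; Policies = $wa.ZonePolicies($zone) }
        }

        foreach ($scope in $scopes) {
            foreach ($policy in $scope.Policies) {
                # Each binding is a permission policy level (SPPolicyRole).
                $roles = @($policy.PolicyRoleBindings)
                [pscustomobject]@{
                    WebApplication      = $wa.Url
                    Zone                = $scope.Zone
                    UserName            = $policy.UserName
                    DisplayName         = $policy.DisplayName
                    Levels              = ($roles | ForEach-Object { $_.Name }) -join '; '
                    LevelTypes          = ($roles | ForEach-Object { $_.Type }) -join '; '
                    OperatesAsSystem    = $policy.IsSystemUser
                    SiteCollectionAdmin = [bool]($roles | Where-Object { $_.IsSiteAdmin })
                }
            }
        }
    }
}

# One row per user or group, per zone, per web application.
Get-WebAppUserPolicyReport |
    Sort-Object WebApplication, Zone, UserName |
    Format-Table -AutoSize
```

Compare the UserName column against the current directory membership to find accounts that should have been deleted from a policy, and check every row where OperatesAsSystem or SiteCollectionAdmin is True.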

You can enable or disable anonymous access for a web application. If you enable anonymous access for a web application, site administrators can then grant or deny anonymous access at the site collection, site, or item level. If anonymous access is disabled for a web application, no sites within that web application can be accessed by anonymous users.

The following permission policies can be specified for anonymous users:

  • None: No policy is specified. This setting gives anonymous users the same default permissions available to NT AUTHORITY\Authenticated Users and All Authenticated Users.

  • Deny Write: This setting enables anonymous users to read all content within the site collections in a web application. You can then restrict the Read access by site collection, site, or item.

  • Deny All: Anonymous users have no access to any part of the web application.

To manage permission policy for anonymous users
  1. Verify that you have the following administrative credentials:

    • You must be a member of the Farm Administrators group on the computer that is running the SharePoint Central Administration website.

  2. Start SharePoint 2013 Central Administration.

    • For Windows Server 2008 R2:

      • Click Start, click Microsoft SharePoint 2013 Products, and then click SharePoint 2013 Central Administration.

    • For Windows Server 2012:

      • On the Start screen, click SharePoint 2013 Central Administration.

        If SharePoint 2013 Central Administration is not on the Start screen:

      • Right-click Computer, click All apps, and then click SharePoint 2013 Central Administration.

    For more information about how to interact with Windows Server 2012, see Common Management Tasks and Navigation in Windows Server 2012.

  3. On the SharePoint Central Administration website, in the Application Management section, click Manage web applications.

  4. Click to highlight the web application whose permission policy you want to manage.

  5. In the Policy group of the ribbon, click Anonymous Policy.

  6. In the Anonymous Access Restrictions dialog box, in the Zone list, click the zone for which you want the policy to apply.

  7. In the Permissions section, select the permission policy that you want anonymous users to have, and then click Save.
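The anonymous settings described above can be checked across every zone at once. This is an added example, not part of the original Microsoft article; it assumes the SharePoint 2013 Management Shell run by a farm administrator, and the function name and the NeedsReview criterion are this example's own. It only reads configuration.

```powershell
# Added example: read-only report of anonymous access and anonymous policy per zone.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-WebAppAnonymousReport {
    foreach ($wa in Get-SPWebApplication) {
        # Anonymous policy set for all zones of this web application.
        $allZones = [string]$wa.Policies.AnonymousPolicy

        foreach ($zone in $wa.IisSettings.Keys) {
            # Whether anonymous access is enabled for this zone.
            $enabled = [bool]$wa.IisSettings[$zone].AllowAnonymous
            # Anonymous policy set for this zone: None, DenyWrite or DenyAll.
            $zonePolicy = [string]$wa.ZonePolicies($zone).AnonymousPolicy

            [pscustomobject]@{
                WebApplication   = $wa.Url
                Zone             = [string]$zone
                AnonymousEnabled = $enabled
                ZonePolicy       = $zonePolicy
                AllZonesPolicy   = $allZones
                # Example criterion: anonymous access is on and no policy restricts it.
                NeedsReview      = ($enabled -and
                                    ($zonePolicy -eq 'None') -and
                                    ($allZones -eq 'None'))
            }
        }
    }
}

Get-WebAppAnonymousReport |
    Sort-Object WebApplication, Zone |
    Format-Table -AutoSize
```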

Permission policy levels contain permissions that apply to specific users or groups. You can specify a combination of List, Site, or Personal permissions. You can also specify one of the following levels of site collection permissions:

  • Site Collection Administrator: Has Full Control permission on the whole site collection and can perform any action on any object.

  • Site Collection Auditor: Has Full Read permission on the whole site collection and associated data, such as permissions and configuration information.

If you specify either or both permission levels, you cannot specify individual permissions.

You can create a permission policy level to customize a set of permissions for a specific user or group.

To add a permission policy level
  1. Verify that you have the following administrative credentials:

    • You must be a member of the Farm Administrators group on the computer that is running the SharePoint Central Administration website.

  2. Start SharePoint 2013 Central Administration.

    • For Windows Server 2008 R2:

      • Click Start, click Microsoft SharePoint 2013 Products, and then click SharePoint 2013 Central Administration.

    • For Windows Server 2012:

      • On the Start screen, click SharePoint 2013 Central Administration.

        If SharePoint 2013 Central Administration is not on the Start screen:

      • Right-click Computer, click All apps, and then click SharePoint 2013 Central Administration.

    For more information about how to interact with Windows Server 2012, see Common Management Tasks and Navigation in Windows Server 2012.

  3. On the SharePoint Central Administration website, in the Application Management section, click Manage web applications.

  4. Click to highlight the line for the web application whose permission policy you want to manage.

  5. In the Policy group of the ribbon, click Permission Policy.

  6. In the Manage Permission Policy Levels dialog box, click Add Permission Policy Level.

  7. In the Add Permission Policy Level dialog box, in the Name and Description section, type the name and description for the policy that you want to create.

  8. In the Site Collection Permissions section, select the site collection permissions for this policy.

  9. In the Permissions section, select the permissions to grant or deny for this permission level.

    • Select the Grant All check box to include all available permissions in this policy.

    • Select the Deny All check box to deny all available permissions in this policy.

    • Select either the Grant or Deny check boxes to include or exclude individual List, Site, and Personal permissions from this policy.

      Do not click either Grant or Deny if you want to enable site collection or site owners to configure this permission.

  10. Click Save.

You can edit a permission policy level to add or remove individual permissions, depending on the needs of the user or group that is using the permission policy level.

To edit a permission policy level
  1. Verify that you have the following administrative credentials:

    • You must be a member of the Farm Administrators group on the computer that is running the SharePoint Central Administration website.

  2. Start SharePoint 2013 Central Administration.

    • For Windows Server 2008 R2:

      • Click Start, click Microsoft SharePoint 2013 Products, and then click SharePoint 2013 Central Administration.

    • For Windows Server 2012:

      • On the Start screen, click SharePoint 2013 Central Administration.

        If SharePoint 2013 Central Administration is not on the Start screen:

      • Right-click Computer, click All apps, and then click SharePoint 2013 Central Administration.

    For more information about how to interact with Windows Server 2012, see Common Management Tasks and Navigation in Windows Server 2012.

  3. On the SharePoint Central Administration website, in the Application Management section, click Manage web applications.

  4. Click to highlight the web application whose permission policy you want to manage.

  5. In the Policy group of the ribbon, click Permission Policy.

  6. In the Manage Permission Policy Levels dialog box, click the link for the permission policy level that you want to edit.

  7. On the Edit Permission Policy Level page, edit the settings, and then click Save.

You might want to delete a permission policy level if the users or groups for which you created it are no longer required to use it. It is a good practice to review all existing permission policy levels to ensure that they are still required.

To delete a permission policy level
  1. Verify that you have the following administrative credentials:

    • You must be a member of the Farm Administrators group on the computer that is running the SharePoint Central Administration website.

  2. Start SharePoint 2013 Central Administration.

    • For Windows Server 2008 R2:

      • Click Start, click Microsoft SharePoint 2013 Products, and then click SharePoint 2013 Central Administration.

    • For Windows Server 2012:

      • On the Start screen, click SharePoint 2013 Central Administration.

        If SharePoint 2013 Central Administration is not on the Start screen:

      • Right-click Computer, click All apps, and then click SharePoint 2013 Central Administration.

    For more information about how to interact with Windows Server 2012, see Common Management Tasks and Navigation in Windows Server 2012.

  3. On the SharePoint Central Administration website, in the Application Management section, click Manage web applications.

  4. Click to highlight the web application whose permission policy you want to manage.

  5. In the Policy group of the ribbon, click Permission Policy.

  6. In the Manage Permission Policy Levels dialog box, select the check box of a permission policy level, click Delete Selected Permission Policy Levels, and then click OK.

© 2014 Microsoft