Determine permission levels and groups to use (Windows SharePoint Services)
Updated: April 16, 2009
Applies To: Windows SharePoint Services 3.0
The most important decision about your site and content security in Windows SharePoint Services 3.0 is to decide how to categorize your users and what permission levels to assign.
There are several default SharePoint groups that are intended to help you categorize your users based on the types of actions they need to perform, but you might have unique requirements or other ways of looking at sets of users. Likewise, there are default permission levels, but they might not always align exactly with the tasks that your groups need to perform.
In this article, you review the default groups and permission levels and decide whether to use them as they are, customize them, or create different groups and permission levels.
Review available default groups
With SharePoint groups, you manage sets of users rather than individual users. SharePoint groups can be composed of many individual users, can hold a single Windows security group, or can be some combination of the two. SharePoint groups confer no specific rights to the site; they are merely a means to contain a set of users. Depending on the size and complexity of your organization or Web site, you can organize your users into several groups, or just a few.
The default SharePoint groups that are created for sites in Windows SharePoint Services 3.0 are listed in the following table.
| Group name | Default permission level |
| <Site name> Visitors | Read |
| <Site name> Members | Contribute |
| <Site name> Owners | Full Control |
In addition, the following special users and groups are available for higher-level administration tasks:
Site collection administrators: You can designate one or more users as primary and secondary site collection administrators. These users are recorded in the database as the contacts for the site collection, have full control of all sites within the site collection, can audit all site content, and receive any administrative alerts (such as verifying whether the site is still in use). Generally, you designate site collection administrators when you create the site, but you can change them as needed by using the Central Administration site or Site Settings pages.
Farm administrators: Members of the Farm Administrators group can manage server and server farm settings. The Farm Administrators group replaces the need for adding users to the Administrators group for the server, or to the SharePoint Administrators group that was used in Windows SharePoint Services version 2.0. Farm administrators have no access to site content by default; they must take ownership of the site to view any content. They do this by adding themselves as site collection administrators, and that action is recorded in the audit logs. The Farm Administrators group is used in Central Administration only, and is not available for any sites.
Administrators: Members of the Administrators group on the local server can perform all farm administrator actions and more, including:
Installing new products or applications.
Deploying Web Parts and new features to the global assembly cache.
Creating new Web applications and new IIS Web sites.
Like the Farm Administrators group, members of the Administrators group on the local server have no access to site content, by default.
After you identify the groups you need, determine the permission levels to assign to each group on your site.
Use the Custom permission levels and groups worksheet (http://go.microsoft.com/fwlink/?LinkId=73133&clcid=0x409) to record any groups you need to create.
Review available permission levels
The ability to view, change, or manage a particular site is determined by the permission level that you assign to a user or group. This permission level controls all permissions for the site and for any subsites, lists, document libraries, folders, and items or documents that inherit the site's permissions. Without the appropriate permission levels, your users might not be able to perform their tasks, or they might be able to perform tasks that you did not intend them to perform.
By default, the following permission levels are available:
Limited Access: Includes permissions that allow users to view specific lists, document libraries, list items, folders, or documents when given permissions.
Read: Includes permissions that allow users to view items on the site pages.
Contribute: Includes permissions that allow users to add or change items on the site pages or in lists and document libraries.
Design: Includes permissions that allow users to change the layout of site pages by using the browser or Microsoft Office SharePoint Designer 2007.
Full Control: Includes all permissions.
For more information about permissions that are included in the default permission levels, see User permissions and permission levels.
Determine whether you need additional permission levels or groups
The default groups and permission levels are designed to provide a general framework for permissions, covering a wide range of organization types and roles within those organizations. However, they might not map exactly to how your users are organized or to the variety of tasks that your users perform on your sites. If the default groups and permission levels do not suit your organization, you can create custom groups, change the permissions included in specific permission levels, or create custom permission levels.
Do you need custom groups?
The decision to create custom groups is fairly straightforward and has little impact on your site's security. Essentially, you should create custom groups instead of using the default groups if any of the following applies:
You have more (or fewer) user roles within your organization than are apparent in the default groups. For example, if in addition to Designers, you have a set of people who are tasked with publishing content to the site, you might want to create a Publishers group.
There are well-known names for unique roles within your organization that perform very different tasks in the sites. For example, if you are creating a public site to sell your organization's products, you might want to create a Customers group that replaces Visitors or Viewers.
You want to preserve a one-to-one relationship between Windows security groups and the SharePoint groups (for example, your organization has a security group for Web Site Managers, and you want to use that name as a group name for easy identification when managing the site).
You prefer other group names.
Do you need custom permission levels?
The decision to customize permission levels is less straightforward than the decision to customize SharePoint groups. If you customize the permissions assigned to a particular permission level, you must keep track of that change, verify that it works for all groups and sites affected by that change, and ensure that the change does not negatively affect your security or your server capacity or performance.
For example, regarding security, if you customize the Contribute permission level to include the Create Subsites permission that is typically part of the Full Control permission level, Contributors can create and own subsites, potentially inviting malicious users to their subsites or posting unapproved content. Or, regarding capacity, if you change the Read permission level to include the Create Alerts permission that is typically part of the Contribute permission level, all members of the Visitors group can create alerts, which might overload your servers.
You should customize the default permission levels if either of the following applies:
A default permission level includes all permissions except one that your users need to do their jobs, and you want to add that permission.
A default permission level includes a permission that your users do not need.
You should not customize the default permission levels if your organization has security or other concerns about a particular permission and wants to make that permission unavailable for all users assigned to the permission level or levels that include that permission. In this case, you should turn off this permission for all Web applications in your server farm, rather than change all of the permission levels. To manage permissions for a Web application, in Central Administration, on the Application Management page, in the Application Security section, click User permissions for Web application.
If you need to make several changes to a particular permission level, it is better to create a custom permission level that includes all of the permissions you need.
You might want to create additional permission levels if any of the following applies:
You want to exclude several permissions from a particular permission level.
You want to define a unique set of permissions for a new permission level.
To create a permission level, you can copy an existing permission level and then make changes, or you can create a permission level and then select the permissions that you want to include.
Some permissions are dependent on other permissions. If you clear a permission that another permission depends on, the other permission is also cleared.
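The three options described above (creating a custom group such as Publishers, turning a permission off for a whole Web application rather than editing every permission level, and copying an existing permission level before changing it) can all be carried out with the Windows SharePoint Services 3.0 server object model. The following is an added example written for this article, not code from the article or from Microsoft; it assumes Microsoft.SharePoint.dll is referenced and that it runs on a farm server under an account with rights to the Web application. The site URL, the group name "Publishers", the level name "Contribute (no alerts)" and the descriptions are placeholders.

```csharp
// Added example (not from the article): Windows SharePoint Services 3.0
// server object model. Site URL, group name and level name are placeholders.
using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration;

class PermissionPlanning
{
    const string LevelName = "Contribute (no alerts)";
    const string GroupName = "Publishers";

    // Web-application option from the article: make Create Alerts unavailable to
    // every permission level in the Web application instead of editing each level.
    static void DisableCreateAlertsForWebApp(string siteUrl)
    {
        using (SPSite site = new SPSite(siteUrl))
        {
            SPWebApplication webApp = site.WebApplication;
            webApp.RightsMask &= ~SPBasePermissions.CreateAlerts;
            webApp.Update();
        }
    }

    // Site option from the article: copy the default Contribute level, remove one
    // permission from the copy, and bind the copy to a new custom group.
    static void CreateCustomLevelAndGroup(string siteUrl)
    {
        using (SPSite site = new SPSite(siteUrl))
        using (SPWeb web = site.RootWeb)
        {
            // Role definitions can only be added to a web that does not inherit
            // them; the root web of a site collection never inherits them.
            SPRoleDefinition contribute = web.RoleDefinitions["Contribute"];
            SPRoleDefinition custom = new SPRoleDefinition(contribute);
            custom.Name = LevelName;
            custom.Description = "Contribute without the ability to create alerts";
            custom.BasePermissions &= ~SPBasePermissions.CreateAlerts;

            // Sanity check: the copied level still carries the base permissions
            // that viewing and editing content rely on.
            SPBasePermissions required = SPBasePermissions.Open
                | SPBasePermissions.ViewPages
                | SPBasePermissions.ViewListItems;
            if ((custom.BasePermissions & required) != required)
                throw new InvalidOperationException(
                    "Custom level lost a base permission that other permissions depend on.");

            web.RoleDefinitions.Add(custom);

            // Create the custom group, owned by the site collection's primary owner.
            web.SiteGroups.Add(GroupName, web.Site.Owner, web.Site.Owner,
                "Staff who publish content to the site");
            SPGroup publishers = web.SiteGroups[GroupName];

            // Assign the new permission level to the new group on this site.
            SPRoleAssignment assignment = new SPRoleAssignment(publishers);
            assignment.RoleDefinitionBindings.Add(web.RoleDefinitions[LevelName]);
            web.RoleAssignments.Add(assignment);
        }
    }

    // Review step: list every group or user with a direct assignment on the site
    // together with the permission levels bound to it.
    static void ReviewAssignments(string siteUrl)
    {
        using (SPSite site = new SPSite(siteUrl))
        using (SPWeb web = site.RootWeb)
        {
            foreach (SPRoleAssignment ra in web.RoleAssignments)
            {
                foreach (SPRoleDefinition def in ra.RoleDefinitionBindings)
                    Console.WriteLine("{0}: {1}", ra.Member.Name, def.Name);
            }
        }
    }

    static void Main(string[] args)
    {
        // Placeholder site URL; pass a real one as the first argument.
        string siteUrl = args.Length > 0 ? args[0] : "http://server/sites/team";
        CreateCustomLevelAndGroup(siteUrl);
        ReviewAssignments(siteUrl);
    }
}
```

The copy-then-change approach keeps the default Contribute level intact for the groups that already use it, so the change only has to be tracked and verified for the one new level and the one group bound to it. DisableCreateAlertsForWebApp is the alternative for the case the article describes where a permission should be unavailable to everyone: trimming the Web application's rights mask removes the permission from every level at once, which is the same effect as the User permissions for Web application page in Central Administration.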
Use the Custom permission levels and groups worksheet (http://go.microsoft.com/fwlink/?LinkId=73133&clcid=0x409) to record any permission levels you want to customize or create.
Use the following worksheet to determine permission levels and groups to use:
Custom permission levels and groups worksheet (http://go.microsoft.com/fwlink/?LinkId=73133&clcid=0x409)