Determine permission levels and groups (SharePoint Foundation 2010)

 

Applies to: SharePoint Foundation 2010

A SharePoint group is a set of users that can be managed together. A permission level is a set of permissions that can be assigned to a specific group for a specific securable object. SharePoint groups and permission levels are defined at the site collection level and are inherited from the parent object by default. This article describes default groups and permission levels and helps you decide whether to use them as they are, customize them, or create different groups and permission levels.

In this article:

  • Review available default groups

  • Review available permission levels

  • Determine whether you need custom permission levels or groups

  • Worksheet

The most important decision about your site and content security in Microsoft SharePoint Foundation 2010 is how to group your users and which permission levels to assign.

Review available default groups

SharePoint groups enable you to manage sets of users instead of individual users. These groups can contain many individual users, or they can include the contents of any corporate identity system, including Active Directory Domain Services (AD DS), LDAPv3-based directories, application-specific databases and new user-centric identity models, such as Windows Live ID. SharePoint groups do not confer specific rights to the site; they are a way to designate a set of users. You can organize your users into any number of groups, depending on the size and complexity of your organization or Web site. SharePoint groups cannot be nested.

The following table displays default groups that are created by using team site templates in SharePoint Foundation 2010. Each default group is assigned a default permission level.

Group name Default permission level Description

Visitors

Read

Use this group to grant people Read permissions to the SharePoint site.

Members

Contribute

Use this group to grant people Contribute permissions to the SharePoint site.

Owners

Full Control

Use this group to grant people Full Control permissions to the SharePoint site.

Make most users members of the Visitors or Members groups. By default, users in the Members group can contribute to the site by adding or removing items or documents, but cannot change the structure, site settings, or appearance of the site. The Visitors group has read-only access to the site, which means that they can see pages and items, and open items and documents, but cannot add or remove pages, items, or documents.

If the default groups do not map to the exact user groups in your organization, you can create custom groups. For more information about how to determine whether you need additional groups, see Determine whether you need additional permission levels or groups.

Besides the above SharePoint groups, there are also administrator groups for higher-level administration tasks. They are Windows administrators, SharePoint farm administrators, and site collection administrators.

For more information, see Choose administrators and owners for the administration hierarchy (SharePoint Foundation 2010).

Review available permission levels

The ability to view, change, or manage a site is determined by the permission level that you assign to a user or group. This permission level controls all permissions for the site and the child objects that inherit the site’s permissions. Without the appropriate permission levels, your users might be unable to perform their tasks, or they might be able to perform tasks that you did not want them to perform.

By default, the following permission levels are available:

  • **Limited Access   **Includes permissions that enable users to view specific lists, document libraries, list items, folders, or documents, without giving users access to all the elements of a site. You cannot edit this permission level directly.

    Note

    If this permission level is removed, group members might be unable to navigate the site to access items, even if they have the correct permissions for an item within the site.

  • **Read   **Includes permissions that enable users to view items on the site pages.

  • **Contribute   **Includes permissions that enable users to add or change items on the site pages or in lists and document libraries.

  • **Design   **Includes permissions that enable users to change the layout of site pages by using the browser or Microsoft SharePoint Designer 2010.

  • **Full Control   **Includes all permissions.

For more information about permissions that are included in the default permission levels, see User permissions and permission levels (SharePoint Foundation 2010).

Determine whether you need custom permission levels or groups

The default groups and permission levels provide a general framework for permissions, covering many different organization types and roles within those organizations. However, they might not map exactly to how your users are organized or to the many different tasks that your users perform on your sites. If the default groups and permission levels do not suit your organization, you can create custom groups, change the permissions included in specific permission levels, or create custom permission levels.

Do you need custom groups?

The decision to create custom groups is fairly straightforward and has little effect on your site's security. You should create custom groups instead of using the default groups if either of the following situations applies:

  • You have more (or fewer) user roles within your organization than are apparent in the default groups. For example, if in addition to Designers, you have a set of people who are tasked with publishing content to the site, you might want to create a Publishers group.

  • There are well-known names for unique roles within your organization that perform very different tasks in the sites. For example, if you are creating a public site to sell your organization's products, you might want to create a Customers group that replaces Visitors or Viewers.

  • You want to preserve a one-to-one relationship between Windows security groups and the SharePoint groups. For example, if your organization has a security group called Web Site Managers, you might want to use that name as a group name for easy identification when managing the site.

  • You prefer other group names.

Do you need custom permission levels?

The decision to customize permission levels is less straightforward than the decision to customize SharePoint groups. If you customize the permissions assigned to a permission level, you must keep track of that change, verify that it works for all groups and sites affected by the change, and ensure that the change does not negatively affect your security or your server capacity or performance.

For example, if you customize the Contribute permission level to include the Create Subsites permission that is typically part of the Full Control permission level, Contributors can create and own subsites, and can potentially invite malicious users to their subsites or post unapproved content. If you change the Read permission level to include the Create Alerts permission that is typically part of the Contribute permission level, all members of the Visitors group can create alerts, which might cause performance issues.

You should customize the default permission levels if either of the following situations applies:

  • A default permission level includes all permissions except one that your users need to do their jobs, and you want to add that permission.

  • A default permission level includes a permission that your users do not need.

    Note

    Do not customize the default permission levels if your organization has security or other concerns about a specific permission that is part of the permission level. If you want to make that permission unavailable for all users assigned to the permission level or levels that include that permission, turn off the permission for all Web applications in your server farm, rather than change all of the permission levels. To manage permissions for a Web application, see Manage permissions for a Web application (SharePoint Foundation 2010).

If you need to make several changes to a permission level, create a custom permission level that includes all of the permissions you need.

You might want to create additional permission levels if either of the following conditions applies:

  • You want to exclude several permissions from a specific permission level.

  • You want to define a unique set of permissions for a new permission level.

To create a permission level, you can create a permission level and then select the permissions that you want to include.

For more information about how to configure custom permissions, see Configure custom permissions (SharePoint Foundation 2010).

Note

Some permissions depend on other permissions. If you clear a permission that another permission depends on, the other permission is also cleared.

Worksheet

Use the following worksheet to determine permission levels and groups to use: