Controlling User Rights and Assigning Tasks

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

As a server administrator, you have control over which actions users can perform for sites on your server, such as adding users to a Web site. You control their actions by controlling their rights. With Microsoft , you control rights in the following ways:

  • Limit the rights available for any site group on the virtual server.

    You use a rights mask to specify which rights can be included in site groups.

  • Allow anonymous access.

    You can determine whether anonymous users can use a particular Web site.

  • Assign rights to customized site groups, and include users in those site groups.

    You can include a specific right, such as Manage Lists , in a custom site group for users.

  • Allow users to request access.

    You can determine whether users can request access to a site, list, or document library.

Limiting Available Rights

As an administrator, if you want to allow or limit certain actions your users perform, you can disable or enable the associated right on the virtual server. For example, if you do not want users to be able to add pages to a Web site, you can disable the Add and Customize Pages right. When you disable a right on a virtual server, it cannot be assigned to any site group and, as a result, cannot be granted to any user of a site on the virtual server. Note that if a user already has a right, and you disable that right, the right is also disabled for that user.

Use the Manage User Rights for Virtual Server page in the Virtual Server Settings pages to specify which rights are available for site groups per virtual server.

Limit the rights for a virtual server

  1. On your server computer, click Start , point to All Programs , point to Administrative Tools , and then click SharePoint Central Adminsitration .

  2. On the SharePoint Central Administration page, under Virtual Server Configuration , click Configure virtual server settings .

  3. On the Virtual Server List page, select the virtual server you want to affect.

  4. Under Security Settings , click Manage user rights for virtual server .

  5. Select the check boxes next to the rights you want to enable, and clear the check boxes next to those rights you want to disable.

    You can select all rights by selecting the Select All check box. You can clear all rights by clearing the Select All check box.

  6. Click OK .

Allowing Anonymous Access

You can control anonymous access at the virtual server level and at the Web site level. At the virtual server level, you can enable or disable anonymous access in IIS. For more information about configuring anonymous access in Internet Information Services (IIS), see Configuring Authentication .

If you have enabled anonymous access for a virtual server, you can configure anonymous access for each Web site on that virtual server. To do so, you use the Site Administration page for the Web site.

Change anonymous access for a Web site

  1. On your site, click Site Settings .

  2. Under Administration , click Go to Site Administration .

  3. Under Users and Permissions , click Manage anonymous access .

  4. To enable or disable anonymous access to the site, in the Anonymous Access section, under Anonymous users can access , select one of the following:

    • Entire Web site

    • Lists and libraries

    • Nothing

  5. Click OK .

Assigning Administration Tasks

If you manage multiple Web sites or virtual servers, you may find that performing tasks such as adding users, managing subsites, or managing check-in and check-out for each virtual server or Web site can become burdensome especially if you manage more than five Web sites. With , you can use site groups and rights to assign such administrative tasks to trusted users and keep server-level administrator tasks (such as extending a new virtual server or setting defaults) to yourself.

By default, a user who is a member of the Administrator site group can:

  • Manage the Web site

  • Create subsites.

  • Manage list permissions.

  • Manage site groups.

  • View usage data.

By default, a user who is a member of the Web Designer site group can:

  • Add and customize pages.

  • Manage lists.

  • Theme a site, add borders, and link style sheets.

  • Cancel check-outs.

If you want a user, such as a Contributor, to be able to perform a single Administrator or Web Designer task, you can either assign them to the Administrator or Web Designer site group, or assign them to another site group that has the user right needed to perform the task.

Although the simplest way to delegate Administrator or Web Designer rights is to make a user a member of the Administrator or Web Designer site group, this potentially allows the user more access than you intended. If you want to delegate only a few tasks or limit tasks, assign only the necessary user rights. To do this, create a custom site group with the necessary rights, or edit an existing site group to contain those rights.

For example, if you want a user to be able to approve items before they are added to lists, create a Moderator site group, add the Manage Lists right to that site group, and then assign the user to the site group.

Note: Users can be members of more than one site group, so you do not need to remove their old site group membership before adding them to a new one. Neither do you have to replicate all of their existing rights in the new site group. So, Joe User can be a member of both the Contributor and Moderator site groups at the same time.

The following table lists some tasks you may want to delegate, as well as the user rights required to perform those tasks.

Task to delegate

User right required

Adding users to the site

Manage Site Groups

Changing user site groups

Manage Site Groups

Adding, editing, or removing lists

Manage Lists

Approving items to be added to a list

Manage Lists

Creating, deleting, or merging subsites

Create Subsites

Adding ASP, ASPx, or HTML pages to a site

Add and Customize Pages

Break a document check-out or force a check-in

Cancel Check-Out

Allowing Users to Request Access

You determine whether users can request access to a site collection, list, or document library by configuring settings for that site collection, list, or document library. If the request access feature is enabled, when users attempt to perform an action (such as create a page or add an item to a list) for which they do not have permission, they see a page that allows them to request access to the site. When they fill in the request form and click Send Request , their request is sent as an e-mail message to the e-mail address you specified when you configured the feature. The recipient of the e-mail message can then use the links in the e-mail message to grant access to that user or change the request access settings.

If you have configured an SMTP server in SharePoint Central Administration, by default the request access feature is enabled for site collections and the reply-to address is set to the e-mail address of the user who entered the SMTP server name. If you want to use a different e-mail address, you can specify a different individual or group e-mail account to receive access requests. Note that request for access is configurable only for subsites with unique permissions. Subsites with inherited permissions also inherit the request access settings from the parent site and the Manage Access Requests link is not displayed on the Site Administration page for those sites.

Important: You must be a site collection administrator to change request access settings for a site collection.

If you are a site collection administrator, you can allow users to request access to the sites in your site collection from the Top-level Site Administration page.

Configure access requests for a site collection

  1. On the Top-level Site Administration page for your site collection, under Users and Permissions , click Manage access requests .

  2. Select the Allow requests for access check box to enable access requests, or clear the check box to disable requests.

  3. If you enabled requests, in the Send all requests for access to the following e-mail address box, type the e-mail address to use for requests.

    You can specify an individual or group e-mail address, but be sure that the address is monitored, and that the individual or members of the group are site collection administrators.

  4. Click OK .

You can allow users to request access to a particular list or document library by changing settings for that list. If access request is enabled for a site collection, by default it is enabled for all lists in that site collection. If access request is disabled for the site collection, you cannot enable it for a specific list. You cannot configure a separate e-mail address to use for access requests at the list level requests are automatically sent to the e-mail address specified on the Manage Request Access page for the site collection.

Important: You must be a member of the Web Designer or Administrator site groups for a site to change request access settings for a list.

Configure access requests for a list or document library

  1. Browse to the list, and then in the Actions list, click Modify settings and columns .

  2. Under General Settings , click Change permissions for this list/document library .

  3. On the Change Permissions: List_Name page, on the Actions list, click Manage request access .

  4. Select or clear the Allow requests for access check box to enable or disable requests.

  5. Click OK .

Related Topics

For information about creating, editing, and deleting site groups, see "Managing Site Groups and Permissions" in the Windows SharePoint Services Administrator's Guide.

For the complete list of rights available in , see User Rights and Site Groups .