Managing Web Site Permissions

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Each Web site and each Web server has different security requirements. An administrator with a single Web site for five users on an intranet, for example, will not need to worry as much about creating a secure Web site as an administrator at an Internet Service Provider (ISP) running several Web servers with hundreds of Web sites and thousands of users. Microsoft's SharePoint™ Team Services and Microsoft® FrontPage 2002 Server Extensions are built to be scalable, and in the area of Web site permissions you can choose to scale them to be as simple or complex as needed.

With SharePoint Team Services and FrontPage 2002 Server Extensions, you can choose to:

  • Specify which rights are available for a server.

    If you do not want to allow certain actions on your server, you can turn off the associated rights.

  • Control anonymous access to a Web site.

    You can choose whether users can contribute to your site anonymously, and determine what actions anonymous users can perform.

  • Create unique permissions for a subweb.

    If you manage multiple Web sites and subwebs, you can set separate permissions for each subweb, so that you can have unique users and assign them rights specific to your subweb.

Specifying which rights are available for a server

Server administrators can determine which user rights are available for use on the Web server. As an administrator, if you do not want to allow users of a Web site to perform certain actions, you can disable the associated right on the server. For example, if you do not want users to be able to recalculate a Web site, you can disable the Recalc Web right. When you disable a right on your server, it cannot be assigned to any role and, as a result, cannot be granted to any user of the server. Note that if a user already has a right, and you disable the right, the right is also disabled for that user.

Using the command line to specify available rights

To specify available rights on the command line, you set the GlobalRightsMask property by using the rightsmask operation and the Owsadm or Owsrmadm utilities. The rightsmask operation can only be used at the global level and takes the following parameters: command (add/set/del/delall), right (name of a right or a comma-separated list of rights), and port (optional; accepts only global as the value). Any right that you remove from the GlobalRightsMask property is no longer available to any user on the server.

Note   Use the set command if you want to reset the rights associated with a role. For example, if you want to change the Contributor role to only allow browsing, you would use the set command and specify the viewpages right. When you use the set command, any rights not specified in the syntax are removed.

The following sample syntax shows how to set the GlobalRightsMask property to remove the Theme Web right:

owsadm.exe -o rightsmask -c del -r themeweb

Note   For a complete list of user rights and to see which are included in each role by default, see User Rights.
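
The following Python sketch is an added example, not code from Microsoft or from the original page. It models how the add, set, del, and delall commands change the server-wide mask, and why a right removed from the mask is lost even to roles that already include it. The role contents and the right names authorpages and recalcweb are constructed for illustration; only themeweb and viewpages appear on this page.

```python
# Model of the GlobalRightsMask semantics described above (not product code).
VALID_COMMANDS = {"add", "set", "del", "delall"}


def parse_rights(arg):
    """Split the -r value: one right name or a comma-separated list."""
    return {r.strip().lower() for r in arg.split(",") if r.strip()}


def apply_rightsmask(mask, command, rights_arg="", port="global"):
    """Return the new server-wide mask after one rightsmask operation."""
    if command not in VALID_COMMANDS:
        raise ValueError(f"unknown command: {command}")
    if port != "global":
        raise ValueError("rightsmask only works at the global level")
    rights = parse_rights(rights_arg)
    if command == "add":
        return mask | rights
    if command == "del":
        return mask - rights
    if command == "set":
        return set(rights)  # anything not listed is removed from the mask
    return set()            # delall clears every right


def effective_rights(role_rights, mask):
    """A right outside the mask is unavailable, even if a role already has it."""
    return role_rights & mask


# Constructed sample data: themeweb and viewpages appear on the page;
# authorpages, recalcweb and the role contents are placeholders for this example.
MASK = {"viewpages", "authorpages", "themeweb", "recalcweb"}
ROLES = {
    "Browser": {"viewpages"},
    "Contributor": {"viewpages", "authorpages"},
    "Administrator": {"viewpages", "authorpages", "themeweb", "recalcweb"},
}


def audit(mask):
    """Map each role to the rights it can still exercise under the mask."""
    return {name: sorted(effective_rights(r, mask)) for name, r in ROLES.items()}


if __name__ == "__main__":
    print("del themeweb ->", audit(apply_rightsmask(MASK, "del", "themeweb")))
    print("set viewpages ->", audit(apply_rightsmask(MASK, "set", "viewpages")))
```

Comparing the two audits shows the practical difference: del removes one right from every role, while set with a single right leaves every role, Administrator included, with only that right.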

Using HTML Administration pages to specify available rights

You use the Set List of Available Rights page in the Server Administration pages to specify which rights are available for roles on a server.

To specify the available rights for a server
  1. On your server computer, click Start, point to Programs, point to Administrative Tools, and then click Microsoft SharePoint Administrator.

  2. On the Server Administration page, click Set list of available rights.

  3. Select or clear the check boxes next to the rights you want to enable or disable.

    You can select all rights by selecting the Select All check box. You can clear all rights by clearing the Select All check box.

  4. Click Submit.

Controlling anonymous access to a Web site

If you want users to be able to contribute to your site anonymously, you can configure your site to allow anonymous access. Anonymous access relies on the anonymous user account on your Web server. This account is created and maintained by your Web server (either Internet Information Services or FrontPage-patched Apache Web server), not by SharePoint Team Services and FrontPage 2002 Server Extensions. On IIS, the anonymous user account is usually IUSR_ComputerName. Apache works differently than IIS. Rather than using a separate anonymous account, when an anonymous user tries to view your site, Apache accesses your data as the user it was configured to run as, resulting in anonymous access. When you turn on anonymous access in SharePoint Team Services and FrontPage 2002 Server Extensions, you are enabling that user account for your Web site.

On Microsoft Windows® operating systems, when you allow anonymous access, you must also assign the anonymous user to a role. For example, you can assign the anonymous user to the Browser role, so that anonymous users can browse pages, but not add to or change information on your Web site. Note that even though the anonymous user can be assigned to any role, even Administrator, the anonymous account is never able to use the Site Administration pages.

If you don't want to allow anonymous access to your Web site, you can turn it off. To control anonymous access, you use HTML Administration pages or the command-line utilities Owsadm or Owsrmadm.

Using the command line to control anonymous access

You can assign a role to the anonymous user by using the anonrole operation with the command-line tools. The anonrole operation takes the name and web parameters. For example, to assign the anonymous user to the Browser role, you would type:

owsadm.exe -o anonrole -w webname -n browser

Using HTML Administration pages to control anonymous access

You can also control anonymous access by using HTML Administration pages. The Change Anonymous Access Settings page lets you turn anonymous access on and select the role to assign to the anonymous user.

To view the Site Administration page
  • If you are a server administrator, on the server computer click Start, point to Programs, point to Administrative Tools, and then click Microsoft SharePoint Administrator, and then on the Server Administration page, click the name of the site you want to manage.

  • If you are a site administrator, on your Web site, click Site Settings, and then under Web Administration, click Go to Site Administration.

From the Site Administration page, you can manage settings for anonymous access.

To turn anonymous access on or off by using Site Administration pages
  1. On the Site Administration page for your subweb, in the Users and Roles section, click Change anonymous access settings.

  2. Under Anonymous Access is, select On or Off.

  3. On the Microsoft Windows platform, in the Assign anonymous users to the following role box, select a role.

  4. Click Submit.

Creating unique permissions for a subweb

By default, a subweb inherits all users and permissions from its parent web (the virtual server root web). Any changes to the users on the virtual server are duplicated on the subweb, and any changes to the users on the subweb are duplicated on the virtual server. This works well if you want all users to access all Web sites on a particular virtual server, but if you need different sets of users to use different subwebs on a virtual server, you need unique permissions.

When you choose to have unique permissions, the roles.ini file from the virtual server is copied into your subweb. So, you start with a duplicate of the users and permissions from the virtual server. But you can now add or delete users, or change permissions by using the command line or HTML Administration pages, and the changes will be effective for only your subweb.

You can change the setting for inheriting permissions by using the Site Administration pages or by using the command-line tools.

Using the command line to create unique permissions

You use the setperms operation to toggle whether a subweb uses unique permissions. The setperms operation takes the web and inherit parameters. For example, to set a subweb named Interns to have unique permissions, you would type:

owsadm.exe -o setperms -web /Interns -inherit false

Using HTML Administration pages to create unique permissions

You can also use HTML Administration pages to set unique permissions for a subweb. Permissions for the subweb are managed from the administration page for the subweb.

To set unique permissions by using the Site Administration pages
  1. If you are a server administrator, on the server computer click Start, point to Programs, point to Administrative Tools, click Microsoft SharePoint Administrator, and then on the Server Administration page, click the name of the site you want to manage.

    If you are a site administrator, on your Web site, click Site Settings, and then under Web Administration, click Go to Site Administration.

  2. In the Subweb section, click the name of your subweb to view the Site Administration page for the subweb.

  3. In the Users and Roles section, click Change subweb permissions.

  4. Under Security permissions, click Use unique permissions for this Web site.

  5. Click Submit.

If you want to return to using the same permissions as the parent Web site, you can also change back by using HTML Administration pages.

To return to the parent Web's permissions
  1. On the Site Administration page for your subweb, in the Users and Roles section, click Change subweb permissions.

  2. Under Security permissions, click Use same permissions as parent Web site.

  3. Click Submit.

For information about creating, editing, or deleting roles, see Managing Roles.

For information about assigning users to roles, see Managing Users.

For more information about user roles and security, see Windows Security Model and FrontPage 2002 Server Extensions Security Under UNIX.