Security, Users, and Groups Overview

In Microsoft Windows® SharePoint™ Services 2.0, access to Web sites is controlled through a membership system by which each user is associated directly or indirectly with a permission that controls the specific actions that the user can perform. Windows SharePoint Services provides the ability to control site access through the following uses of permissions:

• Site groups specify which users can perform specific actions in a site. Each user is a member of at least one site group, and each site group possesses corresponding rights. You can edit the rights assigned to a site group, create a site group with a custom set of rights, or delete an unused site group. The rights for the Administrator site group and Guest site group cannot be modified.

  Site groups are defined per Web site. Users assigned to the Administrator site group are administrators only for a particular Web site. To perform any administrative tasks that affect settings for all Web sites and virtual servers on the server computer, a user must be an administrator for the server computer (also known as a local administrator) or a member of the SharePoint administrators group, rather than a member of the Administrator site group for the site.

• Cross-site groups consist of a group of users and are assigned to a site group on any Web site in a site collection. There are no cross-site groups defined by default in Windows SharePoint Services.

• Anonymous access allows users to contribute anonymously to lists and surveys, or to view pages anonymously. You can also grant access to "all authenticated users" to allow all members of your domain to access a Web site without having to enable anonymous access.

• Per-list permissions allow finer management of permissions by setting unique permissions on a per-list basis. Unlike for sites, you can add users together with specified permissions directly to a list, in which case the users are automatically assigned to the Guest site group on the current site if the site is unique and does not inherit permissions from a parent site. If the current site inherits permissions, the users are added to the Guest site group on the most recent unique ancestor site.

• Subsites can either use the same permissions as the parent Web site (inheriting both the site groups and users available on the parent Web site), or use unique permissions.

• Site creation rights (CreateSSCSite and ManageSubwebs) control whether users can create top-level Web sites, subsites, or workspaces.

For more information about rights and site groups, see the SPRights and SPRoleType enumerations.

The following diagram shows the means by which users become members of a site or list.

As the diagram illustrates, users become members of a site through direct or indirect membership in a site group. They can be added directly to a site group or added to a cross-site group that is a member of a site group, or they can be members of a Microsoft Windows NT® Domain Group that is added to a site group. The diagram also shows that a user can be directly added to a list in association with a specified permission. Each user, site group, or cross-site group has a unique member ID.

The permission for a user or group consists of a single right or set of rights that corresponds to values of the SPRights enumeration and that forms a permission mask. For more information, see the PermissionMask property. To run custom code that uses types and members in the SharePoint object model, users and groups must be assigned the appropriate permissions, just as when interacting with a site or list by using the user interface. However, unlike the user interface, rights are not dependent on other rights in the object model. Rights can be assigned individually without including dependent rights, and they can be assigned to users and groups in any combination. Be careful when customizing permissions through the object model, because assigning rights inappropriately can lead to an unpleasant user experience.

In addition to using the membership system to control access to sites, Windows SharePoint Services also makes use of the following technologies that affect the security of a site:

• User authentication — The process based on Internet Information Services (IIS) authentication methods that is used to validate a user account that attempts to gain access to a Web site or network resource.

• SharePoint administrators group — A Microsoft Windows user group authorized to perform administrative tasks for Windows SharePoint Services. To install Windows SharePoint Services, you must be a member of the local administrators group on the server computer. However, in addition to the local administrators group, you can identify a specific domain group to allow administrative access to Windows SharePoint Services. You can add users to this group rather than to the local administrators group, to separate administrative access to Windows SharePoint Services from administrative access to the local server computer.

  Members of the SharePoint administrators group do not have access to the IIS metabase, so they cannot perform the following actions:

  • Extend virtual servers. They can, however, create top-level Web sites or change settings for a virtual server.
  • Manage paths.
  • Change the SharePoint administrators group.
  • Change the configuration database settings.
  • Use the Stsadm.exe command-line tool.

  Members of both the SharePoint administrators group and the local administrators group have rights to view and manage all sites created on their servers. This means that a server administrator can read documents or list items, change survey settings, delete a site, or perform any action on a site that a user who is a member of the Administrator site group for a site or site collection can perform.

• Administrative port security — A means of controlling access to the administrative port for Windows SharePoint Services. You can help secure the administrative port by using Secure Sockets Layer (SSL) security or by configuring the firewall to not allow external access to the administration port, or both.

• Microsoft SQL Server™ connection security — A way to help secure data. Use either Windows NT Integrated authentication or SQL Server authentication to connect to the configuration database and content database.

• Firewall protection — A firewall helps protect data from exposure to other people and organizations on the Internet. Windows SharePoint Services can work inside or through the firewall of an organization.

For more information about the technologies that affect security in Windows SharePoint Services, see the Administrator's Guide for Windows SharePoint Services.