Manage Web Parts in SharePoint 2013


Applies to: SharePoint Foundation 2013, SharePoint Server 2013

Topic Last Modified: 2016-12-16

Summary: Helps you prepare to manage security for Web Parts pages and controls that are used with SharePoint 2013.

In SharePoint 2013, a Web Parts page is a collection of Web Parts that combines list data, timely information, or useful graphics into a dynamic web page. The layout and content of a Web Parts page can be set for all users and then, optionally, personalized for individual users. A site owner or a site member with the appropriate permissions can create and customize Web Parts pages by using a browser to add, reconfigure, or remove Web Parts.

You can use Web Parts on Web Parts pages, wiki pages, content pages, and publishing pages.

The Web Parts infrastructure in SharePoint 2013 exists on a layer above the ASP.NET Web Parts infrastructure. To effectively protect SharePoint sites, server administrators must be familiar with security guidelines and best practices for ASP.NET. For more information, see Security Guidelines: ASP.NET in the MSDN Library Online.

The apps for SharePoint are a new way to add functionality to a site. Site owners can add apps for SharePoint to SharePoint sites so that they and other users of the site can use the application. For more information, see Add apps for SharePoint to a SharePoint 2013 site.

Protecting Web Parts pages and controls is a collaborative effort. Developers, site administrators, and server administrators must work together to improve security for Web Parts and Web Parts pages. Developers should validate Web Part input to prevent server attacks. Server administrators must configure Internet Information Services (IIS) to use an appropriate authentication method.

Server administrators also configure and deploy Web Parts solutions to a web server or web farm. After the solution is deployed, site administrators or server administrators define the permission levels and permissions that allow access to Web Parts pages.

The following table shows the security roles that are responsible for configuring permissions on Web Parts pages and Web Parts.

Table: Security roles to configure Web Parts and Web Parts pages

Role Category Applies to Description Recommended guidelines


Input Validation

Web Part code

Input validation refers to how your application filters, scrubs, or rejects input before additional processing. This includes verification that the input that your application receives is valid and safe.

Building Secure ASP.NET Pages and Controls

Creating Web Parts For SharePoint

Server administrator



Authentication is the process where an entity validates the identity of another entity, typically through credentials such as a user name and password.

Plan for user authentication methods in SharePoint 2013

Site administrator/ Server administrator


Site collections

Authorization is the process that provides access controls for Web sites, lists, folders, or items by determining which users can perform specific actions on a given object. The authorization process assumes that the user has already been authenticated.

Authorization and Authentication

Server administrator

Configuration Management

.NET Framework configuration

Configuration management encompasses a broad range of settings that allow an administrator to manage the Web application and its environment. These settings are stored in XML configuration files, some of which control computer-wide settings, while others control application-specific configurations. You can define special security constraints in configuration files and computer-level code access security permissions.

Code Access Security

Microsoft Windows SharePoint Services and Code Access Security

Using Code Access Security with ASP.NET