Understanding Authorization in SharePoint 2010
Authorization is an important aspect of any software application. You don’t want someone to access resources that the he is not supposed to even though he might have been successfully authenticated in the system. SharePoint has a robust authorization model, which is discussed in this section.
Authorization in SharePoint starts with the concept of permissions. Permissions represent authorization to perform some action. However, you do not assign permissions directly to a user. Permissions are grouped together to define a permission group. The permission groups are then assigned to a user or a SharePoint group.
You can see the SharePoint groups by going to People and Groups in the Site Settings. The SharePoint groups are listed on the left-hand side. Click the Groups link to see all the groups as shown in Figure 17.11.
Figure 17.11. SharePoint groups
You can see the permission levels assigned to the various groups and users by going to Site Permissions in the Site Settings. This is shown in Figure 17.12.
Figure 17.12. Site permissions
Clicking on Permission Levels in the ribbon shows you the Permission Levels in the site, as shown in Figure 17.13.
Figure 17.13. Permission levels
Clicking on the specific permission level displays the permissions assigned to that permission level as shown in Figure 17.14.
Figure 17.14. SharePoint permissions assigned to the Full Control permission level
The permissions defined for the specific groups or users govern the access to all the objects, including the lists, libraries, and subsites. You can see this by browsing to a list or library and going to library permissions as shown in Figure 17.15.
Figure 17.15. List permissions
However, you can give unique permissions to these objects by breaking permission inheritance. To give unique permissions click the Stop Inheriting Permissions button. This copies the parent permissions to the list, and you can modify these permissions at the list level without impacting the site permissions.
The ability to break inheritance gives great flexibility and control in providing permissions. However it can quickly become difficult to manage. It is recommended to avoid breaking inheritance at a very granular level like breaking permissions for every file in a document library. It is more efficient to group these files into a folder based on permissions and then break inheritance at the folder level and not for every file.