Chapter 12. Creating and Managing SharePoint Groups and Users

Introduction

Traditionally, in any Windows Active Directory Domain, the responsibility for adding users and groups and assigning privileges to those groups has been in the hands of the server or domain administrator. User provisioning would include assigning access to all resources and objects in the domain, including intranet sites. MOSS 2007 allows the SharePoint Site owner to have control over the creation and administration of users and groups for Site Collections. This power gives local site administrators fine-grained control over who can and cannot interact with various parts of a portal. Rather than rely on a remote administrator, the local site administrator can grant, revoke, and modify permissions on a per-site, per-part, or sometimes even per-list element basis.

Permission Groups

There are three default SharePoint groups created when a site is created, and each group possesses default access permissions:

Owner

The owner has full control of the site.

Members

Members can contribute content and modify that content on the site.

Visitors

Visitors to the site have read-only access.

It is unlikely that the default groups provided will meet all of your needs. However, you can create or modify SharePoint groups to satisfy any access or security needs required by your teams, departments, and overall organization in the following ways:

  • Create a new SharePoint group and assign it unique permissions.

  • Modify a default group by changing the default access permissions to suit your needs.

  • Create custom permission levels and assign them to different SharePoint groups.

Site Owners and Site Collection Administrators have permissions both to modify default groups and permissions and to create unique groups and group permissions by default. They also can assign any other user or group Create Groups permissions to accomplish these tasks.

When a site owner or administrator creates a new group on a SharePoint site, the following additional access permission groups are created by default:

Approvers

Assign users to this group if you want them to be able to approve or reject pending documents and list items. Items they approve become visible to both anonymous and restricted readers.

Designers

This group is usually comprised of a limited number of administrators and web developers who are responsible for supporting the performance and look and feel of the site.

Hierarchy Managers

This group can manage and modify the structure of the site and site collection. Members of this group can rename and move sites within the site collection hierarchy.

Home Members

Use this group if you need to assign members Contribute permissions.

Home Owners

Add to this group only the people whom you want to have Full Control rights on the site.

Home Visitors

Like the Visitors group previously mentioned, members of this group have read permissions only.

Quick Deploy Users

Members of this group are able to quickly update site content where the site uses separate levels for authoring content and deploying that content.

Restricted Readers

Users in this group simply have read-only access to the site’s content.

Style Resource Readers

By default, all authenticated users are members of this group and have rights to read the Master Page Gallery and have Restricted Readers permissions to the Style Gallery.

Warning

To further secure your SharePoint site, it is recommended that you remove all authenticated users from this group, adding only those users who require these rights as part of their job function.

Viewers

Members of this group can only view lists, pages, and documents in the Server Rendering View.

See Figure 12-1 for an illustration of this list of groups.

Figure 12-1. Permissions groups list

Security access can further be modified at the levels of a site, list, library, list item, library item, or document.

Tip

See Chapter 22 for more information.

In order to add users to a group, they must belong to the authenticated users group on the local server or the domain. You can add authenticated users to the system with their usernames, domain usernames, or email addresses.

Adding and Configuring SharePoint Groups

Generally groups exist to control access rights to site or domain resources. SharePoint now gives site owners the ability to directly create and modify groups and to add or remove users from groups. Consequently, the server administrators can pay more attention to the server room and let you manage your own sites.

Adding Users to a Group

The default groups that come with SharePoint aren’t particularly useful unless they contain users. Here’s the process of adding users to a group:

  1. On your SharePoint Site, click Site Actions and select Site Settings from the menu.

  2. In the “Users and Permissions” column, click “People and groups.”

  3. On the “People and Groups” page, click Groups in Quick Launch.

  4. On the All Groups page in the Groups column, click the desired group.

  5. On the group’s page, click New and select Add Users, as seen in Figure 12-2.

    Figure 12-2. Adding a user to a group

  6. Use one of the following methods to add users:

    • Type the names of the users you want to add in the available field, separating names with semicolons.

    • Click the Browse button to search for and select the desired usernames.

    Tip

    Valid names to include in this field are usernames, Windows domain group names, or email addresses.

  7. In the Give Permission section, make one of the following selections:

    • Choose a SharePoint group from the “Add users to a SharePoint group” list.

    • Choose “Give users permission directly,” and then select the permission level you want to assign to this group.

    Tip

    As you can see in Figure 12-3, you can also click the drop-down arrow to change the group and group permissions assignments for this user.

  8. Click OK.

The users you added to the group now have the access permissions assigned to that group (Figure 12-3).

Removing Users from a Group

As users change departments, switch job functions, or leave the company, their access rights also need to be changed or removed:

  1. On your SharePoint Site, click Site Actions and select Site Settings from the menu.

  2. In the “Users and Permissions” column, click “People and groups.”

  3. On the “People and Groups” page, click Groups in Quick Launch.

  4. On the All Groups page in the Groups column, click the desired group.

  5. Click the checkboxes next to the names of the users you want to remove, as seen in Figure 12-4.

  6. Click the Actions menu, and then click Remove Users from Group.

  7. When the confirmation dialog box appears, click OK.

When the screen refreshes, the selected users no longer appear in the group, as in Figure 12-5.

Figure 12-3. Assigning group rights while adding a user to a group

Figure 12-4. Selecting users to be removed from a group

Figure 12-5. The selected users have been removed

Creating a New Group in SharePoint

As mentioned previously, it is unlikely that you will be able to make do with the default groups included in SharePoint. Fortunately, you can create and customize as many access groups as are necessary to construct the security model you need:

  1. On your SharePoint Site, click on Site Actions and select Site Settings from the menu.

  2. In the “Users and Permissions” column, click “People and groups.”

  3. On the “People and Groups” page, click New and then select New Group, as seen in Figure 12-6.

  4. On the New Group page, in the Name and About Me Description section, type in a name and brief description for the group in the available fields.

  5. In the Owner section, the person creating the group is automatically listed as the group owner. Only one person or group can be the owner, but you can change the name in this field to transfer ownership.

  6. In the Group Settings section, select the users who should have the rights to view and edit the membership of this group. By default, group members can view the group and group owners can edit the group.

    Figure 12-6. Creating a new group

  7. In the Group Membership section, click Yes to allow people who request it to either join the group or leave the group, or click No to prevent it.

  8. If you click Yes in step 7, you can click Yes right below to allow people to join automatically or click No to have the system send an email notification to the designated approver. In the available field, type in the email address of the approver.

    Tip

    If email notification is not enabled, the email address field is grayed out, with a sample email address populating the field.

  9. When you are done, click Create. See an example of this page in Figure 12-7.

Warning

A warning may appear at the top of the page that states: “This site is using the same permissions as its parent site. The group you create will not automatically get permission to this site. To give a group permission to this site you need to give the group permission on the parent site.”

Figure 12-7. Configuring a new group

Editing Group Permission Settings

As seen in the prior exercise, “Creating a New Group in SharePoint,” because the group was created at a subsite, it did not have permissions to that subsite. You will have to go to the All Groups list and edit the group’s permissions. Those permissions options weren’t previously available but will be in this exercise:

  1. On your SharePoint Site, click Site Actions and select Site Settings from the menu.

  2. In the “Users and Permissions” column, click “People and groups.”

  3. On the “People and Groups” page, click Groups in Quick Launch.

  4. On the All Groups Page in the Groups column, locate and click the name of the desired group, as seen in Figure 12-8.

  5. Click Settings, and then click Group Settings.

  6. On the Change Group Settings page, scroll down until you see the Give Group Permission to this Site section and check at least one of the permission levels, as seen in Figure 12-9.

  7. Click OK.

Figure 12-8. Selecting a group to edit

Figure 12-9. Editing the permissions of a group

Warning

If you do not add at least one permission level to the group, the group’s users will not be able to access the site.
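The settings covered so far (the all-authenticated-users membership in Style Resource Readers, the automatic acceptance of join requests, and groups left without a permission level) can be reviewed in one pass. The script below is an added example, not code from the book; it assumes PowerShell 2.0 or later on the SharePoint server, an account with Full Control on the site, and a placeholder `$SiteUrl`. The "domain users" pattern is an assumption about what counts as an overly broad principal in your environment.

```powershell
# Added example: read-only audit of SharePoint groups for one site (MOSS 2007 / WSS 3.0).
# $SiteUrl is a placeholder; pass the URL of the site you want to review.
param([string]$SiteUrl = "http://portal.example.local/sites/team")

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

$site = New-Object Microsoft.SharePoint.SPSite($SiteUrl)
$web  = $site.OpenWeb()
try {
    if (-not $web.HasUniqueRoleAssignments) {
        Write-Warning "This site inherits permissions; the levels shown come from its parent."
    }

    # Map every principal that holds permissions on this site to its permission levels.
    $levels = @{}
    foreach ($assignment in $web.RoleAssignments) {
        $names = @()
        foreach ($role in $assignment.RoleDefinitionBindings) { $names += $role.Name }
        $levels[$assignment.Member.Name] = $names
    }

    foreach ($group in $web.SiteGroups) {
        $findings = @()

        # Principals that effectively mean "everyone who can log on".
        foreach ($user in $group.Users) {
            if ($user.LoginName -eq "NT AUTHORITY\authenticated users" -or
                $user.LoginName -like "*\domain users") {
                $findings += "broad principal '$($user.LoginName)' is a member"
            }
        }

        # Group Membership settings from the New Group page.
        if ($group.AllowRequestToJoinLeave -and $group.AutoAcceptRequestToJoinLeave) {
            $findings += "join requests are accepted without an approver"
        }
        if ($group.AllowMembersEditMembership) {
            $findings += "any member can edit the membership"
        }

        # A group with no permission level cannot reach this site at all.
        if (-not $levels.ContainsKey($group.Name)) {
            $findings += "no permission level on this site"
        }

        $row = "" | Select-Object Group, Members, PermissionLevels, Findings
        $row.Group            = $group.Name
        $row.Members          = $group.Users.Count
        $row.PermissionLevels = $levels[$group.Name] -join ", "
        $row.Findings         = $findings -join "; "
        $row
    }
}
finally {
    $web.Dispose()
    $site.Dispose()
}
```

Groups are shared across the site collection, so "no permission level on this site" is expected for groups that belong to other subsites; treat it as a finding only for groups that are meant to use this one.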

Maintaining SharePoint Groups

Once you have created and configured your groups, there are a number of ways you can maintain them on your site.

Editing a Group List in Quick Launch

Quick Launch makes it easy to find the names of groups and open them, but you might not always want every group you access to be available in Quick Launch. For example, you might want to have quick access to the readers and contributors group, but you might not want to provide easy access to the administrators or designers groups:

  1. On your SharePoint Site, click Site Actions and select Site Settings from the menu.

  2. In the “Users and Permissions” column, click “People and groups.”

  3. On the “People and Groups” page, click Groups in Quick Launch.

  4. On the All Groups Page, click Settings and then click Edit Group Quick Launch, as in Figure 12-10.

  5. On the Edit Group Quick Launch page, in the Groups field, add the groups you want to appear by either typing in their names or searching for them, or right-click a name and select Delete to remove it, as shown in Figure 12-11.

  6. Click OK to save your changes.

Configuring a Group Collection

In SharePoint you can use the Set Up Groups option to create a collection of new and existing groups and then assign Owners, Members, and Visitors to those groups:

  1. On your site, click Site Actions and then select Site Settings from the menu.

  2. On the Site Settings page, in the “Users and Permissions” column, click “People and groups.”

  3. On the “People and Groups” page, click on Groups in Quick Launch.

  4. On the All Groups page, click Settings and select Set Up Groups from the list, as in Figure 12-12.

  5. On the “Set Up Groups for this Site” page, go to each section and either select an existing SharePoint group from the list or click “Create a new group” to do just that. See an example of this page in Figure 12-13.

    Figure 12-10. Editing the group Quick Launch menu

    Figure 12-11. Deleting a group in the Quick Launch groups list

    Figure 12-12. Accessing the Set Up Groups option

    Figure 12-13. Configuring a collection of groups

    Tip

    If you choose “Create a new group,” follow steps 4–8 in the exercise “Creating a New Group in SharePoint” to complete the creation process. Also, when you create a new group for a group collection, you can choose to either accept the group name automatically assigned by the system or manually give it a new name.

  6. When you are finished, click OK.

Warning

Notice that because you have used this option from a subsite, you are getting the same warning as you did in the earlier exercise “Creating a New Group in SharePoint.” After this group collection is finished, you will have to repeat the steps from the exercise “Editing Group Permission Settings” for this collection.

Adding Groups to Summary Link Web Parts or Field Controls

You can use either a Summary Link Web Part or a Summary Link field control to add links to a web page in a site. This lets you organize groups by title or function, such as Programming Languages Groups or Network Engineers Groups. It takes only a few minutes to put these links together:

  1. On the site, click Site Actions and select Edit Page from the menu.

  2. In the Summary Link Web Part or field control, click New Group, as in Figure 12-14.

  3. When the New Group Web Page dialog box appears, in the Group Header Name field, type a header name for your collection of group links and then click OK to finish.

Targeting Content Based on Group

There are multiple ways you can ensure that specific groups will receive or be able to view content relevant to their group. You can configure lists, libraries, links, and Web Parts to be viewed differently based on group membership.

Tip

See Chapter 22 for more information about targeting content.

Enabling Audience-Based Targeting in a List or Library

In addition to creating multiple views to filter the content of a list or library, you can enable Audience-Based Content Targeting, which will allow people to see only specific items depending on their group membership:

Figure 12-14. Adding a Group to a Summary Link Web Part

  1. On your site, either click the list or library name in Quick Launch or click View All Site Content and then click on the list or library name.

  2. On the toolbar, click Settings and then select the appropriate item, such as List Settings or Document Library Settings, as illustrated in Figure 12-15.

  3. Under General Settings, click “Audience targeting settings.”

  4. Check the “Enable audience targeting” checkbox, as in Figure 12-16, and click OK.

  5. Back on the Customize page near the top, click the name of the list or library to return there.

  6. In the list or library, click the arrow next to the name of an item and select Edit Properties from the list, as in Figure 12-17.

  7. In the Target Audiences list, select one or more groups that you want to be part of the targeted audience for this item.

  8. Click OK. An example of this page can be seen in Figure 12-18.

Now when members of the designated group visit the list or library, any items targeted to the group will appear to its members. Items not targeted to that group will not be accessible.

Figure 12-15. Selecting document library settings

Figure 12-16. Enabling audience targeting

Figure 12-17. Editing the properties of a document

Figure 12-18. Targeting a document to an audience

Displaying Targeted Items in a Separate Web Part

Instead of waiting for members of various groups to visit a list or library to view the targeted content, you can display the content in a separate Web Part on their site so it will be readily available. For example, you might have a master list of work assignments as a list on an administrative page. You might want to create targeted lists for each team and display only the team’s items on a Web Part on each team page.

First, add a Content Query Web Part to the appropriate Web Part page. This Web Part lets you build a query that can filter list and library items. After you have added the Web Part, do the following:

  1. Click Edit on the Content Query Web Part to open the Web Part’s tool pane.

  2. In the tool pane in the Query section, click “Show items from the following list” and click the Browse button to open the Select a List or Library dialog box, as shown in Figure 12-19.

    Figure 12-19. Selecting a list or library

    Tip

    The default setting in this section is “Show items from all sites in this site collection,” which sometimes presents an overabundance of information. After selecting “Show items from the following list” and clicking Browse, you may have to scroll through the dialog box to see all the choices. Also, some folders are expandable and contain more choices inside.

  3. Select an option in the dialog box and click OK.

    Tip

    The OK button will remain grayed out until you make a selection.

  4. In the List Type section, select the type of list or library, such as Document Library.

  5. In the Audience Targeting section, check the Apply Audience Filtering checkbox to display these items to the group or groups you specified in the previous exercise, “Enabling Audience-Based Targeting in a List or Library” in step 6.

  6. You can also check the “Include items that are not targeted” checkbox if you want the content to be displayed to nontargeted audiences.

  7. Click OK to save your changes, and then click Exit Edit Mode.

Tip

If you choose to paste a URL in the field available in the Query section in step 2 instead of browsing, make sure that the URL references a source in the current site collection. If you are performing this action in a site under the top-level site and you choose a list in the top-level site, the Web Part will not be able to display the information. Use the current site or any sites beneath it as library or list sources.

Targeting a Web Part to an Audience

The previous exercise, “Displaying Targeted Items in a Separate Web Part,” showed you how to specify which groups can view the contents of a Web Part. This exercise shows you how to make a Web Part itself available to a specific group:

  1. On the page containing the desired Web Part, click Site Actions and then select Edit Page from the menu.

  2. Click Edit on the Web Part and then click Modify Shared Web Part.

  3. In the Web Part’s tool pane in the Advanced section, add one or more group names to the Audiences List, as in Figure 12-20.

  4. Click OK to finish.

Warning

If you create a Web Part containing targeted list items for a particular group and then modify the Audiences List on that Web Part so that it does not include that group, group members will not be able to see the Web Part or any of the items it contains.

Figure 12-20. Targeting a Web Part to an audience

Targeting Navigation Links to an Audience

Like lists, libraries, and Web Parts, you can target navigation links to one or more groups. This allows those groups to visit parts of the site collection specifically relevant to them. Because it involves altering navigation in the site collection, you must have Designer permissions or higher to complete this exercise:

  1. On the Portal Site, click Site Actions and select Site Settings from the menu.

  2. Click Modify Navigation to open the Site Navigation Settings page.

  3. Click Add Link, as in Figure 12-21.

  4. On the Navigation Link dialog box, type the title of the link and then add the URL, either by typing or pasting in the link or by browsing to it.

  5. If you want the link to open in a separate window, check the “Open link in new window” checkbox.

  6. Type a brief description of the link in the Description field.

    Figure 12-21. Clicking Add Link on the Site Navigation Settings page

  7. Add one or more group names to the Audiences list and click OK to close the dialog box.

  8. Click OK again to finish on the Site Navigation Settings page.

See an example of configuring this dialog box in Figure 12-22.

When the page with the navigation links is opened, only members of the specified group will be able to see the link.

Modifying Permissions to View Drafts by Group

When a document is first added to a library with an approval workflow, the document is in a draft or pending state until it is approved by a member of the Approvers group. Until then, only administrators, users with View Lists rights, and the author can see the draft. Document drafts are also created when an existing document is modified. The minor revision changes are not visible until published. You can change the default permissions and allow specific groups the ability to view draft documents:

  1. In the desired list or library, click Settings and then click the appropriate selection, such as List Settings or Document Library Settings.

  2. Under General Settings, click “Versioning settings.”

    Figure 12-22. Targeting a navigational link to an audience

  3. In the Draft Item Security section under “Who should see draft items,” select the group name you want to be able to view drafts.

  4. Click OK to finish.

Tip

In Step 3, the specific item could be called “Who should see draft items in this list” or “Who should see draft items in this document library,” depending on whether you are working in a list or library.

Allowing Anonymous Users Access to SharePoint

Although this is not generally recommended, it is possible to allow anonymous users access to a SharePoint site and its lists and libraries. The preferred practice is to allow only authenticated users access, which means that anyone accessing the site collection is a member of your organization in some way.

If you allow anonymous users access, even with read-only privileges, they will still be able to view the information contained on the site, including email addresses, phone numbers, and other data you might not want available to the general public. You can allow or restrict anonymous user access in the following ways:

Allow Access to the Entire Site

An anonymous user would be able to browse the top-level site and any subsites that inherit parent site permissions. They can open and read the contents of any list or library available in the site collection where parent site permissions propagate.

Allow Access only to Specific Lists and Libraries

You can specify which lists and libraries can be accessed anonymously.

Nothing

This completely denies anonymous users access to the site collection and any of its contents.

Anonymous access must be enabled by the site owner or administrator before these options can be accessed. One of the only justifications for allowing anonymous access to lists and libraries is if they contain information you want potential customers to view, such as content about your products and services. In that case, anonymous user access must be strictly limited to the specific content areas without the possibility of the user navigating to nonpublic areas of the site.

Enabling Anonymous User Access to the Entire Site

Warning

To reiterate, enabling anonymous user access to the entire site is an extremely dangerous thing to do, since the general public would be able to browse the entire content of your site.

If you created a site within the site collection containing only publicly consumable information, allowed anonymous access to the site, and made sure that the subsite did not inherit permissions from the business parts of the site collection, you could create a show room of sorts, where you could display all of your products and services to customers and potential customers.

Warning

It would probably be better to create a completely separate site for your web presence on the Internet.

  1. On the site where you want to enable anonymous user access, click Site Actions and select Site Settings from the list.

  2. Under “Users and Permissions,” click “Advanced permissions.”

  3. In the Settings menu, click on Anonymous Access.

Tip

At this point in the process, you can select which parts of the site you will let anonymous users access, rather than the entire site itself.

Enabling Anonymous User Access to a List or Library

  1. Open the list or library you want open to anonymous users.

  2. Click Settings and select the appropriate item, such as List Settings or Document Library Settings.

  3. In the Permissions and Management column, click the appropriate choice, such as “Permissions for this list” or “Permissions for this library.”

  4. To prevent the list or library from inheriting permissions from the site, click Actions, select Edit Permissions, and then click OK.

  5. On the Permissions page, click Settings and then click Anonymous Access.

  6. On the Change Anonymous Access Settings page, select the permissions that you want to grant to anonymous users for this list or library.

Warning

If you select any permission level besides Read-only, anonymous users will be able to modify items in the list or library.

Anonymous access is not enabled by default. To allow anonymous access, the site administrator or owner must specifically enable the process.
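To confirm that anonymous access is limited to the content you intended, the three options described above (entire site, specific lists and libraries, nothing) can be read back from every site in the collection. The script below is an added example, not code from the book; it assumes PowerShell 2.0 or later on the SharePoint server, a site collection administrator account, and a placeholder `$SiteUrl`.

```powershell
# Added example: read-only report of anonymous access in one site collection
# (MOSS 2007 / WSS 3.0). $SiteUrl is a placeholder value.
param([string]$SiteUrl = "http://portal.example.local")

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

# SPBasePermissions names that let an anonymous visitor change content.
$writeRights = @("AddListItems", "EditListItems", "DeleteListItems")

function Get-RightNames($mask) {
    # A flags enum prints as "ViewListItems, OpenItems, ..."; comparing names
    # avoids 64-bit bitwise arithmetic on the permission mask.
    $mask.ToString().Split(",") | ForEach-Object { $_.Trim() }
}

function New-Row($scope, $target, $state, $unique, $rights, $finding) {
    $row = "" | Select-Object Scope, Target, SiteState, UniquePermissions, Rights, Finding
    $row.Scope = $scope; $row.Target = $target; $row.SiteState = $state
    $row.UniquePermissions = $unique; $row.Rights = $rights; $row.Finding = $finding
    $row
}

$site = New-Object Microsoft.SharePoint.SPSite($SiteUrl)
try {
    foreach ($web in $site.AllWebs) {
        try {
            # Disabled = nothing, Enabled = lists and libraries only, On = entire site.
            $state = $web.AnonymousState.ToString()
            if ($state -eq "On") {
                New-Row "Site" $web.Url $state $web.HasUniqueRoleAssignments "" `
                    "entire site is open to anonymous users"
            }
            elseif ($state -eq "Enabled") {
                New-Row "Site" $web.Url $state $web.HasUniqueRoleAssignments "" `
                    "lists and libraries can be opened to anonymous users"
            }

            foreach ($list in $web.Lists) {
                if ($list.Hidden) { continue }
                $rights = @(Get-RightNames $list.AnonymousPermMask64)
                if ($rights -contains "EmptyMask") { continue }

                $canWrite = @($rights | Where-Object { $writeRights -contains $_ })
                if ($canWrite.Count -gt 0) {
                    $finding = "anonymous users can modify items"
                } else {
                    $finding = "anonymous read access"
                }
                New-Row "List" ($web.Url + "/" + $list.Title) $state `
                    $list.HasUniqueRoleAssignments ($rights -join ", ") $finding
            }
        }
        finally { $web.Dispose() }
    }
}
finally { $site.Dispose() }
```

An empty result means no site or visible list in the collection grants anonymous rights; any row with the finding "anonymous users can modify items" corresponds to the warning above about choosing a permission other than read-only.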
