IBNeko's Journal-Nyo~!
Sharepoint Notes: Permissions, permission levels
Web Application > Site > List/Library > Document/Item

Adding a user in Central Administration > Application Management > Policy for Web Application OVERRIDES any independent settings within that Web Application. Once the policy entry is revoked, the user's permissions go back to whatever they were before it was added (that is, to whatever site-level permissions they already held, if any).

A subsite may use permissions separate from its parent site if, when creating the subsite, you select "Use unique permissions", or, on an existing subsite, if you choose "Edit Permissions" from the "Actions" menu on the Site Settings > Permissions page. You can revert to the parent site's permissions by choosing "Inherit Permissions".

As long as an object (subsite, list/library, or document/item) is set to "Inherit Permissions", it takes its permissions from its parent object. Once "Inherit Permissions" is turned off on a child object, a permission granted afterwards on the parent is not passed down to that child. Inheritance can be turned back on for every object except the top-level site of the site collection, which has no parent to inherit from.

Group management is important: a user who is in a group does not need to be given permissions explicitly on any object that grants that group permissions. Groups can be given specific permissions on specific objects, as well as a default set of permissions (e.g. normal read permissions site-wide, but write permissions on one particular library).

Also, the "Site Permissions" of a site act like a group that all descendant objects inherit, as long as they use "Inherit Permissions".

You can add more permissions (e.g. write, delete) on top of the group or site permissions by editing an object's permissions directly and adding the user; the permissions from every assignment that applies to the user are combined. However, there is no way at the site, list or item level to subtract permissions from a user who is in a group that has been granted permissions on that object. (Think of colored glass: by adding sheets of glass you can change the color and make things darker, but you can't add a sheet that removes a color already added.)

There is one exception:
Permissions set on the Web Application are more powerful: one can use "Manage Permission Policy" (from Policy for Web Application) to create specific policy levels in which specific permissions are denied. A denied permission wins over every grant, so no site, list or item setting can give that permission back to the user.
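To make the rules above concrete, here is a small simulation (an added example written for this page, not SharePoint's own code or object model) that replays them on a made-up site tree: a root site with Visitors and Members groups, an inheriting subsite, a Contracts library and a document in it, plus a web-application policy. Users, groups, object names and the three permission bits Read/Write/Delete are assumptions. The one SharePoint detail it relies on beyond the post is that breaking inheritance copies the parent's current assignments to the child.

```python
"""Toy model of the permission rules in the post above (added example, not
SharePoint code): inheritance, unique permissions, additive grants and Policy
for Web Application on a made-up tree. Names and permission bits are assumed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

READ, WRITE, DELETE = "Read", "Write", "Delete"   # assumed permission bits

@dataclass
class Securable:
    """A site, list/library or item; it holds its own assignments only while
    it does not inherit from its parent. The top-level site never inherits."""
    name: str
    parent: Optional["Securable"] = None
    inherits: bool = True
    grants: Dict[str, Set[str]] = field(default_factory=dict)  # principal -> rights

    def effective_grants(self) -> Dict[str, Set[str]]:
        if self.inherits and self.parent is not None:
            return self.parent.effective_grants()
        return self.grants

    def break_inheritance(self) -> None:
        """'Use unique permissions' / 'Edit Permissions': SharePoint copies the
        parent's current assignments; later parent changes no longer flow down."""
        if self.inherits:
            self.grants = {p: set(r) for p, r in self.effective_grants().items()}
            self.inherits = False

    def inherit_again(self) -> None:
        """'Inherit Permissions': drop local assignments and follow the parent."""
        if self.parent is None:
            raise ValueError(f"{self.name} is the top-level site; it cannot inherit")
        self.grants, self.inherits = {}, True

    def grant(self, principal: str, *rights: str) -> None:
        if self.inherits:
            raise ValueError(f"{self.name} inherits; break inheritance first")
        self.grants.setdefault(principal, set()).update(rights)

@dataclass
class WebAppPolicy:
    """Central Administration > Policy for Web Application: applies to every
    object in the web application regardless of site-level settings."""
    grant: Dict[str, Set[str]] = field(default_factory=dict)
    deny: Dict[str, Set[str]] = field(default_factory=dict)

def effective_permissions(user: str, groups: Dict[str, Set[str]],
                          obj: Securable, policy: WebAppPolicy) -> Set[str]:
    principals = {user} | {g for g, members in groups.items() if user in members}
    rights: Set[str] = set()
    # Site level: union of every assignment naming the user or one of their
    # groups (the post's coloured glass: sheets only add, they never remove).
    for principal, granted in obj.effective_grants().items():
        if principal in principals:
            rights |= granted
    for principal in principals:               # policy grants add on top
        rights |= policy.grant.get(principal, set())
    for principal in principals:               # policy denies beat everything
        rights -= policy.deny.get(principal, set())
    return rights

def walkthrough() -> Dict[str, Set[str]]:
    """Replay the post's rules on a constructed tree; return rights per step."""
    groups = {"Visitors": {"alice"}, "Members": {"bob"}}
    root = Securable("root site", inherits=False)
    root.grant("Visitors", READ)
    root.grant("Members", READ, WRITE)
    team = Securable("team subsite", parent=root)           # inherits
    library = Securable("Contracts library", parent=root)   # inherits
    nda = Securable("nda.docx", parent=library)             # inherits
    policy = WebAppPolicy()
    out: Dict[str, Set[str]] = {}
    # 1. Inheritance flows down two levels.
    out["alice@nda inherited"] = effective_permissions("alice", groups, nda, policy)
    # 2. Break the library, then widen Visitors at the root: the subsite sees it, the library does not.
    library.break_inheritance()
    root.grant("Visitors", WRITE)
    out["alice@team after root change"] = effective_permissions("alice", groups, team, policy)
    out["alice@library after root change"] = effective_permissions("alice", groups, library, policy)
    # 3. A direct grant on the item adds to the group's rights; it cannot replace them.
    nda.break_inheritance()
    nda.grant("alice", DELETE)
    out["alice@nda direct grant"] = effective_permissions("alice", groups, nda, policy)
    # 4. Only a web-application policy can take a right away.
    policy.deny["bob"] = {WRITE}
    out["bob@root denied write"] = effective_permissions("bob", groups, root, policy)
    # 5. A policy grant reaches a user with no site-level assignment; revoking it gives back only what the site gave.
    policy.grant["auditor"] = {READ}
    out["auditor@nda via policy"] = effective_permissions("auditor", groups, nda, policy)
    del policy.grant["auditor"]
    out["auditor@nda policy revoked"] = effective_permissions("auditor", groups, nda, policy)
    # 6. Re-inheriting discards the library's own assignments.
    library.inherit_again()
    out["alice@library inherits again"] = effective_permissions("alice", groups, library, policy)
    return out

if __name__ == "__main__":
    for step, rights in walkthrough().items():
        print(f"{step:32} {sorted(rights)}")
```

Running it prints one line per step; step 3 is the "colored glass" rule (alice ends up with Read and Delete, and nothing done on the item can remove her group's Read), step 4 is the single exception from the deny policy, and step 6 shows why a library that was given unique permissions goes back to the parent's current assignments, not the ones it had when inheritance was broken.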

[edit 6/14 1PM] Some clarification changes in the second-to-last paragraph. Also...
**DISCLAIMER** This information is not reliable. It's built from my trial and error, toying with SharePoint experience, as notes to myself.


From: brywerk Date: July 3rd, 2007 09:41 am (UTC)

The complexity of sharepoint model and security management burdens

Thank you, Benjamin, for your valuable tips! I must say they are very reliable. So don't confuse sharing your experience with us. At least we all are here to sharepoint khm, to share our experience. That's what the basic need for SharePoint is, you know. The structure of the SharePoint model is a bit complicated. We have the farm, then web services, then we have web applications, which is the parent of the object that holds sites, a site collection. A site collection, as it comes from its name, contains the set of sites and their subsites, which are the child objects for the sites and site collection. Sites include lists and their children, that is fields and items. The additional mess is added by SQL/Active Directory peculiarities. You must strictly differentiate between roles and groups and so on. Level permission management represents a standalone thing that for me personally creates a lot of complexity. Especially when I need to redistribute permissions for different domain users and provide different kinds of access for several users. Sometimes I do something wrong while copying permissions and everything goes wrong after that, like one user can't access the document, or he has limited access to one particular view. I definitely need something that simplifies that. I recently read an article that covers the upcoming ScriptLogic product that, as they say, supports SharePoint permission management centrally. As it seems from the screen I see on the site, it's possible to browse the site structure using the tree. I'm scared of beta products but I guess I'll try this tool. A friend of mine told me that he worked with ScriptLogic products and they were reliable in beta version too. Well, let's see if it's so.
By the way, the object inheritance schema is available here.
From: ibneko Date: July 3rd, 2007 11:43 am (UTC)

Re: The complexity of sharepoint model and security management burdens

Ah, thank you. If you don't mind though, I'm screening your comment for the time being: your journal was created right before the comment was posted, and I want to double check and make sure the links aren't pointing to some nasty malware. I'm sure it's not; it'd be very unlikely that someone has a bot smart enough to generate a comment that's actually tailored to an entry... but I'd still like to double check. (In short, sorry, your comment is setting off the 'spam' alerts in my mind. And I need to get to work, so I can't check this now.)
From: ibneko Date: July 3rd, 2007 01:48 pm (UTC)

Re: The complexity of sharepoint model and security management burdens

Comment unscreened. I have not tried the tool: apparently, you're required to register in order to download, and quite honestly, I don't see a big enough need to jump through an extra hoop to try things.

That said, a quick Google search for "dl.scriptlogic.com" revealed four other comments that appeared to push this "Security Explorer" tool, all in longish comments that didn't have any line breaks, and each with a different author name, such as "Paul Goldschmidt", "Michael Cox", and "Jim Bowell". They're all posted within days of each other (June 20, 21, 22, then the 28th, and on mine today...). Multiple commenters who all write in large blocks of text that only serve to promote one product? I don't know - smells fishy. Regardless, someone gets props for trying. So the comment will be unscreened, although it's right on that fine line of getting deleted for being unwanted advertising.