In the Users and Permissions section of the Site Settings page are links to People and Groups, Site Permissions, and Site Collection Administrators. A quick review of the Site Collection Administrators assigned to the site is important, as in some cases the accounts listed here are not correct or appropriate. The site collection administrator should review and modify these as appropriate.

Next, click the Site Permissions link to review the groups that exist for the site collection, as well as any individual users or AD groups that have been granted direct permissions. Figure 1 shows the Permissions page for a new site collection. The Edit tab provides a number of tools:

- Grant Permissions— Add users or AD groups and grant permissions by adding to an existing SharePoint group or give direct permissions for full control, design, contribute, read, or view only. A welcome email can be sent to the users added.
- Create Group— Define a new SharePoint group and description, define the Group Owner, define who can view the membership of the group (Group Members, Everyone) and who can edit the membership of the group (Group Owner, Group Members). Also choose whether to allow requests to join/leave the group, auto-accept requests, and define the email address to which membership requests go. Most important, choose the permission level group members get on the site (full control, design, contribute, read, or view only).
- Edit User Permissions— If a group or user is selected, allows the permission level to be modified.
- Remove User Permissions— If a group or user is selected, clicking this button will remove all permissions for the user or group to the site.
- Check Permissions button— Allows the entry of a user or group name, and when the Check Now button is clicked, provides a summary of the permission levels given to the group or user and whether they were given directly or via a specific group.
- Permission Levels— Clicking this icon opens the Permission Levels page that allows the addition of a permission level, deletion of a permission level, or modification of a permission level.
- Manage Access Requests— Either allows or denies requests for access and defines the email address these requests will go to.

  Note: Double-check the email address that is defined if allowing requests for access is enabled. Often, the email is for an administration account that may not be monitored.

- Site Collection Administrators— Provides access to the list of users defined as site collection administrators and allows the addition of new site collection administrators or the removal of existing ones.

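
The review described above (site collection administrators, the access request address, and users or AD groups with direct permissions) can also be run as a read-only script. This is an added example, not from the original text; it assumes the SharePoint 2010 Management Shell on a farm server, and the function names and the URL are placeholders.

```powershell
# Added example: read-only permission review for one site collection.
# Assumes the SharePoint 2010 Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function New-Finding($Web, $Check, $Principal, $Detail) {   # hypothetical helper
    New-Object PSObject -Property @{
        Web = $Web; Check = $Check; Principal = $Principal; Detail = $Detail
    }
}

function Get-SitePermissionReview([string]$SiteUrl) {       # hypothetical name
    $site = Get-SPSite -Identity $SiteUrl
    try {
        $root = $site.RootWeb
        # 1. Accounts listed as site collection administrators.
        foreach ($admin in $root.SiteAdministrators) {
            New-Finding $root.Url "SiteCollectionAdmin" $admin.LoginName $admin.Email
        }
        # 2. Access requests: when enabled, report the address so a reviewer
        #    can confirm it is a monitored mailbox.
        if ($root.RequestAccessEnabled) {
            New-Finding $root.Url "AccessRequestEmail" "" $root.RequestAccessEmail
        }

        # 3. Users or AD groups granted permissions directly rather than
        #    through a SharePoint group, on every web with unique permissions.
        foreach ($web in $site.AllWebs) {
            try {
                if (-not $web.HasUniqueRoleAssignments) { continue }
                foreach ($ra in $web.RoleAssignments) {
                    if ($ra.Member -is [Microsoft.SharePoint.SPGroup]) { continue }
                    $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
                    # "Limited Access" alone (English display name) is assigned
                    # automatically for rights on a child object; skip it.
                    if ($levels -eq "Limited Access") { continue }
                    $check = "DirectUser"
                    if ($ra.Member.IsDomainGroup) { $check = "DirectADGroup" }
                    New-Finding $web.Url $check $ra.Member.LoginName $levels
                }
            }
            finally { $web.Dispose() }
        }
    }
    finally { $site.Dispose() }
}

# Placeholder URL (assumption); replace with the site collection to review.
Get-SitePermissionReview "http://sharepoint.example.com/sites/placeholder" |
    Select-Object Check, Web, Principal, Detail | Format-Table -AutoSize
```

The script only reads settings; any change it suggests is still made through the Permissions page tools listed above.
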
Clicking the name of the group from the Permissions page will show the users or AD groups that are part of the group. The administrator can also add users to the group from this page and perform other actions, including the following:

- Add users or AD groups to the SharePoint group
- Email users in the group
- Call/message selected users based on the tools available (such as if Office Communication Server is configured)
- Remove users from the group
- Access group settings
- View group permissions by listing the URLs to sites, lists, or items that inherit permissions from these URLs
- Make the group the default group for the site
- Provide access to the list settings for the User Information List

Table 1 provides an overview of the permissions that Approvers, Owners, Members, Visitors, and Designers groups receive by default in a SharePoint Server 2010 Enterprise site and summarizes the privileges for each group. Table 2 continues to provide an overview of the privileges of Hierarchy Managers, Records Center Web Service Submitters, Restricted Readers, Style Resource Readers, and Viewers.

Table 1. Default Permissions for Approvers, Members, Owners, Visitors, and Designers Groups in SharePoint Server 2010 Enterprise

| Permission | Approvers (Approve Permission Level) | Owners (Full Control Permission Level) | Members (Contribute Permission Level) | Visitors (Read Permission Level) | Designers (Design, Limited Access Permission Levels) |
|---|---|---|---|---|---|
| List Permissions | | | | | |
| Manage Lists | No | Yes | No | No | Yes |
| Override Check Out | Yes | Yes | No | No | Yes |
| Add Items | Yes | Yes | Yes | No | Yes |
| Edit Items | Yes | Yes | Yes | No | Yes |
| Delete Items | Yes | Yes | Yes | No | Yes |
| View Items | Yes | Yes | Yes | Yes | Yes |
| Approve Items | Yes | Yes | No | No | Yes |
| Open Items | Yes | Yes | Yes | Yes | Yes |
| View Versions | Yes | Yes | Yes | Yes | Yes |
| Delete Versions | Yes | Yes | Yes | No | Yes |
| Create Alerts | Yes | Yes | Yes | Yes | Yes |
| View Application Pages | Yes | Yes | Yes | Yes | Yes |
| Site Permissions | | | | | |
| Manage Permissions | No | Yes | No | No | No |
| View Web Analytics Data | No | Yes | No | No | No |
| Create Subsites | No | Yes | No | No | No |
| Manage Web Site | No | Yes | No | No | No |
| Add and Customize Pages | No | Yes | No | No | Yes |
| Apply Themes and Borders | No | Yes | No | No | Yes |
| Apply Style Sheets | No | Yes | No | No | Yes |
| Create Groups | No | Yes | No | No | No |
| Browse Directories | Yes | Yes | Yes | No | Yes |
| Use Self-Service Site Creation | Yes | Yes | Yes | Yes | Yes |
| View Pages | Yes | Yes | Yes | Yes | Yes |
| Enumerate Permissions | No | Yes | No | No | No |
| Browse User Information | Yes | Yes | Yes | Yes | Yes |
| Manage Alerts | No | Yes | No | No | No |
| Use Remote Interfaces | Yes | Yes | Yes | Yes | Yes |
| Use Client Integration Features | Yes | Yes | Yes | Yes | Yes |
| Open | Yes | Yes | Yes | Yes | Yes |
| Edit Personal Information | Yes | Yes | Yes | No | Yes |
| Personal Permissions | | | | | |
| Manage Personal Views | Yes | Yes | Yes | No | Yes |
| Add/Remove Personal Web Parts | Yes | Yes | Yes | No | Yes |
| Update Personal Web Parts | Yes | Yes | Yes | No | Yes |

Table 2. Default Permissions for Hierarchy Managers, Records Center Web Service Submitters, Restricted Readers, Style Resource Readers, and Viewers in SharePoint Server 2010 Enterprise

| Permission | Hierarchy Managers (Manage Hierarchy Permission Level) | Records Center Web Service Submitters (Records Center Web Service Submitters Permission Level) | Restricted Readers (Restricted Read Permission Level) | Style Resource Readers (Limited Access Permission Level) | Viewers (View Only Permission Level) |
|---|---|---|---|---|---|
| List Permissions | | | | | |
| Manage Lists | Yes | No | No | No | No |
| Override Check Out | Yes | No | No | No | No |
| Add Items | Yes | No | No | No | No |
| Edit Items | Yes | No | No | No | No |
| Delete Items | Yes | No | No | No | No |
| View Items | Yes | No | Yes | No | Yes |
| Approve Items | No | No | No | No | No |
| Open Items | Yes | No | Yes | No | No |
| View Versions | Yes | No | No | No | Yes |
| Delete Versions | Yes | No | No | No | No |
| Create Alerts | Yes | No | No | No | Yes |
| View Application Pages | Yes | No | No | No | Yes |
| Site Permissions | | | | | |
| Manage Permissions | Yes | No | No | No | No |
| View Web Analytics Data | Yes | No | No | No | No |
| Create Subsites | Yes | No | No | No | No |
| Manage Web Site | Yes | No | No | No | No |
| Add and Customize Pages | Yes | No | No | No | No |
| Apply Themes and Borders | No | No | No | No | No |
| Apply Style Sheets | No | No | No | No | No |
| Create Groups | No | No | No | No | No |
| Browse Directories | Yes | No | No | No | No |
| Use Self-Service Site Creation | Yes | No | No | No | Yes |
| View Pages | Yes | No | Yes | No | Yes |
| Enumerate Permissions | Yes | No | No | No | No |
| Browse User Information | Yes | No | No | Yes | Yes |
| Manage Alerts | Yes | No | No | No | No |
| Use Remote Interfaces | Yes | Yes | No | No | Yes |
| Use Client Integration Features | Yes | No | No | Yes | Yes |
| Open | Yes | Yes | Yes | Yes | Yes |
| Edit Personal Information | Yes | No | No | No | No |
| Personal Permissions | | | | | |
| Manage Personal Views | Yes | No | No | No | No |
| Add/Remove Personal Web Parts | Yes | No | No | No | No |
| Update Personal Web Parts | Yes | No | No | No | No |

Note
A best practice
recommendation is to not change the settings for these default Owners,
Members, and Visitors groups. In fact, the Owners group permissions
can’t be changed. Although it may seem like a good idea to modify the
permissions of the Members or Visitors groups to meet specific
requirements (for example, to remove the ability of the Visitors group
to View Versions in a list and to Create Alerts), this can lead to
confusion from an administrative and end-user standpoint. Other
administrators may not know about these customizations, and users may
not know either, and may think that, for example, their inability to
create alerts is due to a SharePoint error and file a help desk ticket.
The best practice is to create one or more new groups, such as Members
Customized or Visitors Customized, and use those instead. This will call
out clearly that the default settings have been customized. There is a
Copy Permission Level button at the bottom of the Edit Permission Level
page that makes it easy, for example, to copy the permissions for the
standard Members group and then give it a name and add or remove
permissions.
For this table, all site and site collection features have been enabled, to ensure that the full list of groups is provided.