Professional Documents
Culture Documents
SharePoint Permissions
Best Practices
1
Table of Contents
Introduction 3
SharePoint Groups 7
Advanced Permissions 8
Permissions Inheritance 16
Final Word 20
About Netwrix 22
2
Introduction
SharePoint has a very flexible model for permissions assignment. You can regulate
access rights at various levels that are inherited by lower levels of the hierarchy, and
you can also create exceptions that break the inheritance of permissions. Moreover,
you can assign permissions to groups or directly to users.
This flexibility can be very useful, but it has an important downside: It often results in
a tangled permissions structure that is difficult to understand and manage, especially
when several people are responsible for SharePoint environment. Nevertheless, it’s
critical to set SharePoint permissions correctly and manage them effectively; in fact,
this process can make or break the security of your SharePoint and the information
stored in it.
This guide will help you understand the layers of SharePoint permissions, administra-
tive roles and permissions management best practices, so you can build a transparent
and secure SharePoint environment in your organization.
Introduction 3
I. Understanding SharePoint
Permissions
Figure 1.1
SharePoint admin roles and
system components, which they
can manage
Farm Administrator. Members of the Farm Administrators group have full control
permissions to all SharePoint farms; that is, they can perform all administrative
tasks in SharePoint Central Administration for the server farm. For example, they
can assign administrators to manage service applications, features and site collec-
tions. This group does not have access to individual sites, site collections and their
content, but a Farm Administrator can easily take ownership of any site collection
and get full access to its content simply by adding himself or herself to the site
collection’s Administrators group on the Application Management page.
The web application level does not have a unique administrator group, but farm
Web Application administrators have control over the web applications within their scope. Members of
Policies the Farm Administrators group and members of the Administrators group on the local
server can define a policy to grant permission to individual users at the web application
level. The following polices are available:
Anonymous policies. Defines the access restriction to be applied to users who are
not authorized in the domain: no policy, deny write access or deny all access.
Site collection administrator. These administrators have the Full Control permission
Site Collection Roles for all sites in a site collection. They have Full Control access to all site content in
that site collection, even if they do not have explicit permissions on that site. They
can audit all site content and receive any administrative message. A primary and
a secondary site collection administrator can be specified during the creation of
a site collection.
Site owner. By default, members of the Owners group for a site have the Full Con-
trol permission level on that site. They can perform administrative tasks on the site,
and on any list or library within the site. They receive e-mail notifications for events
such as the pending automatic deletion of inactive sites and requests for site
access.
Full Access. The user can manage site settings, create sub-sites, and add users to
groups.
Design. The user can view, add, update and delete approvals and customizations,
as well as create and edit new document libraries and lists on the site, but cannot
manage settings for the whole site.
Contribute. The user can view, add, update and remove list items and documents.
Contribute is the most common right for regular SharePoint users, since it enables
them to manage documents and information on a site.
Read. The user can view list items, pages and download documents.
Edit. The user can manage lists and list items and contribute permissions.
View Only. The user can view pages, list items and documents. Documents can be
viewed only in the browser; they cannot be downloaded from a SharePoint server
to a local computer.
SharePoint Groups
SharePoint groups enable you to manage sets of users instead of individual users.
A group can include individual users created in SharePoint, as well as users or groups
from any identity management or domain services system, such as Active Directory
Domain Services (AD DS), LDAPv3-based directories, application-specific databases and
identity models such as Windows Live ID. You can organize your users into any number
of groups, depending on the size and complexity of your organization or site.
SharePoint groups cannot be nested.
User-defined SharePoint groups do not have specific access rights to the site. However,
there are predefined SharePoint groups that do grant members specific access permis-
sions. The set of predefined groups depends on the site template you are using. Here
are the predefined groups for a team site and their default permissions to the
SharePoint site:
Visitors Read
Members Edit
And here are the predefined groups for the publishing site template and their default
permissions:
Hierarchy
Can create sites, lists, list items, and documents.
Managers
Note that all these groups and their permissions can be changed.
The best practice is to add regular users who only need to read information to the
Visitors group and add users who need to create or edit documents to the Members
group. This is because users in the Members group can add, change or remove items
or documents, but they cannot change the site structure, settings or appearance.
Similarly, users in the Visitors group can see pages, documents and items but cannot
perform add or remove operations.
Advanced Permissions
The default groups and permission levels in SharePoint provide a general framework
for permissions that is useful for many types of organization. However, they might not
map exactly to how users are organized or the many different tasks they perform on
your sites. If the default permission levels do not suit your organization, you can create
custom groups, change the permissions included in specific permission levels or create
custom permission levels.
Add and Customize Create subsites such as team sites, publishing sites and news-
Pages feed sites
Apply Themes
Apply a theme or borders to the site
and Borders
Apply Style Sheets Apply a style sheet (.CSS file) to the site
Use the SOAP, Web DAV, Client Object Model or SharePoint De-
Use Remote Interfaces
signer interfaces to access the site
Open Open a site, list or folder and access items inside that container
Edit Personal User Change one’s own user information, such as by updating a tele-
Information phone number or title or adding a picture
SharePoint Personal Manage Personal Views Create, change and delete personal list views
Permissions
Add/Remove Add or remove personal web parts
These permissions affect Personal Web Parts
the configuration and
management of personal
pages. Update Personal Add or edit personalized information in personal web parts
Web Parts
Access control relies on authentication (verifying that the user is who they claim to
be) and authorization (determining what the user should have access to). SharePoint
performs authorization but it does not perform any authentication; it relies on the
underlying Internet Information Services (IIS) and authentication providers to handle
that.
Since SharePoint 2010, the standard authentication has been claims-based authentica-
tion. There are different types of claims-based authentication; the industry standards
are WS-Federation, Security Assertion Markup Language (SAML) and OAuth. However,
Microsoft baked into SharePoint a claims engine, the Security Token Service (STS),
which can understand many different authentication approaches. Out of the box,
SharePoint supports standard Windows Authentication (NTLM, Basic and Kerberos),
Forms Based Authentication (FBA) and SAML.
SAML attributes
SharePoint groups
A specific user (though best practices recommend not assigning permissions at this
level in SharePoint)
Subsite Permissions
Document library
Sharing Permissions
or list
For all of these objects, you can assign permissions to the entities listed in the previ-
ous section, such as SharePoint security groups, roles, attributes or specific users. (As
noted earlier, however, the best practice is to use security groups or roles for assigning
user permissions instead of adding permissions directly to a user account.)
You can organize your users into any number of groups, depending on the size and
complexity of your organization or site. However, SharePoint groups cannot contain
other SharePoint groups (that is, they cannot be nested).
There are two ways of assigning permissions to a SharePoint site via groups: The first
one is to add a user to a SharePoint group, and the second one is to give an AD securi-
ty group access directly to the site or put it in a SharePoint group that has permissions
on the site.
To create a SharePoint group, go to Site Permissions in Site Settings and click the
Creating a SharePoint “Create Group” button. Enter a name and description for the group. Then specify the
group group owner; the users who can view and edit the group’s membership; whether to
allow users to request membership or request to leave the group; and the group’s per-
missions for the site. Then click “Create” to create the group.
Figure 2.1
Creating a SharePoint group
To add members to a SharePoint group, from the “People and Groups” menu, click
Changing group the name of the group in the left pane and then click “New” and “Add Users”, as shown
membership below. Enter one or more usernames you want to add to the group, and then click
“Share”.
Figure 2.2
Changing group membership
To remove a user from a group, select the user you want to delete, click “Actions”, and
then click “Remove Users from Group”.
To modify the permissions for a site collection or site, the Site Collection Administra-
tors or Site Owners should choose "Site Settings" and edit the SharePoint permissions;
lower level permissions, such as permissions to document libraries or lists, are accessi-
ble within the settings pages for those specific securable objects.
Navigate to the “Site Settings” page, click “Site Permissions” and then click the “Permission
Customizing Levels” menu. To customize an existing permission level, click its name on the “Permis-
an Existing sion Levels” page. On the “Edit Permission Level” page, change the description and add
or remove permissions as you require.
Permission Level
To create a new custom permission level, you must be logged in as a SharePoint Farm
Creating a New Administrator, Site Collection Administrator or Site Owner. Navigate to the “Site Set-
Custom Permission tings” page and click “Site Permissions”. Next, click on the “Permission Levels” menu item:
Level from Scratch
Figure 2.3
Creating a new custom
permission level
On the “Add a Permission Level” page, enter the name of the new permission level and a
description. Then select the check boxes next to the list, site and personal permissions
that you want the new permission level to include. To save your new permission level,
click “Create”.
To clone an existing permission level, go to the “Permission Levels” page and then click
Creating a New on the permission level you want to clone.
Custom Permission
Level by Cloning
Figure 2.4
Cloning an existing permission
level
Then click the “Copy permission level” button, name the new permission level, modify it
as needed, and then save it.
If you break permissions inheritance, the subsite, document library, website or file will
be able to form its own unique permissions, but, as stated earlier, only the permission
levels regulated by the web application’s user permissions will be available.
Therefore, we have two types of inheritance, which are tied to policies configured on
the web application level:
User permissions, which are inherited by all site collections advanced permissions.
This inheritance cannot be broken at lower levels.
Any permissions changes at the parent level site (list of items, document library) will
not affect child elements with unique permissions, and unique permissions will always
win when they conflict with parent ones.
As you can imagine, this model of inheriting permissions from higher level elements
How to Break does not meet all security requirements. For example, multiple users might need ac-
Permissions cess to a certain document library, but only a few of them should be able to read one
of the documents in that library. Similarly, you also might need:
Inheritance
Subsite permissions that differ from those for the parent site collection
List or library permissions that vary from those of the parent site
File permissions that are different from the parent library or folder
Currently, the only way of achieving these goals is to break inheritance for the specific
item. You edit user permissions as required, removing any that are not necessary.
This strategy is effective, but assigning unique permissions to specific user accounts
creates management headaches and can introduce security gaps. Therefore, you
should avoid breaking inheritance whenever possible.
To break inheritance for a given object, select that object, click "Stop inheriting permis-
sions" and then remove or add users or groups as needed.
Because there are so many layers of SharePoint permissions and ways to assign them,
it can be challenging to ensure transparent and manageable permissions structure.
Understanding and following best practices when it comes to SharePoint permissions
can help you with that.
The security boundary object defined in SharePoint is always the SharePoint group.
Permission levels in SharePoint are assigned to SharePoint groups; by default, site
permissions consist of specific SharePoint groups with their default permission levels,
making a group the perfect container.
Therefore, you should set permissions on either a SharePoint site group or an Active
Directory group. In environments where Active Directory is not the core authentication
mechanism, the group could be a Forms Authentication Role or even an attribute from
a Security Assertion Markup Language (SAML) claim.
Using groups for permission assignment helps ensure permissions are in line
with the least-privilege principle. It comes down to the inheritance of permissions for
users based on their group memberships. As users change roles or leave the organiza-
tion, removing them from security groups instantly removes their access to sites, their
subsites, and all files and folders in the hierarchy. In contrast, when access rights are
assigned at the user level, permissions are rarely revoked in those situations, putting
your content at unnecessary risk.
We find broken inheritance and unique permissions again and again on files in file
shares, which leads to NTFS or share permissions being allocated and then never
removed. However, unlike file servers, SharePoint does not provide an easy way to
identify unique permissions and remedy them easily, so they put the security of
SharePoint at risk.
Figure 3.1
SharePoint permission structure
Regular privilege attestations help you spot excessive access rights in a timely manner,
as well as identify unauthorized broken inheritance, which could lead to security or op-
erational issues.
SharePoint is all about collaboration and sharing of documents, files and other
content. Sometimes, users need to share content externally for legitimate business
reasons. That capability is now built into the product.
Protecting the sharing of content with external users is vitally important to the busi-
ness. Best practices are to block external sharing unless there is a business reason for
it and to isolate all external sharing sites into a single site collection so you can control
what can and cannot be shared externally. This approach reduces the risk of privilege
misuse and attacks on the information on your other sites.
Having the ability to share content outside of the organization without requiring any
authentication is appealing to users, especially if the organization restricts email
attachments. SharePoint makes it easy: Users can send anyone a link that allows them
to download and even edit a particular file.
The best practices detailed here provide a high-level view of how to get started.
For more detailed information, check out the following resources:
Final Word 20
Netwrix Auditor for SharePoint
21
About Netwrix