Based on the “Guide to SharePoint Permissions” eBook
SharePoint site architecture
The basic SharePoint structure
Permission fundamentals
There are three relevant facts for permissions:
Fact 1: Files and folders can have different permission levels in SharePoint.
Fact 2: By default, an object inherits permissions from the parent, e.g. a file is a child of a parent folder.
Fact 3: Fact 2 can be changed; this is called breaking inheritance.
E.g. a List item
E.g. an AD group
E.g. Full Control
Thought process to granting permissions
Some important concepts
3rd party or PowerShell
Limited Access
SC Admin
Revoke deletion permission
Share feature? (SP 2013 or greater)
Unique permissions prevail
If it’s not shared, it’s not visible
Superior permission rules
List and library columns are not affected
How to navigate to the permissions page
The permissions page
Managing permissions
Before doing this, it’s important to be sure that the optimal level is selected; many items with unique permissions are difficult to manage.
If you grant permissions to a user through a group, make sure that the group has access first. Use Check Permissions.
The scope/file must have unique permissions in order to get their permissions removed.
Especially useful when there are users that have permissions to a certain file/scope through groups (AD or SP).
More actions and anonymous access
This should be enabled at WAP scope first. This option is for public websites.
With this option you can create your own custom permission levels, specifically if the out-of-the-box ones don’t meet your requirements.
Site Collection Administrators have FULL CONTROL over the entire Site Collection.
Final advice
Perform a quarterly audit for:
◦ Site Collection Administrators
  Forgotten users that remain as SC Admin
  Only a small group should be Admin
  Current SC Admins can grant permissions to new SC Admins
  These users should be acquainted with SharePoint, because…
◦ Sensitive Areas
  Some areas will be more sensitive than others
  Check who has permissions over this content
  Document these areas with the work team
  Use “Check Permissions” in order to control this better
Manageability tips
◦ Train Site Owners and Power Users
  SharePoint allows you to delegate sites and content (e.g. the Marketing team can have their own site). Provide constant training to site owners.
◦ Avoid granular permissions
  The more granular the permissions, the harder they are to manage. Consider using folders and groups to optimize this.
◦ User account expiration
  If you work with external people, be sure to delete ALL their access permissions when their work is done.
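The quarterly audit described above, as an added PowerShell example (not taken from the eBook or the slides): it lists every Site Collection Administrator and every subsite and list that has broken inheritance. It assumes an on-premises farm (SP 2013 or greater), the SharePoint Management Shell run with farm administrator rights, and a hypothetical output folder C:\Audit.

```powershell
# Added example. Assumes an on-premises farm and the SharePoint Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$outDir = 'C:\Audit'   # hypothetical output folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

$admins = @()   # one row per Site Collection Administrator
$unique = @()   # one row per subsite or list that has broken inheritance

foreach ($site in Get-SPSite -Limit All) {
    try {
        foreach ($user in $site.RootWeb.SiteAdministrators) {
            $admins += [pscustomobject]@{
                SiteCollection = $site.Url
                LoginName      = $user.LoginName
                DisplayName    = $user.Name
            }
        }
        foreach ($web in $site.AllWebs) {
            try {
                # The root web always owns its permissions, so only subsites count.
                if ($web.HasUniqueRoleAssignments -and -not $web.IsRootWeb) {
                    $unique += [pscustomobject]@{ Scope = 'Site'; Title = $web.Title; Url = $web.Url }
                }
                foreach ($list in $web.Lists) {
                    if ($list.HasUniqueRoleAssignments) {
                        $unique += [pscustomobject]@{
                            Scope = 'List'
                            Title = $list.Title
                            Url   = $web.Url.TrimEnd('/') + '/' + $list.RootFolder.Url
                        }
                    }
                }
            }
            finally { $web.Dispose() }
        }
    }
    finally { $site.Dispose() }
}

$admins | Export-Csv (Join-Path $outDir 'sc-admins.csv') -NoTypeInformation
$unique | Export-Csv (Join-Path $outDir 'unique-permissions.csv') -NoTypeInformation

# Site collections with many administrators are the first ones to review.
$admins | Group-Object SiteCollection | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Item-level unique permissions are not enumerated here; Check Permissions remains the way to confirm what a specific user or group can reach in a sensitive area.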