Sunday 23 October 2016

SharePoint Permission Management

Hi All,
In today's blog post I will define permission management in SharePoint. Most of us know the permissions on sites, subsites, lists, libraries and items very well, but there is a lot of confusion about the permissions managed at the farm level or from Central Administration. Here I am trying to define these permissions.

Farm Level Permissions

Farm Account
The Farm Account is the user that installed SharePoint in the environment. It is supposed to be a service account (the password of this service account is expected never to change).
To install SharePoint, the user must be a member of the local Administrators group on the server and must hold the 'securityadmin' and 'dbcreator' server roles on SQL Server.
Once SharePoint has been configured, this user automatically gets DBOwner access on the SharePoint databases, which is required for performing any operation in SharePoint using PowerShell.

Farm Administrators
Farm Administrators have complete access to SharePoint sites, products and features, the same as the Farm Account, but they can only use the GUI to perform their tasks: they cannot run any query against the databases and they cannot do anything with PowerShell.
If they need to use PowerShell or access the databases, they have to get DBOwner rights on all SharePoint databases.
This access can be granted using:
Add-SPShellAdmin -UserName domain\user
to use PowerShell (permission is granted on the Config and Central Administration content databases), or
Add-SPShellAdmin -UserName domain\user -Database DatabaseName
to use PowerShell for a particular web application (its content database).
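As an added example (not code from the original post), the following script grants shell access scoped to a single web application by running Add-SPShellAdmin once per content database behind it, and then lists who holds shell access on each of those databases. The account and URL are placeholders, and the SharePoint snap-in is assumed to be available on the server.

```powershell
# Added example; CONTOSO\spadmin and the URL are placeholders, not real values.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$user   = "CONTOSO\spadmin"
$webUrl = "http://intranet.contoso.local"

# Scope the grant to one web application: one Add-SPShellAdmin per content DB.
# (The cmdlet also registers the user on the farm configuration database.)
foreach ($db in Get-SPContentDatabase -WebApplication $webUrl) {
    Add-SPShellAdmin -UserName $user -Database $db -Confirm:$false
    Write-Host "Granted shell access on $($db.Name) to $user"
}

# Verify: list the shell admins currently registered on each of those databases,
# which is the quickest way to spot accounts that should no longer be there.
foreach ($db in Get-SPContentDatabase -WebApplication $webUrl) {
    $admins = (Get-SPShellAdmin -Database $db | ForEach-Object { $_.UserName }) -join ", "
    Write-Host ("{0,-30} {1}" -f $db.Name, $admins)
}
```

Remove-SPShellAdmin takes the same -UserName and -Database parameters when the access is no longer needed.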

Service Account
You can use multiple service accounts. The difference between a normal account and a service account is that the password of a service account is expected not to change in future. These accounts are used for configuring the different types of services and service applications in SharePoint.
These accounts should not be used for accessing SharePoint sites, and not by any normal user. Only power users should have access to these accounts.


Web Application Level Permissions

Anonymous Access
If you enable this access, anyone on the network can access your SharePoint site without logging in to it (like you access Google without any login).
It must be enabled at the Central Administration level for a particular web application; once enabled, site collection admins can manage its permissions at the site level.

Permission Policy
There are four permission policies by default:
Full Control – full access to the complete web application
Full Read – full read access to the complete web application
Deny Write – cannot write or modify anything in the complete web application
Deny All – cannot access the web application at all
You can define custom permission policies of your choice and choose what permissions the user has on the web application. These policies are defined per zone of the web application.

User Policy
A Farm admin can define what a user can do within the web application. Any permission policy can be applied to a user, and it takes effect across the complete web application.
These settings cannot be removed by any site collection admin or by any user with Full Control. If you select Deny All for a particular user, that user cannot access any site collection, site, subsite, list, library or document, even if he/she has Full Control on the site or is a Site Collection Admin.
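As an added example serving both the Permission Policy and User Policy sections above (it is not code from the original post), this script applies the built-in Deny All permission policy to one account on the Default zone of a web application and then prints every user policy on that zone. The URL and account are placeholders, and a claims-based web application is assumed.

```powershell
# Added example; the URL and CONTOSO\leaver are placeholders, not real values.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webApp = Get-SPWebApplication "http://intranet.contoso.local"
$zone   = [Microsoft.SharePoint.Administration.SPUrlZone]::Default

# Policies are defined per zone; this one only affects the Default zone.
$zonePolicies = $webApp.ZonePolicies($zone)

# Encode the Windows account as a claim (assumes claims authentication).
$claim = New-SPClaimsPrincipal -Identity "CONTOSO\leaver" `
                               -IdentityType WindowsSamAccountName

# Add a user policy and bind it to the built-in Deny All permission policy.
# A web application policy overrides any site-level rights, including
# Site Collection Administrator, which is why Deny All locks the user out.
$policy  = $zonePolicies.Add($claim.ToEncodedString(), "Former employee - Deny All")
$denyAll = $webApp.PolicyRoles.GetSpecialRole(
    [Microsoft.SharePoint.Administration.SPPolicyRoleType]::DenyAll)
$policy.PolicyRoleBindings.Add($denyAll)
$webApp.Update()

# Review every user policy on the zone together with the roles bound to it.
foreach ($p in $webApp.ZonePolicies($zone)) {
    $roles = ($p.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ", "
    Write-Host ("{0,-45} {1}" -f $p.UserName, $roles)
}
```

The same listing loop is useful as a periodic check that no Full Control policy has been left behind for service or former accounts.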

User Permissions
The Farm admin can choose which permissions will be available to users inside a site collection. If you remove Manage Permissions here, any user with Full Control on the site will no longer be able to change the permissions of the site; only a Site Collection Admin will be able to do this.

Site Collection Level Permissions
Site Collection Administrator
A Site Collection Administrator has full control on the site collection and all of its subsites.
But there are two types of Site Collection Administrator:
     1. Managed by Central Administration
· A maximum of 2 users can have this access; groups are not allowed.
· When we create a site collection we have to provide 2 Site Collection Administrators (Primary and Secondary). Primary is mandatory.
· Have full access on the complete site collection and its subsites.
· Receive alerts about quota limit issues, site access requests and other issues arising from settings in the site.
· Cannot be managed from Site Settings; only Farm admins can remove these users.

     2. Managed by the site itself
· Any number of users or groups can have these permissions.
· Managed from Site Settings; any user with Site Collection Admin rights can remove these users.
· Do not receive any alert about issues in the site.
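The two kinds of site collection administrator described above, as an added example (not code from the original post): the two Central Administration-managed admins are set with Set-SPSite, site-managed admins are toggled through the IsSiteAdmin flag, and the final loop lists every administrator and labels which kind each one is. The URL and accounts are placeholders.

```powershell
# Added example; the URL and CONTOSO\hr.* accounts are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$siteUrl = "http://intranet.contoso.local/sites/hr"

# 1. Central Administration-managed: one primary and one secondary owner per
#    site collection (users only); these two receive quota and access-request
#    alerts, and only a farm admin can change them.
Set-SPSite -Identity $siteUrl -OwnerAlias "CONTOSO\hr.owner" `
           -SecondaryOwnerAlias "CONTOSO\hr.backup"

# 2. Site-managed: any number of users, controlled by the IsSiteAdmin flag
#    (the same setting as Site Settings > Site collection administrators).
$site   = Get-SPSite $siteUrl
$helper = $site.RootWeb.EnsureUser("CONTOSO\hr.helper")
$helper.IsSiteAdmin = $true
$helper.Update()

# List all administrators and label the kind of each, so a reviewer can see
# which ones a site collection admin could remove and which ones only a farm
# admin can.
foreach ($admin in $site.RootWeb.SiteAdministrators) {
    $kind = if ($admin.LoginName -eq $site.Owner.LoginName) { "Primary (CA-managed)" }
            elseif ($admin.LoginName -eq $site.SecondaryContact.LoginName) { "Secondary (CA-managed)" }
            else { "Site-managed" }
    Write-Host ("{0,-45} {1}" -f $admin.LoginName, $kind)
}
$site.Dispose()
```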



Scope of Users and Groups
· SharePoint Group – Site Collection
· Permission Level – Site Collection
· Permissions – Site/Subsite/List/Library/Items
· Users – Active Directory
· Domain Group – Active Directory (domain groups cannot be granted any permission in SharePoint)
· Security Group – Active Directory (domain groups must be converted to security groups if you need to give permissions to AD groups)