Sunday, 23 October 2016

SharePoint Permission Management

Hi All,
In today's blog post I will describe permission management in SharePoint. Most of us know the permissions on sites, sub sites, lists, libraries and items quite well, but there is a lot of confusion about the permissions that are managed at the farm level, from Central Administration. Here I am trying to define those permissions.

Farm level Permissions

Farm Account
The Farm Account is the account under which SharePoint was installed and configured. It is supposed to be a service account, used only by SharePoint itself (for the timer service and the Central Administration application pool) and never by a person. It is often said that the password of this account will never be changed; the better practice is to register it as a managed account in Central Administration (Security > Configure managed accounts) so that SharePoint can rotate the password on a schedule without breaking the farm.
To install SharePoint, the installing user must be a member of the local Administrators group on each server and must hold the securityadmin and dbcreator fixed server roles on the SQL Server instance.
Once SharePoint has been configured, this account automatically becomes db_owner of the farm databases and a member of the local WSS_ADMIN_WPG group on each server. That is what allows it to perform any operation in SharePoint using PowerShell.

Farm Administrators
Farm Administrators have the same complete control over SharePoint sites, products and features as the Farm Account, but only through the Central Administration GUI: they cannot run any query against the databases and they cannot run SharePoint PowerShell cmdlets against the farm.
To use PowerShell they must be granted the SharePoint_Shell_Access role on the farm configuration database and on every content database they need to work with (the cmdlet below also adds them to the local WSS_ADMIN_WPG group on each server). Farm Administrators membership alone does not give this, and shell access alone does not make someone a Farm Administrator, so treat the two as separate privileges to review.
This access is granted using
    Add-SPShellAdmin -UserName domain\user
to use PowerShell against the farm (the role is granted on the configuration database and the Central Administration content database), and
    Add-SPShellAdmin -UserName domain\user -database Databasename
to use PowerShell against the content database of a particular web application (the -database parameter takes the database object or its GUID, for example the output of Get-SPContentDatabase). Get-SPShellAdmin lists who holds the role on a database and Remove-SPShellAdmin revokes it.
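The following script is an added example, not code from the original post: it grants a farm administrator shell access scoped to the content databases of one web application rather than to the whole farm, then lists who holds the role on each database so the grant can be verified. The account CONTOSO\spadmin2 and the web application URL https://intranet.contoso.local are assumed values.

```powershell
# Added example: least-privilege shell access for a farm administrator.
# Assumed values: the user CONTOSO\spadmin2 and the web application URL.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$userName  = 'CONTOSO\spadmin2'                   # assumed account
$webAppUrl = 'https://intranet.contoso.local'     # assumed web application

$webApp = Get-SPWebApplication -Identity $webAppUrl

# Grant SharePoint_Shell_Access on every content database attached to the
# web application. Passing -database also grants the role on the farm
# configuration database, which is required to load the snap-in at all, but
# not on the content databases of any other web application.
foreach ($db in $webApp.ContentDatabases) {
    Write-Host "Granting SharePoint_Shell_Access on $($db.Name) to $userName"
    Add-SPShellAdmin -UserName $userName -database $db -Confirm:$false
}

# Verify the result: who can now run cmdlets against each content database,
# and against the configuration database (no -database argument).
function Get-ShellAdminReport {
    foreach ($db in $webApp.ContentDatabases) {
        foreach ($admin in Get-SPShellAdmin -database $db) {
            [pscustomobject]@{ Database = $db.Name; UserName = $admin.UserName }
        }
    }
    foreach ($admin in Get-SPShellAdmin) {
        [pscustomobject]@{ Database = 'SharePoint_Config'; UserName = $admin.UserName }
    }
}

Get-ShellAdminReport | Sort-Object Database, UserName | Format-Table -AutoSize
```

Run it from a SharePoint server as an account that already has shell access and the securityadmin role on the SQL Server instance, because Add-SPShellAdmin changes database role membership. Use Remove-SPShellAdmin with the same -database argument to revoke the grant when the administrator no longer needs it.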

Service Account
You can use multiple service accounts. The difference between a normal user account and a service account is that a service account exists only to run a service or service application, so its password is not tied to a person. That does not mean the password should never be changed; register each one as a managed account so that SharePoint can rotate the password itself. These accounts are used when configuring the different services and service applications in SharePoint (application pool identities, the search crawl account, the User Profile synchronization account and so on).
These accounts should never be used to browse SharePoint sites or for interactive logon, and no normal user should have their passwords. Only a small number of administrators should have access to them, and their use should be monitored like that of any other privileged account.


Web Application Level Permissions

Anonymous Access
If you enable this access, anyone on the network can reach the SharePoint site without logging in (as you reach google without any login).
It has to be enabled first in Central Administration for a particular web application (per zone); once enabled, site collection administrators decide at the site, list and item level what anonymous users can actually see, and nothing is exposed until they do. Central Administration also lets a farm administrator set an anonymous policy (Deny Write or Deny All) for the zone, which overrides whatever the sites grant to anonymous users.

Permission Policy
There are four permission policy by default.
Full Control – Have full access on complete web application
Full Read - Have full read on complete web application 
Deny Write – Can’t write or modify anything in complete web application
Deny All – Can’t access complete web application
You can also define custom permission policy levels of your choice and pick exactly which permissions a user will get on the web application. Policies are applied per zone of the web application (Default, Intranet, Internet, Custom, Extranet) or to all zones at once.

User Policy
A farm administrator can define what a user can do across the whole web application. Any permission policy can be applied to a user (or to an AD security group), and it takes effect on every site collection in the web application for the chosen zone.
These settings cannot be removed by a site collection administrator or by any user who has Full Control on a site. If you select Deny All for a particular user, that user cannot access any site collection, site, sub site, list, library or document in the web application, even if he or she has Full Control on the site or is a site collection administrator. For the same reason the user policy list is the first place to check when an account is unexpectedly denied, or unexpectedly allowed: a Full Control or Full Read policy also bypasses the permissions set on the sites.
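The script below is an added example, not code from the original post: it applies a Full Read user policy for an auditing account and a Deny All policy for one user on the Default zone of a web application, then lists every policy on every zone so the effect described above can be reviewed. The web application URL and the accounts CONTOSO\svc_audit and CONTOSO\jdoe are assumed values.

```powershell
# Added example: manage web application user policies with PowerShell.
# Assumed values: the web application URL and the two accounts below.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webApp = Get-SPWebApplication -Identity 'https://intranet.contoso.local'

# Claims-based web applications store policy users in claims-encoded form
# (i:0#.w|domain\user for Windows accounts). Encoding through the claims
# API gives the right form whichever authentication mode is in use.
function Get-PolicyUserName([string]$account) {
    if ($webApp.UseClaimsAuthentication) {
        $claim = New-SPClaimsPrincipal -Identity $account -IdentityType WindowsSamAccountName
        return $claim.ToEncodedString()
    }
    return $account
}

function Add-WebAppUserPolicy {
    param(
        [string]$Account,
        [Microsoft.SharePoint.Administration.SPPolicyRoleType]$Role,
        [Microsoft.SharePoint.Administration.SPUrlZone]$Zone = 'Default'
    )
    # ZonePolicies($Zone) holds the policies of one zone; $webApp.Policies
    # holds the ones that apply to all zones.
    $policies = $webApp.ZonePolicies($Zone)
    $policy   = $policies.Add((Get-PolicyUserName $Account), $Account)
    # FullControl, FullRead, DenyWrite and DenyAll are the four built-in levels.
    $policy.PolicyRoleBindings.Add($webApp.PolicyRoles.GetSpecialRole($Role))
    $webApp.Update()
}

Add-WebAppUserPolicy -Account 'CONTOSO\svc_audit' -Role FullRead
Add-WebAppUserPolicy -Account 'CONTOSO\jdoe'      -Role DenyAll

# Review every zone. A Deny policy here wins over any permission granted on
# a site, which is why "Full Control" users can still get access denied.
function Get-WebAppPolicyReport {
    foreach ($zone in [Enum]::GetValues([Microsoft.SharePoint.Administration.SPUrlZone])) {
        foreach ($p in $webApp.ZonePolicies($zone)) {
            [pscustomobject]@{
                Zone  = $zone
                User  = $p.UserName
                Roles = ($p.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ', '
            }
        }
    }
    foreach ($p in $webApp.Policies) {
        [pscustomobject]@{
            Zone  = 'All zones'
            User  = $p.UserName
            Roles = ($p.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ', '
        }
    }
}

Get-WebAppPolicyReport | Format-Table -AutoSize
```

The report is worth keeping as a baseline: any new Full Control or Full Read policy is a farm-wide grant that no site owner can see from Site Settings, so changes to this list should be reviewed like changes to the Farm Administrators group.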

User Permissions
A farm administrator can choose which individual permissions (Manage Permissions, Add Items, Create Alerts and so on) are available inside the site collections of a web application. If you remove Manage Permissions here, it disappears from every permission level in that web application, so even a user with Full Control on a site will not be able to change its permissions. Only a site collection administrator will still be able to do this.

Site Collection Level Permissions
Site Collection Administrator
A Site Collection Administrator has full control over the site collection and all of its sub sites, regardless of the permissions set on them.
There are two types of Site Collection Administrators:
     1. Managed from Central Administration
·         A maximum of 2 users can have this access (primary and secondary). Groups are not allowed.
·         When we create a site collection we have to provide these two site collection administrators. The primary is mandatory, the secondary is optional.
·         Have full access to the complete site collection and its sub sites.
·         Receive the e-mail alerts about quota limits, site access requests and other issues raised by the settings of the site.
·         Cannot be managed from Site Settings. Only farm administrators, from Central Administration, can change or remove these users.

     2. Managed from the site itself
·         Any number of users or AD security groups can hold this right.
·         Managed from Site Settings. Any user who already has site collection administrator rights can add or remove these users, so this list grows easily and needs periodic review.
·         Do not receive any alert about issues in the site.
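The following script is an added example, not code from the original post: for every site collection in one web application it reports the two administrators managed from Central Administration (the primary and secondary owner) separately from the administrators added in Site Settings, which is the list that tends to grow unnoticed. The web application URL is an assumed value.

```powershell
# Added example: audit site collection administrators of both kinds.
# Assumed value: the web application URL.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = 'https://intranet.contoso.local'

function Get-SiteAdminReport {
    Get-SPWebApplication -Identity $webAppUrl |
        Get-SPSite -Limit All |
        ForEach-Object {
            $site = $_
            try {
                # Owner and SecondaryContact are the pair set in Central
                # Administration; RootWeb.SiteAdministrators is the full list
                # shown in Site Settings, which includes that pair.
                $primary   = $site.Owner.LoginName
                $secondary = if ($site.SecondaryContact) { $site.SecondaryContact.LoginName } else { '' }
                $caManaged = @($primary, $secondary) | Where-Object { $_ }

                $siteManaged = @($site.RootWeb.SiteAdministrators |
                    Where-Object { $caManaged -notcontains $_.LoginName } |
                    ForEach-Object { $_.LoginName })

                [pscustomobject]@{
                    Url              = $site.Url
                    PrimaryAdmin     = $primary
                    SecondaryAdmin   = $secondary
                    SiteManagedCount = $siteManaged.Count
                    SiteManaged      = ($siteManaged -join '; ')
                }
            }
            finally {
                $site.Dispose()   # SPSite holds unmanaged resources; always dispose
            }
        }
}

$report = Get-SiteAdminReport
$report | Format-Table Url, PrimaryAdmin, SecondaryAdmin, SiteManagedCount -AutoSize

# Sites where the Site Settings list has grown beyond a few named accounts
# are the ones a reviewer should look at first.
$report | Where-Object { $_.SiteManagedCount -gt 5 } |
    Select-Object Url, SiteManagedCount, SiteManaged | Format-List
```

Because the primary and secondary owners are also the only accounts that receive quota and access-request mail, the report doubles as a check that those two are still active people (or a monitored mailbox) and not accounts that have left the organisation.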



Scope of Users and Groups
·         SharePoint Group – scoped to the site collection (a SharePoint group cannot be reused in another site collection)
·         Permission Level – scoped to the site collection
·         Permissions – granted on a site, sub site, list, library or item
·         Users – come from Active Directory
·         Distribution Group – Active Directory (a distribution group cannot be granted any permission in SharePoint)
·         Security Group – Active Directory (a distribution group must be converted to a security group if you need to give permissions to an AD group; note that SharePoint reads group membership from the user's login token, so a membership change in AD takes effect only when the user gets a new token, not immediately)




Friday, 29 July 2016

SharePoint Architecture

Today I am describing the usual architecture of SharePoint.

Architecture of SharePoint –

1-Tier: all the layers (presentation, application and data) run on a single computer. To achieve a true 1-tier deployment the database has to be an embedded one that cannot run in a separate process; otherwise there are at least 2 tiers, because a normal database server can always be moved to its own computer (tier).

2-Tier: either the presentation layer and the application layer run together on one computer, or the application layer and the data layer do. The whole application cannot run on more than 2 computers.

3-Tier: the simplest case of an N-tier architecture; the three layers are able to run on three separate computers. In practice these three layers can also be deployed on one computer (a 3-tier architecture deployed as 1 tier).

N-Tier: an architecture of 3 or more tiers. Some layers of the 3-tier model can be broken down further, and the resulting layers may run on more tiers. For example, the application layer can be split into a business layer and a persistence layer, and the presentation layer into a client layer and a client presenter layer. To claim a complete N-tier architecture, the client presenter layer, business layer and data layer should be able to run on three separate computers (tiers). In practice all of these layers can also be deployed on one computer (tier).
Usage of Different Tier Architectures of SharePoint -

1-Tier: Normally this architecture is used in a development environment. It is a standalone SharePoint installation that contains all the services, web applications, SQL Server and Central Administration on one machine. We can also install a complete farm on a single machine, but as soon as another server joins that farm it becomes a 2-tier or larger architecture.
2-Tier: Normally this architecture is used in development or pre-production environments. Two machines share the load of SharePoint, typically with SQL Server installed on a separate machine. Both a standalone installation and a farm installation can be used, but if we install a farm we do not add any other server to it, otherwise it becomes a 3-tier or larger architecture.
 
3-Tier/N-Tier: This is a complete SharePoint farm installation with a database server, an application server and web front end (WFE) servers. This architecture is used in pre-production and production environments.

In a typical 3-tier architecture there is -
 
One database server – This server runs SQL Server and hosts the SharePoint configuration and content databases. 
One application server – Normally this server hosts Central Administration and the SharePoint services and service applications. 
Two web front end servers – These servers serve the web applications to users; most custom SharePoint features and WSP solutions are deployed to these servers. Two of them allow the site to stay available when one is down, which is why the load balancing check further below exists. 


A WFE can be identified by the "Microsoft SharePoint Foundation Web Application" service instance, which is started on a web front end and not on an application server. In SharePoint 2013 without MinRole the server role shown in Central Administration is not reliable for this, so check the service instance rather than the role. 
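The script below is an added example, not code from the original post: it inventories the farm topology by reporting, for each server registered in the farm, its role, whether the "Microsoft SharePoint Foundation Web Application" service instance is online (the WFE test described above), whether it hosts Central Administration, and every other online service instance, so the intended tiers can be checked against what is actually running. It assumes nothing beyond the service type names quoted in the comments.

```powershell
# Added example: map the farm's tiers from the service instances that are
# actually online on each server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$wfeServiceType = 'Microsoft SharePoint Foundation Web Application'
$caServiceType  = 'Central Administration'

function Get-FarmTopology {
    foreach ($server in Get-SPServer) {
        $instances = @(Get-SPServiceInstance -Server $server |
            Where-Object { $_.Status -eq 'Online' })

        $isWfe   = [bool]($instances | Where-Object { $_.TypeName -eq $wfeServiceType })
        $hostsCA = [bool]($instances | Where-Object { $_.TypeName -eq $caServiceType })

        # The SQL Server host is registered in the farm with role 'Invalid'
        # and runs no SharePoint service instances.
        if ($server.Role -eq 'Invalid') { $tier = 'Database' }
        elseif ($isWfe)                 { $tier = 'Web front end' }
        else                            { $tier = 'Application' }

        [pscustomobject]@{
            Server         = $server.Address
            Role           = $server.Role
            Tier           = $tier
            CentralAdmin   = $hostsCA
            OnlineServices = ($instances | ForEach-Object { $_.TypeName } |
                                  Sort-Object -Unique) -join '; '
        }
    }
}

$topology = Get-FarmTopology
$topology | Format-Table Server, Role, Tier, CentralAdmin -AutoSize

# Drill into the WFEs: a front end that also runs search or user profile
# services is serving two tiers, which the design above does not intend.
$topology | Where-Object { $_.Tier -eq 'Web front end' } |
    Select-Object Server, OnlineServices | Format-List
```

Run it from any SharePoint server with shell access. Comparing the Tier column with the documented design is a quick way to catch a server that was joined to the farm with the wrong services started, or a front end that has been exposed to users while also hosting Central Administration.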

SharePoint Usage

Today I am providing some basic and useful information about SharePoint.

What is SharePoint?
SharePoint is a web-based portal that uses IIS web sites to share different types of data and information securely. It is an easy tool that can be used by organizations of any size, small, medium or large. SharePoint is available on-premises (on your own servers) or online. It can be installed on a Windows Server machine and accessed from anywhere on the network, without the user needing to know the physical location of the files. SharePoint keeps its data in SQL Server. Basically SharePoint is data and information sharing software.

As per Microsoft –

SharePoint is a collaboration environment that organizations of all sizes can use to increase the efficiency of business processes.
SharePoint sites provide secure environments that administrators can configure to provide personalized access to documents and other information. Search features enable users to find content efficiently regardless of the physical location of data.

Usage of SharePoint –
SharePoint is useful in many different scenarios. Here I am describing some of them.
Documents – Users can store documents in SharePoint, share them with other users and limit what those users may do with the documents. SharePoint permissions can be granted at the item level, so different items can have different permissions, and only the allowed users can perform the corresponding tasks.
Calendars – Users can store calendar events, build their schedule in SharePoint and share it with other users, with the same item-level permissions as documents.
Surveys – SharePoint can be used to run surveys, both in your local environment and online.
Tasks and Projects – You can manage your tasks and projects in SharePoint and assign them to the people concerned.
Collaboration – SharePoint's newsfeed, user profiles and collaboration features let users share their thoughts, like and comment on each other's posts and share their knowledge.
SharePoint is also capable of sending e-mail alerts, automating tasks and sharing data in a secure environment.

Thursday, 14 January 2016

SharePoint 2013 Limitations

Below are some limitations of SharePoint 2013 (the value in brackets is the type of limit: supported, fixed boundary, or threshold). Refer to the Microsoft TechNet article "Software boundaries and limits for SharePoint 2013" for more details.

Web applications - 20 per farm (supported)
Site zones - 5 per web application (fixed)
Managed paths - 20 per farm (supported)
Application pools - 10 per web server (threshold)
Content databases - 500 per farm (supported)
Content database size - 200 GB per database (supported)
Items in a content database - 60 million per database (supported)
Site collections - 10,000 per content database and 750,000 per farm (supported)
Sub sites - 2,000 per site collection (supported)
Web parts - 25 per page (threshold)
Documents - 30 million per library (supported)
Items - 30 million per list (supported)
Major versions - 400,000 (supported)
Minor versions - 511 (fixed)
Bulk operations - 100 items at a time (fixed)
List/library view threshold - 5,000 items (threshold, can be increased)
Lookup threshold - 8 lookup columns per view (threshold)
Users in a site collection - 2 million (supported)

Wednesday, 13 January 2016

Checking if Load Balancing is working fine

Go to any web front end server that is connected to the cluster in Network Load Balancing Manager.
  1. Open the Start menu.
  2. Select Administrative Tools.
  3. Click Network Load Balancing Manager.
  4. Right click any listed web front end server under "Network Load Balancing Clusters".
  5. Select Control Host.
  6. Click Stop.
  7. Now open the SharePoint site using the load-balanced URL; it should still work, because the remaining WFEs are serving it.
  8. In the same way stop each server, or several at once; the site should stay available as long as any single WFE is still started.
  9. Finally stop all WFEs; now the site should not be available.
Test from a client machine outside the cluster, not from one of the WFEs themselves, and when the site comes up after a stop make sure the page really came from a remaining server (for example by checking which server name appears in the IIS logs) rather than from the browser cache.
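The script below is an added example, not code from the original post: it automates the same check with the NetworkLoadBalancingClusters PowerShell module instead of the Network Load Balancing Manager GUI, stopping one host at a time, requesting the site through the load-balanced URL, restarting the host, and finally stopping every host to confirm the site goes down. The load-balanced URL and the cluster host name wfe01 are assumed values; the node names are read from the cluster.

```powershell
# Added example: automated NLB failover check for a SharePoint farm.
# Assumed values: the load-balanced site URL and one cluster host name.
Import-Module NetworkLoadBalancingClusters

$siteUrl = 'https://intranet.contoso.local/'   # assumed load-balanced URL
$cluster = Get-NlbCluster -HostName 'wfe01'    # assumed: any host of the cluster

function Test-SiteAvailable([string]$url) {
    # A real HTTP request through the virtual IP, not a ping: NLB keeps
    # forwarding to a host whether or not IIS on it is healthy. Anything
    # other than HTTP 200, or a connection failure, counts as "down".
    try {
        $r = Invoke-WebRequest -Uri $url -UseDefaultCredentials -UseBasicParsing -TimeoutSec 30
        return ($r.StatusCode -eq 200)
    } catch {
        return $false
    }
}

function Test-NlbFailover {
    $nodes   = @($cluster | Get-NlbClusterNode)
    $results = @()

    foreach ($node in $nodes) {
        # -Drain lets in-flight connections finish before the host leaves the
        # cluster; a plain Stop cuts them off, which is what the GUI step does.
        $node | Stop-NlbClusterNode -Drain -Timeout 60 | Out-Null
        $results += [pscustomobject]@{
            StoppedNode = $node.Name
            SiteUp      = Test-SiteAvailable $siteUrl
            Expected    = $true
        }
        $node | Start-NlbClusterNode | Out-Null
    }

    # Last step of the procedure: with every host stopped the site must be down.
    $nodes | Stop-NlbClusterNode | Out-Null
    $results += [pscustomobject]@{
        StoppedNode = 'ALL'
        SiteUp      = Test-SiteAvailable $siteUrl
        Expected    = $false
    }
    $nodes | Start-NlbClusterNode | Out-Null

    return $results
}

$results = Test-NlbFailover
$results | Format-Table -AutoSize
if ($results | Where-Object { $_.SiteUp -ne $_.Expected }) {
    Write-Warning 'Load balancing check FAILED: see rows where SiteUp differs from Expected.'
}
```

Run it from a management workstation that has the NLB remote administration tools installed and is not itself a member of the cluster, during a maintenance window, because the final step takes the site down for real. Pairing the run with a look at the IIS logs on each WFE confirms that the successful requests were served by the hosts that were still started.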